Building an LTE-based VPN with an RTX1210 and an NVR700W

I built a site-to-site VPN in which the center side uses a fiber line and the branch side uses an LTE line with a Softbank LTE SIM.

I am recording the setup below as a memo.

Center side

RTX1210 (fiber line) 192.168.100.1

Branch side

NVR700W (Softbank 4G LTE SIM) 192.168.1.254

I used a Softbank SIM this time, but docomo, IIJ and other carriers can also connect if you set the CID to the appropriate value.

For each carrier's CID and related settings, refer to this page.

A normal VPN requires a global IP address at both sites, but by using IPsec Aggressive Mode the branch side can establish the VPN with only a private address.

This is useful, for example, for site-to-site communication over a budget SIM from IIJ, Biglobe or similar providers.

RTX1210 Config

# show config
console character en.ascii
console lines infinity
console prompt CENTER
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 192.168.100.254 gateway tunnel 1
ip lan1 address 192.168.100.1/24
pp select 1
 description pp ISP-A
 pp keepalive interval 30 retry-interval=30 count=12
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname id@isp-a.jp password
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type none
 ip pp secure filter in  2105 2104 2103 2003 2020 2021 2022 2023 2024 2025 2030 2032 2100 2101 2102 2107
 ip pp secure filter out 2013 2020 2021 2022 2023 2024 2025 2026 2027 2099 dynamic 2080 2081 2082 2083 2084 2085 2098 2099
 ip pp nat descriptor 1000
 netvolante-dns hostname host pp server=1 lte-test.aa0.netvolante.jp
 pp enable 1
tunnel select 1
 description tunnel Remote-1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 on heartbeat 10 6
  ipsec ike local address 1 192.168.100.1
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 PRE-SHARED-KEY
  ipsec ike remote address 1 any
  ipsec ike remote name 1 lte-test key-id
 ip tunnel tcp mss limit auto
 tunnel enable 1
ip filter 2000 reject 10.0.0.0/8 * * * *
ip filter 2001 reject 172.16.0.0/12 * * * *
ip filter 2002 reject 192.168.0.0/16 * * * *
ip filter 2003 reject 192.168.100.0/24 * * * *
ip filter 2010 reject * 10.0.0.0/8 * * *
ip filter 2011 reject * 172.16.0.0/12 * * *
ip filter 2012 reject * 192.168.0.0/16 * * *
ip filter 2013 reject * 192.168.100.0/24 * * *
ip filter 2020 reject * * udp,tcp 135 *
ip filter 2021 reject * * udp,tcp * 135
ip filter 2022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 2023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 2024 reject * * udp,tcp 445 *
ip filter 2025 reject * * udp,tcp * 445
ip filter 2026 restrict * * tcpfin * www,21,nntp
ip filter 2027 restrict * * tcprst * www,21,nntp
ip filter 2030 pass * 192.168.100.0/24 icmp * *
ip filter 2031 pass * 192.168.100.0/24 established * *
ip filter 2032 pass * 192.168.100.0/24 tcp * ident
ip filter 2033 pass * 192.168.100.0/24 tcp ftpdata *
ip filter 2034 pass * 192.168.100.0/24 tcp,udp * domain
ip filter 2035 pass * 192.168.100.0/24 udp domain *
ip filter 2036 pass * 192.168.100.0/24 udp * ntp
ip filter 2037 pass * 192.168.100.0/24 udp ntp *
ip filter 2099 pass * * * * *
ip filter 2100 pass * 192.168.100.1 udp * 500
ip filter 2101 pass * 192.168.100.1 esp * *
ip filter 2102 pass * 192.168.100.1 udp * 4500
ip filter 2103 pass * 192.168.1.0/24 tcp * *
ip filter 2104 pass 管理拠点WAN-IP 192.168.100.254 tcp * * # remote login from the management site
ip filter 2105 pass 管理拠点WAN-IP 192.168.100.1 tcp *     # remote login from the management site
ip filter 500000 restrict * * * * *
ip filter dynamic 2080 * * ftp
ip filter dynamic 2081 * * domain
ip filter dynamic 2082 * * www
ip filter dynamic 2083 * * smtp
ip filter dynamic 2084 * * pop3
ip filter dynamic 2085 * * submission
ip filter dynamic 2098 * * tcp
ip filter dynamic 2099 * * udp
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 192.168.100.1 udp 500
nat descriptor masquerade static 1000 2 192.168.100.1 esp
nat descriptor masquerade static 1000 3 192.168.100.1 udp 4500
ipsec auto refresh on
syslog notice on
dhcp server rfc2131 compliant except remain-silent
dns host lan1
dns server pp 1
dns server select 500001 pp 1 any . restrict pp 1
dns private address spoof on
httpd host lan
sshd service on
sshd host key generate *
CENTER#

NVR700W Config

console character en.ascii
console lines infinity
console prompt LTE-REMOTE
ip route default gateway tunnel 1 filter 101 gateway 192.168.1.253 gateway pdp wan1
ip route 192.168.100.0/24 gateway tunnel 1
ip lan1 address 192.168.1.254/24
ip wan1 address pdp
ip wan1 secure filter in 5080 3003 3020 3021 3022 3023 3024 3025 3030 3032 3100 3101 3102
ip wan1 secure filter out 3013 3020 3021 3022 3023 3024 3025 3026 3027 3099 dynamic 3080 3081 3082 3083 3084 3085 3098 3099
ip wan1 nat descriptor 1000
wan1 bind wwan 1
wwan select 1
 description wwan softbank
 wwan always-on on
 wwan auth accept chap
 wwan auth myname plus 4g
 wwan auto connect on
 wwan disconnect time off
 wwan disconnect input time off
 wwan disconnect output time off
 wwan access-point name plus.4g
 wwan access limit length off
 wwan access limit time off
 wwan enable 1
tunnel select 1
 description tunnel Center
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 on heartbeat 10 6
  ipsec ike local name 1 lte-test key-id
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 PRE-SHARED-KEY
  ipsec ike remote address 1 lte-test.aa0.netvolante.jp
 ip tunnel tcp mss limit auto
 tunnel enable 1
ip filter 100 pass 0.0.0.0 * * *
ip filter 101 pass 192.168.1.200-192.168.1.250 * * * *
ip filter 102 pass 192.168.1.2-192.168.1.199 * * * *
ip filter 3000 reject 10.0.0.0/8 * * * *
ip filter 3001 reject 172.16.0.0/12 * * * *
ip filter 3002 reject 192.168.0.0/16 * * * *
ip filter 3003 reject 192.168.100.0/24 * * * *
ip filter 3010 reject * 10.0.0.0/8 * * *
ip filter 3011 reject * 172.16.0.0/12 * * *
ip filter 3012 reject * 192.168.0.0/16 * * *
ip filter 3013 reject * 192.168.100.0/24 * * *
ip filter 3020 reject * * udp,tcp 135 *
ip filter 3021 reject * * udp,tcp * 135
ip filter 3022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 3023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 3024 reject * * udp,tcp 445 *
ip filter 3025 reject * * udp,tcp * 445
ip filter 3026 restrict * * tcpfin * www,21,nntp
ip filter 3027 restrict * * tcprst * www,21,nntp
ip filter 3030 pass * 192.168.1.0/24 icmp * *
ip filter 3031 pass * 192.168.100.0/24 established * *
ip filter 3032 pass * 192.168.100.0/24 tcp * ident
ip filter 3033 pass * 192.168.100.0/24 tcp ftpdata *
ip filter 3034 pass * 192.168.100.0/24 tcp,udp * domain
ip filter 3035 pass * 192.168.100.0/24 udp domain *
ip filter 3036 pass * 192.168.100.0/24 udp * ntp
ip filter 3037 pass * 192.168.100.0/24 udp ntp *
ip filter 3099 pass * * * * *
ip filter 3100 pass * 192.168.1.254 udp * 500
ip filter 3101 pass * 192.168.1.254 esp * *
ip filter 3102 pass * 192.168.1.254 udp * 4500
ip filter 5080 pass-log * 192.168.1.200-192.168.1.253 tcp www *
ip filter dynamic 3080 * * ftp syslog=off
ip filter dynamic 3081 * * domain syslog=off
ip filter dynamic 3082 * * www syslog=off
ip filter dynamic 3083 * * smtp syslog=off
ip filter dynamic 3084 * * pop3 syslog=off
ip filter dynamic 3085 * * submission syslog=off
ip filter dynamic 3098 * * tcp syslog=off
ip filter dynamic 3099 * * udp syslog=off
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 primary
nat descriptor masquerade static 1000 1 192.168.1.254 udp 500
nat descriptor masquerade static 1000 2 192.168.1.254 esp
nat descriptor masquerade static 1000 3 192.168.1.254 udp 4500
ipsec auto refresh on
syslog notice on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.101-192.168.1.180/24 expire 0:30
dns host lan1
dns server pdp wan1
dns server select 500401 pdp wan1 any .
dns private address spoof on
dns private name setup.netvolante.jp
httpd host any
alarm entire off
sshd service on
sshd host key generate *
dashboard accumulate traffic on
wwan-module use on
wwan-module signal-strength off
LTE-REMOTE#

Note:

The ip route lines may need some adjustment.
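As an added consistency check (not part of the original post or Yamaha's tooling), the following Python script parses excerpts of the two configs above and flags the mismatches that most often keep an aggressive-mode tunnel from coming up: a pre-shared key or key-id that differs between the sides, NAT traversal left off, or an inbound filter list that does not pass IKE (UDP 500), ESP and NAT-T (UDP 4500) to the masqueraded endpoint address. The excerpts are constructed from the values on this page; the parsing and check logic is my own.

```python
# Excerpts of the two configs above, constructed for this check (not complete configs).
CENTER = """ip pp secure filter in 2105 2104 2103 2003 2100 2101 2102
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 PRE-SHARED-KEY
  ipsec ike remote name 1 lte-test key-id
ip filter 2100 pass * 192.168.100.1 udp * 500
ip filter 2101 pass * 192.168.100.1 esp * *
ip filter 2102 pass * 192.168.100.1 udp * 4500
nat descriptor masquerade static 1000 1 192.168.100.1 udp 500"""
REMOTE = """ip wan1 secure filter in 5080 3003 3100 3101 3102
  ipsec ike local name 1 lte-test key-id
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 PRE-SHARED-KEY
ip filter 3100 pass * 192.168.1.254 udp * 500
ip filter 3101 pass * 192.168.1.254 esp * *
ip filter 3102 pass * 192.168.1.254 udp * 4500
nat descriptor masquerade static 1000 1 192.168.1.254 udp 500"""
REQUIRED = (("udp", "500"), ("esp", "*"), ("udp", "4500"))  # IKE, ESP, NAT-T (ESP in UDP)

def parse(cfg):  # IKE settings, inbound WAN filter list, pass filters, masqueraded endpoint
    s = {"ike": {}, "inbound": set(), "passes": {}, "endpoint": None}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["ipsec", "ike"]:  # "ipsec ike <setting words> <tunnel-id> <value...>"
            i = next(i for i, tok in enumerate(t) if i >= 2 and tok.isdigit())
            s["ike"][" ".join(t[2:i])] = " ".join(t[i + 1:])
        elif t[2:5] == ["secure", "filter", "in"]:
            s["inbound"] = set(t[5:])
        elif t[:2] == ["ip", "filter"] and len(t) >= 9 and t[3] == "pass":
            s["passes"][t[2]] = (t[5], t[6], t[8])  # destination address, protocol, port
        elif t[:4] == ["nat", "descriptor", "masquerade", "static"]:
            s["endpoint"] = t[6]
    return s

def check_pair(center_cfg, remote_cfg):  # mismatches that would keep the tunnel down
    c, r = parse(center_cfg), parse(remote_cfg)
    found = []
    if c["ike"].get("pre-shared-key") != r["ike"].get("pre-shared-key"):
        found.append("pre-shared key differs between center and remote")
    if c["ike"].get("remote name") != r["ike"].get("local name"):
        found.append("center 'remote name' does not match remote 'local name' (key-id)")
    for label, side in (("center", c), ("remote", r)):
        if side["ike"].get("nat-traversal") != "on":
            found.append(f"{label}: nat-traversal is not on")
        allowed = {side["passes"][n][1:] for n in side["inbound"]
                   if n in side["passes"] and side["passes"][n][0] == side["endpoint"]}
        for need in REQUIRED:
            if need not in allowed:
                found.append(f"{label}: no inbound filter passing {need} to {side['endpoint']}")
    return found
```

Run it against full `show config` output from both routers after pasting it into the two strings; an empty list means the IKE identity, key, NAT-T and inbound filters line up.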