センター側が光回線。拠点側が4G回線を用いた拠点間VPNを、SoftbankのデータSIMを用いて構築しました。
以下備忘録として記録します。
センター側
RTX1210(光回線) 192.168.100.1
リンク
拠点側
NVR700W(Softbank 4GLTE SIM) 192.168.1.254
リンク
今回はSoftbankのSIMを利用しましたが、docomoやIIJなどでもCIDを適切なものに設定することで接続可能です。
各キャリアごとのCID等は、こちらを参考にしてください。
通常のVPNは両拠点ともにグローバルIPアドレスが必要ですが、IPsecのAggressive Modeを用いることで
拠点側はプライベートアドレスのみでVPNが確立します。
IIJやBiglobeなどの格安SIMを用いて、拠点間通信する際などに活用できます。
RTX1210 Config
# show config
console character en.ascii
console lines infinity
console prompt CENTER
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 192.168.100.254 gateway tunnel 1
ip lan1 address 192.168.100.1/24
pp select 1
description pp ISP-A
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname id@isp-a.jp password
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp secure filter in 2105 2104 2103 2003 2020 2021 2022 2023 2024 2025 2030 2032 2100 2101 2102 2107
ip pp secure filter out 2013 2020 2021 2022 2023 2024 2025 2026 2027 2099 dynamic 2080 2081 2082 2083 2084 2085 2098 2099
ip pp nat descriptor 1000
netvolante-dns hostname host pp server=1 lte-test.aa0.netvolante.jp
pp enable 1
tunnel select 1
description tunnel Remote-1
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on heartbeat 10 6
ipsec ike local address 1 192.168.100.1
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 PRE-SHARED-KEY
ipsec ike remote address 1 any
ipsec ike remote name 1 lte-test key-id
ip tunnel tcp mss limit auto
tunnel enable 1
ip filter 2000 reject 10.0.0.0/8 * * * *
ip filter 2001 reject 172.16.0.0/12 * * * *
ip filter 2002 reject 192.168.0.0/16 * * * *
ip filter 2003 reject 192.168.100.0/24 * * * *
ip filter 2010 reject * 10.0.0.0/8 * * *
ip filter 2011 reject * 172.16.0.0/12 * * *
ip filter 2012 reject * 192.168.0.0/16 * * *
ip filter 2013 reject * 192.168.100.0/24 * * *
ip filter 2020 reject * * udp,tcp 135 *
ip filter 2021 reject * * udp,tcp * 135
ip filter 2022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 2023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 2024 reject * * udp,tcp 445 *
ip filter 2025 reject * * udp,tcp * 445
ip filter 2026 restrict * * tcpfin * www,21,nntp
ip filter 2027 restrict * * tcprst * www,21,nntp
ip filter 2030 pass * 192.168.100.0/24 icmp * *
ip filter 2031 pass * 192.168.100.0/24 established * *
ip filter 2032 pass * 192.168.100.0/24 tcp * ident
ip filter 2033 pass * 192.168.100.0/24 tcp ftpdata *
ip filter 2034 pass * 192.168.100.0/24 tcp,udp * domain
ip filter 2035 pass * 192.168.100.0/24 udp domain *
ip filter 2036 pass * 192.168.100.0/24 udp * ntp
ip filter 2037 pass * 192.168.100.0/24 udp ntp *
ip filter 2099 pass * * * * *
ip filter 2100 pass * 192.168.100.1 udp * 500
ip filter 2101 pass * 192.168.100.1 esp * *
ip filter 2102 pass * 192.168.100.1 udp * 4500
ip filter 2103 pass * 192.168.1.0/24 tcp * *
ip filter 2104 pass 管理拠点WAN-IP 192.168.100.254 tcp * * #管理拠点から遠隔でログインする
ip filter 2105 pass 管理拠点WAN-IP 192.168.100.1 tcp * #管理拠点から遠隔でログインする
ip filter 500000 restrict * * * * *
ip filter dynamic 2080 * * ftp
ip filter dynamic 2081 * * domain
ip filter dynamic 2082 * * www
ip filter dynamic 2083 * * smtp
ip filter dynamic 2084 * * pop3
ip filter dynamic 2085 * * submission
ip filter dynamic 2098 * * tcp
ip filter dynamic 2099 * * udp
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 192.168.100.1 udp 500
nat descriptor masquerade static 1000 2 192.168.100.1 esp
nat descriptor masquerade static 1000 3 192.168.100.1 udp 4500
ipsec auto refresh on
syslog notice on
dhcp server rfc2131 compliant except remain-silent
dns host lan1
dns server pp 1
dns server select 500001 pp 1 any . restrict pp 1
dns private address spoof on
httpd host lan
sshd service on
sshd host key generate *
CENTER#
NVR700w config
console character en.ascii
console lines infinity
console prompt LTE-REMOTE
ip route default gateway tunnel 1 filter 101 gateway 192.168.1.253 gateway pdp wan1
ip route 192.168.100.0/24 gateway tunnel 1
ip lan1 address 192.168.1.254/24
ip wan1 address pdp
ip wan1 secure filter in 5080 3003 3020 3021 3022 3023 3024 3025 3030 3032 3100 3101 3102
ip wan1 secure filter out 3013 3020 3021 3022 3023 3024 3025 3026 3027 3099 dynamic 3080 3081 3082 3083 3084 3085 3098 3099
ip wan1 nat descriptor 1000
wan1 bind wwan 1
wwan select 1
description wwan softbank
wwan always-on on
wwan auth accept chap
wwan auth myname plus 4g
wwan auto connect on
wwan disconnect time off
wwan disconnect input time off
wwan disconnect output time off
wwan access-point name plus.4g
wwan access limit length off
wwan access limit time off
wwan enable 1
tunnel select 1
description tunnel Center
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on heartbeat 10 6
ipsec ike local name 1 lte-test key-id
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 PRE-SHARED-KEY
ipsec ike remote address 1 lte-test.aa0.netvolante.jp
ip tunnel tcp mss limit auto
tunnel enable 1
ip filter 100 pass 0.0.0.0 * * *
ip filter 101 pass 192.168.1.200-192.168.1.250 * * * *
ip filter 102 pass 192.168.1.2-192.168.1.199 * * * *
ip filter 3000 reject 10.0.0.0/8 * * * *
ip filter 3001 reject 172.16.0.0/12 * * * *
ip filter 3002 reject 192.168.0.0/16 * * * *
ip filter 3003 reject 192.168.100.0/24 * * * *
ip filter 3010 reject * 10.0.0.0/8 * * *
ip filter 3011 reject * 172.16.0.0/12 * * *
ip filter 3012 reject * 192.168.0.0/16 * * *
ip filter 3013 reject * 192.168.100.0/24 * * *
ip filter 3020 reject * * udp,tcp 135 *
ip filter 3021 reject * * udp,tcp * 135
ip filter 3022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 3023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 3024 reject * * udp,tcp 445 *
ip filter 3025 reject * * udp,tcp * 445
ip filter 3026 restrict * * tcpfin * www,21,nntp
ip filter 3027 restrict * * tcprst * www,21,nntp
ip filter 3030 pass * 192.168.1.0/24 icmp * *
ip filter 3031 pass * 192.168.100.0/24 established * *
ip filter 3032 pass * 192.168.100.0/24 tcp * ident
ip filter 3033 pass * 192.168.100.0/24 tcp ftpdata *
ip filter 3034 pass * 192.168.100.0/24 tcp,udp * domain
ip filter 3035 pass * 192.168.100.0/24 udp domain *
ip filter 3036 pass * 192.168.100.0/24 udp * ntp
ip filter 3037 pass * 192.168.100.0/24 udp ntp *
ip filter 3099 pass * * * * *
ip filter 3100 pass * 192.168.1.254 udp * 500
ip filter 3101 pass * 192.168.1.254 esp * *
ip filter 3102 pass * 192.168.1.254 udp * 4500
ip filter 5080 pass-log * 192.168.1.200-192.168.1.253 tcp www *
ip filter dynamic 3080 * * ftp syslog=off
ip filter dynamic 3081 * * domain syslog=off
ip filter dynamic 3082 * * www syslog=off
ip filter dynamic 3083 * * smtp syslog=off
ip filter dynamic 3084 * * pop3 syslog=off
ip filter dynamic 3085 * * submission syslog=off
ip filter dynamic 3098 * * tcp syslog=off
ip filter dynamic 3099 * * udp syslog=off
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 primary
nat descriptor masquerade static 1000 1 192.168.1.254 udp 500
nat descriptor masquerade static 1000 2 192.168.1.254 esp
nat descriptor masquerade static 1000 3 192.168.1.254 udp 4500
ipsec auto refresh on
syslog notice on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.101-192.168.1.180/24 expire 0:30
dns host lan1
dns server pdp wan1
dns server select 500401 pdp wan1 any .
dns private address spoof on
dns private name setup.netvolante.jp
httpd host any
alarm entire off
sshd service on
sshd host key generate *
dashboard accumulate traffic on
wwan-module use on
wwan-module signal-strength off
LTE-REMOTE#
ご注意)
ip routeの行は少し修正する必要があるかもしれません。