回線条件
拠点1 Office-A: フレッツ光回線(WAN側:グローバルIPアドレス+netvolante-dns)
拠点2 Office-B: モバイル回線(WAN側:ローカルIPアドレス)
IPsecによるIPsec Aggressive Modeを用いたVPN構築については、拠点1のみグローバルアドレスが必要になります。(Netvolante-dnsを利用しますので、固定IPアドレスの契約も不要です)
IPsecのAggressive Modeを利用すると、拠点2に関しては一般的なモバイルSIMを用いて拠点1へのVPNを確立することができます。
リンク
実際にIIJmioを用いて拠点間VPNを構築しましたので、設定ファイルを掲載します。
(IPv6関係とQoSの記述はVPN構築には不要ですので、適宜削除してください。)
ネットワーク構成
Office-A) LAN IP:192.168.11.0/24 WAN IP:グローバルアドレス(不定)
回線:NTT東日本フレッツ光 + IPv6
RTX1210:192.168.11.1
Linux:192.168.11.101
Office-B) LAN IP:192.168.21.0/24 WAN IP:ローカルアドレス(不定)
回線:IIJmio モバイルデータ通信SIM
SRT100:192.168.21.1
RaspberryPi:192.168.21.100
計測機器:192.168.21.170
Office-A RTX1210:
余計なFilterが残っているので、運用時には適宜削除してください。
# Office-A (192.168.11.0/24)# show config
user attribute connection=serial
security class 1 on on
console character ascii
console columns 200
console lines infinity
console prompt RTX1210]
login timer 600
ip route default gateway pp 1 filter 10 gateway pp 2 filter 20 gateway pp 1
# Office-Bへは tunnel 21を経由する
ip route 192.168.21.0/24 gateway tunnel 21
ip filter source-route on
ip filter directed-broadcast on
ip lan1 address 192.168.11.1/24
ip lan1 proxyarp on
pp select 1
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname ID@ISP.NET PASSWORD
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp secure filter in 900 901 902 903 2080 2195 2081 2082 2083 2084 2085 2106 2525 3000
ip pp secure filter out 2088 1010 1011 1012 1013 1014 1015 2010 2011 2012 2013 2014 2015 5000
ip pp intrusion detection in on reject=on
ip pp intrusion detection out on reject=on
ip pp nat descriptor 1000
url pp filter in 11 12 99
url pp filter out 11 12 13 14 15 16 17 18 19 99
netvolante-dns use pp server=1 auto
netvolante-dns hostname host pp server=1 OFFICE-A.aa0.netvolante.jp
netvolante-dns auto hostname pp server=1 on
netvolante-dns timeout pp server=1 180
pp enable 1
tunnel select 21
description tunnel "tunnel for Office-B(192.168.21.1)"
ipsec tunnel 121
ipsec sa policy 121 21 esp 3des-cbc md5-hmac
ipsec ike local address 21 192.168.11.1
ipsec ike nat-traversal 21 on
ipsec ike pre-shared-key 21 text PRE-SHARED-KEY
ipsec ike remote address 21 any
ipsec ike remote name 21 kyoten1
ip tunnel secure filter in 210 211 2099
ip tunnel secure filter out 210 211 2099
tunnel enable 21
ip filter 10 pass 192.168.11.1,192.168.11.100,192.168.21.0/24 * * * *
ip filter 20 pass 192.168.11.99 * * * *
ip filter 210 pass 192.168.21.170 * * * *
ip filter 211 pass * 192.168.21.170 * *
ip filter 900 pass * 192.168.11.1 esp * *
ip filter 901 pass * 192.168.11.1 udp * 500
ip filter 902 pass * 192.168.11.1 udp * 4500
ip filter 903 pass * 192.168.11.1 udp * 1701
ip filter 1010 reject * * udp,tcp 135 *
ip filter 1011 reject * * udp,tcp * 135
ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1014 reject * * udp,tcp 445,548 *
ip filter 1015 reject * * udp,tcp * 445,548
ip filter 1020 reject 192.168.11.0/24 *
ip filter 1030 reject * * icmp
ip filter 2010 reject-nolog * * udp,tcp 135,445,netbios_ns-netbios_ssn,548 *
ip filter 2011 reject * * udp,tcp * 135,445,netbios_ns-netbios_ssn,548
ip filter 2020 reject 192.168.11.0/24 *
ip filter 2021 reject 10.0.0.0/8 * * * *
ip filter 2022 reject 172.16.0.0/16 * * * *
ip filter 2023 reject 192.168.11.0/24 * * * *
ip filter 2024 reject * 10.0.0.0/8 * * *
ip filter 2025 reject * 172.16.0.0/16 * * *
ip filter 2026 reject * 192.168.11.0/24 * * *
ip filter 2030 pass-log * 192.168.11.0/24 icmp
ip filter 2080 pass-log * * udp,tcp * 5060,8090,5001
ip filter 2081 pass * 192.168.11.0/24 * domain,www,ntp,https,465,587,993,38090,5001 *
ip filter 2082 reject 78.140.191.0/24,203.209.152.96,42.99.254.146,42.99.254.144,184.168.221.104,124.147.10.210,50.22.46.25,184.172.1.99,23.37.150.156 * * * *
ip filter 2083 pass-log * 192.168.11.170,192.168.21.170 * * *
ip filter 2084 pass-log * 192.168.11.100,192.168.11.104,192.168.11.106,192.168.11.197,192.168.11.198 udp * *
ip filter 2085 pass-log 特定のIPv4アドレス * * * *
ip filter 2088 pass-log * 192.168.11.192 tcp 8090
ip filter 2099 pass * * * *
ip filter 2106 pass-log * 192.168.11.106 * * *
ip filter 2195 pass-log * 192.168.11.195 * * *
ip filter 2525 pass-log * 192.168.11.0/24 * 81,82,843,1935,2525,2805,2807,2808,2825,2827,2867,8088 *
ip filter 3000 reject * * * *
ip filter 3021 pass-log * *
ip filter 5000 pass * * * * *
ip filter 6000 restrict * * * * *
ip filter dynamic 80 * * ftp syslog=off
ip filter dynamic 81 * * domain syslog=off
ip filter dynamic 82 * * www syslog=off
ip filter dynamic 83 * * smtp syslog=off
ip filter dynamic 84 * * pop3 syslog=off
ip filter dynamic 98 * * tcp syslog=off
ip filter dynamic 99 * * udp syslog=off
# 各種サーバへのmasquerade
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 10 192.168.11.1 tcp 1723,12345=22
nat descriptor masquerade static 1000 11 192.168.11.1 gre
nat descriptor masquerade static 1000 12 192.168.11.1 udp 1701
nat descriptor masquerade static 1000 13 192.168.11.1 udp 500
nat descriptor masquerade static 1000 14 192.168.11.1 esp
nat descriptor masquerade static 1000 15 192.168.11.1 udp 4500
# Office-Bの特定のサーバをOffice-A経由で外部公開する
nat descriptor masquerade static 1000 50 192.168.21.100 tcp 20021=22
nat descriptor masquerade static 1000 51 192.168.21.170 tcp 32334=33334
nat descriptor masquerade static 1000 52 192.168.21.200 tcp 28080=8080,28090=8090,21000=10000
ipsec auto refresh on
ipsec transport 1 101 udp 1701
syslog notice on
syslog debug off
telnetd host lan
dhcp service server
dhcp scope 1 192.168.11.100-192.168.11.199/24
dns service fallback on
dns server dhcp lan2
dns private address spoof on
snmp host any
pptp service on
pptp keepalive log off
pptp syslog on
l2tp service on
httpd host lan1
upnp use on
upnp syslog on
sshd service on
sshd host any
sshd host key generate *
sntpd service on
sntpd host any
Office-B SRT100(USB-Mobile)
# Office-B 192.168.21.1# show config
security class 1 on on
console character ascii
console columns 200
console lines infinity
console prompt SRT100_
login timer 600
# default gatewayは tunnel1
# filter型ルーティングでport単位で出口選択。
# filter1(各種サーバ)に関しては、tunnel 1経由で 拠点1からInternetに直接出る
# filter2(通常の通信)に関しては、pp 1からInternetに直接出る
# 192.168.11.0/24へは tunnel1
ip route default gateway tunnel 1 filter 1 gateway tunnel 1 filter 2 gateway pp 1
ip route 192.168.11.0/24 gateway tunnel 1
ip filter source-route on
ip filter directed-broadcast on
ip keepalive 1 icmp-echo 5 5 192.168.11.1
speed lan1 200k
queue lan1 type priority
queue lan1 class filter list 1 2 3 4 5 6
ip lan1 address 192.168.21.1/24
pp select 1
# IIJmioへの接続
pp bind usb1
pp always-on on
pp auth accept pap chap # ISPから割り当てられたIDとパスワードを記載
pp auth myname ID@ISP.NET PASSSWORD
ppp lcp mru off 1792
ppp lcp accm on
ppp lcp pfc on
ppp lcp acfc on
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ipv6cp use off
ip pp secure filter in 101 103 1020 1030 1040 1041 1050 1051 1052 1055 1056 3000
ip pp secure filter out 102 104 1010 1011 1012 1013 1014 1015 3000
ip pp nat descriptor 1000
mobile auto connect on
mobile disconnect time off # IIJ系は「vmobile.jp cid=1」となります。
mobile access-point name vmobile.jp cid=1
mobile access limit duration off
mobile access limit length off
mobile access limit time off
pp enable 1
tunnel select 1
# OFFICE-Aへの接続
ipsec tunnel 101
ipsec sa policy 101 1 esp 3des-cbc md5-hmac
ipsec ike always-on 1 on
ipsec ike keepalive log 1 on
ipsec ike keepalive use 1 on icmp-echo 192.168.11.1
ipsec ike local address 1 192.168.21.1
ipsec ike local name 1 kyoten1 key-id
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 text PRE-SHARED-KEY
ipsec ike remote address 1 OFFICE-A.aa0.netvolante.jp
ipsec auto refresh 1 on
queue tunnel class filter list 1 2 3 4 5 6
tunnel enable 1
# filter1(各種サーバ)に関しては、tunnel 1経由で 拠点1からInternetに直接出る
# filter2(通常の通信)に関しては、pp 1からInternetに直接出る
ip filter 1 pass-log * * tcp,udp * 22,telnet,514,3389,5900,8080,8090,10000,10001
ip filter 2 pass-log * * tcp,udp 22,telnet,514,3389,5900,8080,8090,10000,10001 *
ip filter 101 pass-log * 192.168.21.200 * www,19788,28099 *
ip filter 102 pass-log 192.168.21.200 * * * www,19788,28099
ip filter 103 reject * 192.168.21.100,192.168.21.200 * * *
ip filter 104 reject 192.168.21.100,192.168.21.200 * * * *
ip filter 1010 reject * * udp,tcp 135 *
ip filter 1011 reject * * udp,tcp * 135
ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1014 reject * * udp,tcp 445 *
ip filter 1015 reject * * udp,tcp * 445
ip filter 1020 reject 192.168.21.0/24 *
ip filter 1030 pass * * icmp
ip filter 1051 pass-log 管理IP_Address * * *
ip filter 1055 pass 192.168.21.0/24 * tcp * *
ip filter 1056 pass * 192.168.21.0/24 tcp * *
ip filter 2000 reject * *
ip filter 3000 pass * *
ip filter 3011 pass-log * *
ip filter 3021 pass-log * *
ip filter 9999 pass * * *
nat descriptor type 1 masquerade
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 192.168.21.1 tcp 22,telnet,www
nat descriptor masquerade static 1000 2 192.168.21.1 tcp 1723
nat descriptor masquerade static 1000 3 192.168.21.1 gre
nat descriptor masquerade static 1000 4 192.168.21.100 tcp 5900
nat descriptor masquerade static 1000 11 192.168.21.1 udp 500
nat descriptor masquerade static 1000 12 192.168.21.1 esp
ipsec auto refresh on
syslog notice on
syslog info on
syslog debug off
dhcp service server
dhcp server rfc2131 compliant on
dhcp scope 1 192.168.21.100-192.168.21.199/24
dhcp scope bind 1 192.168.21.170 ethernet NN:NN:NN:NN:NN:NN
dns server 129.250.35.250
dns private address spoof on
snmp host 192.168.21.200
snmp community read-only private
snmp yrifppdisplayatmib2 on
# ping_restart.luaにて回線死活監視。再起動実施。
schedule at 1 */* 02:30 * ntpdate ntp2.jst.mfeed.ad.jp
schedule at 2 */* *:00 * lua /ping_restart.lua
schedule at 3 */Mon-Fri 02:45 * disconnect 1
schedule at 4 */Mon-Fri 02:55 * connect 1
schedule at 5 */* *:10 * lua /ping_restart.lua
schedule at 6 */* *:20 * lua /ping_restart.lua
schedule at 7 */* *:30 * lua /ping_restart.lua
schedule at 8 */* *:40 * lua /ping_restart.lua
schedule at 9 */* *:50 * lua /ping_restart.lua
httpd host lan
alarm entire off
sshd service on
sshd host any
sshd host key generate *
jate number
mobile syslog on
mobile use usb1 on
参考モバイルルータ情報
SRT100_> show status usbhost
USB host controller: Running
USB bus power feed: ON
Attached USB device
Device name: 0x6326 <docomo L03D>
Vendor name: 0x1004 <NTT DOCOMO, INC.>
Telephone number: 07012345678
Maximum transfer rate: 480Mbps(High speed)
SRT100_>ping_restart.lua 死活監視・再起動スクリプト。
めむ帖 ~駆け出しSEの雑記帖~様よりお知恵を拝借しました。有難うございます。
YAMAHA SRT100にて収容してるUSB-3G(LTE)のインターネット接続が原因不明のパケ詰まりを起こしているため、Internet抜けができなくなった時にルータを再起動する簡易スクリプトを作成して様子を見ることにした備忘録。
【要件】
一定間隔(毎時00分)に8.8.8.8にPing試行、Lossするようなら装置restartする。
【コンフィグに下記追加】
schedule at 1 */* *:00 * lua /ping_restart.lua
【Luaスクリプト】
rtn, str = rt.command(“ping -c 10 8.8.8.8″)
if (rtn) and (str) then
loss = string.match(str, “(%d+)%.%d+%%”) — パケットロス率(NNN.N%)の整数部を抽出
if (loss ~= nil) then
loss = tonumber(loss) — 文字列から数値へ変換
if (loss >= 30) then
rt.command(“restart”)
end
end
endLuaスクリプトをPCからルーターにコピーする(YAMAHA HPより)
USBメモリのルートディレクトリーからルーターのルートディレクトリーにLuaスクリプトをコピーする場合:
[ルーターコンソール]
# copy usb1:/ping_restart.lua /ping_restart.lua
# show file list /
2015/05/29 10:15:47 262 ping_restart.lua