YAMAHA configuration example: VPN over a FLET'S line and a mobile line

Line conditions

Site 1, Office-A: FLET'S Hikari fiber line (WAN side: global IP address + netvolante-dns)

Site 2, Office-B: mobile line (WAN side: private IP address)

For a VPN built with IPsec Aggressive Mode, only site 1 needs a global address. (Because netvolante-dns is used, a fixed-IP contract is not needed either.)

With IPsec Aggressive Mode, site 2 can establish a VPN to site 1 using an ordinary mobile SIM.

I actually built a site-to-site VPN using IIJmio, so the configuration files are posted below.

(The IPv6 and QoS entries are not needed for the VPN itself; delete them as appropriate.)

Network layout

Office-A) LAN IP: 192.168.11.0/24  WAN IP: global address (not fixed)

Line: NTT East FLET'S Hikari + IPv6

RTX1210: 192.168.11.1

Linux: 192.168.11.101

Office-B) LAN IP: 192.168.21.0/24  WAN IP: private address (not fixed)

Line: IIJmio mobile data SIM

SRT100: 192.168.21.1

RaspberryPi: 192.168.21.100

Measurement equipment: 192.168.21.170

Office-A RTX1210:

# Office-A (192.168.11.0/24)
# show config
user attribute connection=serial
security class 1 on on
console character ascii
console columns 200
console lines infinity
console prompt RTX1210]
login timer 600
ip route default gateway pp 1 filter 10 gateway pp 2 filter 20 gateway pp 1
ip route 192.168.21.0/24 gateway tunnel 21
ip filter source-route on
ip filter directed-broadcast on
ipv6 prefix 1 ra-prefix@lan2::/64
ip lan1 address 192.168.11.1/24
ip lan1 proxyarp on
url lan1 filter out 11 12 13 14 15 16 17 18 19 99
ipv6 lan1 address ra-prefix@lan2::1/64
ipv6 lan1 rtadv send 1 o_flag=on
ipv6 lan1 dhcp service server
url lan2 filter in 11 12 13 14 15 16 17 18 19 99
url lan2 filter out 11 12 13 14 15 16 17 18 19 99
ipv6 lan2 secure filter in 6013 6010 6011 6012 6200
ipv6 lan2 secure filter out 689 6020 6021 6022 6023 6024 6025 6026 6027 6300 dynamic 600 601
ipv6 lan2 dhcp service client ir=on
pp select 1
 queue pp class filter list 11 12 13 14 15 16 17
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname ID@ISP.NET PASSWORD
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp mtu 1454
 ip pp secure filter in 900 901 902 903 2080 2195 2081 2082 2083 2084 2085 2106 2525 3000
 ip pp secure filter out 2088 1010 1011 1012 1013 1014 1015 2010 2011 2012 2013 2014 2015 5000
 ip pp intrusion detection in on reject=on
 ip pp intrusion detection out on reject=on
 ip pp nat descriptor 1000
 url pp filter in 11 12 99
 url pp filter out 11 12 13 14 15 16 17 18 19 99
 netvolante-dns use pp server=1 auto
 netvolante-dns hostname host pp server=1 OFFICE-A.aa0.netvolante.jp
 netvolante-dns auto hostname pp server=1 on
 netvolante-dns timeout pp server=1 180
 pp enable 1
pp select anonymous
 description pp "anonymous pptp(t1), l2tp(t30)"
 pp bind tunnel29-tunnel30
 pp auth request mschap-v2
 pp auth accept mschap-v2
 pp auth username USERID PASSWORD
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type mppe-any
 ppp ipv6cp use off
 ip pp remote address pool 192.168.11.201-192.168.11.211
 ip pp mtu 1280
 pptp service type server
 pp enable anonymous
tunnel select 21
 description tunnel "tunnel for Office-B(192.168.21.1)"
 ipsec tunnel 121
  ipsec sa policy 121 21 esp 3des-cbc md5-hmac
  ipsec ike local address 21 192.168.11.1
  ipsec ike nat-traversal 21 on
  ipsec ike pre-shared-key 21 text PRE-SHARED-KEY
  ipsec ike remote address 21 any
  ipsec ike remote name 21 kyoten1
 ip tunnel secure filter in 210 211 2099
 ip tunnel secure filter out 210 211 2099
 tunnel enable 21
tunnel select 29
 description tunnel "tunnel for generic pptp"
 tunnel encapsulation pptp
 pptp tunnel disconnect time off
 tunnel enable 29
tunnel select 30
 description tunnel "tunnel for l2tp by Mobile"
 tunnel encapsulation l2tp
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 off
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text PRE-SHARED-KEY
  ipsec ike remote address 1 any
 l2tp tunnel auth off
 l2tp keepalive use on
 ip tunnel tcp mss limit auto
 tunnel enable 30
ip filter 10 pass 192.168.11.1,192.168.11.100,192.168.21.0/24 * * * *
ip filter 20 pass 192.168.11.99 * * * *
ip filter 210 pass 192.168.21.170 * * * *
ip filter 211 pass * 192.168.21.170 * *
ip filter 900 pass * 192.168.11.1 esp * *
ip filter 901 pass * 192.168.11.1 udp * 500
ip filter 902 pass * 192.168.11.1 udp * 4500
ip filter 903 pass * 192.168.11.1 udp * 1701
ip filter 1010 reject * * udp,tcp 135 *
ip filter 1011 reject * * udp,tcp * 135
ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1014 reject * * udp,tcp 445,548 *
ip filter 1015 reject * * udp,tcp * 445,548
ip filter 1020 reject 192.168.11.0/24 *
ip filter 1030 reject * * icmp
ip filter 2010 reject-nolog * * udp,tcp 135,445,netbios_ns-netbios_ssn,548 *
ip filter 2011 reject * * udp,tcp * 135,445,netbios_ns-netbios_ssn,548
ip filter 2020 reject 192.168.11.0/24 *
ip filter 2021 reject 10.0.0.0/8 * * * *
ip filter 2022 reject 172.16.0.0/16 * * * *
ip filter 2023 reject 192.168.11.0/24 * * * *
ip filter 2024 reject * 10.0.0.0/8 * * *
ip filter 2025 reject * 172.16.0.0/16 * * *
ip filter 2026 reject * 192.168.11.0/24 * * *
ip filter 2030 pass-log * 192.168.11.0/24 icmp
ip filter 2080 pass-log * * udp,tcp * 5060,8090,5001
ip filter 2081 pass * 192.168.11.0/24 * domain,www,ntp,https,465,587,993,38090,5001 *
ip filter 2082 reject 78.140.191.0/24,203.209.152.96,42.99.254.146,42.99.254.144,184.168.221.104,124.147.10.210,50.22.46.25,184.172.1.99,23.37.150.156 * * * *
ip filter 2083 pass-log * 192.168.11.170,192.168.21.170 * * *
ip filter 2084 pass-log * 192.168.11.100,192.168.11.104,192.168.11.106,192.168.11.197,192.168.11.198 udp * *
ip filter 2085 pass-log 特定のIPv4アドレス * * * *
ip filter 2088 pass-log * 192.168.11.192 tcp 8090
ip filter 2099 pass * * * *
ip filter 2106 pass-log * 192.168.11.106 * * *
ip filter 2195 pass-log * 192.168.11.195 * * *
ip filter 2525 pass-log * 192.168.11.0/24 * 81,82,843,1935,2525,2805,2807,2808,2825,2827,2867,8088 *
ip filter 3000 reject * * * *
ip filter 3021 pass-log * *
ip filter 5000 pass * * * * *
ip filter 6000 restrict * * * * *
ip filter dynamic 80 * * ftp syslog=off
ip filter dynamic 81 * * domain syslog=off
ip filter dynamic 82 * * www syslog=off
ip filter dynamic 83 * * smtp syslog=off
ip filter dynamic 84 * * pop3 syslog=off
ip filter dynamic 98 * * tcp syslog=off
ip filter dynamic 99 * * udp syslog=off
nat descriptor type 1000 masquerade
nat descriptor sip 1000 on
# masquerade entries for the various servers
nat descriptor masquerade static 1000 10 192.168.11.1 tcp 1723,12345=22
nat descriptor masquerade static 1000 11 192.168.11.1 gre
nat descriptor masquerade static 1000 12 192.168.11.1 udp 1701
nat descriptor masquerade static 1000 13 192.168.11.1 udp 500
nat descriptor masquerade static 1000 14 192.168.11.1 esp
nat descriptor masquerade static 1000 15 192.168.11.1 udp 4500
nat descriptor masquerade static 1000 20 192.168.11.100 tcp 20023=22,23680=10001,28081=8080,18080=10772
nat descriptor masquerade static 1000 21 192.168.11.100 tcp 24839
nat descriptor masquerade static 1000 22 192.168.11.100 udp 24839
nat descriptor masquerade static 1000 23 192.168.11.100 udp 10000-20000
nat descriptor masquerade static 1000 24 192.168.11.101 tcp 20024=22,11170,21170
nat descriptor masquerade static 1000 25 192.168.11.170 tcp 11885=www,31334=30334
nat descriptor masquerade static 1000 26 192.168.11.200 tcp 15001=5001,https
nat descriptor masquerade static 1000 27 192.168.11.210 tcp 25790=15790,25970=www
nat descriptor masquerade static 1000 28 192.168.11.212 udp 29540
nat descriptor masquerade static 1000 50 192.168.21.100 tcp 20021=22
nat descriptor masquerade static 1000 51 192.168.21.170 tcp 32334=30334
nat descriptor masquerade static 1000 52 192.168.21.200 tcp 28080=8080,28090=8090,21000=10000
ipsec auto refresh on
ipsec transport 1 101 udp 1701
ipv6 filter 688 pass-log 特定のIPv6アドレス1 * * *
ipv6 filter 689 pass-log * 特定のIPv6アドレス1 * *
ipv6 filter 6010 pass * * icmp6 * *
ipv6 filter 6011 pass * * tcp * ident,22
ipv6 filter 6012 pass * * udp * 546
ipv6 filter 6013 pass-log 特定のIPv6アドレス1,特定のIPv6アドレス1 * * * *
ipv6 filter 6014 reject * * udp,tcp 445,548 *
ipv6 filter 6015 reject * * udp,tcp * 445,548
ipv6 filter 6016 reject * * tcp telnet,www,sunrpc,snmp,https,843,1900,2049,3702,5000,5001,5355 *
ipv6 filter 6017 reject * * tcp * telnet,sunrpc,snmp,1900,2049,3702,5000,5001,5355
ipv6 filter 6020 reject * * udp,tcp 135 *
ipv6 filter 6021 reject * * udp,tcp * 135
ipv6 filter 6022 reject * * udp,tcp netbios_ns-netbios_ssn *
ipv6 filter 6023 reject * * udp,tcp * netbios_ns-netbios_ssn
ipv6 filter 6024 reject * * udp,tcp 445,548 *
ipv6 filter 6025 reject * * udp,tcp * 445,548
ipv6 filter 6026 reject * * tcp telnet,www,sunrpc,snmp,https,843,1900,2049,3702,5000,5001,5355 *
ipv6 filter 6027 reject * * tcp * telnet,sunrpc,snmp,1900,2049,3702,5000,5001,5355
ipv6 filter 6200 reject * * * * *
ipv6 filter 6300 pass * * * * *
ipv6 filter dynamic 600 * * tcp
ipv6 filter dynamic 601 * * udp
queue class filter 11 4 ip * * tcp 5060 *
queue class filter 12 4 ip * * udp 5004-5060 *
queue class filter 13 3 ip * * * * 8090
queue class filter 14 3 ip * * * 8090 *
queue class filter 17 3 ip * 203.211.199.0/24 * * *
url filter 99 pass-log * *
syslog host 172.16.0.1
syslog notice on
syslog debug off
tftp host 192.168.11.100
telnetd host lan
dhcp service server
dhcp scope 1 192.168.11.100-192.168.11.199/24
dns service fallback on
dns server dhcp lan2
dns private address spoof on
wins server 172.16.0.1
snmp host any
schedule at 1 */Mon-Fri 06:50 * wol send lan1 00:26:9E:FC:CB:00
schedule at 2 */* 06:00 * ntpdate ntp3.jst.mfeed.ad.jp
pptp service on
pptp keepalive log off
pptp syslog on
l2tp service on
httpd host lan1
upnp use on
upnp syslog on
sshd service on
sshd host any
sshd host key generate *
sntpd service on
sntpd host any
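The Office-A configuration declares two IPsec tunnels with different ESP policies (tunnel 21 with 3des-cbc/md5-hmac, tunnel 30 with aes-cbc/sha-hmac). The following audit helper is an added example written for this article, not Yamaha's or the author's code: it reads "show config" lines, pairs each "tunnel select" block with the "ipsec sa policy" declared under it, and reports policies that still rely on 3DES or MD5. The sample input is constructed from the tunnel lines above.

```python
# Added audit helper (not Yamaha tooling). It walks Yamaha "show config" text,
# tracks the current "tunnel select N" block, and records the ESP policy under it.
import re

DEPRECATED_ENC = {"des-cbc", "3des-cbc"}   # ciphers no longer recommended for ESP
DEPRECATED_AUTH = {"md5-hmac"}            # integrity algorithms no longer recommended
TUNNEL_RE = re.compile(r"^\s*tunnel select (\d+)\s*$")
POLICY_RE = re.compile(r"^\s*ipsec sa policy (\d+) (\d+) esp (\S+) (\S+)")

def audit_tunnels(config_text):
    """Return {tunnel_no: {policy, gateway, enc, auth, findings}} for each IPsec tunnel."""
    result, current = {}, None
    for line in config_text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:                                  # entering a new tunnel block
            current = int(m.group(1))
            continue
        m = POLICY_RE.match(line)
        if m and current is not None:
            policy, gateway, enc, auth = m.groups()
            findings = []
            if enc in DEPRECATED_ENC:
                findings.append(f"encryption {enc} is deprecated; prefer aes-cbc")
            if auth in DEPRECATED_AUTH:
                findings.append(f"integrity {auth} is deprecated; prefer sha-hmac")
            result[current] = {"policy": int(policy), "gateway": int(gateway),
                               "enc": enc, "auth": auth, "findings": findings}
    return result

# Constructed sample: the two IPsec tunnels from the Office-A config (other lines omitted).
SAMPLE = """\
tunnel select 21
 ipsec tunnel 121
  ipsec sa policy 121 21 esp 3des-cbc md5-hmac
  ipsec ike remote address 21 any
  ipsec ike remote name 21 kyoten1
 tunnel enable 21
tunnel select 30
 tunnel encapsulation l2tp
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
 tunnel enable 30
"""

if __name__ == "__main__":
    for tun, info in audit_tunnels(SAMPLE).items():
        status = "; ".join(info["findings"]) or "ok"
        print(f"tunnel {tun}: esp {info['enc']} {info['auth']} -> {status}")
```

Run against the full Office-B dump it flags that site's tunnel 1 (3des-cbc/md5-hmac) the same way; both ends of a tunnel must be changed together.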

Office-B SRT100 (USB mobile):

# Office-B 192.168.21.1
# show config
security class 1 on on
console character ascii
console columns 200
console lines infinity
console prompt SRT100_
login timer 600
# the default gateway is tunnel 1
# filter-type routing selects the egress per port.
# filter 1 (the various servers): go via tunnel 1 and reach the Internet directly from site 1
# filter 2 (ordinary traffic): reach the Internet directly from pp 1
# to 192.168.11.0/24: tunnel 1
ip route default gateway tunnel 1 filter 1 gateway tunnel 1 filter 2 gateway pp 1
ip route 192.168.11.0/24 gateway tunnel 1
ip filter source-route on
ip filter directed-broadcast on
ip keepalive 1 icmp-echo 5 5 192.168.11.1
speed lan1 200k
queue lan1 type priority
queue lan1 class filter list 1 2 3 4 5 6
ip lan1 address 192.168.21.1/24
pp select 1
 # connection to IIJmio
 pp bind usb1
 pp always-on on
 pp auth accept pap chap
 # enter the ID and password assigned by the ISP
 pp auth myname ID@ISP.NET PASSWORD
 ppp lcp mru off 1792
 ppp lcp accm on
 ppp lcp pfc on
 ppp lcp acfc on
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ipv6cp use off
 ip pp secure filter in 101 103 1020 1030 1040 1041 1050 1051 1052 1055 1056 3000
 ip pp secure filter out 102 104 1010 1011 1012 1013 1014 1015 3000
 ip pp nat descriptor 1000
 mobile auto connect on
 mobile disconnect time off
 # for IIJ-family SIMs the access point is "vmobile.jp cid=1".
 mobile access-point name vmobile.jp cid=1
 mobile access limit duration off
 mobile access limit length off
 mobile access limit time off
 pp enable 1
tunnel select 1
 # connection to OFFICE-A
 ipsec tunnel 101
  ipsec sa policy 101 1 esp 3des-cbc md5-hmac
  ipsec ike always-on 1 on
  ipsec ike keepalive log 1 on
  ipsec ike keepalive use 1 on icmp-echo 192.168.11.1
  ipsec ike local address 1 192.168.21.1
  ipsec ike local name 1 kyoten1 key-id
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text PRE-SHARED-KEY
  ipsec ike remote address 1 OFFICE-A.aa0.netvolante.jp
 ipsec auto refresh 1 on
 queue tunnel class filter list 1 2 3 4 5 6
 tunnel enable 1
# filter 1 (the various servers): go via tunnel 1 and reach the Internet directly from site 1
# filter 2 (ordinary traffic): reach the Internet directly from pp 1
ip filter 1 pass-log * * tcp,udp * 22,telnet,514,3389,5900,8080,8090,10000,10001
ip filter 2 pass-log * * tcp,udp 22,telnet,514,3389,5900,8080,8090,10000,10001 *
ip filter 101 pass-log * 192.168.21.200 * www,19788,28099 *
ip filter 102 pass-log 192.168.21.200 * * * www,19788,28099
ip filter 103 reject * 192.168.21.100,192.168.21.200 * * *
ip filter 104 reject 192.168.21.100,192.168.21.200 * * * *
ip filter 1010 reject * * udp,tcp 135 *
ip filter 1011 reject * * udp,tcp * 135
ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1014 reject * * udp,tcp 445 *
ip filter 1015 reject * * udp,tcp * 445
ip filter 1020 reject 192.168.21.0/24 *
ip filter 1030 pass * * icmp
ip filter 1051 pass-log 管理IP_Address * * *
ip filter 1055 pass 192.168.21.0/24 * tcp * *
ip filter 1056 pass * 192.168.21.0/24 tcp * *
ip filter 2000 reject * *
ip filter 3000 pass * *
ip filter 3011 pass-log * *
ip filter 3021 pass-log * *
ip filter 9999 pass * * *
nat descriptor type 1 masquerade
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 192.168.21.1 tcp 22,telnet,www
nat descriptor masquerade static 1000 2 192.168.21.1 tcp 1723
nat descriptor masquerade static 1000 3 192.168.21.1 gre
nat descriptor masquerade static 1000 4 192.168.21.100 tcp 5900
nat descriptor masquerade static 1000 11 192.168.21.1 udp 500
nat descriptor masquerade static 1000 12 192.168.21.1 esp
ipsec auto refresh on
syslog notice on
syslog info on
syslog debug off
dhcp service server
dhcp server rfc2131 compliant on
dhcp scope 1 192.168.21.100-192.168.21.199/24
dhcp scope bind 1 192.168.21.170 ethernet NN:NN:NN:NN:NN:NN
dns server 129.250.35.250
dns private address spoof on
snmp host 192.168.21.200
snmp community read-only private
snmp yrifppdisplayatmib2 on
# line liveness is monitored by ping_restart.lua, which restarts the router.
schedule at 1 */* 02:30 * ntpdate ntp2.jst.mfeed.ad.jp
schedule at 2 */* *:00 * lua /ping_restart.lua
schedule at 3 */Mon-Fri 02:45 * disconnect 1
schedule at 4 */Mon-Fri 02:55 * connect 1
schedule at 5 */* *:10 * lua /ping_restart.lua
schedule at 6 */* *:20 * lua /ping_restart.lua
schedule at 7 */* *:30 * lua /ping_restart.lua
schedule at 8 */* *:40 * lua /ping_restart.lua
schedule at 9 */* *:50 * lua /ping_restart.lua
httpd host lan
alarm entire off
sshd service on
sshd host any
sshd host key generate *
jate number
mobile syslog on
mobile use usb1 on
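The comments in the Office-B configuration describe filter-type routing: the default route lists gateways in order, each guarded by a filter, and the first gateway whose filter passes the packet (or that has no filter) is used. The following model is an added illustration written for this article, not Yamaha code; it parses the route line and filters 1 and 2 from the config above (constructed sample input) and answers which interface a given packet leaves on. Only the port fields are modelled, and the service names "telnet" and "www" are resolved from a small constructed table.

```python
# Added illustration (not Yamaha code): a model of Office-B's filter-type default
# route "ip route default gateway tunnel 1 filter 1 gateway tunnel 1 filter 2 gateway pp 1".
NAMED_PORTS = {"telnet": 23, "www": 80}   # constructed subset of Yamaha service names

def parse_ports(spec):
    """'*' means any port (None); '22,telnet,514' becomes {22, 23, 514}."""
    if spec == "*":
        return None
    return {NAMED_PORTS[p] if p in NAMED_PORTS else int(p) for p in spec.split(",")}

def parse_filter(line):
    """'ip filter N action src dst proto sport dport' -> (N, rule dict)."""
    _, _, num, action, _src, _dst, proto, sport, dport = line.split()
    return int(num), {"pass": action.startswith("pass"), "proto": set(proto.split(",")),
                      "sport": parse_ports(sport), "dport": parse_ports(dport)}

def parse_route(line):
    """'ip route default gateway G [filter N] ...' -> [(gateway, filter_no or None), ...]."""
    toks, routes, i = line.split()[3:], [], 0
    while i < len(toks):                      # each entry is 'gateway <kind> <no> [filter <n>]'
        assert toks[i] == "gateway"
        gw, i = f"{toks[i + 1]} {toks[i + 2]}", i + 3
        flt = None
        if i < len(toks) and toks[i] == "filter":
            flt, i = int(toks[i + 1]), i + 2
        routes.append((gw, flt))
    return routes

def matches(rule, proto, sport, dport):
    return (proto in rule["proto"]
            and (rule["sport"] is None or sport in rule["sport"])
            and (rule["dport"] is None or dport in rule["dport"]))

# Constructed sample: the default route and the two routing filters from the Office-B config.
ROUTES = parse_route("ip route default gateway tunnel 1 filter 1 gateway tunnel 1 filter 2 gateway pp 1")
FILTERS = dict(parse_filter(l) for l in [
    "ip filter 1 pass-log * * tcp,udp * 22,telnet,514,3389,5900,8080,8090,10000,10001",
    "ip filter 2 pass-log * * tcp,udp 22,telnet,514,3389,5900,8080,8090,10000,10001 *",
])

def egress(proto, sport, dport):
    """Interface a packet leaves Office-B on: first gateway whose filter passes, else the unfiltered one."""
    for gw, flt in ROUTES:
        if flt is None or (FILTERS[flt]["pass"] and matches(FILTERS[flt], proto, sport, dport)):
            return gw
    return None

if __name__ == "__main__":
    print(egress("tcp", 51000, 22))    # tunnel 1: SSH exits via Office-A's global address
    print(egress("tcp", 51000, 443))   # pp 1: ordinary HTTPS goes straight out the mobile line
```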

Reference: mobile router information

SRT100_> show status usbhost
USB host controller:       Running
USB bus power feed:        ON
Attached USB device
  Device name:             0x6326 <docomo L03D>
  Vendor name:             0x1004 <NTT DOCOMO, INC.>
  Telephone number:        07012345678
  Maximum transfer rate:   480Mbps(High speed)
SRT100_>

ping_restart.lua: liveness monitoring and restart script.

I borrowed the idea from the blog めむ帖 ~駆け出しSEの雑記帖~. Thank you.

Memo: the USB 3G (LTE) Internet connection housed on the YAMAHA SRT100 was suffering packet stalls of unknown cause, so I wrote a simple script that restarts the router when it can no longer reach the Internet and decided to watch how it behaves.

[Requirements]
At a fixed interval (every hour at :00), ping 8.8.8.8; if packets are lost, restart the device.

[Add the following to the config]
schedule at 1 */* *:00 * lua /ping_restart.lua

[Lua script]
rtn, str = rt.command("ping -c 10 8.8.8.8")
if (rtn) and (str) then
   loss = string.match(str, "(%d+)%.%d+%%")      -- extract the integer part of the packet-loss rate (NNN.N%)
   if (loss ~= nil) then
      loss = tonumber(loss)                 -- convert the string to a number
      if (loss >= 30) then
         rt.command("restart")
      end
   end
end

Copying the Lua script from a PC to the router (from the YAMAHA website)

To copy the Lua script from the root directory of a USB stick to the router's root directory:

[Router console]
# copy usb1:/ping_restart.lua /ping_restart.lua

# show file list /
2015/05/29 10:15:47             262 ping_restart.lua