編集履歴

質問編集履歴

拠点Aのコンフィグ追加

2018/02/13 03:15

投稿

ky1990

スコア14

title CHANGED Viewed

File without changes

body CHANGED Viewed

@@ -5,4 +5,241 @@
 もし、設定に問題があったらご指摘頂ければ幸いです。
 その他、セキュリティやFW等、疑うべき箇所につきましてご指導頂ければ幸いです。
-使用機器：RTX1210
+使用機器：RTX1210
+下記実際のコンフィグです。
+拠点A
+ip route default gateway pp 1
+ip filter source-route on
+ip filter directed-broadcast on
+bridge member bridge1 lan1 tunnel7
+ip bridge1 address 172.27.1.253/24
+ip lan1 address 172.27.1.253/24
+ip lan1 proxyarp on
+ip lan1 secure filter in 10 99
+ip lan3 address 172.27.2.253/24
+ip lan3 proxyarp on
+ip lan3 secure filter in 11 99
+pp select 1
+ pp always-on on
+ pppoe use lan2
+ pp auth accept pap chap
+ pp auth myname (ISP1へ接続するID) (ISP1へ接続するパスワード)
+ ppp lcp mru on 1454
+ ppp ipcp msext on
+ ppp ccp type none
+ ip pp address (拠点AのグローバルIP)
+ ip pp mtu 1454
+ ip pp secure filter in 1020 1030 1040 1041 1042 1043 1044 1045 2000
+ ip pp secure filter out 1010 1011 1012 1013 1014 1015 3000 dynamic 100 101 102 103 104 105 106 107
+ ip pp nat descriptor 1
+ pp enable 1
+pp select anonymous
+ pp bind tunnel1-tunnel6 tunnel8-tunnel9
+ pp auth request mschap-v2
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ pp auth username (接続ユーザ名) (接続パスワード)
+ ppp ipcp ipaddress on
+ ppp ipcp msext on
+ ip pp remote address pool 172.27.1.200-172.27.1.209
+ ip pp mtu 1258
+ pp enable anonymous
+tunnel select 1
+ tunnel encapsulation l2tp
+ ipsec tunnel 101
+  ipsec sa policy 101 1 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 1 off
+  ipsec ike local address 1 172.27.1.253
+  ipsec ike nat-traversal 1 on
+  ipsec ike remote address 1 any
+  ipsec ike license-key use 1 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 1
+tunnel select 2
+ tunnel encapsulation l2tp
+ ipsec tunnel 102
+  ipsec sa policy 102 2 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 2 off
+  ipsec ike local address 2 172.27.1.253
+  ipsec ike nat-traversal 2 on
+  ipsec ike remote address 2 any
+  ipsec ike license-key use 2 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 2
+tunnel select 3
+ tunnel encapsulation l2tp
+ ipsec tunnel 103
+  ipsec sa policy 103 3 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 3 off
+  ipsec ike local address 3 172.27.1.253
+  ipsec ike nat-traversal 3 on
+  ipsec ike remote address 3 any
+  ipsec ike license-key use 3 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 3
+tunnel select 4
+ tunnel encapsulation l2tp
+ ipsec tunnel 104
+  ipsec sa policy 104 4 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 4 off
+  ipsec ike local address 4 172.27.1.253
+  ipsec ike nat-traversal 4 on
+  ipsec ike remote address 4 any
+  ipsec ike license-key use 4 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 4
+tunnel select 5
+ tunnel encapsulation l2tp
+ ipsec tunnel 105
+  ipsec sa policy 105 5 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 5 off
+  ipsec ike local address 5 172.27.1.253
+  ipsec ike nat-traversal 5 on
+  ipsec ike remote address 5 any
+  ipsec ike license-key use 5 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 5
+tunnel select 6
+ tunnel encapsulation l2tp
+ ipsec tunnel 106
+  ipsec sa policy 106 6 esp 3des-cbc sha-hmac
+  ipsec ike keepalive use 6 off
+  ipsec ike local address 6 172.27.1.253
+  ipsec ike nat-traversal 6 on
+  ipsec ike remote address 6 any
+  ipsec ike license-key use 6 on
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 6
+tunnel select 7
+ tunnel encapsulation l2tpv3
+ tunnel endpoint address 172.27.1.253 (拠点BのグローバルIP)
+ ipsec tunnel 107
+  ipsec sa policy 107 7 esp aes-cbc sha-hmac
+  ipsec ike keepalive log 7 on
+  ipsec ike keepalive use 7 on
+  ipsec ike local address 7 172.27.1.253
+  ipsec ike pre-shared-key 7 text (事前共有鍵①)
+  ipsec ike remote address 7 (拠点BのグローバルIP)
+ l2tp always-on on
+ l2tp hostname surluster
+ l2tp tunnel auth on (L2TP トンネル認証に用いるパスワード①)
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 60 3
+ l2tp keepalive log on
+ l2tp syslog on
+ l2tp local router-id 172.27.1.253
+ l2tp remote router-id 172.27.1.254
+ l2tp remote end-id A
+ tunnel enable 7
+tunnel select 8
+ tunnel encapsulation l2tp
+ ipsec tunnel 108
+  ipsec sa policy 108 8 esp aes-cbc sha-hmac
+  ipsec ike keepalive use 8 off
+  ipsec ike nat-traversal 8 on
+  ipsec ike pre-shared-key 8 text (事前共有鍵)
+  ipsec ike remote address 8 any
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 8
+tunnel select 9
+ tunnel encapsulation l2tp
+ ipsec tunnel 109
+  ipsec sa policy 109 9 esp aes-cbc sha-hmac
+  ipsec ike keepalive use 9 off
+  ipsec ike nat-traversal 9 on
+  ipsec ike pre-shared-key 9 text (事前共有鍵)
+  ipsec ike remote address 9 any
+ l2tp tunnel disconnect time off
+ l2tp keepalive use on 10 3
+ l2tp keepalive log on
+ l2tp syslog on
+ ip tunnel tcp mss limit auto
+ tunnel enable 9
+ip filter 10 reject * 172.27.2.0/24 * * *
+ip filter 11 reject * 172.27.1.0/24 * * *
+ip filter 99 pass * * * * *
+ip filter 1010 reject * * udp,tcp 135 *
+ip filter 1011 reject * * udp,tcp * 135
+ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
+ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
+ip filter 1014 reject * * udp,tcp 445 *
+ip filter 1015 reject * * udp,tcp * 445
+ip filter 1020 reject 172.27.1.0/24 *
+ip filter 1030 pass * 172.27.1.0/24 icmp
+ip filter 1040 pass * 172.27.1.253 udp * 500
+ip filter 1041 pass * 172.27.1.253 udp * 4500
+ip filter 1042 pass * 172.27.1.253 esp
+ip filter 1043 pass * 172.27.1.254 udp * 500
+ip filter 1044 pass * 172.27.1.254 udp * 4500
+ip filter 1045 pass * 172.27.1.254 esp
+ip filter 2000 reject * *
+ip filter 3000 pass * *
+ip filter dynamic 100 * * ftp
+ip filter dynamic 101 * * www
+ip filter dynamic 102 * * domain
+ip filter dynamic 103 * * smtp
+ip filter dynamic 104 * * pop3
+ip filter dynamic 105 * * imap
+ip filter dynamic 106 * * netmeeting
+ip filter dynamic 107 * * tcp
+ip filter dynamic 108 * * udp
+ip filter dynamic 109 * * submission
+nat descriptor type 1 masquerade
+nat descriptor address outer 1 (拠点AのグローバルIP)
+nat descriptor masquerade static 1 1 172.27.1.253 esp
+nat descriptor masquerade static 1 2 172.27.1.253 udp 500
+nat descriptor masquerade static 1 3 172.27.1.253 udp 4500
+ipsec auto refresh on
+ipsec ike license-key 1 (ライセンスキー)
+ipsec transport 1 101 udp 1701
+ipsec transport 2 102 udp 1701
+ipsec transport 3 103 udp 1701
+ipsec transport 4 104 udp 1701
+ipsec transport 5 105 udp 1701
+ipsec transport 6 106 udp 1701
+ipsec transport 7 107 udp 1701
+ipsec transport 8 108 udp 1701
+ipsec transport 9 109 udp 1701
+dhcp service server
+dhcp server rfc2131 compliant except remain-silent
+dhcp scope 1 172.27.1.2-172.27.1.191/24
+dns server (拠点AのDNS① 拠点AのDNS②)
+dns private address spoof on
+l2tp service on
+httpd host any
+dashboard accumulate traffic on