OCN Hikari + RTX1210: dual-arm IPoE + PPPoE connection
With OCN Hikari, IPoE is available at no extra charge simply by applying for it,
and enabling IPoE does not take PPPoE away from you,
which makes the setup described below possible.
Searching around, all I could find were ridiculous write-ups along the lines of
"configure IPoE from the CLI, but do PPPoE and L2TP/IPsec from the GUI!",
so I implemented the whole thing from the CLI.
I'll skip the fine details for now;
anyone doing this from the CLI can look them up on Yamaha's RTX site or elsewhere and work them out quickly.
Key points of the implementation:
- OCN Hikari + RTX1210
- Internet traffic goes over IPoE; VPN-related traffic goes over PPPoE
- The PPPoE IPv4 side is registered with the myDNS dynamic DNS service, so filter routing sends the myDNS update out the PPPoE side and the PPPoE IPv4 address is the one that gets registered
- The PPPoE IPv4 address terminates the site-to-site IPsec VPN and the L2TP/IPsec connections from Windows 7/8.x/10/11 and Android clients
- VPN-related traffic is steered to the PPPoE side by filter routing
- The IPoE IPv4 address is shared (MAP-E), so only a limited set of ports is usable; check them by specifying the MAP-E NAT descriptor number (in the output below no block covers UDP 500, 4500 or 1701, which is also why the VPN endpoints cannot live on the MAP-E address)
- With the config below that is [show nat descriptor address 6000]
The config is given all at once, but the order to bring it up in is:
- IPoE connection
- PPPoE connection
Confirm that both of those pass traffic first, then move on to the IPsec VPN and filter routing, and only then L2TP/IPsec; otherwise, when something breaks, the troubleshooting takes a long time
(speaking from experience...)
```
console columns 4096
console lines infinity
ip route default gateway tunnel 1 gateway pp 10 filter 5000 5010 5011 5012 5013
ip route 172.16.0.0/24 gateway tunnel 10
ip filter source-route on
ip filter directed-broadcast on
ipv6 prefix 10 ra-prefix@lan3::/64
ipv6 source address selection rule lifetime
ip lan1 address 172.16.10.1/24
ip lan1 proxyarp on
ipv6 lan1 address ra-prefix@lan3::1/64
ipv6 lan1 rtadv send 10 o_flag=on
ipv6 lan1 dhcp service server
ipv6 lan3 secure filter in 6000 6001 6002 6003
ipv6 lan3 secure filter out 6099 dynamic 6100 6101 6102 6103 6104 6105 6198 6199
ipv6 lan3 dhcp service client ir=on
ngn type lan3 ntt
pp select 10
 pp name ocn
 description pp ocn
 pp always-on on
 pppoe use lan3
 pppoe auto connect on
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname <PPPoE ID> <PPPoE PASS>
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp mtu 1454
 ip pp secure filter in 4050 4060 4061 4062 4063 4099
 ip pp secure filter out 4010 4011 4012 4013 4014 4015 4016 4017 4098 dynamic 4100 4101 4102 4103 4104 4105 4198 4199
 ip pp intrusion detection in on
 ip pp nat descriptor 4000
 pp enable 10
pp select anonymous
 pp bind tunnel20
 pp auth request chap
 pp auth username <L2TP ID> <L2TP PASS>
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp remote address pool 172.16.10.150-172.16.10.200
 ip pp mtu 1258
 pp enable anonymous
tunnel select 1
 tunnel encapsulation map-e
 tunnel map-e type ocn
 ip tunnel mtu 1460
 ip tunnel secure filter in 4010 4011 4012 4013 4014 4015 4050 4070 4099
 ip tunnel secure filter out 4010 4011 4012 4013 4014 4015 4016 4017 4098 dynamic 4100 4101 4102 4103 4104 4105 4198 4199
 ip tunnel nat descriptor 6000
 tunnel enable 1
tunnel select 10
 description tunnel IPsec/VPN
 ipsec tunnel 10
  ipsec sa policy 10 10 esp aes256-cbc sha256-hmac
  ipsec ike encryption 10 aes-cbc
  ipsec ike keepalive log 10 off
  ipsec ike keepalive use 10 on
  ipsec ike local address 10 172.16.10.1
  ipsec ike pre-shared-key 10 text <Pre-Shared Key>
  ipsec ike remote address 10 <Remote FQDN>
 tunnel enable 10
tunnel select 20
 description tunnel l2tp
 tunnel encapsulation l2tp
 ipsec tunnel 20
  ipsec sa policy 20 20 esp aes-cbc sha-hmac
  ipsec ike keepalive use 20 off
  ipsec ike local address 20 172.16.10.1
  ipsec ike nat-traversal 20 on
  ipsec ike pre-shared-key 20 text <Pre-Shared Key>
  ipsec ike remote address 20 any
 l2tp tunnel disconnect time off
 l2tp keepalive use on 10 3
 l2tp keepalive log on
 l2tp syslog on
 ip tunnel tcp mss limit auto
 tunnel enable 20
ip filter 4010 reject * * udp,tcp 135 *
ip filter 4011 reject * * udp,tcp * 135
ip filter 4012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 4013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 4014 reject * * udp,tcp 445 *
ip filter 4015 reject * * udp,tcp * 445
ip filter 4016 restrict * * tcpfin * www,21,nntp
ip filter 4017 restrict * * tcprst * www,21,nntp
ip filter 4050 pass * 172.16.10.0/24 icmp * *
ip filter 4060 pass * 172.16.10.1 udp * 500
ip filter 4061 pass * 172.16.10.1 esp
ip filter 4062 pass * 172.16.10.1 udp * 4500
ip filter 4063 pass * 172.16.10.1 udp * 1701
ip filter 4070 pass * 172.16.10.100 tcp * 1185-1194
ip filter 4098 pass * * * * *
ip filter 4099 reject * * * * *
ip filter 5000 pass * *.mydns.jp tcp * *
ip filter 5010 pass * * udp 500 *
ip filter 5011 pass * * esp
ip filter 5012 pass * * udp 4500 *
ip filter 5013 pass * * udp 1701 *
ip filter dynamic 4100 * * ftp syslog=off
ip filter dynamic 4101 * * domain syslog=off
ip filter dynamic 4102 * * www syslog=off
ip filter dynamic 4103 * * smtp syslog=off
ip filter dynamic 4104 * * pop3 syslog=off
ip filter dynamic 4105 * * submission syslog=off
ip filter dynamic 4198 * * tcp
ip filter dynamic 4199 * * udp
nat descriptor type 4000 masquerade
nat descriptor address outer 4000 ipcp
nat descriptor masquerade incoming 4000 discard
nat descriptor masquerade static 4000 101 172.16.10.1 udp 500
nat descriptor masquerade static 4000 102 172.16.10.1 esp
nat descriptor masquerade static 4000 103 172.16.10.1 udp 4500
nat descriptor masquerade static 4000 104 172.16.10.1 udp 1701
nat descriptor type 6000 masquerade
nat descriptor address outer 6000 map-e
nat descriptor masquerade incoming 6000 discard
nat descriptor masquerade static 6000 100 172.16.10.100 tcp 1185-1194
ipsec auto refresh on
ipsec transport 20 20 udp 1701
ipv6 filter 6000 pass * * icmp6 * *
ipv6 filter 6001 pass * * tcp * ident
ipv6 filter 6002 pass * * udp * 546
ipv6 filter 6003 pass * * 4
ipv6 filter 6099 pass * * * * *
ipv6 filter dynamic 6100 * * ftp
ipv6 filter dynamic 6101 * * domain
ipv6 filter dynamic 6102 * * www
ipv6 filter dynamic 6103 * * smtp
ipv6 filter dynamic 6104 * * pop3
ipv6 filter dynamic 6105 * * submission
ipv6 filter dynamic 6198 * * tcp
ipv6 filter dynamic 6199 * * udp
telnetd service off
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 172.16.10.50-172.16.10.89/24
dhcp scope option 1 dns=172.16.10.1,1.0.0.1
dns host lan1
dns server dhcp lan3
dns private address spoof on
l2tp service on
upnp use on
sshd service on
```
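The filter-routing decision that the `ip route default gateway tunnel 1 gateway pp 10 filter 5000 5010 5011 5012 5013` line depends on, as an added example (my code, not from the original post and not Yamaha's): it evaluates the five filters copied from the config against a packet and reports which gateway the packet leaves on. The model is the rule the config relies on, that a packet passing one of the listed filters goes via `pp 10` (PPPoE) and everything else via `tunnel 1` (MAP-E). The sample packets and the hostname `example.mydns.jp` are constructed; the `*.mydns.jp` FQDN match is done on a hostname supplied by the caller, standing in for the router's DNS lookup. One thing it makes visible: filters 5010-5013 key on the source port, so only traffic the router itself originates as the IKE/ESP/L2TP endpoint is steered to PPPoE, not a LAN client's own connection to UDP 4500 somewhere.

```python
"""Filter-routing decision for the `ip route default` line above (added example).

Model: a gateway that carries a `filter` list takes any packet that passes one
of those filters; the gateway without a filter takes the rest.
"""
from __future__ import annotations

from dataclasses import dataclass
import fnmatch

# Filters copied from the config (number -> definition without the `ip filter N` prefix).
FILTERS = {
    5000: "pass * *.mydns.jp tcp * *",
    5010: "pass * * udp 500 *",
    5011: "pass * * esp",
    5012: "pass * * udp 4500 *",
    5013: "pass * * udp 1701 *",
}

# `ip route default gateway tunnel 1 gateway pp 10 filter 5000 5010 5011 5012 5013`
ROUTE = [("tunnel 1", []), ("pp 10", [5000, 5010, 5011, 5012, 5013])]


@dataclass
class Packet:
    src: str
    dst: str          # IP address, or the resolved hostname for FQDN filters
    proto: str        # "tcp", "udp", "esp", "icmp"
    sport: int = 0
    dport: int = 0


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _match_addr(spec: str, addr: str) -> bool:
    return spec == "*" or fnmatch.fnmatch(addr, spec)


def filter_passes(definition: str, pkt: Packet) -> bool:
    """True when the packet matches the filter and the action is pass.
    Fields: action src dst proto [sport [dport]]; absent port fields mean '*'."""
    parts = definition.split()
    action, src, dst, proto = parts[:4]
    sport = parts[4] if len(parts) > 4 else "*"
    dport = parts[5] if len(parts) > 5 else "*"
    matched = (_match_addr(src, pkt.src)
               and _match_addr(dst, pkt.dst)
               and (proto == "*" or pkt.proto in proto.split(","))
               and _match_port(sport, pkt.sport)
               and _match_port(dport, pkt.dport))
    return matched and action == "pass"


def choose_gateway(pkt: Packet) -> str | None:
    """Gateways with a filter list are tried first; the filter-less one is the fallback."""
    fallback = None
    for gw, filters in ROUTE:
        if not filters:
            fallback = gw
        elif any(filter_passes(FILTERS[n], pkt) for n in filters):
            return gw
    return fallback


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is documentation address space).
    samples = [
        ("IKE from the router",     Packet("172.16.10.1", "203.0.113.5", "udp", 500, 500)),
        ("ESP from the router",     Packet("172.16.10.1", "203.0.113.5", "esp")),
        ("myDNS update",            Packet("172.16.10.1", "example.mydns.jp", "tcp", 51000, 443)),
        ("LAN client web",          Packet("172.16.10.60", "203.0.113.9", "tcp", 51001, 443)),
        ("LAN client to udp/4500",  Packet("172.16.10.60", "203.0.113.9", "udp", 51002, 4500)),
    ]
    for label, pkt in samples:
        print(f"{label:24s} -> {choose_gateway(pkt)}")
```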
Output of show nat descriptor address 6000
```
> show nat descriptor address 6000
NAT/IP masquerade operating type : 2
Referenced NAT descriptor : 6000, applied interface : TUNNEL[1](1)
Masquerade table
 Outer address: map-e/153.240.144.132
 Port range: 1184-1199, 2208-2223, 3232-3247, 4256-4271, 5280-5295, 6304-6319, 7328-7343, 8352-8367, 9376-9391, 10400-10415, 11424-11439, 12448-12463, 13472-13487, 14496-14511, 15520-15535, 16544-16559, 17568-17583, 18592-18607, 19616-19631, 20640-20655, 21664-21679, 22688-22703, 23712-23727, 24736-24751, 25760-25775, 26784-26799, 27808-27823, 28832-28847, 29856-29871, 30880-30895, 31904-31919, 32928-32943, 33952-33967, 34976-34991, 36000-36015, 37024-37039, 38048-38063, 39072-39087, 40096-40111, 41120-41135, 42144-42159, 43168-43183, 44192-44207, 45216-45231, 46240-46255, 47264-47279, 48288-48303, 49312-49327, 50336-50351, 51360-51375, 52384-52399, 53408-53423, 54432-54447, 55456-55471, 56480-56495, 57504-57519, 58528-58543, 59552-59567, 60576-60591, 61600-61615, 62624-62639, 63648-63663, 64672-64687
 157 sessions
```
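To make the port limitation concrete, here is an added example (my code, not from the original post or Yamaha). It reproduces the RFC 7597 MAP-E port-set rule, port = (A << (16 - a)) | (PSID << m) | M with A >= 1, parses the port-range line from the show output above, and checks whether a planned `nat descriptor masquerade static` range such as the config's `tcp 1185-1194` falls entirely inside the usable set. The PSID value 10 and the parameters a = 6 (PSID offset) and k = 6 (PSID length) are assumptions inferred from the 16-port blocks repeating every 1024 ports in the output, not values published by OCN; the excerpt of the show output embedded in the script is constructed from the first and last few ranges shown above.

```python
"""Verify a planned port forward against the MAP-E port set (added example).

Assumptions (inferred from the show output above, not from OCN documentation):
PSID = 10, PSID offset a = 6, PSID length k = 6, hence m = 16 - a - k = 4,
i.e. 16 contiguous ports per block, one block per 1024 ports, block A = 0
(well-known ports 0-1023) never assigned.
"""
from __future__ import annotations

import re

# Constructed excerpt of the `show nat descriptor address 6000` output
# (first and last ranges only; the real line lists all 63 blocks).
SHOW_EXCERPT = ("Port range: 1184-1199, 2208-2223, 3232-3247, "
                "63648-63663, 64672-64687")


def map_e_port_set(psid: int, offset: int = 6, psid_len: int = 6) -> set[int]:
    """RFC 7597 port set for one subscriber: A from 1 to 2^a - 1, M from 0 to 2^m - 1."""
    m = 16 - offset - psid_len
    ports: set[int] = set()
    for a in range(1, 1 << offset):
        base = (a << (16 - offset)) | (psid << m)
        ports.update(range(base, base + (1 << m)))
    return ports


def parse_port_ranges(text: str) -> set[int]:
    """Turn a 'Port range: lo-hi, lo-hi, ...' line into a set of ports."""
    ports: set[int] = set()
    for lo, hi in re.findall(r"(\d+)-(\d+)", text):
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def check_static_range(lo: int, hi: int, allowed: set[int]) -> tuple[bool, list[int]]:
    """Return (ok, ports_outside_set) for a planned
    `nat descriptor masquerade static ... tcp lo-hi` entry."""
    missing = sorted(set(range(lo, hi + 1)) - allowed)
    return (not missing, missing)


def infer_psid(port: int, offset: int = 6, psid_len: int = 6) -> int:
    """Recover the PSID from any port in the set, when the show output is all you have."""
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


if __name__ == "__main__":
    allowed = map_e_port_set(infer_psid(1184))
    # The excerpt from the router must be consistent with the assumed PSID.
    assert parse_port_ranges(SHOW_EXCERPT) <= allowed
    print(f"PSID {infer_psid(1184)}: {len(allowed)} usable ports on the MAP-E address")
    # The config's forward (1185-1194) fits; IKE/NAT-T/L2TP ports do not, so they
    # have to be terminated on the PPPoE address.
    for lo, hi in [(1185, 1194), (1185, 1200), (500, 500), (4500, 4500), (1701, 1701)]:
        ok, missing = check_static_range(lo, hi, allowed)
        print(f"{lo}-{hi}: {'OK' if ok else 'NOT usable on MAP-E, outside set: ' + str(missing)}")
```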