いろんな設定例

<<Allied>>

●インターネット
# AlliedWare: basic PPPoE Internet gateway. NAT for vlan1, DNS relay and a DHCP
# server for the LAN. Commands run top to bottom as a boot script.
CREATE PPP=0 OVER=eth0-ANY
# PPPoE on eth0 to any access concentrator. BAP (bandwidth allocation) off, LQR off,
# LCP echo on so a dead link is noticed. user@isp / isppasswd are placeholders and
# are stored in cleartext in the running config - protect config backups accordingly.
SET PPP=0 OVER=eth0-ANY BAP=OFF IPREQUEST=ON USER=user@isp PASSWORD=isppasswd LQR=OFF ECHO=ON
ENABLE IP
# ppp0 is added as 0.0.0.0 below and gets its address from the ISP over IPCP.
ENABLE IP REMOTEASSIGN
ADD IP INT=vlan1 IP=192.168.10.1 MASK=255.255.255.0
ADD IP INT=ppp0 IP=0.0.0.0
# Default route out the point-to-point link; NEXTHOP is meaningless on PPP.
ADD IP ROUTE=0.0.0.0 INT=ppp0 NEXTHOP=0.0.0.0
# LAN clients send DNS to this router, which relays to the servers learned on ppp0.
ENABLE IP DNSRELAY
SET IP DNSRELAY INT=ppp0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
# Let ping and destination-unreachable ICMP through the policy.
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
# Do not answer ident (TCP/113) requests on behalf of LAN hosts.
DISABLE FIREWALL POLICY=net IDENTPROXY
# vlan1 is the trusted side, ppp0 the untrusted side. Unsolicited inbound on a PUBLIC
# interface is dropped by the firewall's default unless a rule allows it.
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0 TYPE=PUBLIC
# Dynamic many-to-one NAT of LAN traffic to the ppp0 address.
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0
ENABLE DHCP
# 2-hour leases; this router is handed out as both gateway and DNS (relay).
CREATE DHCP POLICY=BASE LEASETIME=7200
ADD DHCP POLICY=BASE SUBNET=255.255.255.0 ROUTER=192.168.10.1 DNSSERVER=192.168.10.1
CREATE DHCP RANGE=LOCAL POLICY=BASE IP=192.168.10.100 NUMBER=32


・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・
# Variant of the Internet gateway above with a /25 LAN (10.200.30.0/25) and a
# downstream Yamaha router at 10.200.30.2 that owns 10.200.30.128/25 (see the
# "yamaha seg分割" listing further down for the other side of this topology).
CREATE PPP=0 OVER=eth0-ANY
# isp / pass are placeholder ISP credentials (stored in cleartext).
SET PPP=0 OVER=eth0-ANY BAP=OFF IPREQUEST=ON USER=isp PASSWORD=pass LQR=OFF ECHO=ON
ENABLE IP
ENABLE IP REMOTEASSIGN
ADD IP INT=vlan1 IP=10.200.30.1 MASK=255.255.255.128
ADD IP INT=ppp0 IP=0.0.0.0
ADD IP ROUTE=0.0.0.0 INT=ppp0 NEXTHOP=0.0.0.0
# Upper half of 10.200.30.0/24 lives behind the Yamaha router on the LAN.
add ip route=10.200.30.128 mask=255.255.255.128 int=vlan1 nexthop=10.200.30.2
ENABLE IP DNSRELAY
SET IP DNSRELAY INT=ppp0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
DISABLE FIREWALL POLICY=net IDENTPROXY
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0 TYPE=PUBLIC
# NAT covers everything arriving on vlan1, including the routed 10.200.30.128/25 hosts.
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0

# The next two lines repeat the DNS relay commands already given above; harmless, but
# one copy is enough.
ENABLE IP DNSRELAY
SET IP DNSRELAY INT=ppp0
ENABLE DHCP
CREATE DHCP POLICY=BASE LEASETIME=7200
ADD DHCP POLICY=BASE SUBNET=255.255.255.128 ROUTER=10.200.30.1 DNSSERVER=10.200.30.1
# PROBE=ARP: ARP-probe an address before leasing it, to avoid handing out one already in use.
CREATE DHCP RANGE=LOCAL POLICY=BASE IP=10.200.30.10 NUMBER=32 PROBE=ARP

●DNSリレー
# DNS relay with statically configured upstream servers instead of servers learned
# over PPP. The two ADD IP DNS lines are alternatives (without / with a secondary
# server) - use one of them. 11.22.33.44 / .45 are placeholders, not documentation
# addresses; replace with the real resolvers.
ADD IP DNS PRIMARY=11.22.33.44
ADD IP DNS PRIMARY=11.22.33.44 SECONDARY=11.22.33.45
ENABLE IP DNSRELAY

●DHCPとDNS
# DHCP + DNS relay fragment (same lines as in the /25 gateway example above):
# clients get this router as DNS server and the router relays to the servers learned on ppp0.
ENABLE IP DNSRELAY
SET IP DNSRELAY INT=ppp0
ENABLE DHCP
CREATE DHCP POLICY=BASE LEASETIME=7200
ADD DHCP POLICY=BASE SUBNET=255.255.255.128 ROUTER=10.200.30.1 DNSSERVER=10.200.30.1
# ARP-probe before leasing.
CREATE DHCP RANGE=LOCAL POLICY=BASE IP=10.200.30.10 NUMBER=32 PROBE=ARP

●#センター経由(センター側)
# Hub (centre) router of a hub-and-spoke IPsec setup. Two PPPoE sessions on eth0:
# ppp0 = closed user group (CUG) link to the branches, ppp1 = ISP. Branch traffic
# arrives through the tunnel on ppp0 and is NATed out to the Internet on ppp1.
# PasswordS is a placeholder - set a strong security-officer password.
add user=secoff pass=PasswordS priv=securityOfficer lo=yes
create ppp=0 over=eth0-ANY
# cug / pass and isp / pass are placeholder PPPoE credentials (stored in cleartext).
set ppp=0 bap=off iprequest=on username=cug password=pass
set ppp=0 over=eth0-ANY lqr=off echo=10
create ppp=1 over=eth0-ANY
set ppp=1 bap=off iprequest=on username=isp password=pass
set ppp=1 over=eth0-ANY lqr=off echo=10
enable ip
enable ip remote
# DNS relay for the LAN and the branches, using the ISP's servers learned on ppp1.
ena ip dnsrelay
set ip dnsrelay int=ppp1
# vlan1 has no MASK= - relies on the default mask for a 192.168.x address (/24).
add ip int=vlan1 ip=192.168.1.254
add ip int=ppp1 ip=61.214.229.123 mask=255.255.255.255
add ip int=ppp0 ip=172.25.76.3 mask=255.255.255.255
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp1 next=0.0.0.0
# NOTE(review): 172.0.0.0/8 is far wider than the CUG; it also sends public 172.x
# destinations into ppp0. Narrow it to the CUG's actual range (e.g. 172.25.76.0/24)
# once that is known.
add ip rou=172.0.0.0 mask=255.0.0.0 int=ppp0 next=0.0.0.0
# Branch LAN, reached through the tunnel on ppp0.
add ip rou=192.168.2.0 mask=255.255.255.0 int=ppp0 next=0.0.0.0
add ip dns int=ppp1
enable firewall
create firewall policy="net"
disable firewall policy="net" identproxy
enable firewall policy="net" icmp_f=unre,ping
# The CUG link and the LAN are both trusted; only the ISP link is public.
add firewall policy="net" int=ppp0 type=private
add firewall policy="net" int=vlan1 type=private
add firewall policy="net" int=ppp1 type=public
# NAT branch traffic (from ppp0) and LAN traffic (from vlan1) to the ISP address.
add firewall poli="net" nat=enhanced int=ppp0 gblin=ppp1
add firewall poli="net" nat=enhanced int=vlan1 gblin=ppp1
# Do not accept log messages sent to this router by other devices.
disable log reception
# NOTE(review): single DES with SHA-1 - DES is broken (56-bit key); use AES if the
# firmware supports it, on both ends.
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
create ipsec bund=1 key=isakmp string="1"
# Let IKE (UDP/500) pass on the CUG link.
create ipsec pol="isa" int=ppp0 ac=permit lp=500 rp=500 tra=UDP
create ipsec pol="vpn_B" int=ppp0 ac=ipsec key=isakmp bund=1 peer=172.25.76.2 isa="i_B"
# Via the centre: the local selector is all-zero (any local address); for a direct
# site-to-site tunnel set the local address range instead.
# Direct: set both the local and the remote address ranges.
#
SET IPSEC POLICY="vpn_B" LAD=0.0.0.0 LMA=0.0.0.0 RAD=192.168.2.0 RMA=255.255.255.0
# Everything on the ISP link passes in the clear.
create ipsec pol="inet" int=ppp1 ac=permit
enable ipsec
# Pre-shared key; "secret-ab" is a placeholder - use a long random value, identical on
# the branch. Creating keys needs a security-officer login (see the manual steps below),
# and keys are kept only while security mode is on - confirm for the firmware in use.
create enco key=1 type=general value=secret-ab
# Peer is the branch's CUG address; heartbeats in both directions, notifications sent.
create isakmp pol="i_B" pe=172.25.76.2 key=1 sendn=true hear=BOTH
enable isakmp
ENABLE DHCP
CREATE DHCP POLICY=BASE LEASETIME=7200
ADD DHCP POLICY=BASE SUBNET=255.255.255.0 ROUTER=192.168.1.254 DNSSERVER=192.168.1.254
CREATE DHCP RANGE=LOCAL POLICY=BASE IP=192.168.1.101 NUMBER=32 PROBE=ARP
# Manual steps: log in as the security officer, enable security mode, set the
# security-officer timeout (securedelay, seconds - confirm exact semantics).
#login secoff
#enable system security_mode
#set user securedelay=3600
・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・
●#センター経由(拠点側)
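# Branch (spoke) side of the hub-and-spoke IPsec example; the hub side is the
# "センター側" listing above. Everything from 192.168.2.0/24 is tunnelled to the hub
# over the closed-user-group PPPoE link (ppp0); Internet access goes through the
# hub's NAT. No firewall is configured here - ppp0 only faces the CUG.
# The IPsec SA still uses single DES - upgrade enc=/hasha= on both ends.
# Telnet is cleartext; keep it reachable from the LAN side only.
set user=manager telnet=yes desc="Manager Account"
# PasswordS is a placeholder; set a strong security-officer password.
add user=secoff pass=PasswordS priv=securityOfficer lo=yes
# Security officer may log in on the console only.
set user=secoff telnet=no netmask=255.255.255.255
create ppp=0 over=eth0-ANY
# Fixed CUG address (172.25.76.2), so no IPCP address request; cug / pass are placeholders.
set ppp=0 bap=off username=cug password=pass
set ppp=0 over=eth0-ANY lqr=off echo=10
enable ip
add ip int=vlan1 ip=192.168.2.254
add ip int=ppp0 ip=172.25.76.2 mask=255.255.255.255
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
# Hub LAN is 192.168.1.0/24. The original had mask=255.255.0.0, which does not match
# the 192.168.1.0 prefix and would have matched all of 192.168.0.0/16.
add ip rou=192.168.1.0 mask=255.255.255.0 int=ppp0 next=0.0.0.0
enable ip dnsrelay
# The original pointed the relay at ppp1, which this router never defines; ppp0 is the
# only link. This only works if the CUG hands out DNS servers over IPCP - otherwise
# relay to the hub instead:  add ip dns primary=192.168.1.254
set ip dnsrelay int=ppp0
# Pre-shared key, created before the ISAKMP policy that references it (key=1), as in
# the hub listing. "secret-ab" is a placeholder and must match the hub. Creating keys
# needs a security-officer login, and keys are kept only while security mode is on
# (confirm for the firmware in use).
create enco key=1 type=general value="secret-ab"
# NOTE(review): single DES is broken; use AES if the firmware supports it (both ends).
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
create ipsec bund=1 key=isakmp string="1"
# Let IKE (UDP/500) through on ppp0.
create ipsec pol="isa" int=ppp0 ac=permit
set ipsec pol="isa" lp=500 rp=500 tra=UDP
# Local LAN -> anywhere (0.0.0.0/0) goes into the tunnel to the hub.
create ipsec pol="vpn_A" int=ppp0 ac=ipsec key=isakmp bund=1 peer=172.25.76.3
SET IPSEC POLICY="vpn_A" LAD=192.168.2.0 LMA=255.255.255.0 RAD=0.0.0.0 RMA=0.0.0.0
enable ipsec
create isakmp pol="i_A" pe=172.25.76.3 key=1 sendn=true hear=BOTH
enable isakmp
ENABLE DHCP
CREATE DHCP POLICY=BASE LEASETIME=7200
ADD DHCP POLICY=BASE SUBNET=255.255.255.0 ROUTER=192.168.2.254 DNSSERVER=192.168.2.254
CREATE DHCP RANGE=LOCAL POLICY=BASE IP=192.168.2.101 NUMBER=32 PROBE=ARP

# Manual steps: log in as the security officer, enable security mode, set the
# security-officer timeout (securedelay, seconds - confirm exact semantics).
#login secoff
#enable system security_mode
#set user securedelay=3600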

●IPSEC(片端アドレス固定)
ルータA
# Router A: fixed public address 4.4.4.1 on the PPPoE link, a public /29 DMZ on eth1
# (hosts 4.4.4.3 and 4.4.4.4) and the LAN on vlan1. Accepts an IPsec peer with a
# dynamic address (Router B below) identified by the name "client".
# PasswordS is a placeholder.
ADD USER=secoff PASSWORD=PasswordS PRIVILEGE=SECURITYOFFICER
CREATE PPP=0 OVER=eth0-ANY
# user@ispA / isppasswdA are placeholder ISP credentials (stored in cleartext).
SET PPP=0 OVER=eth0-ANY BAP=OFF IPREQUEST=ON USER=user@ispA PASSWORD=isppasswdA LQR=OFF ECHO=ON
ENABLE IP
ENABLE IP REMOTEASSIGN
ADD IP INT=eth1 IP=4.4.4.2 MASK=255.255.255.248
ADD IP INT=vlan1 IP=192.168.10.1 MASK=255.255.255.0
# Two logical IP interfaces on PPP link 0: ppp0-0 takes the ISP-assigned address,
# ppp0-1 carries the fixed 4.4.4.1 used by the default route, NAT and the VPN.
ADD IP INT=ppp0-0 IP=0.0.0.0
ADD IP INT=ppp0-1 IP=4.4.4.1 MASK=255.255.255.255
ADD IP ROUTE=0.0.0.0 INT=ppp0-1 NEXTHOP=0.0.0.0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
DISABLE FIREWALL POLICY=net IDENTPROXY
# DMZ (eth1) is on the private side of the firewall but keeps public addresses.
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=eth1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0-0 TYPE=PUBLIC
ADD FIREWALL POLICY=net INT=ppp0-1 TYPE=PUBLIC
# Only the LAN is NATed (to 4.4.4.1); DMZ hosts are reached on their own addresses.
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0-1 GBLIP=4.4.4.1
# Rules 1-4: unsolicited inbound to the DMZ web host (4.4.4.3:80) and mail/DNS host
# (4.4.4.4:25, 53/tcp, 53/udp). Nothing else from the Internet reaches the DMZ.
ADD FIREWALL POLICY=net RULE=1 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.3 PORT=80
ADD FIREWALL POLICY=net RULE=2 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.4 PORT=25
ADD FIREWALL POLICY=net RULE=3 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.4 PORT=53
ADD FIREWALL POLICY=net RULE=4 AC=ALLOW INT=ppp0-1 PROTO=UDP IP=4.4.4.4 PORT=53
# Rule 5: IKE (UDP/500) to this router's own address.
ADD FIREWALL POLICY=net RULE=5 AC=ALLOW INT=ppp0-1 PROT=UDP GBLPO=500 GBLIP=4.4.4.1 PO=500 IP=4.4.4.1
# Rules 6-7: LAN <-> remote LAN traffic is not NATed because it travels in the tunnel;
# rule 7 covers the IPsec-encapsulated side on the public interface.
ADD FIREWALL POLICY=net RULE=6 AC=NONAT INT=vlan1 PROT=ALL IP=192.168.10.1-192.168.10.254
SET FIREWALL POLICY=net RULE=6 REMOTEIP=192.168.20.1-192.168.20.254
ADD FIREWALL POLICY=net RULE=7 AC=NONAT INT=ppp0-1 PROT=ALL IP=192.168.10.1-192.168.10.254 ENCAP=IPSEC
# Pre-shared key, entered manually after LOGIN secoff (needs the security officer).
# "secret" is a placeholder: the key must be long and random and match Router B.
# CREATE ENCO KEY=1 TYPE=GENERAL VALUE="secret"
# PEER=ANY + REMOTEID: any peer presenting the name "client" and the PSK is accepted.
# Aggressive mode is needed because the peer's address is unknown, but it sends a
# hash derived from the PSK in the clear, so a weak PSK can be cracked offline.
CREATE ISAKMP POLICY="i" PEER=ANY KEY=1 HEARTBEATMODE=BOTH SENDN=TRUE REMOTEID="client" MODE=AGGRESSIVE
# NOTE(review): single DES with SHA-1 - DES is broken; use AES if the firmware supports it.
CREATE IPSEC SASPEC=1 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=DES HASHALG=SHA
CREATE IPSEC BUNDLE=1 KEYMAN=ISAKMP STRING="1"
# "isa": IKE passes; "vpn": LAN <-> remote LAN is tunnelled (peer learned dynamically);
# "inet": all other traffic on ppp0-1 passes in the clear.
CREATE IPSEC POLICY="isa" INT=ppp0-1 ACTION=PERMIT LPORT=500 RPORT=500 TRANSPORT=UDP
CREATE IPSEC POLICY="vpn" INT=ppp0-1 ACTION=IPSEC KEYMAN=ISAKMP BUNDLE=1 PEER=DYNAMIC
SET IPSEC POLICY="vpn" LAD=192.168.10.0 LMA=255.255.255.0 RAD=192.168.20.0 RMA=255.255.255.0
CREATE IPSEC POLICY="inet" INT=ppp0-1 ACTION=PERMIT
ENABLE IPSEC
ENABLE ISAKMP
# Manual steps: security-officer login, then security mode (keys are kept only while
# it is on - confirm for the firmware in use).
# LOGIN secoff
# ENABLE SYSTEM SECURITY_MODE

ルータB
# Router B: dynamic ISP address, so it identifies itself to Router A by the name
# "client" (LOCALID) in IKEv1 aggressive mode and always initiates the tunnel.
# PasswordS is a placeholder.
ADD USER=secoff PASSWORD=PasswordS PRIVILEGE=SECURITYOFFICER
CREATE PPP=0 OVER=eth0-ANY
# user@ispB / isppasswdB are placeholder ISP credentials (stored in cleartext).
SET PPP=0 OVER=eth0-ANY IPREQUEST=ON USER=user@ispB PASSWORD=isppasswdB LQR=OFF BAP=OFF ECHO=ON
ENABLE IP
ENABLE IP REMOTEASSIGN
ADD IP INT=vlan1 IP=192.168.20.1 MASK=255.255.255.0
ADD IP INT=ppp0 IP=0.0.0.0
ADD IP ROUTE=0.0.0.0 INT=ppp0 NEXTHOP=0.0.0.0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
DISABLE FIREWALL POLICY=net IDENTPROXY
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0 TYPE=PUBLIC
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0
# No inbound IKE rule: this side initiates, so only the NONAT rules for tunnel traffic are needed.
ADD FIREWALL POLICY=net RULE=1 AC=NONAT INT=vlan1 PROT=ALL IP=192.168.20.1-192.168.20.254
SET FIREWALL POLICY=net RULE=1 REMOTEIP=192.168.10.1-192.168.10.254
ADD FIREWALL POLICY=net RULE=2 AC=NONAT INT=ppp0 PROT=ALL IP=192.168.20.1-192.168.20.254 ENCAP=IPSEC
# Pre-shared key, entered manually after LOGIN secoff; must match Router A ("secret" is a placeholder).
# CREATE ENCO KEY=1 TYPE=GENERAL VALUE="secret"
# Aggressive mode exposes a PSK-derived hash on the wire - the PSK must be long and random.
CREATE ISAKMP POLICY="i" PEER=4.4.4.1 KEY=1 HEARTBEATMODE=BOTH SENDN=TRUE LOCALID="client" MODE=AGGRESSIVE
# NOTE(review): single DES with SHA-1 - DES is broken; use AES if the firmware supports it.
CREATE IPSEC SASPEC=1 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=DES HASHALG=SHA
CREATE IPSEC BUNDLE=1 KEYMAN=ISAKMP STRING="1"
CREATE IPSEC POLICY="isa" INT=ppp0 ACTION=PERMIT LPORT=500 RPORT=500 TRANSPORT=UDP
CREATE IPSEC POLICY="vpn" INT=ppp0 ACTION=IPSEC KEYMAN=ISAKMP BUNDLE=1 PEER=4.4.4.1
SET IPSEC POLICY="vpn" LAD=192.168.20.0 LMA=255.255.255.0 RAD=192.168.10.0 RMA=255.255.255.0
# Everything else on ppp0 passes in the clear.
CREATE IPSEC POLICY="inet" INT=ppp0 ACTION=PERMIT
ENABLE IPSEC
ENABLE ISAKMP
# LOGIN secoff
# ENABLE SYSTEM SECURITY_MODE


●両側アドレス固定
ルータA
# Router A, both ends with fixed addresses: identical to the one-side-fixed Router A
# except that the peer is the fixed 12.34.56.78 and IKE runs in main mode (no
# MODE=AGGRESSIVE, no REMOTEID needed).
ADD USER=secoff PASSWORD=PasswordS PRIVILEGE=SECURITYOFFICER
CREATE PPP=0 OVER=eth0-ANY
# Placeholder ISP credentials (stored in cleartext).
SET PPP=0 OVER=eth0-ANY BAP=OFF IPREQUEST=ON USER=user@ispA PASSWORD=isppasswdA LQR=OFF ECHO=ON
ENABLE IP
ENABLE IP REMOTEASSIGN
ADD IP INT=eth1 IP=4.4.4.2 MASK=255.255.255.248
ADD IP INT=vlan1 IP=192.168.10.1 MASK=255.255.255.0
# ppp0-0: ISP-assigned address; ppp0-1: fixed 4.4.4.1 used by routing, NAT and the VPN.
ADD IP INT=ppp0-0 IP=0.0.0.0
ADD IP INT=ppp0-1 IP=4.4.4.1 MASK=255.255.255.255
ADD IP ROUTE=0.0.0.0 INT=ppp0-1 NEXTHOP=0.0.0.0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
DISABLE FIREWALL POLICY=net IDENTPROXY
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=eth1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0-0 TYPE=PUBLIC
ADD FIREWALL POLICY=net INT=ppp0-1 TYPE=PUBLIC
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0-1 GBLIP=4.4.4.1
# Rules 1-4: inbound to the public-address DMZ hosts (web on 4.4.4.3, mail/DNS on 4.4.4.4).
ADD FIREWALL POLICY=net RULE=1 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.3 PORT=80
ADD FIREWALL POLICY=net RULE=2 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.4 PORT=25
ADD FIREWALL POLICY=net RULE=3 AC=ALLOW INT=ppp0-1 PROTO=TCP IP=4.4.4.4 PORT=53
ADD FIREWALL POLICY=net RULE=4 AC=ALLOW INT=ppp0-1 PROTO=UDP IP=4.4.4.4 PORT=53
# Rule 5: IKE to this router. Rules 6-7: tunnel traffic is exempt from NAT.
ADD FIREWALL POLICY=net RULE=5 AC=ALLOW INT=ppp0-1 PROT=UDP GBLPO=500 GBLIP=4.4.4.1 PO=500 IP=4.4.4.1
ADD FIREWALL POLICY=net RULE=6 AC=NONAT INT=vlan1 PROT=ALL IP=192.168.10.1-192.168.10.254
SET FIREWALL POLICY=net RULE=6 REMOTEIP=192.168.20.1-192.168.20.254
ADD FIREWALL POLICY=net RULE=7 AC=NONAT INT=ppp0-1 PROT=ALL IP=192.168.10.1-192.168.10.254 ENCAP=IPSEC
# Pre-shared key, entered manually after LOGIN secoff ("secret" is a placeholder; must match Router B).
# CREATE ENCO KEY=1 TYPE=GENERAL VALUE="secret"
CREATE ISAKMP POLICY="i" PEER=12.34.56.78 KEY=1 HEARTBEATMODE=BOTH SENDN=TRUE
# NOTE(review): single DES with SHA-1 - DES is broken; use AES if the firmware supports it.
CREATE IPSEC SASPEC=1 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=DES HASHALG=SHA
CREATE IPSEC BUNDLE=1 KEYMAN=ISAKMP STRING="1"
CREATE IPSEC POLICY="isa" INT=ppp0-1 ACTION=PERMIT LPORT=500 RPORT=500 TRANSPORT=UDP
CREATE IPSEC POLICY="vpn" INT=ppp0-1 ACTION=IPSEC KEYMAN=ISAKMP BUNDLE=1 PEER=12.34.56.78
SET IPSEC POLICY="vpn" LAD=192.168.10.0 LMA=255.255.255.0 RAD=192.168.20.0 RMA=255.255.255.0
CREATE IPSEC POLICY="inet" INT=ppp0-1 ACTION=PERMIT
ENABLE IPSEC
ENABLE ISAKMP
# LOGIN secoff
# ENABLE SYSTEM SECURITY_MODE

ルータB
# Router B, both ends with fixed addresses: ppp0 carries the fixed 12.34.56.78, so
# there is no IPREQUEST/REMOTEASSIGN, and IKE runs in main mode against 4.4.4.1.
ADD USER=secoff PASSWORD=PasswordS PRIVILEGE=SECURITYOFFICER
CREATE PPP=0 OVER=eth0-ANY
# Placeholder ISP credentials (stored in cleartext).
SET PPP=0 OVER=eth0-ANY USER=user@ispB PASSWORD=isppasswdB LQR=OFF BAP=OFF ECHO=ON
ENABLE IP
ADD IP INT=vlan1 IP=192.168.20.1 MASK=255.255.255.0
ADD IP INT=ppp0 IP=12.34.56.78 MASK=255.255.255.255
ADD IP ROUTE=0.0.0.0 INT=ppp0 NEXTHOP=0.0.0.0
ENABLE FIREWALL
CREATE FIREWALL POLICY=net
ENABLE FIREWALL POLICY=net ICMP_F=PING,UNREACH
DISABLE FIREWALL POLICY=net IDENTPROXY
ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE
ADD FIREWALL POLICY=net INT=ppp0 TYPE=PUBLIC
ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0
# Rule 1: IKE to this router (either side may initiate). Rules 2-3: tunnel traffic not NATed.
ADD FIREWALL POLICY=net RULE=1 AC=ALLOW INT=ppp0 PROT=UDP GBLPO=500 GBLIP=12.34.56.78 PO=500 IP=12.34.56.78
ADD FIREWALL POLICY=net RULE=2 AC=NONAT INT=vlan1 PROT=ALL IP=192.168.20.1-192.168.20.254
SET FIREWALL POLICY=net RULE=2 REMOTEIP=192.168.10.1-192.168.10.254
ADD FIREWALL POLICY=net RULE=3 AC=NONAT INT=ppp0 PROT=ALL IP=192.168.20.1-192.168.20.254 ENCAP=IPSEC
# Pre-shared key, entered manually after LOGIN secoff; must match Router A.
# CREATE ENCO KEY=1 TYPE=GENERAL VALUE="secret"
CREATE ISAKMP POLICY="i" PEER=4.4.4.1 KEY=1 HEARTBEATMODE=BOTH SENDN=TRUE
# NOTE(review): single DES with SHA-1 - DES is broken; use AES if the firmware supports it.
CREATE IPSEC SASPEC=1 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=DES HASHALG=SHA
CREATE IPSEC BUNDLE=1 KEYMAN=ISAKMP STRING="1"
CREATE IPSEC POLICY="isa" INT=ppp0 ACTION=PERMIT LPORT=500 RPORT=500 TRANSPORT=UDP
CREATE IPSEC POLICY="vpn" INT=ppp0 ACTION=IPSEC KEYMAN=ISAKMP BUNDLE=1 PEER=4.4.4.1
SET IPSEC POLICY="vpn" LAD=192.168.20.0 LMA=255.255.255.0 RAD=192.168.10.0 RMA=255.255.255.0
CREATE IPSEC POLICY="inet" INT=ppp0 ACTION=PERMIT
ENABLE IPSEC
ENABLE ISAKMP
# LOGIN secoff
# ENABLE SYSTEM SECURITY_MODE


●ローカル ルータ

ルータA
# Plain LAN router A: 192.168.10.0/24 on eth0, shared segment 192.168.20.0/24 on vlan1,
# static route to router B's 192.168.30.0/24 via B's address on the shared segment.
ENABLE IP
ADD IP INT=eth0 IP=192.168.10.1 MASK=255.255.255.0
ADD IP INT=vlan1 IP=192.168.20.1 MASK=255.255.255.0
ADD IP ROUTE=192.168.30.0 MASK=255.255.255.0 INT=vlan1 NEXTHOP=192.168.20.254 METRIC=2

ルータB
ENABLE IP
# Plain LAN router B: shared segment 192.168.20.0/24 on eth0 (router A is .1),
# 192.168.30.0/24 on vlan1, static route back to A's 192.168.10.0/24.
ADD IP INT=eth0 IP=192.168.20.254 MASK=255.255.255.0
ADD IP INT=vlan1 IP=192.168.30.1 MASK=255.255.255.0
ADD IP ROUTE=192.168.10.0 MASK=255.255.255.0 INT=eth0 NEXTHOP=192.168.20.1 METRIC=2


---------------------------------------------------------------------------------------------------------------
<<YAMAHA>>


# yamaha seg分割

# Yamaha RTX behind the Allied router at 10.200.30.1: lan2 (10.200.30.2/25) faces the
# Allied router, which routes 10.200.30.128/25 here; that half is split into
# lan3 = 10.200.30.128/26 and lan1 = 10.200.30.192/27.
ip route default gateway 10.200.30.1
ip lan1 address 10.200.30.193/27
# Filters 1/2 (lan1 egress) and 3/4 (lan3 egress) keep the two segments from reaching
# each other while passing everything else. Applied on the "out" side, so a packet is
# dropped at the egress interface.
ip lan1 secure filter out 1 2
ip lan2 address 10.200.30.2/25
ip lan3 address 10.200.30.129/26
ip lan3 secure filter out 3 4
ip filter 1 reject 10.200.30.128/26 10.200.30.192/27 * * *
ip filter 2 pass * * * * *
ip filter 3 reject 10.200.30.192/27 10.200.30.128/26 * * *
ip filter 4 pass * * * * *
dhcp service server
# RFC 2131-compliant server behaviour, except the remain-silent rule (confirm intent).
dhcp server rfc2131 compliant except remain-silent
# One scope per segment; the Allied router (10.200.30.1) serves as DNS.
dhcp scope 1 10.200.30.194-10.200.30.200/27
dhcp scope 2 10.200.30.130-10.200.30.135/26
dns server 10.200.30.1
IPSEC

ルータA
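# Yamaha RTX IPsec, hub side with a fixed address (172.16.0.1) on the PPPoE link.
# The original listing showed console prompts ("#", "pp1#", "tunnel1#") in front of
# every command; they are stripped here so the block can be pasted as a config - a
# line beginning with "#" is treated as a comment by the router, so "# ip lan1 ..."
# would silently do nothing.
ip lan1 address 192.168.0.254/24
pp select 1
pppoe use lan2
pp auth accept pap chap
# ID / PASSWORD are placeholders for the ISP credentials (stored in cleartext).
pp auth myname ID PASSWORD
pp always-on on
# PPPoE MRU/MTU 1454, no PPP compression.
ppp lcp mru on 1454
ppp ccp type none
ip pp mtu 1454
ip pp address 172.16.0.1/32
pp enable 1
tunnel select 1
ipsec tunnel 101
tunnel enable 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route default gateway pp 1
# IKEKEYPASS is a placeholder: use a long random pre-shared key, identical on the branch.
ipsec ike pre-shared-key 1 text IKEKEYPASS
# The branch has a dynamic address, so it is identified by name (kyoten1) rather than
# by address - on RTX this means IKEv1 aggressive mode, which exposes a PSK-derived
# hash to anyone on the path; the PSK's strength is the only protection.
ipsec ike remote address 1 any
ipsec ike remote name 1 kyoten1
ipsec ike local address 1 172.16.0.1
# NOTE(review): 3DES-CBC / HMAC-MD5 are legacy; prefer "esp aes-cbc sha-hmac" (or
# aes256-cbc sha256-hmac where the firmware supports it) on both routers.
ipsec sa policy 101 1 esp 3des-cbc md5-hmac
ipsec auto refresh on
save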


ルータB
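# Yamaha RTX IPsec, branch side with a dynamic ISP address behind NAT masquerade.
# Console prompts ("#", "pp1#", "tunnel1#") from the original transcript are stripped
# so the block can be pasted as a config (a leading "#" is read as a comment).
ip lan1 address 192.168.1.254/24
pp select 1
pppoe use lan2
pp auth accept pap chap
# ID / PASSWORD are placeholders for the ISP credentials (stored in cleartext).
pp auth myname ID PASSWORD
pp always-on on
# WAN address and DNS come from the ISP over IPCP.
ppp ipcp ipaddress on
ppp ipcp msext on
ppp lcp mru on 1454
ppp ccp type none
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
tunnel select 1
ipsec tunnel 101
tunnel enable 1
ip route 192.168.0.0/24 gateway tunnel 1
ip route default gateway pp 1
# The IPsec endpoint is the LAN address; IKE (UDP/500) and ESP arriving on the
# masqueraded WAN address are statically forwarded to it - the usual RTX pattern for
# a peer without a fixed address.
ipsec ike local address 1 192.168.1.254
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.1.254 udp 500
nat descriptor masquerade static 1 2 192.168.1.254 esp
# Name presented to the hub (must match "ipsec ike remote name" there).
ipsec ike local name 1 kyoten1
# IKEKEYPASS is a placeholder: long random PSK, identical on the hub.
ipsec ike pre-shared-key 1 text IKEKEYPASS
ipsec ike remote address 1 172.16.0.1
# NOTE(review): 3DES-CBC / HMAC-MD5 are legacy; prefer aes-cbc with sha-hmac (or
# stronger) on both routers.
ipsec sa policy 101 1 esp 3des-cbc md5-hmac
ipsec auto refresh on
save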


●インターネット
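# Yamaha RTX minimal PPPoE Internet gateway with NAT masquerade, DNS forwarding and
# DHCP. Console prompts ("#", "pp1#") from the original transcript are stripped so
# the block can be pasted as a config (a leading "#" is read as a comment).
# NOTE(review): there is no "ip pp secure filter" at all; masquerade hides LAN hosts,
# but packets to the WAN address that match no NAT entry are handled by the router
# itself, so its services are reachable from the Internet. Add inbound/outbound
# filter lists (the RT58i example further down shows the usual template) and set an
# administrator password before putting this on a public link.
ip lan1 address 192.168.0.1/24
nat descriptor type 1 masquerade
pp select 1
pppoe use lan2
pp auth accept chap pap
# ID / PASSWORD are placeholders for the ISP credentials (stored in cleartext).
pp auth myname ID PASSWORD
# WAN address and DNS servers from the ISP over IPCP.
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp nat descriptor 1
ppp lcp mru on 1454
ip pp mtu 1454
ppp ccp type none
pp enable 1
pp select none
ip route default gateway pp 1
dns server pp 1
# Answer reverse lookups for private address ranges locally instead of forwarding them.
dns private address spoof on
dhcp service server
dhcp scope 1 192.168.0.2-192.168.0.254/24
save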


●IP-IP
RT58i
# Yamaha RT58i with two PPPoE sessions on lan2: pp 1 to the ISP (NAT 1000) and pp 2 to
# a closed "flets" service (NAT 1100) carrying an unencrypted IPIP tunnel to
# 192.168.2.0/24 at 172.16.2.1. The provider/analog lines are RT58i wizard and
# telephone-port settings and are kept as-is.
# Default route via pp 1; the "filter 500000 gateway pp 1" form is an RTX idiom tied
# to the restrict-all filter 500000 below - confirm its intent before reusing.
ip route default gateway pp 1 filter 500000 gateway pp 1
# Tunnel peer is reached over the flets session and watched with ICMP keepalive
# (every 10 s, down after 6 failures).
ip route 172.16.2.1 gateway pp 2
ip route 192.168.2.0/24 gateway tunnel 1
ip keepalive 1 icmp-echo 10 6 172.16.2.1
ip lan1 address 192.168.1.1/24
# LAN ingress: drop Windows RPC / NetBIOS / SMB (100000-100007), pass the rest.
ip lan1 secure filter in 100000 100001 100002 100003 100004 100005 100006 100007 100099
provider type isdn-terminal
provider filter routing connection
provider lan1 name LAN:
provider lan2 name PPPoE/0/4/5/0/0/0:flets_service
pp select 1
pp name PRV/1/1/5/0/0/0:provider1
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
# Do not lock the session out after repeated authentication failures.
pppoe call prohibit auth-error count off
pp auth accept pap chap
# Placeholders: (ISP login ID) (password) - stored in cleartext in the config.
pp auth myname (ISPに接続するID) (パスワード)
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
# Inbound from the ISP: spoofed LAN source and RPC/NetBIOS/SMB rejected; only ICMP and
# ident to the LAN pass statically. A packet matching no listed filter is discarded,
# so return traffic for outbound sessions relies on the dynamic filters in the out list.
ip pp secure filter in 200003 200020 200021 200022 200023 200024 200025 200030 200032
# Outbound: block packets addressed to our own LAN range and RPC/NetBIOS/SMB; the
# dynamic filters open stateful return paths for ftp/dns/www/smtp/pop3 and generic tcp/udp.
ip pp secure filter out 200013 200020 200021 200022 200023 200024 200025 200026 200027 200099 dynamic 200080 200081 200082 200083 200084 200098 200099
ip pp nat descriptor 1000
pp enable 1
provider set 1 provider1
provider dns server pp 1 1
provider select 1
pp select 2
pp name PRV/2/4/5/0/0/0:flets_service
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pppoe call prohibit auth-error count off
pp auth accept pap chap
# Placeholders: (flets service login ID) (password).
pp auth myname (フレッツサービスに接続するID) (パスワード)
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ccp type none
# Same scheme as pp 1, plus 201080: IP-in-IP (protocol 4) addressed to this router's lan1 address.
ip pp secure filter in 201003 201020 201021 201022 201023 201024 201025 201030 201032 201080
ip pp secure filter out 201013 201020 201021 201022 201023 201024 201025 201026 201027 201099 dynamic 201080 201081 201082 201083 201084 201098 201099
ip pp nat descriptor 1100
pp enable 2
provider set 2 flets_service
provider pp bind 2 1
tunnel select 1
tunnel name ipip
# IPIP carries no encryption or integrity protection - acceptable only because pp 2
# is a closed network, never over the open Internet.
tunnel endpoint address 172.16.2.1
ip tunnel tcp mss limit auto
tunnel enable 1
ip filter 100000 reject * * udp,tcp 135 *
ip filter 100001 reject * * udp,tcp * 135
ip filter 100002 reject * * udp,tcp netbios_ns-netbios_dgm *
ip filter 100003 reject * * udp,tcp * netbios_ns-netbios_dgm
ip filter 100004 reject * * udp,tcp netbios_ssn *
ip filter 100005 reject * * udp,tcp * netbios_ssn
ip filter 100006 reject * * udp,tcp 445 *
ip filter 100007 reject * * udp,tcp * 445
ip filter 100099 pass * * * * *
# 200000-200003: private / own-LAN source addresses arriving from the WAN (anti-spoofing);
# 200010-200013: private destinations leaving to the WAN. Only 200003 and 200013 are
# referenced by the lists above; the others are defined but unused.
ip filter 200000 reject 10.0.0.0/8 * * * *
ip filter 200001 reject 172.16.0.0/12 * * * *
ip filter 200002 reject 192.168.0.0/16 * * * *
ip filter 200003 reject 192.168.1.0/24 * * * *
ip filter 200010 reject * 10.0.0.0/8 * * *
ip filter 200011 reject * 172.16.0.0/12 * * *
ip filter 200012 reject * 192.168.0.0/16 * * *
ip filter 200013 reject * 192.168.1.0/24 * * *
ip filter 200020 reject * * udp,tcp 135 *
ip filter 200021 reject * * udp,tcp * 135
ip filter 200022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 200023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 200024 reject * * udp,tcp 445 *
ip filter 200025 reject * * udp,tcp * 445
# "restrict": pass only while the link is already up, never trigger a connection
# (RTX template idiom for stray FIN/RST packets).
ip filter 200026 restrict * * tcpfin * www,21,nntp
ip filter 200027 restrict * * tcprst * www,21,nntp
ip filter 200030 pass * 192.168.1.0/24 icmp * *
# 200031 and 200033-200037 are defined but not referenced by the filter lists above.
ip filter 200031 pass * 192.168.1.0/24 established * *
ip filter 200032 pass * 192.168.1.0/24 tcp * ident
ip filter 200033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 200034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 200035 pass * 192.168.1.0/24 udp domain *
ip filter 200036 pass * 192.168.1.0/24 udp * ntp
ip filter 200037 pass * 192.168.1.0/24 udp ntp *
# Drop packets with the ACK (established) flag without logging them.
ip filter 200098 reject-nolog * * established
ip filter 200099 pass * * * * *
# 201xxx: the same set for the flets session.
ip filter 201000 reject 10.0.0.0/8 * * * *
ip filter 201001 reject 172.16.0.0/12 * * * *
ip filter 201002 reject 192.168.0.0/16 * * * *
ip filter 201003 reject 192.168.1.0/24 * * * *
ip filter 201010 reject * 10.0.0.0/8 * * *
ip filter 201011 reject * 172.16.0.0/12 * * *
ip filter 201012 reject * 192.168.0.0/16 * * *
ip filter 201013 reject * 192.168.1.0/24 * * *
ip filter 201020 reject * * udp,tcp 135 *
ip filter 201021 reject * * udp,tcp * 135
ip filter 201022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 201023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 201024 reject * * udp,tcp 445 *
ip filter 201025 reject * * udp,tcp * 445
ip filter 201026 restrict * * tcpfin * www,21,nntp
ip filter 201027 restrict * * tcprst * www,21,nntp
ip filter 201030 pass * 192.168.1.0/24 icmp * *
ip filter 201031 pass * 192.168.1.0/24 established * *
ip filter 201032 pass * 192.168.1.0/24 tcp * ident
ip filter 201033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 201034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 201035 pass * 192.168.1.0/24 udp domain *
ip filter 201036 pass * 192.168.1.0/24 udp * ntp
ip filter 201037 pass * 192.168.1.0/24 udp ntp *
# Protocol 4 = IP-in-IP, the tunnel's outer packets, to this router.
ip filter 201080 pass * 192.168.1.1 4 * *
ip filter 201098 reject-nolog * * established
ip filter 201099 pass * * * * *
# Used only by the default-route "filter" clause at the top.
ip filter 500000 restrict * * * * *
# Stateful (dynamic) filters: an outbound session opens the matching return path.
ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp
ip filter dynamic 201080 * * ftp
ip filter dynamic 201081 * * domain
ip filter dynamic 201082 * * www
ip filter dynamic 201083 * * smtp
ip filter dynamic 201084 * * pop3
ip filter dynamic 201098 * * tcp
ip filter dynamic 201099 * * udp
nat descriptor type 1000 masquerade
nat descriptor type 1100 masquerade
# Incoming IP-in-IP on the flets session is handed to this router's lan1 address.
nat descriptor masquerade static 1100 1 192.168.1.1 4
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.2-192.168.1.191/24
dns server pp 1
# Forward every query (any type, all domains) to the ISP servers via pp 1, only while pp 1 is up.
dns server select 500001 pp 1 any . restrict pp 1
# Answer reverse lookups for private ranges locally instead of leaking them upstream.
dns private address spoof on
dns private name setup.netvolante.jp
# Telephone-port settings; unrelated to the network configuration.
analog supplementary-service pseudo call-waiting
analog extension dial prefix line
analog extension dial prefix sip prefix="9#"

●PPTP(両方固定アドレス)
本社側
# PPTP site-to-site, head-office side (PPTP server), both ends with fixed addresses
# on the PPPoE links (172.17.0.1 here, 172.18.0.1 at the branch).
# NOTE(review): PPTP with MS-CHAPv2/MPPE is cryptographically broken - the MS-CHAPv2
# exchange can be cracked offline and yields the MPPE keys. Keep this only as a
# legacy example; use IPsec (see the RTX IPsec example above) for anything new.
ip lan1 address 192.168.0.254/24
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
# Placeholders: (ISP login ID) (ISP password) - stored in cleartext.
pp auth myname (プロバイダに接続するID) (プロバイダに接続するパスワード)
ppp lcp mru on 1454
ppp ccp type none
ip pp address 172.17.0.1/32
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
# pp 2 is the PPTP session, bound to tunnel 1; this side demands MS-CHAPv2.
pp select 2
pp bind tunnel1
pp auth request mschap-v2
# Placeholder credentials: user name and password are both "test1" - replace with a
# long random password.
pp auth username test1 test1
# Accept any MPPE key length the peer offers; pin the longest the firmware allows if possible.
ppp ccp type mppe-any
ip pp mtu 1280
pptp service type server
pp enable 2
pptp service on
tunnel select 1
tunnel encapsulation pptp
tunnel endpoint address 172.18.0.1
tunnel enable 1
ip route 192.168.10.0/24 gateway pp 2
ip route default gateway pp 1
nat descriptor type 1 masquerade
# PPTP control (TCP/1723) and GRE arriving on the WAN address terminate on this router.
nat descriptor masquerade static 1 1 192.168.0.254 tcp 1723
nat descriptor masquerade static 1 2 192.168.0.254 gre

支社側
# PPTP site-to-site, branch side (PPTP client) with fixed address 172.18.0.1.
# Same NOTE(review) as the head-office side: PPTP/MS-CHAPv2/MPPE is broken; legacy only.
ip lan1 address 192.168.10.254/24
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
# Placeholders: (ISP login ID) (ISP password) - stored in cleartext.
pp auth myname (プロバイダに接続するID) (プロバイダに接続するパスワード)
ppp lcp mru on 1454
ppp ccp type none
ip pp address 172.18.0.1/32
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
pp select 2
pp bind tunnel1
# LCP echo keepalive on the PPTP session.
pp keepalive use lcp-echo
pp auth accept mschap-v2
# Placeholder credentials (must match the head-office "pp auth username").
pp auth myname test1 test1
ppp ccp type mppe-any
ip pp mtu 1280
pptp service type client
pp enable 2
pptp service on
tunnel select 1
tunnel encapsulation pptp
tunnel endpoint address 172.17.0.1
tunnel enable 1
ip route 192.168.0.0/24 gateway pp 2
ip route default gateway pp 1
nat descriptor type 1 masquerade
# PPTP control and GRE on the WAN address are handed to this router.
nat descriptor masquerade static 1 1 192.168.10.254 tcp 1723
nat descriptor masquerade static 1 2 192.168.10.254 gre

●ローカルルータ
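# Plain two-segment LAN router with a DHCP scope per segment.
ip lan1 address 192.168.0.1/24
ip lan2 address 192.168.1.1/24
# The original had "dhcp service server" and "dhcp scope 1 ..." fused onto one line,
# which is not a valid command; they are two separate commands.
dhcp service server
dhcp scope 1 192.168.0.2-192.168.0.254/24
dhcp scope 2 192.168.1.2-192.168.1.254/24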


●# センタールータ 拠点(VPNワイド IPIP)と拠点(インターネットVPN PPTP)拠点間通信有
#
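# Yamaha RTX hub: pp 1 = closed-network PPPoE (CUG) carrying an unencrypted IPIP
# tunnel to branch 192.168.11.0/24; pp 2 = ISP PPPoE with NAT; plus a PPTP server for
# branch "kobe" (192.168.12.0/24) over the Internet. Branch-to-branch traffic is
# routed through this router.
ip route default gateway pp 2
ip route 192.168.11.0/24 gateway tunnel 2
# The PPTP branch is reached through whichever anonymous session authenticated as "kobe".
ip route 192.168.12.0/24 gateway pp anonymous name=kobe
# Host route to the IPIP peer over the CUG link.
ip route 192.168.101.3 gateway pp 1
ip lan1 address 192.168.1.1/24
pp select 1
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
# cug / pass and isp / pass are placeholder credentials (stored in cleartext).
pp auth myname cug pass
ppp lcp mru on 1454
ppp ccp type none
ip pp address 192.168.101.1/32
ip pp mtu 1454
pp enable 1
pp select 2
pp always-on on
pppoe use lan3
pp auth accept pap chap
pp auth myname isp pass
ppp lcp mru on 1454
ip pp address 61.214.229.123/32
ip pp mtu 1454
# Outbound only: stop Windows RPC / NetBIOS / SMB leaking to the Internet.
# NOTE(review): there is no "ip pp secure filter in" on pp 2, so nothing unsolicited
# from the Internet is filtered; packets to the WAN address that match no NAT entry
# are handled by the router itself, so its services are reachable. Add an inbound
# list that passes only TCP/1723 and GRE to 192.168.1.1 plus return traffic (the
# RT58i example's 200xxx static + dynamic filters show the template).
ip pp secure filter out 110 111 112 113 114 115 199
ip pp nat descriptor 1
pp enable 2
# PPTP server: any client that authenticates as kobe/kobe is bound to tunnel 1.
pp select anonymous
pp bind tunnel1
# NOTE(review): MS-CHAP (v1) with PPTP/MPPE is broken; the other PPTP example on this
# page uses mschap-v2, which is only marginally better (crackable offline). Changing
# this also requires "pp auth accept mschap-v2" on the branch. Prefer IPsec.
pp auth request mschap
# Placeholder credentials: user name equals password - replace with a long random password.
pp auth username kobe kobe
ppp ipcp ipaddress on
ppp ccp type mppe-any
ppp ipv6cp use off
ip pp mtu 1280
ip pp tcp mss limit auto
pptp service type server
pp enable anonymous
tunnel select 1
tunnel encapsulation pptp
pptp tunnel disconnect time off
tunnel enable 1
tunnel select 2
# IPIP carries no encryption or integrity protection - acceptable only because pp 1
# is a closed network.
tunnel encapsulation ipip
tunnel endpoint address 192.168.101.1 192.168.101.3
ip tunnel tcp mss limit 1280
tunnel enable 2
ip filter 110 reject * * udp,tcp 135 *
ip filter 111 reject * * udp,tcp * 135
ip filter 112 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 113 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 114 reject * * udp,tcp 445 *
ip filter 115 reject * * udp,tcp * 445
ip filter 199 pass * * * * *
nat descriptor type 1 masquerade
# PPTP control (TCP/1723) and GRE arriving on the WAN address terminate on this router.
nat descriptor masquerade static 1 1 192.168.1.1 tcp 1723
nat descriptor masquerade static 1 2 192.168.1.1 gre
# Was "tftp host any": that let every host able to reach the router - including from
# the Internet via pp 2, which has no inbound filter - fetch or replace the whole
# configuration (credentials, PSKs) over TFTP, guarded only by the administrator
# password. Disabled here; if TFTP provisioning is needed, list the management
# host explicitly, e.g. "tftp host 192.168.1.10".
tftp host none
dhcp service server
dhcp scope 1 192.168.1.11-192.168.1.50/24
dns server 203.139.161.40
dns server pp 2
pptp service on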


● インターネットVPN PPTP client側
#
# 拠点間通信有り

# PPTP branch "kobe" (192.168.12.0/24) with a dynamic ISP address: dials the hub at
# 61.214.229.123 and reaches both the hub LAN (192.168.1.0/24) and the other branch
# (192.168.11.0/24) through the one PPTP tunnel.
# Same caveat as the hub: PPTP with MS-CHAP/MPPE is broken; prefer IPsec.
# Default route via pp 1; the "filter 500 gateway pp 1" form is an RTX idiom tied to
# the restrict-all filter 500 below - confirm its intent before reusing.
ip route default gateway pp 1 filter 500 gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.12.1/24
pp select 1
pp name kobe
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
# isp / pass are placeholder ISP credentials (stored in cleartext).
pp auth myname isp pass
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
# NOTE(review): the inbound list is just filter 299 (pass everything), so it filters
# nothing; masquerade is the only barrier and the router's own services are reachable
# from the Internet. Use a real inbound list (see the RT58i example's 200xxx filters).
ip pp secure filter in 299
# Outbound: block RPC / NetBIOS / SMB leaking out, pass the rest.
ip pp secure filter out 220 221 222 223 224 225 299
ip pp nat descriptor 1
pp enable 1
# pp 2 is the PPTP client session on tunnel 1, authenticating as kobe/kobe (MS-CHAP v1).
pp select 2
pp bind tunnel1
pp always-on on
pp auth accept mschap
# Placeholder credentials; must match the hub's "pp auth username".
pp auth myname kobe kobe
ppp ipcp ipaddress on
ppp ccp type mppe-any
ppp ipv6cp use off
pptp service type client
pp enable 2
tunnel select 1
tunnel encapsulation pptp
tunnel endpoint address 61.214.229.123
# Keepalive every 30 s, tunnel declared down after 12 misses.
pptp keepalive interval 30 12
tunnel enable 1
ip filter 220 reject * * udp,tcp 135 *
ip filter 221 reject * * udp,tcp * 135
ip filter 222 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 223 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 224 reject * * udp,tcp 445 *
ip filter 225 reject * * udp,tcp * 445
ip filter 299 pass * * * * *
# Used only by the default-route "filter" clause at the top.
ip filter 500 restrict * * * * *
nat descriptor type 1 masquerade
# Inbound PPTP control and GRE on the WAN address are handed to this router.
nat descriptor masquerade static 1 1 192.168.12.1 tcp 1723
nat descriptor masquerade static 1 2 192.168.12.1 gre
dhcp service server
dhcp scope 1 192.168.12.10-192.168.12.30/24
dns server pp 1
pptp service on

#
● IPIP通信(VPNワイド) センター経由でインターネット (拠点用)
#
# 拠点間通信有り
#
# IPIP branch (192.168.11.0/24) on the closed network ("VPN wide"): everything,
# including Internet traffic, is sent through the IPIP tunnel to the hub, which NATs
# it out. IPIP has no encryption or integrity protection - this is acceptable only
# because pp 1 is a closed carrier network, never over the open Internet.
ip route default gateway tunnel 1
ip route 192.168.1.0/24 gateway tunnel 1
ip route 192.168.12.0/24 gateway tunnel 1
# Host route to the hub's CUG address, and ICMP keepalive (10 s, 6 failures) to watch it.
ip route 192.168.101.1 gateway pp 1
ip keepalive 1 icmp-echo 10 6 192.168.101.1
ip lan1 address 192.168.11.1/24
pp select 1
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
# cug / pass are placeholder credentials (stored in cleartext).
pp auth myname cug pass
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp address 192.168.101.3/32
# Smaller MTU than the other examples (1454) - presumably to leave room for the IPIP
# header; confirm against the carrier's MTU.
ip pp mtu 1438
ip pp nat descriptor 1
pp enable 1
tunnel select 1
tunnel encapsulation ipip
tunnel endpoint address 192.168.101.3 192.168.101.1
ip tunnel tcp mss limit auto
tunnel enable 1
nat descriptor type 1 masquerade
# Incoming IP-in-IP (protocol 4) on the CUG address is handed to this router.
nat descriptor masquerade static 1 1 192.168.11.1 4
dhcp service server
dhcp scope 1 192.168.11.11-192.168.11.50/24
# DNS is served by the hub router over the tunnel.
dns server 192.168.1.1
dns private address spoof on