Connecting two sites

This example uses the Internet-based IPsec VPN function, one of the basic functions of Yamaha routers, to communicate securely between two remote sites.
A conventional IPsec VPN requires a fixed IP address at each end. With Yamaha's free dynamic DNS service, NetVolante DNS, the tunnel can be built over dynamic IP addresses as well: each router registers a hostname, and the peer is specified by that name in ipsec ike remote address instead of by a fixed address.

Connecting two offices

Site 1: RTX800(1)


Routing
    ip route default gateway pp 1
    ip route 192.168.2.0/24 gateway tunnel 1
LAN interface
    ip lan1 address 192.168.1.1/24
WAN interface
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (ISP1 login ID) (ISP1 password)
    ppp lcp mru on 1454
    ppp ipcp ipaddress on
    ip pp mtu 1454
    ip pp nat descriptor 1
    netvolante-dns hostname host pp (name registered with NetVolante DNS) # Note 1
    pp enable 1
VPN (IPsec)
    tunnel select 1
    ipsec tunnel 1
    ipsec sa policy 1 1 esp 3des-cbc sha-hmac # Note 2
    ipsec ike keepalive log 1 off
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.1.1
    ipsec ike pre-shared-key 1 text hoge # Note 2
    ipsec ike remote address 1 (the peer router's NetVolante DNS name)
    ipsec ike hash 1 sha # Note 2
    tunnel enable 1
    ipsec auto refresh on
Inbound filters
    ip filter source-route on
    ip filter directed-broadcast on
    # 1001-1006: block Windows RPC, NetBIOS and SMB in both directions on the WAN side
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    # 1007: drop packets arriving from the Internet that spoof a LAN source address
    ip inbound filter 1007 reject-nolog 192.168.1.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 1
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 1
Policy filters
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.1.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.1.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 1140 pass-nolog * pp1 * * *
    ip policy filter 1500 reject-nolog pp* * * * *
    ip policy filter 1520 pass-log * lan1 * * 101
    # 1530 / 1750: let IKE and ESP reach the router itself from the WAN side, and leave it toward the WAN
    ip policy filter 1530 static-pass-nolog * local * * 104
    ip policy filter 1600 reject-nolog tunnel* * * * *
    ip policy filter 1630 pass-nolog * tunnel* * * *
    ip policy filter 1640 pass-nolog * local * * *
    ip policy filter 1650 pass-nolog * lan1 * * *
    ip policy filter 1680 reject-nolog * pp* * * *
    ip policy filter 1700 pass-nolog local * * * *
    ip policy filter 1710 static-pass-nolog * lan1 * * *
    ip policy filter 1750 static-pass-nolog * pp* * * 104
    ip policy filter 2000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
    ip policy filter set enable 101
NAT
    nat descriptor type 1 masquerade
    # deliver inbound IKE (UDP 500) and ESP to the router's own address rather than to a LAN host
    nat descriptor masquerade static 1 1 192.168.1.1 udp 500
    nat descriptor masquerade static 1 2 192.168.1.1 esp
DNS
    dns server (DNS server address assigned by ISP1)
    dns private address spoof on
DHCP
    dhcp scope 1 192.168.1.2-192.168.1.100/24
    dhcp service server

Site 2: RTX800(2)

Routing
    ip route default gateway pp 1
    ip route 192.168.1.0/24 gateway tunnel 1
LAN interface
    ip lan1 address 192.168.2.1/24
WAN interface
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (ISP2 login ID) (ISP2 password)
    ppp lcp mru on 1454
    ppp ipcp ipaddress on
    ip pp mtu 1454
    ip pp nat descriptor 1
    netvolante-dns hostname host pp (name registered with NetVolante DNS) # Note 1
    pp enable 1
VPN (IPsec)
    tunnel select 1
    ipsec tunnel 1
    ipsec sa policy 1 1 esp 3des-cbc sha-hmac # Note 2
    ipsec ike keepalive log 1 off
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.2.1
    ipsec ike pre-shared-key 1 text hoge # Note 2
    ipsec ike remote address 1 (the peer router's NetVolante DNS name)
    ipsec ike hash 1 sha # Note 2
    tunnel enable 1
    ipsec auto refresh on
Inbound filters
    ip filter source-route on
    ip filter directed-broadcast on
    # 1001-1006: block Windows RPC, NetBIOS and SMB in both directions on the WAN side
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    # 1007: drop packets arriving from the Internet that spoof a LAN source address
    ip inbound filter 1007 reject-nolog 192.168.2.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 1
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 1
Policy filters
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.2.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.2.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 1140 pass-nolog * pp1 * * *
    ip policy filter 1500 reject-nolog pp* * * * *
    ip policy filter 1520 pass-log * lan1 * * 101
    # 1530 / 1750: let IKE and ESP reach the router itself from the WAN side, and leave it toward the WAN
    ip policy filter 1530 static-pass-nolog * local * * 104
    ip policy filter 1600 reject-nolog tunnel* * * * *
    ip policy filter 1630 pass-nolog * tunnel* * * *
    ip policy filter 1640 pass-nolog * local * * *
    ip policy filter 1650 pass-nolog * lan1 * * *
    ip policy filter 1680 reject-nolog * pp* * * *
    ip policy filter 1700 pass-nolog local * * * *
    ip policy filter 1710 static-pass-nolog * lan1 * * *
    ip policy filter 1750 static-pass-nolog * pp* * * 104
    ip policy filter 2000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
    ip policy filter set enable 101
NAT
    nat descriptor type 1 masquerade
    # deliver inbound IKE (UDP 500) and ESP to the router's own address rather than to a LAN host
    nat descriptor masquerade static 1 1 192.168.2.1 udp 500
    nat descriptor masquerade static 1 2 192.168.2.1 esp
DNS
    dns server (DNS server address assigned by ISP2)
    dns private address spoof on
[Explanation of the notes]

Note 1:
Registering a name with NetVolante DNS

  1. Setting the name
    First select the PP interface concerned by running:
    pp select 1
    Then set the hostname to register by running:
    netvolante-dns hostname host pp HOSTNAME
    Replace HOSTNAME with the name you want to register.
  2. Registering with NetVolante DNS
    Run:
    netvolante-dns go pp 1
    The router now registers itself with NetVolante DNS.
    On success a domain name such as HOSTNAME.aa0.netvolante.jp is returned.
    Record this name; it is what the peer router enters in ipsec ike remote address.
    When asked whether to save the changed configuration, enter 'y' to confirm.

Note 2:
These lines set the IPsec VPN parameters: the encryption and integrity algorithms of the SA (ipsec sa policy), the IKE hash, and the pre-shared key. All of them must be identical on both routers, otherwise IKE negotiation fails and the tunnel never comes up.
Two caveats about the values in this example. First, 3des-cbc and sha-hmac (HMAC-SHA-1) for the SA, and sha (SHA-1) for the IKE hash, are legacy algorithms; where both routers' firmware supports AES and SHA-256 (for example aes256-cbc and sha256-hmac in ipsec sa policy), prefer those, and check the command reference of your firmware revision for the exact keywords. Second, hoge is only a placeholder: use a long random pre-shared key, and keep in mind that the key appears in clear text in the configuration listing (as it does on this page), so treat exported configurations as secrets.
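As a consistency check for note 2 and for the routing sections, here is an added Python helper; it is not part of the Yamaha page or firmware. It parses the tunnel-relevant lines out of both routers' configuration text, verifies that the two ends mirror each other (same SA policy, IKE hash and pre-shared key; each side routes the peer's LAN into tunnel 1 and binds IKE to its own lan1 address), and flags the legacy settings used in this example. The two embedded configuration excerpts are constructed from the listings above, and the names site1.aa0.netvolante.jp and site2.aa0.netvolante.jp are placeholders.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpts of the two site configurations above: only the lines the checker reads.
SITE1_CFG = """
ip route default gateway pp 1
ip route 192.168.2.0/24 gateway tunnel 1
ip lan1 address 192.168.1.1/24
ipsec sa policy 1 1 esp 3des-cbc sha-hmac
ipsec ike local address 1 192.168.1.1
ipsec ike pre-shared-key 1 text hoge
ipsec ike remote address 1 site2.aa0.netvolante.jp
ipsec ike hash 1 sha
"""
SITE2_CFG = """
ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.2.1/24
ipsec sa policy 1 1 esp 3des-cbc sha-hmac
ipsec ike local address 1 192.168.2.1
ipsec ike pre-shared-key 1 text hoge
ipsec ike remote address 1 site1.aa0.netvolante.jp
ipsec ike hash 1 sha
"""

# Legacy algorithm keywords this page uses, mapped to their common names.
LEGACY_SA = {"des-cbc": "DES", "3des-cbc": "3DES", "md5-hmac": "HMAC-MD5", "sha-hmac": "HMAC-SHA-1"}
LEGACY_IKE_HASH = {"md5": "MD5", "sha": "SHA-1"}
PLACEHOLDER_KEYS = {"hoge", "fuga", "password", "secret", "test"}


@dataclass
class Site:
    lan_addr: str = ""                                    # the router's own lan1 address
    lan_net: str = ""                                     # lan1 subnet, e.g. 192.168.1.0/24
    routes: dict[str, str] = field(default_factory=dict)  # destination -> gateway
    sa_policy: tuple[str, ...] = ()                       # (proto, cipher, integrity) of "ipsec sa policy"
    ike_hash: str = ""
    ike_local: str = ""
    psk: str = ""


def parse_site(text: str) -> Site:
    """Pull the tunnel-relevant settings out of RTX configuration text."""
    s = Site()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip lan1 address (\S+)", line):
            s.lan_addr = m[1].split("/")[0]
            s.lan_net = str(ipaddress.ip_interface(m[1]).network)
        elif m := re.fullmatch(r"ip route (\S+) gateway (.+)", line):
            s.routes[m[1]] = m[2]
        elif m := re.fullmatch(r"ipsec sa policy \d+ \d+ (\S+) (\S+) (\S+)", line):
            s.sa_policy = (m[1], m[2], m[3])
        elif m := re.fullmatch(r"ipsec ike hash \d+ (\S+)", line):
            s.ike_hash = m[1]
        elif m := re.fullmatch(r"ipsec ike local address \d+ (\S+)", line):
            s.ike_local = m[1]
        elif m := re.fullmatch(r"ipsec ike pre-shared-key \d+ text (\S+)", line):
            s.psk = m[1]
    return s


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """ERROR findings stop the tunnel or its traffic; WARN findings are weak but working settings."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    out: list[str] = []
    # Note 2 on the page: SA policy, IKE hash and pre-shared key must be identical on both ends.
    if a.sa_policy != b.sa_policy:
        out.append(f"ERROR sa policy differs: {a.sa_policy} vs {b.sa_policy}")
    if a.ike_hash != b.ike_hash:
        out.append(f"ERROR ike hash differs: {a.ike_hash} vs {b.ike_hash}")
    if a.psk != b.psk:
        out.append("ERROR pre-shared keys differ")
    # Each site must route the peer's LAN into tunnel 1 and bind IKE to its own lan1 address.
    for name, me, peer in (("site1", a, b), ("site2", b, a)):
        if me.routes.get(peer.lan_net) != "tunnel 1":
            out.append(f"ERROR {name}: no 'ip route {peer.lan_net} gateway tunnel 1'")
        if me.ike_local != me.lan_addr:
            out.append(f"ERROR {name}: ike local address {me.ike_local} is not lan1 address {me.lan_addr}")
    # Weak-setting warnings, checked on side A (side B matches it unless an ERROR above says otherwise).
    for alg in a.sa_policy[1:]:
        if alg in LEGACY_SA:
            out.append(f"WARN sa policy uses legacy {alg} ({LEGACY_SA[alg]})")
    if a.ike_hash in LEGACY_IKE_HASH:
        out.append(f"WARN ike hash uses legacy {a.ike_hash} ({LEGACY_IKE_HASH[a.ike_hash]})")
    if a.psk.lower() in PLACEHOLDER_KEYS or len(a.psk) < 20:
        out.append("WARN pre-shared key is a placeholder or shorter than 20 characters")
    return out


if __name__ == "__main__":
    for finding in check_pair(SITE1_CFG, SITE2_CFG):
        print(finding)
```

Run against the two listings as printed on this page, the helper reports no ERROR lines (the two sites mirror each other) and four WARN lines: 3des-cbc, sha-hmac, the IKE hash sha, and the placeholder key hoge. Changing the key or the tunnel route on one side only turns the corresponding check into an ERROR, which is the failure a practitioner would otherwise only discover from a tunnel that never comes up.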
