Connecting four sites


This topology illustrates an Internet VPN configuration example that covers several types of connection.
Site 1 connects over PPPoE and does not have a fixed IP address.
Site 2 connects over CATV and obtains its IP address via DHCP.
Site 3 connects over ADSL and the router itself is assigned a private address, so it sits behind the ISP's NAT.
A CATV service that assigns a private address uses the same settings.
Site 4 is an example of an IPsec client on a LAN connecting to the center;
in this case RTX800(4) must be configured to pass IKE and ESP through to the client (the static masquerade entries for udp 500 and esp that point at the client PC, 192.168.4.2).
Site 5 is an IPsec client connected directly to the Internet.

In this configuration example, YMS-VPN1 is assumed as the IPsec client. Because the spokes' addresses change, the RTX1200 accepts IKE from any address (ipsec ike remote address N any) and identifies each peer by its name and pre-shared key, so each site gets its own key and the keys should be long and random.

RTX1200 configuration example


LAN interface settings:
ip lan1 address 192.168.0.1/24
ip lan3 address 192.168.10.1/24
WAN interface settings:
ip lan2 address (IP address provided by ISP6)
ip lan2 nat descriptor 1
ip route default gateway (gateway address provided by ISP6)
NAT settings:
nat descriptor type 1 masquerade
nat descriptor address outer 1 (global address 1)
nat descriptor masquerade static 1 1 192.168.0.1 udp 500
nat descriptor masquerade static 1 2 192.168.0.1 esp
nat descriptor masquerade static 1 3 192.168.0.1 udp 4500
nat descriptor masquerade static 1 4 192.168.10.2 tcp www
DHCP settings:
dhcp service server
dhcp scope 1 192.168.0.2-192.168.0.100/24
DNS settings:
dns server (DNS server IP address specified by ISP6)
dns private address spoof on
VPN (IPsec) settings (common):
ipsec auto refresh on
VPN (IPsec) settings (site 1):
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 any
ipsec ike remote name 1 kyoten1
ipsec ike keepalive use 1 on
ipsec ike local address 1 192.168.0.1
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.1.0/24 gateway tunnel 1
VPN (IPsec) settings (site 2):
ipsec ike pre-shared-key 2 text (password 2)
ipsec ike remote address 2 any
ipsec ike remote name 2 kyoten2
ipsec ike keepalive use 2 on
ipsec ike local address 2 192.168.0.1
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
tunnel select 2
ipsec tunnel 102
ipsec ike hash 2 sha
tunnel enable 2
ip route 192.168.2.0/24 gateway tunnel 2
VPN (IPsec) settings (site 3):
ipsec ike pre-shared-key 3 text (password 3)
ipsec ike remote address 3 any
ipsec ike remote name 3 kyoten3
ipsec ike keepalive use 3 on
ipsec ike local address 3 192.168.0.1
ipsec ike nat-traversal 3 on # Note 1
ipsec sa policy 103 3 esp 3des-cbc sha-hmac
tunnel select 3
ipsec tunnel 103
ipsec ike hash 3 sha
tunnel enable 3
ip route 192.168.3.0/24 gateway tunnel 3
VPN (IPsec) settings (site 4):
ipsec ike encryption 4 aes-cbc
ipsec ike group 4 modp1024
ipsec ike pre-shared-key 4 text (password 4)
ipsec ike remote address 4 any
ipsec ike remote name 4 ("Name of this client" as set in YMS-VPN1)
ipsec ike local address 4 192.168.0.1
ipsec sa policy 104 4 esp aes-cbc sha-hmac
tunnel select 4
ipsec tunnel 104
ipsec ike hash 4 sha
tunnel enable 4
ip route 192.168.14.0/24 gateway tunnel 4 # Note 2
VPN (IPsec) settings (site 5):
ipsec ike encryption 5 aes-cbc
ipsec ike group 5 modp1024
ipsec ike pre-shared-key 5 text (password 5)
ipsec ike remote address 5 any
ipsec ike remote name 5 ("Name of this client" as set in YMS-VPN1)
ipsec ike local address 5 192.168.0.1
ipsec sa policy 105 5 esp aes-cbc sha-hmac
tunnel select 5
ipsec tunnel 105
ipsec ike hash 5 sha
tunnel enable 5
ip route 192.168.5.1 gateway tunnel 5 # Note 2
Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.0.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp udp/4500
ip policy filter 1 reject-nolog lan3 * * * *
ip policy filter 2 pass-nolog * lan3 * 192.168.10.2 www
ip policy filter 3 pass-nolog * lan3 * 192.168.10.2 telnet
ip policy filter 4 static-pass-nolog * lan3 * * *
ip policy filter 5 pass-nolog * lan3 * * *
ip policy filter 6 static-pass-nolog * local * * *
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 2300 reject-nolog tunnel* * * * *
ip policy filter 2330 pass-nolog * tunnel* * * *
ip policy filter 2340 pass-nolog * local * * *
ip policy filter 2350 pass-nolog * lan1 * * *
ip policy filter 2360 reject-nolog * lan2 * * *
ip policy filter 2400 pass-nolog local * * * *
ip policy filter 2410 static-pass-nolog * lan1 * * *
ip policy filter 2430 static-pass-nolog * lan2 * * 104
ip policy filter 2600 pass-nolog * lan2 * * *
ip policy filter 2650 reject-nolog lan2 * * * *
ip policy filter 2660 static-pass-nolog * local * * 104
ip policy filter 2670 pass-log * lan1 * * 101
ip policy filter 3000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 3 1130] 2650 [2670 2 2660] 1 [6] 2300 [2340 2350 2360 5 2330] 2400 [2410 2430 4] 3000
ip policy filter set enable 101
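
The filter set above is hierarchical: the filters inside a pair of brackets are consulted only when the filter in front of them matched, and if none of them matches, the action of that parent applies. That is why 1100 (reject everything from lan1) can be followed by pass children, and why filter 3 (telnet to the DMZ server) is reachable only from the LAN side while an Internet host trying the same thing falls back to 2650's reject. The following Python script is an added example, not Yamaha code: it implements that evaluation rule over the RTX1200 policy lines and answers "which filter decides this flow?" for flows in this topology. The service-name table, the reading of the bracket syntax as a tree, and the sample flows (203.0.113.10 stands in for an Internet host) are assumptions; the unreferenced Mail and Any groups are left out of the embedded input.

```python
import fnmatch
import ipaddress
import shlex

# Policy filter lines taken from the RTX1200 example above (constructed input;
# the unreferenced Mail and Any groups are left out).
RTX1200_POLICY = """
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.0.0/24
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 104 name=IPsec ike esp udp/4500
ip policy filter 1 reject-nolog lan3 * * * *
ip policy filter 2 pass-nolog * lan3 * 192.168.10.2 www
ip policy filter 3 pass-nolog * lan3 * 192.168.10.2 telnet
ip policy filter 4 static-pass-nolog * lan3 * * *
ip policy filter 5 pass-nolog * lan3 * * *
ip policy filter 6 static-pass-nolog * local * * *
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 2300 reject-nolog tunnel* * * * *
ip policy filter 2330 pass-nolog * tunnel* * * *
ip policy filter 2340 pass-nolog * local * * *
ip policy filter 2350 pass-nolog * lan1 * * *
ip policy filter 2360 reject-nolog * lan2 * * *
ip policy filter 2400 pass-nolog local * * * *
ip policy filter 2410 static-pass-nolog * lan1 * * *
ip policy filter 2430 static-pass-nolog * lan2 * * 104
ip policy filter 2600 pass-nolog * lan2 * * *
ip policy filter 2650 reject-nolog lan2 * * * *
ip policy filter 2660 static-pass-nolog * local * * 104
ip policy filter 2670 pass-log * lan1 * * 101
ip policy filter 3000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 3 1130] 2650 [2670 2 2660] 1 [6] 2300 [2340 2350 2360 5 2330] 2400 [2410 2430 4] 3000
"""

# Assumed mapping of the service keywords on this page to protocol/port strings.
SERVICE_NAMES = {"www": {"tcp/80"}, "http": {"tcp/80"}, "telnet": {"tcp/23"},
                 "dns": {"udp/53", "tcp/53"}, "pop3": {"tcp/110"}, "smtp": {"tcp/25"},
                 "ike": {"udp/500"}, "esp": {"esp"}}
_IF = lambda pat, actual: fnmatch.fnmatchcase(actual, pat)            # 'tunnel*', 'pp1', ...
_ADDR = lambda pat, actual: ipaddress.ip_address(actual) in ipaddress.ip_network(pat, strict=False)
_SVC = lambda pat, actual: actual in SERVICE_NAMES.get(pat, {pat})    # or a literal 'udp/4500'


class PolicyFilterSet:
    def __init__(self, config_text):
        self.if_groups, self.addr_groups, self.svc_groups, self.filters, self.tree = {}, {}, {}, {}, []
        for line in config_text.splitlines():
            t = shlex.split(line.replace("[", " [ ").replace("]", " ] "))
            if t[:4] == ["ip", "policy", "filter", "set"]:
                if t[4] != "enable":
                    self.tree = self._parse_set(t[6:])     # tokens after the set id and name=
            elif t[:3] == ["ip", "policy", "filter"]:
                self.filters[t[3]] = tuple(t[4:10])        # action src_if dst_if src dst service
            elif t[:3] == ["ip", "policy", "interface"]:
                self.if_groups[t[4]] = t[6:]
            elif t[:3] == ["ip", "policy", "address"]:
                self.addr_groups[t[4]] = t[6:]
            elif t[:3] == ["ip", "policy", "service"]:
                self.svc_groups[t[4]] = t[6:]              # may be empty ("Open Services")

    @staticmethod
    def _parse_set(tokens):
        """Turn '1100 [ 1110 1123 ] 2650 ...' into nested [(id, children), ...]."""
        stack = [[]]
        for tok in tokens:
            if tok == "[":
                stack.append(stack[-1][-1][1])   # descend into the preceding node's children
            elif tok == "]":
                stack.pop()
            else:
                stack[-1].append((tok, []))
        return stack[0]

    def _match(self, groups, pat, actual, leaf):
        # '*' matches anything; a group id expands to its members; otherwise leaf test.
        if pat == "*":
            return True
        if pat in groups:
            return any(self._match(groups, m, actual, leaf) for m in groups[pat])
        return leaf(pat, actual)

    def evaluate(self, src_if, dst_if, src, dst, service, nodes=None):
        """Return (filter_id, action) deciding a flow, or None if no filter matches."""
        for fid, children in (self.tree if nodes is None else nodes):
            action, s_if, d_if, s_ad, d_ad, svc = self.filters[fid]
            if (self._match(self.if_groups, s_if, src_if, _IF)
                    and self._match(self.if_groups, d_if, dst_if, _IF)
                    and self._match(self.addr_groups, s_ad, src, _ADDR)
                    and self._match(self.addr_groups, d_ad, dst, _ADDR)
                    and self._match(self.svc_groups, svc, service, _SVC)):
                # Children are consulted only under a matching parent; when none of
                # them matches, the parent's own action (e.g. 1100's reject) applies.
                return self.evaluate(src_if, dst_if, src, dst, service, children) or (fid, action)
        return None


if __name__ == "__main__":
    pf = PolicyFilterSet(RTX1200_POLICY)
    # Internet -> DMZ telnet: filter 3 hangs under 1100 (LAN side), so 2650 rejects it.
    print(pf.evaluate("lan2", "lan3", "203.0.113.10", "192.168.10.2", "tcp/23"))
```

dst_if is the interface the router would forward the packet out of after routing, or local for traffic addressed to the router itself (for the hub's own IKE after the masquerade static, that is lan2 to local, udp/500, which 2660 passes). The evaluator ignores connection state, so it does not distinguish pass from static-pass and says nothing about reply packets; it answers only which rule a new flow hits.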

RTX800(1) configuration example


LAN interface settings:
ip lan1 address 192.168.1.1/24
WAN (ISP1) interface settings:
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname (ISP1 connection ID) (ISP1 connection password)
ppp lcp mru on 1454
ppp ipcp msext on
ppp ipcp ipaddress on
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
ip route default gateway pp 1
NAT settings:
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.1.1 udp 500
nat descriptor masquerade static 1 2 192.168.1.1 esp
VPN (IPsec) settings (common):
ipsec auto refresh on
VPN (IPsec) settings:
ipsec ike keepalive use 1 on
ipsec ike local address 1 192.168.1.1
ipsec ike local name 1 kyoten1
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 (global address 1)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.0.0/24 gateway tunnel 1
DHCP settings:
dhcp service server
dhcp scope 1 192.168.1.2-192.168.1.100/24
DNS settings:
dns server (DNS server IP address specified by ISP1)
dns private address spoof on
Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.1.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1
Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.1.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.1.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101

RTX800(2) configuration example


LAN interface settings:
ip lan1 address 192.168.2.1/24
WAN (ISP2) interface settings:
ip lan2 address dhcp
ip lan2 nat descriptor 1
ip route default gateway dhcp lan2
NAT settings:
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor masquerade static 1 1 192.168.2.1 udp 500
nat descriptor masquerade static 1 2 192.168.2.1 esp
VPN (IPsec) settings (common):
ipsec auto refresh on
VPN (IPsec) settings:
ipsec ike keepalive use 1 on
ipsec ike local address 1 192.168.2.1
ipsec ike local name 1 kyoten2
ipsec ike pre-shared-key 1 text (password 2)
ipsec ike remote address 1 (global address 1)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.0.0/24 gateway tunnel 1
DHCP settings:
dhcp service server
dhcp scope 1 192.168.2.2-192.168.2.100/24
DNS settings:
dns server dhcp lan2
dns private address spoof on
Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.2.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.2.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.2.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1660 reject-nolog * lan2 * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1730 static-pass-nolog * lan2 * * 104
ip policy filter 1900 pass-nolog * lan2 * * *
ip policy filter 1950 reject-nolog lan2 * * * *
ip policy filter 1960 static-pass-nolog * local * * 104
ip policy filter 1970 pass-log * lan1 * * 101
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1900 1130] 1950 [1970 1960] 1600 [1640 1650 1660 1630] 1700 [1710 1730] 2000
ip policy filter set enable 101

RTX800(3) configuration example


LAN interface settings:
ip lan1 address 192.168.3.1/24
WAN interface settings:
ip lan2 address dhcp
ip lan2 nat descriptor 1
ip route default gateway dhcp lan2
NAT settings:
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor masquerade static 1 1 192.168.3.1 udp 500
nat descriptor masquerade static 1 2 192.168.3.1 esp
nat descriptor masquerade static 1 3 192.168.3.1 udp 4500
VPN (IPsec) settings (common):
ipsec auto refresh on
VPN (IPsec) settings:
ipsec ike keepalive use 1 on
ipsec ike local name 1 kyoten3
ipsec ike pre-shared-key 1 text (password 3)
ipsec ike remote address 1 (global address 1)
ipsec ike nat-traversal 1 on
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
tunnel select 1
ipsec tunnel 101
ipsec ike hash 1 sha
tunnel enable 1
ip route 192.168.0.0/24 gateway tunnel 1
DHCP settings:
dhcp service server
dhcp scope 1 192.168.3.2-192.168.3.100/24
DNS settings:
dns server dhcp lan2
dns private address spoof on

RTX800(4) configuration example


LAN interface settings:
ip lan1 address 192.168.4.1/24
WAN (ISP4) interface settings:
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname (ISP4 connection ID) (ISP4 connection password)
ppp lcp mru on 1454
ppp ipcp msext on
ppp ipcp ipaddress on
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
ip route default gateway pp 1
NAT settings:
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.4.2 udp 500
nat descriptor masquerade static 1 2 192.168.4.2 esp
DHCP settings:
dhcp service server
dhcp scope 1 192.168.4.3-192.168.4.100/24
DNS settings:
dns server (DNS server IP address specified by ISP4)
dns private address spoof on
Inbound filter settings:
ip filter source-route on
ip filter directed-broadcast on
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.4.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1
Policy filter settings:
ip policy interface group 101 name=Private local lan1
ip policy address group 101 name=Private 192.168.4.0/24
ip policy address group 102 name=Any *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy service group 104 name=IPsec ike esp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.4.0/24 * http
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1530 static-pass-nolog * local * * 104
ip policy filter 1600 reject-nolog tunnel* * * * *
ip policy filter 1630 pass-nolog * tunnel* * * *
ip policy filter 1640 pass-nolog * local * * *
ip policy filter 1650 pass-nolog * lan1 * * *
ip policy filter 1680 reject-nolog * pp* * * *
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 1750 static-pass-nolog * pp* * * 104
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
ip policy filter set enable 101
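
The two halves of each tunnel above have to agree on several things at once: the name the spoke sends (ipsec ike local name) must equal the hub's ipsec ike remote name for that gateway, the pre-shared key and the SA algorithms must match, NAT traversal must be on at both ends when the spoke sits behind NAT (Note 1), and the masquerade statics for udp 500, esp and, with NAT traversal, udp 4500 must point at the address the router uses as ipsec ike local address. The following Python script is an added example, not Yamaha code: it parses these commands from excerpts of the RTX1200 and RTX800(3) settings above (placeholders such as (password 3) are compared as literal text) and reports mismatches, plus advisory warnings for 3des-cbc, sha / sha-hmac and small DH groups, which this page's examples still use. The SPOKE3_BROKEN variant is constructed to show what a dropped NAT-T static and a mistyped name look like; the command parsing is a simplification of the RT-series syntax and ignores commands it does not know.

```python
"""Consistency lint for the hub/spoke IPsec settings on this page (an added
example, not Yamaha code; RT-series commands it does not recognise are ignored)."""
from collections import defaultdict

# Algorithm keywords treated as legacy; reported as warnings, not errors.
LEGACY = {"des-cbc", "3des-cbc", "md5", "md5-hmac", "sha", "sha-hmac", "modp768", "modp1024"}
IPSEC_STATICS = {"udp/500", "esp", "udp/4500"}   # what a masquerade must forward for IKE/ESP


def parse(cfg):
    """Return (ike, sa, statics) collected from a config text."""
    ike = defaultdict(dict)   # gateway id -> {"remote name": "kyoten3", "nat-traversal": "on", ...}
    sa, statics = {}, set()
    for raw in cfg.splitlines():
        t = raw.split("#")[0].split()          # drop trailing '# Note' comments
        if t[:2] == ["ipsec", "ike"]:
            i = next((k for k, x in enumerate(t) if k > 1 and x.isdigit()), None)  # gateway id
            if i:
                ike[t[i]][" ".join(t[2:i])] = " ".join(t[i + 1:])
        elif t[:3] == ["ipsec", "sa", "policy"] and len(t) >= 8:
            sa[t[3]] = (t[4], t[6], t[7])      # policy id -> (gateway id, encryption, auth)
        elif t[:4] == ["nat", "descriptor", "masquerade", "static"]:
            statics.add(("/".join(t[7:]), t[6]))   # ("udp/500", inside address)
    return ike, sa, statics


def lint(cfg, label):
    """Single-router checks; returns a list of finding strings."""
    ike, sa, statics = parse(cfg)
    out = []
    local_addrs = {g["local address"] for g in ike.values() if "local address" in g}
    for proto, inside in statics:
        if proto in IPSEC_STATICS and local_addrs and inside not in local_addrs:
            out.append(f"{label}: masquerade static for {proto} targets {inside}, not an ipsec ike local address")
    for gw, g in ike.items():
        if g.get("remote address") == "any" and "remote name" not in g:
            out.append(f"{label}: gateway {gw} accepts any peer address but sets no remote name")
        if g.get("nat-traversal") == "on" and not any(p == "udp/4500" for p, _ in statics):
            out.append(f"{label}: gateway {gw} has NAT traversal on but no masquerade static for udp 4500")
        for key in ("encryption", "hash", "group"):
            if g.get(key) in LEGACY:
                out.append(f"{label}: gateway {gw} ike {key} {g[key]} is a legacy algorithm")
    for pol, (_, enc, auth) in sa.items():
        out += [f"{label}: sa policy {pol} uses legacy algorithm {a}" for a in (enc, auth) if a in LEGACY]
    return out


def check_pair(hub_cfg, hub_gw, spoke_cfg, spoke_gw="1"):
    """Cross-checks between hub gateway hub_gw and the spoke's gateway spoke_gw."""
    h_ike, h_sa, _ = parse(hub_cfg)
    s_ike, s_sa, _ = parse(spoke_cfg)
    h, s = h_ike[hub_gw], s_ike[spoke_gw]
    out = []
    if h.get("remote name") != s.get("local name"):
        out.append(f"name mismatch: hub expects {h.get('remote name')!r}, spoke sends {s.get('local name')!r}")
    if h.get("pre-shared-key") != s.get("pre-shared-key"):
        out.append("pre-shared keys differ")
    if (h.get("nat-traversal") == "on") != (s.get("nat-traversal") == "on"):
        out.append("NAT traversal is enabled on one side only")
    h_alg = {v[1:] for v in h_sa.values() if v[0] == hub_gw}
    s_alg = {v[1:] for v in s_sa.values() if v[0] == spoke_gw}
    if h_alg != s_alg:
        out.append(f"sa policy algorithms differ: hub {sorted(h_alg)} vs spoke {sorted(s_alg)}")
    return out


# Excerpts of the RTX1200 (site 3 part) and RTX800(3) settings shown on this page.
HUB = """
nat descriptor masquerade static 1 1 192.168.0.1 udp 500
nat descriptor masquerade static 1 2 192.168.0.1 esp
nat descriptor masquerade static 1 3 192.168.0.1 udp 4500
ipsec ike pre-shared-key 3 text (password 3)
ipsec ike remote address 3 any
ipsec ike remote name 3 kyoten3
ipsec ike local address 3 192.168.0.1
ipsec ike nat-traversal 3 on
ipsec sa policy 103 3 esp 3des-cbc sha-hmac
ipsec ike hash 3 sha
"""
SPOKE3 = """
nat descriptor masquerade static 1 1 192.168.3.1 udp 500
nat descriptor masquerade static 1 2 192.168.3.1 esp
nat descriptor masquerade static 1 3 192.168.3.1 udp 4500
ipsec ike local name 1 kyoten3
ipsec ike pre-shared-key 1 text (password 3)
ipsec ike remote address 1 (global address 1)
ipsec ike nat-traversal 1 on
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike hash 1 sha
"""
# Deliberately broken spoke (constructed): udp 4500 static dropped with NAT-T still on, name mistyped.
SPOKE3_BROKEN = (SPOKE3.replace("nat descriptor masquerade static 1 3 192.168.3.1 udp 4500\n", "")
                 .replace("kyoten3", "kyoten03"))

if __name__ == "__main__":
    for f in lint(HUB, "RTX1200") + lint(SPOKE3_BROKEN, "RTX800(3)") + check_pair(HUB, "3", SPOKE3_BROKEN):
        print(f)
```

Run it over exported configurations of both ends before enabling a tunnel; on the page's own excerpts the only findings are the legacy-algorithm warnings, which are advisory: where both ends support AES and SHA-2, prefer them over the 3des-cbc / sha-hmac settings shown here.
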
■About IPsec clients

A Yamaha IPsec client software product is under consideration for release in the near future.
Once the release is decided, it will be introduced on this website.

[Explanation of notes]

Note 1:
This setting is for the NAT traversal case, where the router's WAN side holds a private address and sits behind the ISP's NAT (site 3).

Note 2:
The route points at the virtual IP address configured for the PC in YMS-VPN1.
