# # L2TP/IPsecを使用したリモートアクセス (IPoE 固定IP1契約(OCNバーチャルコネクトを利用)) : Web GUI設定 # # # 本社 ルーター # ip route default gateway tunnel 1 ipv6 route default gateway dhcp lan2 ipv6 prefix 1 dhcp-prefix@lan2::/64 ipv6 source address selection rule lifetime ip lan1 address 192.168.100.1/24 ip lan1 proxyarp on ipv6 lan1 address dhcp-prefix@lan2::1/64 ipv6 lan1 prefix change log on ipv6 lan1 rtadv send 1 o_flag=on ipv6 lan1 dhcp service server switch control use lan1 on terminal=on description lan2 provider1 ip lan2 address dhcp ipv6 lan2 address dhcp ipv6 lan2 secure filter in 101000 101001 101002 101003 ipv6 lan2 secure filter out 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099 ipv6 lan2 dhcp service client ngn type lan2 ntt pp select anonymous pp bind tunnel2-tunnel4 pp auth request mschap-v2 pp auth username (PPPユーザー名1) (PPPパスワード1) pp auth username (PPPユーザー名2) (PPPパスワード2) pp auth username (PPPユーザー名3) (PPPパスワード3) ppp ipcp ipaddress on ppp ipcp msext on ppp ccp type none ip pp remote address pool dhcp ip pp mtu 1258 pp enable anonymous tunnel select 1 tunnel encapsulation map-e tunnel map-e type ocn ip tunnel mtu 1460 ip tunnel secure filter in 400003 400020 400021 400022 400023 400024 400025 400030 400032 400100 400101 400102 400103 ip tunnel secure filter out 400013 400020 400021 400022 400023 400024 400025 400026 400027 400099 dynamic 400080 400081 400082 400083 400084 400085 400098 400099 ip tunnel nat descriptor 20000 tunnel enable 1 tunnel select 2 tunnel encapsulation l2tp ipsec tunnel 1 ipsec sa policy 1 1 esp aes-cbc sha-hmac ipsec ike keepalive use 1 off ipsec ike nat-traversal 1 on ipsec ike pre-shared-key 1 text (事前共有鍵) ipsec ike remote address 1 any l2tp tunnel disconnect time off ip tunnel tcp mss limit auto tunnel enable 2 tunnel select 3 tunnel encapsulation l2tp ipsec tunnel 2 ipsec sa policy 2 2 esp aes-cbc sha-hmac ipsec ike keepalive use 2 off ipsec ike nat-traversal 2 on ipsec ike pre-shared-key 2 text (事前共有鍵) ipsec ike remote address 2 any l2tp tunnel disconnect time off ip tunnel tcp mss limit auto tunnel enable 3 tunnel select 4 tunnel encapsulation l2tp ipsec tunnel 3 ipsec sa policy 3 3 esp aes-cbc sha-hmac ipsec ike keepalive use 3 off ipsec ike nat-traversal 3 on ipsec ike pre-shared-key 3 text (事前共有鍵) ipsec ike remote address 3 any l2tp tunnel disconnect time off ip tunnel tcp mss limit auto tunnel enable 4 ip filter 400000 reject 10.0.0.0/8 * * * * ip filter 400001 reject 172.16.0.0/12 * * * * ip filter 400002 reject 192.168.0.0/16 * * * * ip filter 400003 reject 192.168.100.0/24 * * * * ip filter 400010 reject * 10.0.0.0/8 * * * ip filter 400011 reject * 172.16.0.0/12 * * * ip filter 400012 reject * 192.168.0.0/16 * * * ip filter 400013 reject * 192.168.100.0/24 * * * ip filter 400020 reject * * udp,tcp 135 * ip filter 400021 reject * * udp,tcp * 135 ip filter 400022 reject * * udp,tcp netbios_ns-netbios_ssn * ip filter 400023 reject * * udp,tcp * netbios_ns-netbios_ssn ip filter 400024 reject * * udp,tcp 445 * ip filter 400025 reject * * udp,tcp * 445 ip filter 400026 restrict * * tcpfin * www,21,nntp ip filter 400027 restrict * * tcprst * www,21,nntp ip filter 400030 pass * 192.168.100.0/24 icmp * * ip filter 400031 pass * 192.168.100.0/24 established * * ip filter 400032 pass * 192.168.100.0/24 tcp * ident ip filter 400033 pass * 192.168.100.0/24 tcp ftpdata * ip filter 400034 pass * 192.168.100.0/24 tcp,udp * domain ip filter 400035 pass * 192.168.100.0/24 udp domain * ip filter 400036 pass * 192.168.100.0/24 udp * ntp ip filter 400037 pass * 192.168.100.0/24 udp ntp * ip filter 400099 pass * * * * * ip filter 400100 pass * 192.168.100.1 udp * 500 ip filter 400101 pass * 192.168.100.1 esp ip filter 400102 pass * 192.168.100.1 udp * 4500 ip filter 400103 pass * 192.168.100.1 udp * 1701 ip filter 500000 restrict * * * * * ip filter dynamic 400080 * * ftp ip filter dynamic 400081 * * domain ip filter dynamic 400082 * * www ip filter dynamic 400083 * * smtp ip filter dynamic 400084 * * pop3 ip filter dynamic 400085 * * submission ip filter dynamic 400098 * * tcp ip filter dynamic 400099 * * udp nat descriptor type 20000 masquerade nat descriptor address outer 20000 map-e nat descriptor masquerade static 20000 1 192.168.100.1 udp 500 nat descriptor masquerade static 20000 2 192.168.100.1 esp nat descriptor masquerade static 20000 3 192.168.100.1 udp 4500 nat descriptor masquerade static 20000 4 192.168.100.1 udp 1701 ipsec auto refresh on ipsec transport 2 1 udp 1701 ipsec transport 3 2 udp 1701 ipsec transport 4 3 udp 1701 ipv6 filter 101000 pass * * icmp6 * * ipv6 filter 101001 pass * * tcp * ident ipv6 filter 101002 pass * * udp * 546 ipv6 filter 101003 pass * * 4 ipv6 filter 101099 pass * * * * * ipv6 filter dynamic 101080 * * ftp ipv6 filter dynamic 101081 * * domain ipv6 filter dynamic 101082 * * www ipv6 filter dynamic 101083 * * smtp ipv6 filter dynamic 101084 * * pop3 ipv6 filter dynamic 101085 * * submission ipv6 filter dynamic 101098 * * tcp ipv6 filter dynamic 101099 * * udp telnetd host lan dhcp service server dhcp server rfc2131 compliant except remain-silent dhcp scope 1 192.168.100.2-192.168.100.191/24 dhcp client release linkdown on dns host lan1 dns service fallback on dns server dhcp lan2 dns server select 500000 dhcp lan2 any . dns private address spoof on schedule at 1 startup * lua emfs:/ocn_map_e.lua l2tp service on sip use on statistics traffic on embedded file ocn_map_e.lua < 0) then tmp, hostname = string.split(str[1], "=") end while true do count = 1 while hostname do req_t.url = string.format("%s?hostname=%s", SERVER_URL, hostname) rt.sleep(2) res_t = rt.httprequest(req_t) logger("Notified IPv6 address to the address resolution server.") if res_t.rtn1 then if res_t.code == 200 then if string.match(res_t.body, "good") or string.match(res_t.body, "nochg") or string.match(res_t.body, "nohost") then log = string.format("Succeeded to notify IPv6 address to the address resolution server. (code=%d)", res_t.code) logger(log) break end end log = string.format("Failed to notify IPv6 address to the address resolution server. (code=%d)", res_t.code) logger(log) else logger("Not response from the address resolution server.") end sleep_time = retry_timer(60, count) if (sleep_time > 3600) then sleep_time = 3600 else count = count * 2 end rt.sleep(sleep_time) end sleep_time = math.random(43200, 86400) rtn, str = rt.syslogwatch(PTN, 1, sleep_time) if (rtn > 0) and string.match(str[1], LOG_PTN2) then tmp, hostname = string.split(str[1], "=") elseif (rtn > 0) and string.match(str[1], LOG_PTN1) then rt.sleep(5) end end EOF