#
# Site-to-site VPN over IPsec (IPv4 PPPoE + DHCP (using Starlink))
#
#
# Branch router (2) command configuration
#
# Role of this router, as far as this snippet shows: branch side of a single
# IPsec tunnel (tunnel 1) whose WAN address is obtained by DHCP on lan2 and whose
# peer is the HQ router at a fixed global IP. The branch LAN is 192.168.1.0/24;
# the HQ LAN reached through the tunnel is 192.168.0.0/24.
#
#
# Gateway settings
#
# Default route follows the gateway learned by DHCP on lan2.
ip route default gateway dhcp lan2
# HQ LAN is reached only through the IPsec tunnel.
ip route 192.168.0.0/24 gateway tunnel 1
#
# LAN interface settings
# (uses the LAN port)
#
ip lan1 address 192.168.1.1/24
#
# WAN interface settings
# (uses the WAN port)
#
ip lan2 address dhcp
# Inbound static filters on lan2 (evaluated in list order; a packet matching none
# of them is discarded). Applied here:
#   101003           reject packets claiming a source inside our own LAN (anti-spoof)
#   101020-101025    reject MS-RPC/NetBIOS/SMB (135, netbios_ns-netbios_ssn, 445)
#   101030           pass ICMP toward 192.168.0.0/16
#   101032           pass TCP ident toward the LAN
#   101100-101102    pass IKE (UDP 500), ESP and NAT-T (UDP 4500) to the router's
#                    own address 192.168.1.1 (see the NAT static entries below)
# NOTE(review): 101000-101002 (reject other RFC1918 source ranges) are defined but
# not applied inbound; presumably left off because the Starlink-side gateway /
# management addresses may themselves be private — confirm before enabling them.
ip lan2 secure filter in 101003 101020 101021 101022 101023 101024 101025 101030 101032 101100 101101 101102
# Outbound static filters (101013 anti-spoof, 101020-101027 Windows-service
# blocking and tcpfin/tcprst restrict, 101099 pass-all) followed by dynamic
# filters; 101098/101099 (any tcp / any udp) make the dynamic set effectively
# "allow all outbound TCP/UDP and the matching return traffic".
ip lan2 secure filter out 101013 101020 101021 101022 101023 101024 101025 101026 101027 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ip lan2 nat descriptor 200
# Link-health check: ICMP echo toward the DHCP-learned gateway on lan2
# (10 and 5 look like interval and failure count — confirm against the firmware manual).
ip keepalive 1 icmp-echo 10 5 dhcp lan2
#
# VPN (IPsec) settings
#
tunnel select 1
description tunnel kyoten
ipsec tunnel 1
# Phase 2 (ESP) algorithms are set explicitly: AES-CBC + HMAC-SHA-1. Any change
# must be mirrored on the HQ side or the SA will not negotiate.
# NOTE(review): no "ipsec ike encryption/hash/group" lines appear in this snippet,
# so Phase 1 uses firmware defaults — confirm they match HQ and current policy.
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
# Heartbeat keepalive keeps the SA up from the branch side; needed because the
# branch has a dynamic (and presumably NATed) WAN address and HQ cannot initiate.
ipsec ike keepalive use 1 on heartbeat 10 6
# The router's LAN address is the IPsec endpoint; NAT descriptor 200 maps
# IKE/ESP/NAT-T on the WAN address to it.
ipsec ike local address 1 192.168.1.1
# Branch is identified to HQ by a key-id name (the placeholder in parentheses).
ipsec ike local name 1 (拠点のID) key-id
# NAT traversal is required when the WAN address is behind carrier-side NAT.
ipsec ike nat-traversal 1 on
# Pre-shared key is entered as plaintext "text"; it must match HQ's. Use a long
# random value and treat the saved configuration as a secret.
ipsec ike pre-shared-key 1 text (本社との事前共有鍵)
# HQ's fixed global IP (placeholder); the branch always initiates toward it.
ipsec ike remote address 1 (本社の固定グローバルIPアドレス)
# Clamp TCP MSS on the tunnel to avoid fragmentation from IPsec overhead.
ip tunnel tcp mss limit auto
tunnel enable 1
#
# VPN (IPsec) settings
# (common items)
#
# Re-key SAs automatically before they expire.
ipsec auto refresh on
#
# Filter settings
#
# Filter syntax: ip filter <id> <action> <src> <dst> <proto> <src-port> <dst-port>.
# Defined but NOT referenced by the lan2 secure filter lists above, so inert in
# this configuration: 101000-101002, 101010-101012, 101031, 101033-101037, 500000.
ip filter 101000 reject 10.0.0.0/8 * * * *
ip filter 101001 reject 172.16.0.0/12 * * * *
ip filter 101002 reject 192.168.0.0/16 * * * *
ip filter 101003 reject 192.168.1.0/24 * * * *
ip filter 101010 reject * 10.0.0.0/8 * * *
ip filter 101011 reject * 172.16.0.0/12 * * *
ip filter 101012 reject * 192.168.0.0/16 * * *
ip filter 101013 reject * 192.168.1.0/24 * * *
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101025 reject * * udp,tcp * 445
ip filter 101026 restrict * * tcpfin * www,21,nntp
ip filter 101027 restrict * * tcprst * www,21,nntp
# ICMP is permitted inbound toward the whole 192.168.0.0/16, not only this LAN.
ip filter 101030 pass * 192.168.0.0/16 icmp * *
ip filter 101031 pass * 192.168.1.0/24 established * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 101033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 101034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 101035 pass * 192.168.1.0/24 udp domain *
ip filter 101036 pass * 192.168.1.0/24 udp * ntp
ip filter 101037 pass * 192.168.1.0/24 udp ntp *
# Pass-all; used only as the last static entry of the OUT list.
ip filter 101099 pass * * * * *
# IKE / ESP / NAT-T inbound to the router's own address (IPsec endpoint).
ip filter 101100 pass * 192.168.1.1 udp * 500
ip filter 101101 pass * 192.168.1.1 esp
ip filter 101102 pass * 192.168.1.1 udp * 4500
ip filter 500000 restrict * * * * *
# Dynamic (stateful) filters: outbound session opens the matching return path.
ip filter dynamic 101080 * * ftp
ip filter dynamic 101081 * * domain
ip filter dynamic 101082 * * www
ip filter dynamic 101083 * * smtp
ip filter dynamic 101084 * * pop3
ip filter dynamic 101085 * * submission
ip filter dynamic 101098 * * tcp
ip filter dynamic 101099 * * udp
#
# NAT settings
#
# Masquerade (PAT) behind the primary address of lan2.
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary
# Static port-forwards so that IKE (UDP 500), ESP and NAT-T (UDP 4500) arriving
# on the WAN address are delivered to the router itself (192.168.1.1); these
# pair with inbound filters 101100-101102.
nat descriptor masquerade static 200 1 192.168.1.1 udp 500
nat descriptor masquerade static 200 2 192.168.1.1 esp
nat descriptor masquerade static 200 3 192.168.1.1 udp 4500
#
# DHCP settings
#
dhcp service server
dhcp server rfc2131 compliant except remain-silent
# Leases .2-.191; .1 (router) and .192-.254 are left outside the pool.
dhcp scope 1 192.168.1.2-192.168.1.191/24
#
# DNS settings
#
# Serve DNS only to hosts on lan1 (presumably restricts the resolver to the LAN side).
dns host lan1
# Upstream resolvers come from the DHCP lease on lan2; 500201 forwards every
# query ("any ." ) to them.
dns server dhcp lan2
dns server select 500201 dhcp lan2 any .
# Answer reverse lookups for private address space locally instead of leaking
# them upstream.
dns private address spoof on