Cycle N' Craft


Building a VPN between my home and my parents' house with IX2015 routers

Posted on Fri 15 May 2015 (updated 2018-07-25) in computing

I wanted to set up a VPN between my home and my parents' house, so I bought a pair of NEC IX2015 routers, which are widely available second-hand. The product was discontinued some time ago, so firmware updates have stopped as well. If it works out, I would like to move to something like the IX2105.

Until now I had been using a ten-year-old BUFFALO BHR-4RV, but the number of devices on my home network has grown and it seemed to be consuming far more sessions than before; now and then I did notice some sluggishness. Since this is the gigabit era anyway, I was researching a router replacement and came across the IX2015, a business-class router.

It does not support gigabit, but it has been deployed in large numbers, mainly by government offices, so it has a solid track record. On top of that, plenty of off-lease units are on the market, and at auction they can be had from around 500 yen. Even if you insist on the latest firmware and on the serial cable used for configuration being included, about 1,500 yen is more than enough. Rather than buying an IX2105 straight away, I brought these in as a trial.

Configuration points

My home is on an NTT-type fiber line with a non-fixed IP address. My parents' house is on an AU-type fiber line whose IP address is effectively fixed. So I built the IPsec network treating the parents' side as the fixed-IP-address end.

The home LAN has two segments: one for the computers connected by wire, and one for the networked appliances that connect over wireless. Whether they really need to be separated is debatable, but that is how it is for now.

The parents' LAN likewise has two segments: the in-house network and a network for the public-facing server.

At each site I built in settings that allowed things like SSH for connectivity testing. After using it for a while with no problems, I closed the extra open ports again.

For the configuration, the quickest route is to refer to the command reference and the collection of configuration examples that NEC publishes. Reading the configuration examples carefully in particular deepened my understanding considerably.

Next I am considering bridging the two sites together as a single Ethernet segment. It would make things like the file server easier to use.

Home config

! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 8.3.49, RELEASE SOFTWARE
! Compiled Nov 25-Fri-2011 10:29:23 JST #1
! Current time Apr 16-Thu-2015 22:48:27 JST
!
hostname ix2015-1
timezone +09 00
!
syslog ip host 192.168.11.5
!
username admin password plain パスワード administrator
!
ntp ip enable
ntp server 133.243.238.242 priority 50
ntp server 131.107.1.10 priority 40
ntp server 210.173.160.27 priority 30
ntp server 210.173.160.57 priority 20
ntp server 210.173.162.106 priority 10
ntp retry 3
ntp interval 3600
!
logging buffered 4096
logging subsystem all error
logging subsystem ike debug
logging subsystem sec debug
logging timestamp datetime
!
ip ufs-cache max-entries 13000
ip ufs-cache enable
ip route default FastEthernet0/1.1 
ip route 192.168.12.0/24 Tunnel0.0
ip dhcp enable
ip access-list all-block deny ip src any dest any
ip access-list all-forward permit ip src any dest any
ip access-list block-illegal deny ip src 0.0.0.0/8 dest any
ip access-list block-illegal deny ip src 10.0.0.0/8 dest any
ip access-list block-illegal deny ip src 127.0.0.0/8 dest any
ip access-list block-illegal deny ip src 169.254.0.0/16 dest any
ip access-list block-illegal deny ip src 172.16.0.0/12 dest any
ip access-list block-illegal deny ip src 192.0.2.0/24 dest any
ip access-list block-illegal deny ip src 192.168.0.0/16 dest any
ip access-list block-illegal deny ip src 224.0.0.0/4 dest any
ip access-list block-netbios deny tcp src any sport any dest any dport eq 135
ip access-list block-netbios deny udp src any sport any dest any dport eq 135
ip access-list block-netbios deny tcp src any sport eq 135 dest any dport any
ip access-list block-netbios deny udp src any sport eq 135 dest any dport any
ip access-list block-netbios deny tcp src any sport any dest any dport range 137 139
ip access-list block-netbios deny udp src any sport any dest any dport range 137 139
ip access-list block-netbios deny tcp src any sport range 137 139 dest any dport any
ip access-list block-netbios deny udp src any sport range 137 139 dest any dport any
ip access-list block-netbios deny tcp src any sport any dest any dport eq 445
ip access-list block-netbios deny udp src any sport any dest any dport eq 445
ip access-list block-netbios deny tcp src any sport eq 445 dest any dport any
ip access-list block-netbios deny udp src any sport eq 445 dest any dport any
ip access-list console-list permit ip src 192.168.11.0/24 dest 192.168.11.1/32
ip access-list ipsec-host-0 permit ip src 192.168.11.0/24 dest 192.168.12.0/24 
ip access-list local-forward permit ip src 192.168.11.0/24  dest any
ip access-list pass-aapl  permit tcp  src any sport any     dest any dport eq 4488
ip access-list pass-icmp  permit icmp src any               dest any
ip access-list pass-ike   permit udp  src any sport any     dest any dport eq 500
ip access-list pass-ipsec permit 50   src any               dest any
ip access-list pass-ipsec permit 51   src any               dest any
ip access-list pass-ntp   permit udp  src any sport any     dest any dport eq 123
ip access-list pass-pop3  permit tcp  src any sport any     dest any dport eq 110
ip access-list pass-pptp  permit tcp  src any sport any     dest any dport eq 1723
ip access-list pass-pptp  permit tcp  src any sport eq 1723 dest any dport any
ip access-list pass-pptp  permit 47   src any               dest any
ip access-list pass-smtp  permit tcp  src any sport any     dest any dport eq 25
ip access-list pass-smtp  permit tcp  src any sport any     dest any dport eq 587
ip access-list pass-snmp  permit udp  src any sport any     dest any dport eq 161
ip access-list pass-ssh   permit tcp  src any sport any     dest any dport eq 22
ip access-list pass-tcp   permit tcp  src any sport any     dest any dport any
ip access-list pass-udp   permit udp  src any sport any     dest any dport any
ip access-list pass-xbox  permit udp  src any sport any     dest any dport eq 3074
ip access-list dynamic out-net dns src any dest any
ip access-list dynamic out-net ftp src any dest any
ip access-list dynamic out-net http src any dest any
ip access-list dynamic out-net sip src any dest any
ip access-list dynamic out-net telnet src any dest any
ip access-list dynamic out-net access pass-aapl
ip access-list dynamic out-net access pass-icmp
ip access-list dynamic out-net access pass-ike
ip access-list dynamic out-net access pass-ipsec
ip access-list dynamic out-net access pass-ntp 
ip access-list dynamic out-net access pass-pop3
ip access-list dynamic out-net access pass-pptp
ip access-list dynamic out-net access pass-smtp
ip access-list dynamic out-net access pass-snmp
ip access-list dynamic out-net access pass-ssh
ip access-list dynamic out-net access pass-tcp 
ip access-list dynamic out-net access pass-udp 
ip access-list dynamic out-net access pass-xbox
!
arp auto-refresh
!
! Phase 1 (IKEv1): 3DES / SHA-1 / DH 1024-bit with a pre-shared key in aggressive mode,
! the home side identifying itself by keyid since its address is not fixed (legacy parameters)
ike proposal ike-proposal-0 encryption 3des hash sha group 1024-bit lifetime 3600
!
ike policy ike-policy-0 peer 実家IPアドレス key パスワード mode aggressive ike-proposal-0
ike keepalive ike-policy-0 10 3
ike local-id ike-policy-0 keyid ix-router
ike suppress-dangling ike-policy-0
!
ipsec autokey-proposal ipsec-prop-0 esp-3des esp-sha lifetime time 1800
ipsec local-id ike-policy-0 192.168.11.0/24
ipsec remote-id ike-policy-0 192.168.12.0/24
ipsec autokey-map ipsec-map-0 ipsec-host-0 peer 実家IPアドレス ipsec-prop-0
!
ip name-server DNS-SERVER-IP-1
ip name-server DNS-SERVER-IP-2
ip name-server 8.8.8.8
dns cache enable
dns cache max-records 2048
!
proxy-dns ip enable
proxy-dns ip query-response 20
proxy-dns ip query-retries 3
proxy-dns ip query-interval 1
proxy-dns server DNS-SERVER-IP-1 priority 50
proxy-dns server DNS-SERVER-IP-2 priority 40
proxy-dns server 8.8.8.8 priority 30
!
telnet-server ip enable
telnet-server ip access-list console-list 
!
!
ppp profile ntt
  authentication myname IPSアカウント
  authentication password IPSアカウント パスワード
  exit
!
ip dhcp profile 自宅LAN-1
  assignable-range 192.168.11.16 192.168.11.56
  subnet-mask 255.255.255.0
  default-gateway 192.168.11.1
  dns-server DNS-SERVER-IP-1 DNS-SERVER-IP-2
  lease-time 28800
  exit
!
ip dhcp profile 自宅LAN-2
  assignable-range 192.168.11.80 192.168.11.119
  subnet-mask 255.255.255.0
  default-gateway 192.168.11.1
  dns-server DNS-SERVER-IP-1 DNS-SERVER-IP-2
  lease-time 14400
  exit
!
!
interface FastEthernet0/0.0
  description local network 自宅LAN-1
  ip address 192.168.11.1/24
  ip proxy-arp
  no shutdown
  exit
!
interface FastEthernet0/1.0
  description internet pppoe via ntt
  no ip address
  shutdown
  exit
!
interface FastEthernet1/0.0
  description local network 自宅LAN-2
  no ip address
  ip dhcp binding 自宅LAN-2
  ip proxy-arp
  no shutdown
  exit
!
interface FastEthernet0/1.1
  encapsulation pppoe
  auto-connect
  ppp binding ntt
  ip address ipcp
  ip napt enable
  ip napt translation max-entries 65000
  ip napt translation max-entries per-address 6500
  ip napt static FastEthernet0/1.1 udp 500
  ip napt static FastEthernet0/1.1 50
  ip napt static 192.168.11.80 tcp 22
  ip napt service SRVSSH 192.168.11.80 none tcp 22
  ip filter block-illegal 10 in
  ip filter block-netbios 20 in
  ip filter pass-ike 110 in
  ip filter pass-ipsec 120 in
  ip filter pass-ssh 1000 in
  ip filter all-block 65000 in
  ip filter out-net 10 out
  ip filter all-block 65000 out
  no shutdown
  exit
!
!
interface Tunnel0.0
  description tunnel from 自宅LAN-1 to 実家LAN-1
  tunnel mode ipsec
  ip unnumbered FastEthernet0/0.0
  ip tcp adjust-mss auto
  ip mtu 1382
  ipsec policy tunnel ipsec-map-0 out
  no shutdown
  exit
!

Parents' house config

! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 8.3.49, RELEASE SOFTWARE
! Compiled Nov 25-Fri-2011 10:29:23 JST #1
! Last updated Apr 12-Sun-2015 15:54:46 JST
!
hostname ix2015-2
timezone +09 00
!
username admin password plain パスワード administrator
!
ntp ip enable
ntp server 133.243.238.242 priority 50
ntp server 131.107.1.10 priority 40
ntp server 210.173.160.27 priority 30
ntp server 210.173.160.57 priority 20
ntp server 210.173.162.106 priority 10
ntp retry 3
ntp interval 3600
!
logging buffered 4096
logging subsystem all error
logging subsystem ike debug
logging subsystem sec debug
logging timestamp datetime
!
ip ufs-cache max-entries 13000
ip ufs-cache enable
ip route default 192.168.107.1 
ip route 192.168.11.0/24 Tunnel0.0
ip dhcp enable
ip access-list all-block deny ip src any dest any
ip access-list all-forward permit ip src any dest any
ip access-list block-illegal deny ip src 0.0.0.0/8 dest any
ip access-list block-illegal deny ip src 10.0.0.0/8 dest any
ip access-list block-illegal deny ip src 127.0.0.0/8 dest any
ip access-list block-illegal deny ip src 169.254.0.0/16 dest any
ip access-list block-illegal deny ip src 172.16.0.0/12 dest any
ip access-list block-illegal deny ip src 192.0.2.0/24 dest any
ip access-list block-illegal deny ip src 192.168.0.0/16 dest any
ip access-list block-illegal deny ip src 224.0.0.0/4 dest any
ip access-list block-netbios deny tcp src any sport any dest any dport eq 135
ip access-list block-netbios deny udp src any sport any dest any dport eq 135
ip access-list block-netbios deny tcp src any sport eq 135 dest any dport any
ip access-list block-netbios deny udp src any sport eq 135 dest any dport any
ip access-list block-netbios deny tcp src any sport any dest any dport range 137 139
ip access-list block-netbios deny udp src any sport any dest any dport range 137 139
ip access-list block-netbios deny tcp src any sport range 137 139 dest any dport any
ip access-list block-netbios deny udp src any sport range 137 139 dest any dport any
ip access-list block-netbios deny tcp src any sport any dest any dport eq 445
ip access-list block-netbios deny udp src any sport any dest any dport eq 445
ip access-list block-netbios deny tcp src any sport eq 445 dest any dport any
ip access-list block-netbios deny udp src any sport eq 445 dest any dport any
ip access-list console-list permit ip src 192.168.12.0/24   dest 192.168.12.1/32
ip access-list console-list permit ip src 192.168.11.0/24   dest 192.168.12.1/32
ip access-list ipsec-host-0 permit ip src 192.168.12.0/24 dest 192.168.11.0/24 
ip access-list local-forward permit ip src 192.168.12.0/24  dest any
ip access-list local-forward permit ip src 192.168.14.0/24  dest any
ip access-list local-separate deny ip  src 192.168.14.0/24  dest 192.168.12.0/24
ip access-list pass-aapl  permit tcp  src any sport any     dest any dport eq 4488
ip access-list pass-icmp  permit icmp src any               dest any
ip access-list pass-ike   permit udp  src any sport any     dest any dport eq 500
ip access-list pass-ipsec permit 50   src any               dest any
ip access-list pass-ipsec permit 51   src any               dest any
ip access-list pass-ntp   permit udp  src any sport any     dest any dport eq 123
ip access-list pass-pop3  permit tcp  src any sport any     dest any dport eq 110
ip access-list pass-pptp  permit tcp  src any sport any     dest any dport eq 1723
ip access-list pass-pptp  permit tcp  src any sport eq 1723 dest any dport any
ip access-list pass-pptp  permit 47   src any               dest any
ip access-list pass-smtp  permit tcp  src any sport any     dest any dport eq 25
ip access-list pass-smtp  permit tcp  src any sport any     dest any dport eq 587
ip access-list pass-snmp  permit udp  src any sport any     dest any dport eq 161
ip access-list pass-ssh   permit tcp  src any sport any     dest any dport eq 22
ip access-list pass-tcp   permit tcp  src any sport any     dest any dport any
ip access-list pass-udp   permit udp  src any sport any     dest any dport any
ip access-list pass-xbox  permit udp  src any sport any     dest any dport eq 3074
ip access-list dynamic out-net dns src any dest any
ip access-list dynamic out-net ftp src any dest any
ip access-list dynamic out-net http src any dest any
ip access-list dynamic out-net sip src any dest any
ip access-list dynamic out-net telnet src any dest any
ip access-list dynamic out-net access pass-aapl
ip access-list dynamic out-net access pass-icmp
ip access-list dynamic out-net access pass-ike
ip access-list dynamic out-net access pass-ipsec
ip access-list dynamic out-net access pass-ntp 
ip access-list dynamic out-net access pass-pop3
ip access-list dynamic out-net access pass-pptp
ip access-list dynamic out-net access pass-smtp
ip access-list dynamic out-net access pass-snmp
ip access-list dynamic out-net access pass-ssh
ip access-list dynamic out-net access pass-tcp 
ip access-list dynamic out-net access pass-udp 
ip access-list dynamic out-net access pass-xbox
!
arp auto-refresh
!
! Phase 1 (IKEv1): 3DES / SHA-1 / DH 1024-bit with a pre-shared key in aggressive mode;
! the policy below accepts the home router from any address ("peer any") because its IP is not fixed (legacy parameters)
ike proposal ike-proposal-0 encryption 3des hash sha group 1024-bit lifetime 3600
!
ike policy ike-policy-0 peer any key パスワード mode aggressive ike-proposal-0
ike keepalive ike-policy-0 10 3
ike local-id ike-policy-0 keyid ix-router
ike suppress-dangling ike-policy-0
!
ipsec autokey-proposal ipsec-prop-0 esp-3des esp-sha lifetime time 1800
ipsec local-id ike-policy-0 192.168.12.0/24
ipsec remote-id ike-policy-0 192.168.11.0/24
ipsec dynamic-map ipsec-map-0 ipsec-host-0 ipsec-prop-0
!
ip name-server DNS-SERVER-IP-3
ip name-server DNS-SERVER-IP-4
ip name-server 8.8.8.8
!
proxy-dns ip enable
proxy-dns ip query-response 20
proxy-dns ip query-retries 3
proxy-dns ip query-interval 1
proxy-dns server DNS-SERVER-IP-3 priority 50
proxy-dns server DNS-SERVER-IP-4 priority 40
proxy-dns server 8.8.8.8 priority 30
dns cache enable
dns cache max-records 2048
!
telnet-server ip access-list console-list 
telnet-server ip enable
!
!
ip dhcp profile 実家LAN-1
  assignable-range 192.168.12.32 192.168.12.64
  subnet-mask 255.255.255.0
  default-gateway 192.168.12.1
  dns-server DNS-SERVER-IP-3 DNS-SERVER-IP-4
  lease-time 14400
  exit
!
ip dhcp profile 実家LAN-2
  assignable-range 192.168.14.32 192.168.14.64
  subnet-mask 255.255.255.0
  default-gateway 192.168.14.1
  dns-server DNS-SERVER-IP-3 DNS-SERVER-IP-4
  lease-time 14400
  exit
!
!
interface FastEthernet0/0.0
  description local network 実家LAN2
  ip address 192.168.14.1/24
  ip proxy-arp
  no shutdown
  exit
!
interface FastEthernet0/1.0
  description internet pppoe via au hikari
  ip address 192.168.107.2/24
  ip tcp adjust-mss auto
  ip napt enable
  ip napt translation max-entries 65000
  ip napt translation max-entries per-address 6500
  ip napt static FastEthernet0/1.0 udp 500
  ip napt static FastEthernet0/1.0 50
  ip napt static 192.168.12.35 tcp 22
  ip napt service ssh 192.168.12.35 none tcp 22
  ip napt service SRVSSH 192.168.12.35 none tcp 22
  ip filter block-illegal 10 in
  ip filter block-netbios 20 in
  ip filter pass-ike 110 in
  ip filter pass-ipsec 120 in
  ip filter pass-ssh 1000 in
  ip filter local-forward 10000 in
  ip filter all-forward 60000 in
  ip filter all-block 65000 in
  ip filter out-net 10 out
  ip filter pass-ssh 1000 out
  ip filter local-forward 60000 out
  ip filter all-block 65000 out
  no shutdown
  exit
!
interface FastEthernet1/0.0
  description local network 実家LAN1
  ip address 192.168.12.1/24
  ip dhcp binding 実家LAN-1
  ip proxy-arp
  no shutdown
  exit
!
!
interface Tunnel0.0
  description tunnel from 実家LAN-1 to 自宅LAN-1
  tunnel mode ipsec
  ip unnumbered FastEthernet1/0.0
  ip tcp adjust-mss auto
  ip mtu 1382
  ipsec policy tunnel ipsec-map-0 out
  no shutdown
  exit
!
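As an added example (not code from the post or from NEC), a small static check over an IX-style running config: it reports any "ip filter" line that names an access list which is never defined (a misspelt name on a WAN interface is an easy slip that leaves the intended traffic undropped) and lists the legacy IKE/IPsec parameters in use (3DES, DH 1024-bit, aggressive mode with a PSK) so they stand out when moving to a model whose firmware offers stronger ones. The config excerpt inside is constructed, with a placeholder PSK.

```python
"""Static checks over an NEC IX-style running config (added example, not from the post)."""
import re

# Constructed excerpt modelled on the two configs above; the misspelt filter
# name on the WAN interface is left in deliberately so the check has a hit.
SAMPLE_CONFIG = """\
ip access-list all-block deny ip src any dest any
ip access-list block-illegal deny ip src 10.0.0.0/8 dest any
ip access-list pass-ike permit udp src any sport any dest any dport eq 500
ip access-list dynamic out-net access pass-ike
ike proposal ike-proposal-0 encryption 3des hash sha group 1024-bit lifetime 3600
ike policy ike-policy-0 peer any key PLACEHOLDER-PSK mode aggressive ike-proposal-0
ipsec autokey-proposal ipsec-prop-0 esp-3des esp-sha lifetime time 1800
interface FastEthernet0/1.0
  ip filter block-illegallan 10 in
  ip filter pass-ike 110 in
  ip filter out-net 10 out
  ip filter all-block 65000 in
  exit
"""

# Legacy parameters: IKEv1 aggressive mode with a PSK, DES/3DES, MD5, DH modulus <= 1024 bits.
LEGACY_TOKENS = {"des", "3des", "md5", "768-bit", "1024-bit", "aggressive"}

def defined_acls(config):
    """Names declared by 'ip access-list [dynamic] <name> ...' lines."""
    return {m.group(1) for m in re.finditer(r"^ip access-list (?:dynamic )?(\S+)", config, re.M)}

def dangling_filters(config):
    """'ip filter <name>' references whose <name> has no access-list definition.
    Such a filter is not doing the job its name suggests, so the traffic it was
    meant to drop is decided by whatever else sits in the filter chain."""
    referenced = {m.group(1) for m in re.finditer(r"^\s*ip filter (\S+)", config, re.M)}
    return sorted(referenced - defined_acls(config))

def legacy_crypto(config):
    """(object name, legacy tokens) for each ike/ipsec proposal or policy line."""
    hits = []
    for line in config.splitlines():
        if line.startswith(("ike proposal ", "ike policy ", "ipsec autokey-proposal ")):
            words = line.split()
            # ESP transforms are written esp-3des / esp-sha; drop the prefix before matching
            bare = [w[4:] if w.startswith("esp-") else w for w in words]
            found = sorted(w for w in bare if w in LEGACY_TOKENS)
            if found:
                hits.append((words[2], found))
    return hits

if __name__ == "__main__":
    print(dangling_filters(SAMPLE_CONFIG), legacy_crypto(SAMPLE_CONFIG))
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG to check a real unit; the two checks only read text and change nothing on the router.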