*目標 [#qfaf9fd5]
+家庭内でVPN接続を利用する
+移動先3GからVPN接続を利用する
+みんなの家と繋ぐ
*設計 [#j56a6774]
-774宅にVPNサーバ設置
-それぞれのルータに設定
-そんくらい?
*サーバOS [#r412fbcc]
-Vyos
-EdgeOS
-Cisco
-Yamaha
*設定 [#f457853d]
** 福岡(EdgeRouter-X)用 Config [#tae65780]
 # Fukuoka site (EdgeRouter-X): route-based IPsec tunnel (vti0) to peer 49.212.160.127,
 # plus BGP AS 65234 announcing the local networks over it.
 set interfaces vti vti0 mtu '1436'
 # NOTE(review): 234.0.0.1 lies in the IPv4 multicast range (224.0.0.0/4) and is later
 # used as the BGP update-source through 'lo' -- confirm this address is intended.
 set interfaces loopback lo address '234.0.0.1/32'
 commit
 save
 set interfaces vti vti0 address '192.168.250.234/30'
 set vpn ipsec site-to-site peer 49.212.160.127 authentication mode 'pre-shared-secret'
 # NOTE(review): the pre-shared secret is 8 characters long and is published in clear
 # text on this page, with the same value in both site configs. Treat it as disclosed:
 # rotate it on both peers, use a long random value, and show only a placeholder
 # (e.g. '<PSK_PLACEHOLDER>') in the wiki.
 set vpn ipsec site-to-site peer 49.212.160.127 authentication pre-shared-secret 'Sekiken!'
 set vpn ipsec site-to-site peer 49.212.160.127 connection-type 'initiate'
 set vpn ipsec site-to-site peer 49.212.160.127 default-esp-group 'ESP_SAKURA'
 set vpn ipsec site-to-site peer 49.212.160.127 ike-group 'IKE_SAKURA'
 set vpn ipsec site-to-site peer 49.212.160.127 ikev2-reauth 'inherit'
 set vpn ipsec site-to-site peer 49.212.160.127 local-address any
 set vpn ipsec site-to-site peer 49.212.160.127 vti bind 'vti0'
 set vpn ipsec site-to-site peer 49.212.160.127 vti esp-group 'ESP_SAKURA'
 # ESP (phase 2) parameters: tunnel mode, AES-256 / SHA-256, 86400 s lifetime.
 set vpn ipsec esp-group ESP_SAKURA compression 'disable'
 set vpn ipsec esp-group ESP_SAKURA lifetime '86400'
 set vpn ipsec esp-group ESP_SAKURA mode 'tunnel'
 # NOTE(review): pfs 'dh-group2' is the 1024-bit MODP group, while the IKE proposal
 # below uses dh-group '14' (2048-bit). Raising PFS to match needs the same change on
 # the peer, whose config is not shown on this page.
 set vpn ipsec esp-group ESP_SAKURA pfs 'dh-group2'
 set vpn ipsec esp-group ESP_SAKURA proposal 1 encryption 'aes256'
 set vpn ipsec esp-group ESP_SAKURA proposal 1 hash 'sha256'
 # IKE (phase 1) parameters: DPD every 30 s with a 120 s timeout, 10800 s lifetime.
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection action 'hold'
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection interval '30'
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection timeout '120'
 set vpn ipsec ike-group IKE_SAKURA ikev2-reauth 'no'
 # NOTE(review): key-exchange is 'ikev1' combined with pre-shared-secret authentication;
 # if the peer supports IKEv2 it is the usual choice for a new tunnel -- confirm with
 # the peer side before changing.
 set vpn ipsec ike-group IKE_SAKURA key-exchange 'ikev1'
 set vpn ipsec ike-group IKE_SAKURA lifetime '10800'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 dh-group '14'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 encryption 'aes256'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 hash 'sha256'
 set vpn ipsec ipsec-interfaces interface 'eth0'
 # log-modes 'all' turns on every IPsec debug category; presumably meant for bring-up.
 # Consider narrowing it afterwards: debug output is verbose and may include sensitive
 # negotiation detail (verify against the platform documentation).
 set vpn ipsec logging log-modes 'all'
 # NOTE(review): allowed-network '0.0.0.0/0' appears to cover every network already, so
 # the more specific entry after it adds no restriction. Listing only the private
 # ranges actually expected behind NAT would be tighter.
 set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
 set vpn ipsec nat-networks allowed-network '192.168.250.0/24'
 set vpn ipsec nat-traversal 'enable'
 # NOTE(review): the BGP neighbor password is published in clear text here and the same
 # value is used for every BGP session in this listing; rotate it and show only a
 # placeholder in the wiki.
 set protocols bgp 65234 neighbor 192.168.254.2 password 'Bgp64600!'
 set protocols bgp 65234 neighbor 192.168.254.2 remote-as '64600'
 set protocols bgp 65234 neighbor 192.168.254.2 update-source 'lo'
 # Replace XX with the subnet of the LAN the EdgeRouter-X sits on (this is what the
 # author's inline note on the next line says). The inline note is not part of the command.
 set protocols bgp 65234 network '192.168.XX.0/24' ★ EdgeRouter-X がいるLANのネットワークを指定
 set protocols bgp 65234 network '192.168.250.0/24'
 set protocols bgp 65234 parameters confederation identifier '65000'
 set protocols bgp 65234 parameters confederation peers '64600'
 commit
 save
** 東京(Vyos)用 Config [#sd9ef7b3]
 # Tokyo site (VyOS): same peer (49.212.160.127) and the same ESP_SAKURA / IKE_SAKURA
 # groups as the Fukuoka config, with BGP AS 65230. No commit/save appears in this listing.
 set interfaces vti vti0 address '192.168.250.230/30'
 set interfaces vti vti0 mtu '1436'
 # 'lo' is used as update-source below, but no loopback address is set in this
 # listing -- presumably configured elsewhere; verify.
 # NOTE(review): both neighbor passwords are the clear-text value also used in the
 # Fukuoka config; rotate it and keep the real value out of the wiki.
 set protocols bgp 65230 neighbor 192.168.254.2 password 'Bgp64600!'
 set protocols bgp 65230 neighbor 192.168.254.2 remote-as '64600'
 set protocols bgp 65230 neighbor 192.168.254.2 update-source 'lo'
 set protocols bgp 65230 neighbor 192.168.250.1 password 'Bgp64600!'
 set protocols bgp 65230 neighbor 192.168.250.1 remote-as '64600'
 set protocols bgp 65230 neighbor 192.168.250.1 update-source 'lo'
 set protocols bgp 65230 network '192.168.50.0/24'
 set protocols bgp 65230 network '192.168.252.0/24'
 set protocols bgp 65230 network '192.168.254.0/24'
 set protocols bgp 65230 parameters confederation identifier '65000'
 set protocols bgp 65230 parameters confederation peers '64600'
 # The route-map 'Disable-Redist-table-1' is referenced here but not defined anywhere
 # in this listing; it has to exist before this line is committed.
 set protocols bgp 65230 redistribute static route-map 'Disable-Redist-table-1'
 set vpn ipsec esp-group ESP_SAKURA compression 'disable'
 set vpn ipsec esp-group ESP_SAKURA lifetime '86400'
 set vpn ipsec esp-group ESP_SAKURA mode 'tunnel'
 # NOTE(review): pfs 'dh-group2' is the 1024-bit MODP group; the IKE proposal below
 # uses dh-group '14'. Any change must be mirrored on the peer.
 set vpn ipsec esp-group ESP_SAKURA pfs 'dh-group2'
 set vpn ipsec esp-group ESP_SAKURA proposal 1 encryption 'aes256'
 set vpn ipsec esp-group ESP_SAKURA proposal 1 hash 'sha256'
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection action 'hold'
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection interval '30'
 set vpn ipsec ike-group IKE_SAKURA dead-peer-detection timeout '120'
 set vpn ipsec ike-group IKE_SAKURA ikev2-reauth 'no'
 # NOTE(review): IKEv1 with a pre-shared secret, as in the Fukuoka config.
 set vpn ipsec ike-group IKE_SAKURA key-exchange 'ikev1'
 set vpn ipsec ike-group IKE_SAKURA lifetime '10800'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 dh-group '14'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 encryption 'aes256'
 set vpn ipsec ike-group IKE_SAKURA proposal 1 hash 'sha256'
 set vpn ipsec ipsec-interfaces interface 'eth0'
 # Every debug category is enabled; consider narrowing after bring-up.
 set vpn ipsec logging log-modes 'all'
 # NOTE(review): '0.0.0.0/0' appears to make the two specific entries after it redundant.
 set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
 set vpn ipsec nat-networks allowed-network '192.168.250.0/24'
 set vpn ipsec nat-networks allowed-network '192.168.252.0/24'
 set vpn ipsec nat-traversal 'enable'
 set vpn ipsec site-to-site peer 49.212.160.127 authentication mode 'pre-shared-secret'
 # NOTE(review): clear-text pre-shared secret, identical to the Fukuoka one; rotate it
 # on both peers and show only a placeholder (e.g. '<PSK_PLACEHOLDER>') in the wiki.
 set vpn ipsec site-to-site peer 49.212.160.127 authentication pre-shared-secret 'Sekiken!'
 set vpn ipsec site-to-site peer 49.212.160.127 connection-type 'initiate'
 set vpn ipsec site-to-site peer 49.212.160.127 default-esp-group 'ESP_SAKURA'
 set vpn ipsec site-to-site peer 49.212.160.127 ike-group 'IKE_SAKURA'
 set vpn ipsec site-to-site peer 49.212.160.127 ikev2-reauth 'inherit'
 # local-address is a private address and nat-traversal is enabled, which suggests this
 # router sits behind NAT -- confirm against the actual topology.
 set vpn ipsec site-to-site peer 49.212.160.127 local-address '192.168.50.230'
 set vpn ipsec site-to-site peer 49.212.160.127 vti bind 'vti0'
 set vpn ipsec site-to-site peer 49.212.160.127 vti esp-group 'ESP_SAKURA'
[[SekikenWiki]]