# # L2TP/IPsecを使用したリモートアクセス : FWX120 Web GUI設定 # ip route default gateway pp 1 filter 500000 gateway pp 1 ip lan1 address 192.168.100.1/24 ip lan1 proxyarp on provider type isdn-terminal provider filter routing connection provider lan1 name LAN: provider lan2 name PPPoE/0/1/5/0/0/0: pp select 1 pp name PRV/1/1/5/0/0/0: pp keepalive interval 30 retry-interval=30 count=12 pp always-on on pppoe use lan2 pppoe auto disconnect off pp auth accept pap chap pp auth myname (ISPに接続するID) (ISPに接続するパスワード) ppp lcp mru on 1454 ppp ipcp ipaddress on ppp ipcp msext on ppp ccp type none ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1099 ip pp nat descriptor 1000 netvolante-dns hostname host pp server=1 (NetvolanteDNSに設定した名前) pp enable 1 provider set 1 provider dns server pp 1 1 provider select 1 pp select anonymous pp name vpn pp bind tunnel1-tunnel3 pp auth request chap-pap pp auth username (PPPユーザー名1) (PPPパスワード1) pp auth username (PPPユーザー名2) (PPPパスワード2) pp auth username (PPPユーザー名3) (PPPパスワード3) ppp ipcp ipaddress on ppp ipcp msext on ip pp remote address pool 192.168.100.200-192.168.100.210 ip pp mtu 1258 pp enable anonymous tunnel select 1 tunnel encapsulation l2tp ipsec tunnel 1 ipsec sa policy 1 1 esp aes-cbc sha-hmac ipsec ike keepalive log 1 off ipsec ike keepalive use 1 off ipsec ike nat-traversal 1 on ipsec ike pre-shared-key 1 text (事前共有鍵) ipsec ike remote address 1 any l2tp tunnel auth off l2tp keepalive use on ip tunnel tcp mss limit auto tunnel enable 1 tunnel select 2 tunnel encapsulation l2tp ipsec tunnel 2 ipsec sa policy 2 2 esp aes-cbc sha-hmac ipsec ike keepalive log 2 off ipsec ike keepalive use 2 off ipsec ike nat-traversal 2 on ipsec ike pre-shared-key 2 text (事前共有鍵) ipsec ike remote address 2 any l2tp tunnel auth off l2tp keepalive use on ip tunnel tcp mss limit auto tunnel enable 2 tunnel select 3 tunnel encapsulation l2tp ipsec tunnel 3 ipsec sa policy 3 3 esp aes-cbc sha-hmac ipsec ike keepalive log 3 off ipsec ike keepalive use 3 off ipsec ike nat-traversal 3 on ipsec ike pre-shared-key 3 text (事前共有鍵) ipsec ike remote address 3 any l2tp tunnel auth off l2tp keepalive use on ip tunnel tcp mss limit auto tunnel enable 3 ip filter 500000 restrict * * * * * ip inbound filter 1001 reject-nolog * * tcp,udp * 135 ip inbound filter 1002 reject-nolog * * tcp,udp 135 * ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn * ip inbound filter 1005 reject-nolog * * tcp,udp * 445 ip inbound filter 1006 reject-nolog * * tcp,udp 445 * ip inbound filter 1007 reject-nolog 192.168.100.0/24 * * * * ip inbound filter 1099 pass-nolog * * * * * ip policy interface group 101 name=Private local lan1 ip policy address group 101 name=Private 192.168.100.0/24 ip policy address group 102 name=Any * ip policy service group 101 name="Open Services" ip policy service group 102 name=General dns ip policy service group 103 name=Mail pop3 smtp submission ip policy service group 111 name=L2TP-NAT-T ike esp l2tp ipsec-nat-t ip policy filter 1100 reject-nolog lan1 * * * * ip policy filter 1110 pass-nolog * * * * 102 ip policy filter 1122 static-pass-nolog * lan1 * * * ip policy filter 1123 static-pass-nolog * local * * * ip policy filter 1124 static-pass-log * * 192.168.100.0/24 * http ip policy filter 1130 pass-nolog * tunnel* * * * ip policy filter 1140 pass-nolog * ppanonymous * * * ip policy filter 1150 pass-nolog * pp1 * * * ip policy filter 1500 reject-nolog pp* * * * * ip policy filter 1520 pass-log * lan1 * * 101 ip policy filter 1560 static-pass-nolog * local * * 111 ip policy filter 1600 reject-nolog tunnel* * * * * ip policy filter 1610 pass-nolog * 101 * * * ip policy filter 1630 pass-nolog * tunnel* * * * ip policy filter 1660 reject-nolog * pp* * * * ip policy filter 1700 pass-nolog local * * * * ip policy filter 1710 static-pass-nolog * lan1 * * * ip policy filter 1750 static-pass-nolog * pp* * * 111 ip policy filter 3000 reject-nolog * * * * * ip policy filter 9300 reject-nolog ppanonymous * * * * ip policy filter 9301 pass-nolog * 101 * * * ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1150 1140 1130] 1600 [1630 1610 1660] 1500 [1520 9300 [9301] 1560] 1700 [1710 1750] 3000 ip policy filter set enable 101 nat descriptor type 1000 masquerade nat descriptor masquerade static 1000 1 192.168.100.1 udp 1701 nat descriptor masquerade static 1000 2 192.168.100.1 udp 500 nat descriptor masquerade static 1000 3 192.168.100.1 esp nat descriptor masquerade static 1000 4 192.168.100.1 udp 4500 ipsec auto refresh on ipsec transport 1 1 udp 1701 ipsec transport 2 2 udp 1701 ipsec transport 3 3 udp 1701 dhcp service server dhcp server rfc2131 compliant except remain-silent dhcp scope 1 192.168.100.2-192.168.100.191/24 dns server pp 1 dns server select 500001 pp 1 any . restrict pp 1 dns private address spoof on l2tp service on