Soliton Net’Attest EPS + AR router series L2TP+IPsec RADIUS 設定例

Transcription

1 Soliton Net Attest EPS + AR router series L2TP+IPsec RADIUS 設定例 2011/June アライドテレシス株式会社 Revision 1.1

2 1. Net Attest EPS AR VPN 2

3 AR AR (RADIUS ) Net Attest EPS iphone/ipad Android Intranet Server IP /24 Net Attest EPS AR560S 3G 3G IP /24 LAN IP /24 PPPoE IP /32 Net Attest EPS AR-Router iphone/ipad/android iphone ipad Apple Inc. iphone Android Google Inc. iphone / ipad, Android (L2TP IP Pool ) 3

4 4

5 1. AR CLI ID/» ID : manager» : friend AR415S/AR550S/AR560S/AR570S AR260S V

6 1. AR IP Security Officer 1. IP ENABLE IP 2. LAN IP ADD IP INT=VLAN1 IP= MASK= Security Officer secoff secoff ADD USER=secoff PASSWORD=secoff PRIVILEGE=SECURITYOFFICER Note - IPsec 6

7 1. AR PPP 4. WAN Ethernet eth0 PPP OVER=eth0-XXXX XXXX ISP PPPoE ISP ANY CREATE PPP=0 OVER=eth0-ANY 5. ISP PPP LQR LCP Echo PPP ISDN BAP SET PPP=0 OVER=eth0-ANY PASSWORD=isppasswd LQR=OFF BAP=OFF ECHO=ON 6. WAN ppp0 IP ADD IP INT=ppp0 IP= MASK= ADD IP ROUTE= INT=ppp0 NEXTHOP=

8 1. AR RADIUS IP 8. RADIUS ADD RADIUS SERVER= SECRET="PASSWORD" PORT= IP VPNC VPN 100 CREATE IP POOL=VPNC IP=

9 1. AR L2TP PPP TEMPLATE 10. L2TP VPN PPP PPP 1 CHAP CHAP OFF VJ IP VPNC CREATE PPP TEMPLATE=1 IPPOOL=VPNC AUTHENTICATION=CHAP BAP=OFF ECHO=30 RECHALLENGE=OFF VJC=ON 11. L2TP ENABLE L2TP 12. L2TP BOTH ENABLE L2TP SERVER=BOTH 13. L2TP VPN PPP ADD L2TP IP= PPPTEMPLATE=1 9

10 1. AR DNS 14. DNS ENABLE IP DNSRELAY 15. ISP DNS DNS IPCP ppp0 SET IP DNSRELAY INT=ppp0 10

11 1. AR DHCP Server 16. DHCP ENABLE DHCP 17. DHCP DHCP IP 3,600 1 CREATE DHCP POLI="DHCP" LEASE= DNS LAN IP DNS DNS ISP DNS ADD DHCP POLICY="DHCP" SUBNET= ROUTER= DNSSERVER= IP CREATE DHCP RAN="CLIENT" POLI="DHCP" IP= NUM=16 11

12 1. AR Firewall 20. ENABLE FIREWALL 21. CREATE FIREWALL POLICY=net 22. ICMP Ping Echo/Echo Reply Unreachable ENABLE FIREWALL POLICY=net ICMP_F=UNRE,PING Note - ICMP 23. ident SMTP ident TCP RST DISABLE FIREWALL POLICY=net IDENTPROXY 12

13 1. AR Firewall ( ) 24. VPN L2TP PPP vpnif CREATE FIREWALL POLICY=net DYNAMIC=vpnif 25. vpnif USER PPP ADD FIREWALL POLICY INTERFACE DYN-templatename templatename ANY PPP ADD FIREWALL POLICY=net DYNAMIC=vpnif USER=ANY 26. LAN vlan1 PRIVATE ADD FIREWALL POLICY=net INT=vlan1 TYPE=PRIVATE WAN ppp0 PUBLIC ADD FIREWALL POLICY=net INT=ppp0 TYPE=PUBLIC L2TP PPP vpnif PRIVATE ADD FIREWALL POLICY=net INT=DYN-vpnif TYPE=PRIVATE 13

14 1. AR Firewall ( ) 27. LAN ENAT ppp0 IP ADD FIREWALL POLICY=net NAT=ENHANCED INT=vlan1 GBLINT=ppp0 28. VPN ENAT ppp0 IP ADD FIREWALL POLICY=net NAT=ENHANCED INT=DYN-vpnif GBLINT=ppp0 29. VPN IKE UDP500 NAT-T UDP4500 ADD FIREWALL POLICY=net RULE=1 AC=ALLOW INT=ppp0 PROT=UDP GBLPORT=500 GBLIP= PORT=500 IP= ADD FIREWALL POLICY=net RULE=2 AC=ALLOW INT=ppp0 PROT=UDP GBLPORT=4500 GBLIP= PORT=4500 IP=

15 1. AR Firewall ( ) 30. IPsec ENCAP=IPSEC IPsec UDP 1701 L2TP ADD FIREWALL POLICY=net RULE=3 AC=ALLOW INT=ppp0 PROT=UDP GBLPORT=1701 GBLIP= PORT=1701 IP= ENCAP=IPSEC 15

16 1. AR ISAKMP 31. ISAKMP pre-shared key 1 secret VPN CREATE ENCO KEY=1 TYPE=GENERAL VALUE="secret" Note -CREATE ENCO KEY EDIT.CFG 32. VPN IKE ISAKMP i ISAKMP 3DES SHA Oakley 2 VPN 1 IP PEER ANY NAT-Traversal CREATE ISAKMP POLICY="i" PEER=ANY KEY=1 SENDN=TRUE NATTRAVERSAL=TRUE SET ISAKMP POLICY="i" ENCALG=3DESOUTER HASHALG=SHA GROUP=2 33. DPD SET ISAKMP POLICY="i" DPDMODE=both 16

17 1. AR IPsec 34. IPsec SA 1 ISAKMP ESP AES256bit SHA L2TP UDP1701 L2TP CREATE IPSEC SASPEC=1 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=AES256 HASHALG=SHA MODE=TRANSPORT 35. IPsec SA 2 ISAKMP ESP AES128bit SHA CREATE IPSEC SASPEC=2 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=AES128 HASHALG=SHA MODE=TRANSPORT 36. IPsec SA 3 ISAKMP ESP 3DES SHA CREATE IPSEC SASPEC=3 KEYMAN=ISAKMP PROTOCOL=ESP ENCALG=3DESOUTER HASHALG=SHA MODE=TRANSPORT 37. SA SA 1 ISAKMP CREATE IPSEC BUNDLE=1 KEYMAN=ISAKMP STRING="1 or 2 or 3" 17

18 1. AR IPsec ) 38. IKE UDP500 NAT-T UDP4500 IPsec isa nat CREATE IPSEC POLICY=isa INT=ppp0 ACTION=PERMIT LPORT=500 TRANSPORT=UDP CREATE IPSEC POLICY=nat INT=ppp0 ACTION=PERMIT LPORT=4500 TRANSPORT=UDP Note -NAT-Traversal IKE NAT-T Note - IPsec SHOW IPSEC POLICY SET IPSEC POLICY POSITION 39. L2TP IPsec L2 PPP 0 ISAKMP VPN IP PEER ISAKMP DYNAMIC BUNDLE SA 1 LPORT TRANSPORT L2TP CREATE IPSEC POLICY=L2 INT=ppp0 ACTION=IPSEC KEYMAN=ISAKMP BUNDLE=1 PEER=DYNAMIC SET IPSEC POLICY=L2 LPORT=1701 TRANSPORT=UDP 40. IPsec inet PPP 0 CREATE IPSEC POLICY="inet" INT=ppp0 ACTION=PERMIT Note- IPsec IPsec VPN 18

19 1. AR IPsec ) 41. IPsec ENABLE IPSEC 42. ISAKMP ENABLE ISAKMP 43. Security Officer LOGIN secoff 44. ENABLE SYSTEM SECURITY_MODE Note - Security Officer Telnet Security Officer Telnet RSO Remote Security Officer 45. SET CONFIG CREATE CONFIG=router.cfg SET CONFIG=router.cfg 19

20 20

21 2. Net Attest EPS Net Attest EPS IP LDAP LDAP Net Attest EPS V4.2 21

22 2. Net Attest EPS RADIUS RADIUS RADIUS AR560S RADIUS 22

23 2. Net Attest EPS RADIUS AR560S IP RADIUS RADIUS ( 7 AR560S ) 23

24 2. Net Attest EPS RADIUS 24

25 2. Net Attest EPS RADIUS 25

26 2. Net Attest EPS ID OK 26

27 27

28 3. iphone/ipad iphone 3GS/iOS

29 3-1. iphone/ipad 29

30 3-1. iphone/ipad 30

31 3-1. iphone/ipad 31

32 3-1. iphone/ipad VPN 32

33 3-1. iphone/ipad VPN VPN 33

34 3-1. iphone/ipad L2TP RSA SecureID AR_VPN (Net Attest EPS ) (Net Attest EPS ) secret 34

35 3-1. iphone/ipad 35

36 3-1. iphone/ipad AR-VPN VPN 36

37 3-1. iphone/ipad VPN 37

38 38

39 3-2. Android Galaxy Tab Android

40 3-2. Android 40

41 3-2. Android 41

42 3-2. Android VPN 42

43 3-2. Android VPN VPN 43

44 3-2. Android VPN L2TP/IPsec PSK VPN Note 44

45 3-2. Android L2TP/IPsec PSK VPN VPN IPsec L2TP DNS AR_VPN secret ( ) 45

46 3-2. Android VPN AR-VPN 46

47 3-2. Android Net Attest EPS PPP 47

48 3-2. Android AR-VPN 48

49 THANK YOU. Please visit us online at