AT-AR1050V Command Reference 5.5.4
Note: If iOS or Android devices are among the connecting clients (any configuration other than Windows-only clients), specify an FQDN rather than an IP address.
ISP connection user name | user@isp |
ISP connection password | isppasswd |
PPPoE service name | not specified |
WAN-side IP address | 10.0.0.1/32 |
Connection type | Terminal type (address assigned dynamically) |
WAN-side physical interface | eth1 |
WAN-side (ppp0) IP address | 10.0.0.1/32 |
LAN-side (vlan1) IP address (1) | 192.168.10.1/24 |
Tunnel interface | tunnel0 (multipoint IPsec) |
Tunnel interface IP address | 192.168.20.1/24 |

Server FQDN | members.dyndns.org |
Server TCP port number | 443 |
Server connection user name | test |
Server connection password | test |
Host name | test01-native-vpn.dyndns.org |
Interface whose IP address is registered | ppp0 |

User | User name | Password | Assigned IP address |
User A | userA | passwdA | 192.168.20.2/24 |
User B | userB | passwdB | 192.168.20.3/24 |
User C | userC | passwdC | 192.168.20.4/24 |
ddns enable

Note: The update-url below contains a "?". To enter "?" from the CLI, press Ctrl/V and then type "?". Typing "?" on its own displays the CLI help instead, so take care.

ddns-update-method dyndns
 update-url https://<USERNAME>:<PASSWORD>@members.dyndns.org/nic/update?SYSTEM=dyndns&hostname=<HOST-NAME>&myip=<IPADDRESS>
 host-name test01-native-vpn.dyndns.org
 username test
 password test
 update-interval 60
 retry-interval 1
 maximum-retries 5
interface eth1
 encapsulation ppp 0

interface ppp0
 ip ddns-update-method dyndns
 ppp ipcp dns request
 keepalive
 ip address negotiated
 ppp username user@isp
 ppp password isppasswd
 ip tcp adjust-mss pmtu

interface vlan1
 ip address 192.168.10.1/24

zone private
 network lan
  ip subnet 192.168.10.0/24
  ip subnet 192.168.20.0/24

zone public
 network wan
  ip subnet 0.0.0.0/0 interface ppp0
  host ppp0
   ip address dynamic interface ppp0

application esp
 protocol 50

application isakmp
 protocol udp
 dport 500

application nat-t
 protocol udp
 dport 4500

firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit isakmp from public.wan to public.wan.ppp0
 rule 40 permit isakmp from public.wan.ppp0 to public.wan
 rule 50 permit esp from public.wan to public.wan.ppp0
 rule 60 permit esp from public.wan.ppp0 to public.wan
 rule 70 permit nat-t from public.wan to public.wan.ppp0
 rule 80 permit nat-t from public.wan.ppp0 to public.wan
 rule 90 permit https from public.wan.ppp0 to public.wan
 rule 100 permit dns from public.wan.ppp0 to public.wan
 protect

nat
 rule 10 masq any from private to public
 enable

radius-server host localhost key awplus-local-radius-server

aaa authentication isakmp default group radius

crypto pki trustpoint local
 subject-alt-name test01-native-vpn.dyndns.org
 subject-name /O=AlliedTelesis/CN=test01-native-vpn.dyndns.org

radius-server local
 server enable
 nas 127.0.0.1 key awplus-local-radius-server
 group userA
  attribute Framed-IP-Address 192.168.20.2
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 group userB
  attribute Framed-IP-Address 192.168.20.3
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 group userC
  attribute Framed-IP-Address 192.168.20.4
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 user userA password passwdA group userA
 user userB password passwdB group userB
 user userC password passwdC group userC

ip dns forwarding

crypto isakmp profile native-vpn
 version 2
 local authentication certificate
 configuration-attribute radius
 remote authentication eap-radius
 lifetime 25200
 pki trustpoint local
 transform 1 integrity SHA256 encryption AES256 group 14
 transform 2 integrity SHA256 encryption AES256 group 2

crypto isakmp peer policy tunnel0
 profile native-vpn

interface tunnel0
 tunnel local name test01-native-vpn.dyndns.org
 tunnel protection ipsec
 tunnel mode ipsec multipoint
 ip address 192.168.20.1/24
 ip tcp adjust-mss pmtu

ip route 0.0.0.0/0 ppp0

end
Save the configuration with a command of the form "copy running-config startup-config":

awplus# copy running-config startup-config ↓
Building configuration...
[OK]

awplus# write memory ↓
Building configuration...
[OK]

awplus(config)# log buffered level informational facility local5 ↓

awplus# show log | include Firewall ↓

awplus# no crypto pki enroll local ↓
De-enrolled the server from trustpoint "local".
awplus# crypto pki enroll local ↓
Using private key "server-default"...
Successfully enrolled the local server.

Information about the issued server certificate can be checked with the show crypto pki certificates command.

Run a command of the form "copy running-config startup-config", or use the write file or write memory command. Restart the unit with the reload or reboot command.

awplus# copy running-config startup-config ↓
Building configuration...
[OK]
awplus# reload ↓
...

awplus# crypto pki export local pem cacert.cer ↓
Copying...
Successful operation
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- ### 1 ### Set the name to whatever you like, it is used in the profile list on the device -->
  <key>PayloadDisplayName</key>
  <string>native-vpn</string>
  <!-- ### 2 ### This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
  <key>PayloadIdentifier</key>
  <string>dut.example.com</string>
  <!-- ### 3 ### A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it, or a tool like https://www.uuidgenerator.net/ -->
  <key>PayloadUUID</key>
  <string>6d598d21-a9d2-43e9-991f-c1677afafd41</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
    <dict>
      <!-- ### 4 ### This is an extension of the identifier given above -->
      <key>PayloadIdentifier</key>
      <string>dut.example.com.conf2</string>
      <!-- ### 5 ### A globally unique identifier for this payload -->
      <key>PayloadUUID</key>
      <string>995fb7f8-b455-42b6-9af9-fbfc3f78f403</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- ### 6 ### This is the name of the VPN connection as seen in the VPN application later -->
      <key>UserDefinedName</key>
      <string>native-vpn</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- ### 7 ### Hostname or IP address of the VPN server -->
        <key>RemoteAddress</key>
        <string>test01-native-vpn.dyndns.org</string>
        <!-- ### 8 ### Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
             IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
        <key>RemoteIdentifier</key>
        <string>test01-native-vpn.dyndns.org</string>
        <!-- ### 9 ### Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
        <key>LocalIdentifier</key>
        <string>userC</string>
        <!-- The server is authenticated using a certificate -->
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- The client uses EAP to authenticate -->
        <key>ExtendedAuthEnabled</key>
        <integer>1</integer>
        <!-- ### 10 ### User name for EAP authentication. Since iOS 9 this is optional, the user is prompted when the profile is installed -->
        <key>AuthName</key>
        <string>userC</string>
        <!-- ### 11 ### Optional password for EAP authentication, if it is not set the user is prompted when the profile is installed -->
        <key>AuthPassword</key>
        <string></string>
        <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
             IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm -->
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string><!-- Alternatives include: AES-256, AES-256-GCM, etc -->
          <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm -->
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string><!-- Alternatives include: SHA2-256, SHA2-512, etc -->
          <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup -->
          <key>DiffieHellmanGroup</key>
          <integer>14</integer><!-- Alternatives include 20, 21, 31, etc -->
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string><!-- Alternatives include: AES-256, AES-256-GCM, etc -->
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string><!-- Alternatives include: SHA2-256, SHA2-512, etc -->
          <key>DiffieHellmanGroup</key>
          <integer>14</integer><!-- Alternatives include 20, 21, 31, etc -->
        </dict>
      </dict>
    </dict>
    <!-- Provide the CA certificate too... -->
    <dict>
      <!-- ### 12 ### -->
      <key>PayloadIdentifier</key>
      <string>cacert.cer</string>
      <!-- ### 13 ### Another UUID as above, generate with uuidgen on Linux / Mac or a tool like https://www.uuidgenerator.net/ -->
      <key>PayloadUUID</key>
      <string>c6b0d13f-2aea-4420-a6f3-e4a02987ab26</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- ### 14 ### This is the Base64 (PEM) encoded CA certificate. Ensure there are no leading spaces on each line. -->
      <key>PayloadContent</key>
      <data>MIIDdDCCAlygAwIBAgIJAMiyUsFb3mfKMA0GCSqGSIb3DQEBCwUAMEoxHTAbBgNV
BAoMFEFsbGllZCBUZWxlc2lzLCBJbmMuMSkwJwYDVQQDDCBBbGxpZWRXYXJlUGx1
c0NBQTA1MDQ5MDAwMDAwMDAwMDAeFw0xNTA3MzAxMjI3NDhaFw0yNTA3MjcxMjI3
NDhaMEoxHTAbBgNVBAoMFEFsbGllZCBUZWxlc2lzLCBJbmMuMSkwJwYDVQQDDCBB
bGxpZWRXYXJlUGx1c0NBQTA1MDQ5MDAwMDAwMDAwMDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAO1PtX5iOAP8fIOwHy1Gb1D2ZnNTGDVA/6/mWE7UJCU2
RA2pk6nwcTSyKtFIHKYMW+Zfu+K07NZzoNIENwVJoPSwdI4kSAVu6NBnWvQyTd1e
yOvia6saU743p7eeiAUNOBNEFHw10wjvH0bG/8XdYZ+ZsKUroIozSKrakh0uCT/H
/luAEAwuTNRxWWyfyNKOjCfC7eunPREubyVeKhnVdjZOYJllzf7y62baxfFmmRx3
FhzYZ8fI7fgvsZXmOu648jlEJzZvB+NT2hIc6Zrr/OQdpvfpa1R1e84RYcdQpI84
QjzDkxKj5xXGR25PqIqbm1Hha49HbgGLP1RgfWfPircCAwEAAaNdMFswHQYDVR0O
BBYEFDKQyulFnc+P+cKNyoSUq2DiBCyvMB8GA1UdIwQYMBaAFDKQyulFnc+P+cKN
yoSUq2DiBCyvMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
CwUAA4IBAQDsLgLmtZTLutmwQn9IvVxMHOZt1lR55y4Ol2gaScb2qUZ8Ow8+AxXA
NfPevFPXwhs+0KwidOeJi1qrnBsbkrhea2T6AD13yHjLi+V/9xoL4QNaoP1C76e/
afYadCePY5KTcBw3J1uqZiIIZ8ZnuNLbWUEQPGoQhEwL2wbU1iQH9Xl1VfZZU477
bKgcQ/xwAn41MzH2kwbfe4iNfVhD6rcoFmFt+6x61oK/lsdyGHcJcXeR549Oaq6r
a3J7+poja/k6P95uGKNq9gYIOkyATryot917Fjby16P3THmdg/eNlHPSpEExAnW0
5ZIw3kPC6CWlYqzYGLya73Ogh66h0Qra</data>
    </dict>
  </array>
</dict>
</plist>
1 | PayloadDisplayName | Display name. Shown as the profile name in the client (iOS device) detail screen. Does not need to be unique |
2 | PayloadIdentifier | Payload identifier. Any string that does not collide with other PayloadIdentifier values on the same client |
3 | PayloadUUID | UUID (Universally Unique Identifier). A globally unique value generated with a tool |
4 | PayloadIdentifier | Payload identifier. Any string that does not collide with other PayloadIdentifier values on the same client |
5 | PayloadUUID | UUID (Universally Unique Identifier). A globally unique value generated with a tool |
6 | UserDefinedName | Name of the VPN connection as shown on the client screen |
7 | RemoteAddress | VPN destination in FQDN form. Specify the router host name registered with dynamic DNS |
8 | RemoteIdentifier | Remote identifier. Must be set to the same value as RemoteAddress (item 7) |
9 | LocalIdentifier | Local identifier. Shown as the peer when the show isakmp sa and show ipsec sa commands are run on this product |
10 | AuthName | VPN user name. Enter a user name registered on the local RADIUS server |
11 | AuthPassword | VPN user password. Leave this as an empty string; the password is entered when the configuration file is installed |
12 | PayloadIdentifier | Payload identifier. Any string that does not collide with other PayloadIdentifier values on the same client. In this example it is the file name of the local CA certificate |
13 | PayloadUUID | UUID (Universally Unique Identifier). A globally unique value generated with a tool |
14 | PayloadContent | Contents of the local CA certificate. Open the CA certificate file (cacert.cer) transferred from this product to the work PC in a text editor and copy and paste the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (the BEGIN/END lines are not included). (The CA certificate can also be displayed on screen with the terminal option of the crypto pki export pem command.) Be careful not to put a space immediately after the <data> tag or at the start of any following line |
Note: Each configuration file needs three different UUIDs (items 3, 5 and 13). Generate them with the uuidgen command included with Linux and macOS, or with another UUID generation tool.
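As an added example (not code from the Allied Telesis documentation), the script below generates the .mobileconfig shown above with the Python standard library instead of hand-editing the XML. It reads the PEM file exported by `crypto pki export local pem cacert.cer`, strips the BEGIN/END lines, generates the three distinct UUIDs (items 3, 5 and 13), writes the certificate as a `<data>` element without leading spaces (item 14), keeps RemoteIdentifier equal to RemoteAddress (item 8), leaves AuthPassword empty (item 11), and pins the client SA parameters to the router's transform 1 (AES256/SHA256/group 14) because iOS sends a single proposal. `check_profile` re-parses the output and verifies those constraints, and `ca_fingerprint` gives a SHA-256 digest to compare with the router over a trusted channel before the profile is distributed. `SAMPLE_PEM` is a constructed placeholder (a two-integer DER SEQUENCE, not a real certificate), and the function names and the output file name `native-vpn.mobileconfig` are assumptions of this example.

```python
"""Generate and sanity-check the iOS IKEv2 .mobileconfig for native-vpn.

Added example; not from the Allied Telesis documentation. Standard library only.
Assumed input: the PEM file exported from the router (cacert.cer) and the
FQDN/user name from the configuration tables on this page.
"""
import base64
import hashlib
import plistlib
import uuid

# Router proposal from `crypto isakmp profile native-vpn`, transform 1:
# integrity SHA256, encryption AES256, group 14. iOS sends one proposal only.
SERVER_TRANSFORM = {
    "EncryptionAlgorithm": "AES-256",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,
}

# Constructed placeholder standing in for cacert.cer: DER SEQUENCE { INTEGER 1,
# INTEGER 2 } = 30 06 02 01 01 02 01 02. Replace with the real exported file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAYCAQECAQI=
-----END CERTIFICATE-----
"""


def check_der(der: bytes) -> bytes:
    """Verify der is one DER SEQUENCE whose encoded length covers all bytes.

    A truncated or partially pasted certificate fails here rather than at
    profile installation time on the device.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong file or damaged paste")
    first = der[1]
    if first < 0x80:                      # short-form length
        total = 2 + first
    else:                                 # long-form length: n length bytes
        n = first & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):
        raise ValueError("DER length mismatch: certificate is truncated")
    return der


def pem_to_der(pem_text: str) -> bytes:
    """Drop BEGIN/END lines and whitespace, base64-decode, validate."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return check_der(base64.b64decode(body, validate=True))


def ca_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, for out-of-band comparison."""
    return hashlib.sha256(der).hexdigest()


def build_profile(remote_fqdn: str, username: str, ca_der: bytes,
                  display_name: str = "native-vpn",
                  identifier: str = "dut.example.com", uuids=None) -> bytes:
    """Return the .mobileconfig as XML plist bytes (three distinct UUIDs)."""
    u = list(uuids) if uuids else [str(uuid.uuid4()) for _ in range(3)]
    if len(set(u)) != 3:
        raise ValueError("the three PayloadUUID values must be distinct")
    vpn_payload = {
        "PayloadIdentifier": identifier + ".conf2",
        "PayloadUUID": u[1],
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "UserDefinedName": display_name,
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": remote_fqdn,
            "RemoteIdentifier": remote_fqdn,   # must equal RemoteAddress
            "LocalIdentifier": username,
            "AuthenticationMethod": "Certificate",
            "ExtendedAuthEnabled": 1,
            "AuthName": username,
            "AuthPassword": "",                # empty: prompted at install
            "IKESecurityAssociationParameters": dict(SERVER_TRANSFORM),
            "ChildSecurityAssociationParameters": dict(SERVER_TRANSFORM),
        },
    }
    ca_payload = {
        "PayloadIdentifier": "cacert.cer",
        "PayloadUUID": u[2],
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadContent": check_der(ca_der),  # emitted as <data>, no indentation issues
    }
    top = {
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": u[0],
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadContent": [vpn_payload, ca_payload],
    }
    return plistlib.dumps(top, fmt=plistlib.FMT_XML)


def check_profile(profile: bytes) -> dict:
    """Re-parse a profile and enforce the constraints stated on this page."""
    top = plistlib.loads(profile)
    payloads = {p["PayloadType"]: p for p in top["PayloadContent"]}
    vpn, ca = payloads["com.apple.vpn.managed"], payloads["com.apple.security.root"]
    ike = vpn["IKEv2"]
    uuids = {top["PayloadUUID"], vpn["PayloadUUID"], ca["PayloadUUID"]}
    if len(uuids) != 3:
        raise ValueError("PayloadUUID values are not distinct")
    if ike["RemoteIdentifier"] != ike["RemoteAddress"]:
        raise ValueError("RemoteIdentifier must equal RemoteAddress")
    for key in ("IKESecurityAssociationParameters",
                "ChildSecurityAssociationParameters"):
        if ike[key] != SERVER_TRANSFORM:
            raise ValueError(f"{key} does not match the router transform")
    der = check_der(ca["PayloadContent"])
    return {"remote": ike["RemoteAddress"], "user": ike["AuthName"],
            "ca_sha256": ca_fingerprint(der), "uuids": sorted(uuids)}


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    profile = build_profile("test01-native-vpn.dyndns.org", "userC", der)
    print(check_profile(profile))
    with open("native-vpn.mobileconfig", "wb") as f:
        f.write(profile)
```

Run it once per VPN user (the LocalIdentifier and AuthName change, the CA payload does not), and compare the printed `ca_sha256` against the certificate on the router before handing the file to users: a profile that installs a wrong root certificate is worse than one that fails to install.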
!
ddns enable
!
ddns-update-method dyndns
 update-url https://<USERNAME>:<PASSWORD>@members.dyndns.org/nic/update?SYSTEM=dyndns&hostname=<HOST-NAME>&myip=<IPADDRESS>
 host-name test01-native-vpn.dyndns.org
 username test
 password test
 update-interval 60
 retry-interval 1
 maximum-retries 5
!
interface eth1
 encapsulation ppp 0
!
interface ppp0
 ip ddns-update-method dyndns
 ppp ipcp dns request
 keepalive
 ip address negotiated
 ppp username user@isp
 ppp password isppasswd
 ip tcp adjust-mss pmtu
!
interface vlan1
 ip address 192.168.10.1/24
!
zone private
 network lan
  ip subnet 192.168.10.0/24
  ip subnet 192.168.20.0/24
!
zone public
 network wan
  ip subnet 0.0.0.0/0 interface ppp0
  host ppp0
   ip address dynamic interface ppp0
!
application esp
 protocol 50
!
application isakmp
 protocol udp
 dport 500
!
application nat-t
 protocol udp
 dport 4500
!
firewall
 rule 10 permit any from private to private
 rule 20 permit any from private to public
 rule 30 permit isakmp from public.wan to public.wan.ppp0
 rule 40 permit isakmp from public.wan.ppp0 to public.wan
 rule 50 permit esp from public.wan to public.wan.ppp0
 rule 60 permit esp from public.wan.ppp0 to public.wan
 rule 70 permit nat-t from public.wan to public.wan.ppp0
 rule 80 permit nat-t from public.wan.ppp0 to public.wan
 rule 90 permit https from public.wan.ppp0 to public.wan
 rule 100 permit dns from public.wan.ppp0 to public.wan
 protect
!
nat
 rule 10 masq any from private to public
 enable
!
radius-server host localhost key awplus-local-radius-server
!
aaa authentication isakmp default group radius
!
crypto pki trustpoint local
 subject-alt-name test01-native-vpn.dyndns.org
 subject-name /O=AlliedTelesis/CN=test01-native-vpn.dyndns.org
!
radius-server local
 server enable
 nas 127.0.0.1 key awplus-local-radius-server
 group userA
  attribute Framed-IP-Address 192.168.20.2
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 group userB
  attribute Framed-IP-Address 192.168.20.3
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 group userC
  attribute Framed-IP-Address 192.168.20.4
  attribute Framed-IP-Netmask 255.255.255.0
  attribute MS-Primary-DNS-Server 192.168.20.1
 user userA password passwdA group userA
 user userB password passwdB group userB
 user userC password passwdC group userC
!
ip dns forwarding
!
crypto isakmp profile native-vpn
 version 2
 local authentication certificate
 configuration-attribute radius
 remote authentication eap-radius
 lifetime 25200
 pki trustpoint local
 transform 1 integrity SHA256 encryption AES256 group 14
 transform 2 integrity SHA256 encryption AES256 group 2
!
crypto isakmp peer policy tunnel0
 profile native-vpn
!
interface tunnel0
 tunnel local name test01-native-vpn.dyndns.org
 tunnel protection ipsec
 tunnel mode ipsec multipoint
 ip address 192.168.20.1/24
 ip tcp adjust-mss pmtu
!
ip route 0.0.0.0/0 ppp0
!
end
(C) 2019 - 2024 Allied Telesis Holdings K.K.
PN: 613-002735 Rev.AD