「コマンド＞ configure ＞ vpn」の版間の差分

2015年12月14日 (月) 16:16時点における版

このページの概要

当ページでは、Configure モード設定編集系コマンドで vpn を利用する方法をご紹介します。

解説

vpn は、設定要素の一つであり、以下の形式で実行します。
# 設定編集系コマンド設定要素パラメーター...

(例) # set vpn パラメーター1 パラメーター2 ...
どの設定要素に対して、どの設定編集系コマンドを利用できるかについては、コマンド＞ configure ＞設定要素・設定編集コマンド対応一覧をご覧下さい。

vpn のパラメーター

index

vpn ipsec
VPN IP security (IPsec) parameters
vpn l2tp
Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN)
vpn pptp
Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)
vpn rsa-keys
RSA keys

vpn ipsec

set vpn ipsec
VPN IP security (IPsec) parameters
- set vpn ipsec auto-firewall-nat-exclude { enable | disable }
  Option to enable/disable auto firewall and NAT exclude (IPv4)
- set vpn ipsec auto-update {30-65535}
  Set auto-update interval for IPsec daemon.
- set vpn ipsec disable-uniqreqids
  Option to disable requirement for unique IDs in the Security Database
- set vpn ipsec esp-group {IPSec ESP グループ名}
  Name of Encapsulating Security Payload (ESP) group
  - set vpn ipsec esp-group {IPSec ESP グループ名} compression { enable | disable }
    ESP compression
  - set vpn ipsec esp-group {IPSec ESP グループ名} lifetime {30-86400}
    ESP lifetime
  - set vpn ipsec esp-group {IPSec ESP グループ名} mode
    ESP mode
    - set vpn ipsec esp-group {IPSec ESP グループ名} mode tunnel
      Tunnel mode (default)
    - set vpn ipsec esp-group {IPSec ESP グループ名} mode transport
      Transport mode
  - set vpn ipsec esp-group {IPSec ESP グループ名} pfs {IPSec ESP DH グループ}
    ESP Perfect Forward Secrecy
  - set vpn ipsec esp-group {IPSec ESP グループ名} proposal {(1-65535) : IPSec ESP グループ proposal 番号}
    ESP-group proposal [REQUIRED]
    - set vpn ipsec esp-group {IPSec ESP グループ名} proposal {(1-65535) : IPSec ESP グループ proposal 番号} encryption {暗号化アルゴリズム}
      Encryption algorithm
    - set vpn ipsec esp-group {IPSec ESP グループ名} proposal {(1-65535) : IPSec ESP グループ proposal 番号} hash {hash アルゴリズム}
      Hash algorithm
- set vpn ipsec ike-group {IPSec IKE グループ名}
  Name of Internet Key Exchange (IKE) group
  - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection
    Dead Peer Detection (DPD)
    - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection action
      Keep-alive failure action
      - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection action hold
        Set action to hold (default)
      - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection action clear
        Set action to clear
      - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection action restart
        Set action to restart
    - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection interval {15-86400}
      Keep-alive interval in seconds (default : 30)
    - set vpn ipsec ike-group {IPSec IKE グループ名} dead-peer-detection timeout {30-86400}
      Keep-alive timeout in seconds (default 120)
  - set vpn ipsec ike-group {IPSec IKE グループ名} key-exchange
    Key Exchange Version
    - set vpn ipsec ike-group {IPSec IKE グループ名} key-exchange ikev1
      Use IKEv1 for Key Exchange [DEFAULT]
    - set vpn ipsec ike-group {IPSec IKE グループ名} key-exchange ikev2
      Use IKEv2 for Key Exchange
  - set vpn ipsec ike-group {IPSec IKE グループ名} lifetime {30-86400}
    IKE lifetime in seconds (default 28800)
  - set vpn ipsec ike-group {IPSec IKE グループ名} proposal {(1-65535) : IPSec IKE グループ proposal 番号}
    IKE-group proposal [REQUIRED]
    - set vpn ipsec ike-group {IPSec IKE グループ名} proposal {(1-65535) : IPSec IKE グループ proposal 番号} dh-group {IPSec ESP DH グループ}
      Diffie-Hellman (DH) key exchange group
    - set vpn ipsec ike-group {IPSec IKE グループ名} proposal {(1-65535) : IPSec IKE グループ proposal 番号} encryption {暗号化アルゴリズム}
      Encryption algorithm
    - set vpn ipsec ike-group {IPSec IKE グループ名} proposal {(1-65535) : IPSec IKE グループ proposal 番号} hash {hash アルゴリズム}
      Hash algorithm
- set vpn ipsec ipsec-interfaces interface {hash アルゴリズム}
  Interface to use for VPN [REQUIRED]
- set vpn ipsec logging log-modes {IPSec log mode}
  IPsec logging
- set vpn ipsec nat-networks allowed-network {x.x.x.x/x}
  Network Address Translation (NAT) networks to allow
  - set vpn ipsec nat-networks allowed-network {x.x.x.x/x} exclude {x.x.x.x/x}
    NAT networks to exclude from allowed-networks
- set vpn ipsec nat-traversal { enable | disable }
  Network Address Translation (NAT) traversal
- set vpn ipsec site-to-site peer {IPSec peer}
  Site to site VPN
  - set vpn ipsec site-to-site peer {IPSec peer} authentication
    Peer authentication [REQUIRED]
    - set vpn ipsec site-to-site peer {IPSec peer} authentication id {IPSec Peer 認証 ID}
      ID for peer authentication
    - set vpn ipsec site-to-site peer {IPSec peer} authentication mode
      Authentication mode
    - set vpn ipsec site-to-site peer {IPSec peer} authentication mode pre-shared-secret
      Use pre-shared secret key
    - set vpn ipsec site-to-site peer {IPSec peer} authentication mode rsa
      Use RSA key
    - set vpn ipsec site-to-site peer {IPSec peer} authentication mode x509
      Use X.509 certificate
    - set vpn ipsec site-to-site peer {IPSec peer} authentication pre-shared-secret {IPSec Peer 認証事前共有秘密鍵}
      Pre-shared secret key
    - set vpn ipsec site-to-site peer {IPSec peer} authentication remote-id {IPSec Peer 認証 ID}
      ID for remote authentication
    - set vpn ipsec site-to-site peer {IPSec peer} authentication rsa-key-name {IPSec Peer 認証 RSA キー名}
      RSA key name
    - set vpn ipsec site-to-site peer {IPSec peer} authentication x509
      X.509 certificate
      - set vpn ipsec site-to-site peer {IPSec peer} authentication x509 ca-cert-file {path}
        File containing the X.509 certificate for the Certificate Authority (CA)
      - set vpn ipsec site-to-site peer {IPSec peer} authentication x509 cert-file {path}
        File containing the X.509 certificate for this host
      - set vpn ipsec site-to-site peer {IPSec peer} authentication x509 crl-file {path}
        File containing the X.509 Certificate Revocation List (CRL)
      - set vpn ipsec site-to-site peer {IPSec peer} authentication x509 key
        Key file and password to open it
        
        set vpn ipsec site-to-site peer {IPSec peer} authentication x509 key file {path}
        File containing the private key for the X.509 certificate for this host
        
        set vpn ipsec site-to-site peer {IPSec peer} authentication x509 key password {パスワード}
        Password that protects the private key
  - set vpn ipsec site-to-site peer {IPSec peer} connection-type
    Connection type
    - set vpn ipsec site-to-site peer {IPSec peer} connection-type initiate
      This endpoint can initiate or respond to a connection
    - set vpn ipsec site-to-site peer {IPSec peer} connection-type respond
      This endpoint will only respond to a connection
  - set vpn ipsec site-to-site peer {IPSec peer} default-esp-group {IPSec ESP グループ名}
    Defult ESP group name
  - set vpn ipsec site-to-site peer {IPSec peer} description {任意テキスト}
    VPN peer description
  - set vpn ipsec site-to-site peer {IPSec peer} dhcp-interface {interface}
    DHCP interface to listen on
  - set vpn ipsec site-to-site peer {IPSec peer} ike-group {IPSec IKE グループ名}
    Internet Key Exchange (IKE) group name [REQUIRED]
  - set vpn ipsec site-to-site peer {IPSec peer} local-address { IPv4/v6 アドレス | any }
    IPv4 or IPv6 address of a local interface to use for VPN
  - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号}
    Peer tunnel [REQUIRED]
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} allow-nat-networks { enable | disable }
      Option to allow NAT networks
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} allow-public-networks { enable | disable }
      Option to allow public networks
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} disable
      Option to disable vpn tunnel
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} esp-group {IPSec ESP グループ名}
      ESP group name
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} local
      Local parameters for interesting traffic
      - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} local port {IPv4 ポート条件式}
        Any TCP or UDP port
      - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} local prefix {x.x.x.x/x}
        Local IPv4 or IPv6 prefix
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} protocol {IPv4 プロトコル条件式}
      Protocol to encrypt
    - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} remote
      Remote parameters for interesting traffic
      - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} remote port {IPv4 ポート条件式}
        Any TCP or UDP port
      - set vpn ipsec site-to-site peer {IPSec peer} tunnel {(0-4294967295) : IPSec Peer Tunnel 番号} remote prefix {x.x.x.x/x}
        Local IPv4 or IPv6 prefix
  - set vpn ipsec site-to-site peer {IPSec peer} vti
    Virtual tunnel interface [REQUIRED]
    - set vpn ipsec site-to-site peer {IPSec peer} vti bind {interface/vti}
      VTI tunnel interface associated with this configuration [REQUIRED]
    - set vpn ipsec site-to-site peer {IPSec peer} vti esp-group {IPSec ESP グループ名}
      ESP group name [REQUIRED]

vpn l2tp

set vpn l2tp remote-access
Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN)
- set vpn l2tp remote-access authentication
  Authentication for remote access L2TP VPN
  - set vpn l2tp remote-access authentication local-users username {ユーザー名}
    Local user authentication for remote access L2TP VPN
    - set vpn l2tp remote-access authentication local-users username {ユーザー名} disable
      Option to disable L2TP remote-access user
    - set vpn l2tp remote-access authentication local-users username {ユーザー名} password {パスワード}
      Password for authentication
    - set vpn l2tp remote-access authentication local-users username {ユーザー名} static-ip {x.x.x.x}
      Static IP address
  - set vpn l2tp remote-access authentication mode
    Authentication mode for remote access L2TP VPN
    - set vpn l2tp remote-access authentication mode local
      Use username/password in the configuration
    - set vpn l2tp remote-access authentication mode radius
      Use Radius server
  - set vpn l2tp remote-access authentication radius-server {x.x.x.x}
    IP address of radius server
    - set vpn l2tp remote-access authentication radius-server {x.x.x.x} key {Radius Server アクセスキー}
      Key for accessing the specified server
- set vpn l2tp remote-access client-ip-pool
  Pool of IP address to be assigned to remote clients
  - set vpn l2tp remote-access client-ip-pool start {x.x.x.x}
    First IP address in the pool
  - set vpn l2tp remote-access client-ip-pool stop {x.x.x.x}
    Last IP address in the pool
- set vpn l2tp remote-access description {任意テキスト}
  Description for L2TP remote-access settings
- set vpn l2tp remote-access dhcp-interface {interface}
  DHCP interface to listen on
- set vpn l2tp remote-access dns-servers
  Domain Name Service (DNS) server
  - set vpn l2tp remote-access dns-servers server-1 {x.x.x.x}
    Primary DNS server
  - set vpn l2tp remote-access dns-servers server-2 {x.x.x.x}
    Secondary DNS server
- set vpn l2tp remote-access ipsec-settings
  Internet Protocol Security (IPsec) for remote access L2TP VPN
  - set vpn l2tp remote-access ipsec-settings authentication
    IPsec authentication settings
    - set vpn l2tp remote-access ipsec-settings authentication mode
      Authentication mode for IPsec
      - set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
        Use pre-shared secret for IPsec authentication
      - set vpn l2tp remote-access ipsec-settings authentication mode x509
        Use X.509 certificate for IPsec authentication
    - set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret {IPSec Peer 認証事前共有秘密鍵}
      Pre-shared secret for IPsec
    - set vpn l2tp remote-access ipsec-settings authentication x509
      X.509 certificate
      - set vpn l2tp remote-access ipsec-settings authentication x509 ca-cert-file {path}
        File containing the X.509 certificate for the Certificate Authority (CA)
      - set vpn l2tp remote-access ipsec-settings authentication x509 cert-file {path}
        File containing the X.509 certificate for this host
      - set vpn l2tp remote-access ipsec-settings authentication x509 crl-file {path}
        File containing the X.509 Certificate Revocation List (CRL)
      - set vpn l2tp remote-access ipsec-settings authentication x509 server-cert-file {path}
        File containing the X.509 certificate for the remote access VPN server (this host)
      - set vpn l2tp remote-access ipsec-settings authentication x509 server-key-file {path}
        File containing the private key for the X.509 certificate for the remote access VPN server (this host)
      - set vpn l2tp remote-access ipsec-settings authentication x509 server-key-password {パスワード}
        Password that protects the private key
  - set vpn l2tp remote-access ipsec-settings ike-lifetime {30-86400}
    IKE lifetime in seconds (default : 3600)
- set vpn l2tp remote-access local-ip {x.x.x.x}
  Optional IP address to use on the local side of the tunnel
- set vpn l2tp remote-access mtu {128-16384}
  Maximum Transmission Unit (MTU)
- set vpn l2tp remote-access outside-address {x.x.x.x}
  Outside IP address to which VPN clients will connect
- set vpn l2tp remote-access outside-nexthop {x.x.x.x}
  Nexthop IP address for reaching the VPN clients
- set vpn l2tp remote-access wins-servers
  Windows Inernet Name Service (WINS) server settings
  - set vpn l2tp remote-access wins-servers server-1 {x.x.x.x}
    Primary WINS server
  - set vpn l2tp remote-access wins-servers server-2 {x.x.x.x}
    Secondary WINS server

vpn pptp

set vpn pptp remote-access
Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)
- set vpn pptp remote-access authentication
  Authentication for remote access PPTP VPN
  - set vpn pptp remote-access authentication local-users username {ユーザー名}
    Local user authentication for remote access PPTP VPN
    - set vpn pptp remote-access authentication local-users username {ユーザー名} disable
      Option to disable a PPTP remote-access user
    - set vpn pptp remote-access authentication local-users username {ユーザー名} password {パスワード}
      Password for authentication
    - set vpn pptp remote-access authentication local-users username {ユーザー名} static-ip {x.x.x.x}
      Static IP address
  - set vpn pptp remote-access authentication mode
    Authentication mode for remote access PPTP VPN
    - set vpn pptp remote-access authentication mode local
      Use username/password in the configuration
    - set vpn pptp remote-access authentication mode radius
      Use Radius server
  - set vpn pptp remote-access authentication radius-server {x.x.x.x}
    IP address of radius server
    - set vpn pptp remote-access authentication radius-server {x.x.x.x} key {Radius Server アクセスキー}
      Key for accessing the specified server
- set vpn pptp remote-access client-ip-pool
  Pool of client IP address (must be within a /24)
  - set vpn pptp remote-access client-ip-pool start {x.x.x.x}
    First IP address in the pool
  - set vpn pptp remote-access client-ip-pool stop {x.x.x.x}
    Last IP address in the pool
- set vpn pptp remote-access dhcp-interface {interface}
  DHCP interface to listen on
- set vpn pptp remote-access dns-servers
  Domain Name Service (DNS) server
  - set vpn pptp remote-access dns-servers server-1 {x.x.x.x}
    Primary DNS server
  - set vpn pptp remote-access dns-servers server-2 {x.x.x.x}
    Secondary DNS server
- set vpn pptp remote-access local-ip {x.x.x.x}
  Optional IP address to use one the local side of the tunnel
- set vpn pptp remote-access mtu {128-16384}
  Maximum Transmission Unit (MTU) (default : 1492)
- set vpn pptp remote-access outside-address {x.x.x.x}
  Outside IP address to which VPN clients will connect
- set vpn pptp remote-access wins-servers
  Windows Internet Name Service (WINS) server settings
  - set vpn pptp remote-access wins-servers server-1 {x.x.x.x}
    Primary WINS server
  - set vpn pptp remote-access wins-servers server-2 {x.x.x.x}
    Secondary WINS server

vpn rsa-keys

set vpn rsa-keys
RSA keys
- set vpn rsa-keys local-key file {path}
  Local RSA key
- set vpn rsa-keys rsa-key-name {VPN RSA キー名}
  Name of remote RSA key
  - set vpn rsa-keys rsa-key-name rsa-key
    Remote RSA key

凡例

「★」は、不明であることを表しています。

注意事項

動作の確認は、EdgeRouter X : ER-X にて行っています。他のモデルでは、一部動作が異なる可能性があります。

「コマンド＞ configure ＞ vpn」の版間の差分

2015年12月14日 (月) 16:16時点における版

目次

このページの概要

解説

vpn のパラメーター

index

vpn ipsec

vpn l2tp

vpn pptp

vpn rsa-keys

関連項目

凡例

注意事項

ご意見を共有しましょう

案内メニュー

「コマンド ＞ configure ＞ vpn」の版間の差分

2015年12月14日 (月) 16:16時点における版

このページの概要

解説

vpn のパラメーター

index

vpn ipsec

vpn l2tp

vpn pptp

vpn rsa-keys

関連項目

凡例

注意事項

ご意見を共有しましょう

案内メニュー

検索

「コマンド＞ configure ＞ vpn」の版間の差分