モバイル接続の設定｜設定例｜ルータ・ネットワーク機器

	対象装置	設定例（txt）
モバイル接続（内蔵LTE）を使う	F71/F221/F221 EX
モバイル接続（内蔵5Gモジュール）を使う	F225
IPsecで冗長～イベントアクションで切り替え：メインはPPPoE、バックアップはモバイル	F71/F221/F221 EX
IPsec/LTEデュアルSIM～イベントアクションで切り替え	F71/F221/F221 EX

<pre>
access-list 100 permit udp any 192.0.2.1 0.0.0.0 eq 500
access-list 100 permit udp any 192.0.2.1 0.0.0.0 eq 4500
access-list 100 permit 50 any 192.0.2.1 0.0.0.0
access-list 111 deny udp any eq 135 any
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any eq 135 any
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any range 137 139 any
access-list 111 deny udp any any range 137 139
access-list 111 deny tcp any range 137 139 any
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any eq 445 any
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any eq 445 any
access-list 111 deny tcp any any eq 445
access-list 112 deny ip 192.168.0.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.0.0 0.0.0.255
access-list 113 spi tcp any any eq ftp
access-list 113 spi tcp any any eq ftp-data
access-list 113 spi tcp any any eq www
access-list 113 spi udp any any eq domain
access-list 113 spi tcp any any eq smtp
access-list 113 spi tcp any any eq pop3
access-list 113 spi tcp any any eq 587
access-list 113 spi tcp any any
access-list 113 spi udp any any
access-list 114 permit ip any any
access-list 115 deny ip any any
ip route 0.0.0.0 0.0.0.0 tunnel 2
ip route 192.168.1.0 255.255.255.0 tunnel 1
ip route 192.168.1.0 255.255.255.0 null 0 150
ip nat list 1 192.168.0.0 0.0.0.255
!
hardware-fault-detection action reboot
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname CENTER
!
crypto ipsec udp-encapsulation nat-t
!
crypto ipsec policy IPsec_POLICY
set pfs group14
set security-association lifetime seconds 1800
set security-association transform-keysize aes 256 256 256
set security-association transform esp-aes esp-sha256-hmac
set mtu 1454
set ip df-bit 0
set ip fragment post
exit
!
crypto ipsec selector SELECTOR1
src 1 ipv4 any
dst 1 ipv4 any
exit
!
crypto isakmp keepalive interval 35
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
crypto isakmp policy ISAKMP_POLICY
authentication pre-share
encryption aes
encryption-keysize aes 256 256 256
group 14
lifetime 3600
hash sha-256
initiate-mode aggressive
exit
!
crypto isakmp profile PROF1
match identity host id-kyoten
local-address 192.0.2.1
self-identity address 192.0.2.1
set isakmp-policy ISAKMP_POLICY
set ipsec-policy IPsec_POLICY
ike-version 1
local-key SECRET-VPN
exit
!
crypto map MAP1 ipsec-isakmp
match address SELECTOR1
set isakmp-profile PROF1
exit
!
interface GigaEthernet 1/1
vlan-id 1
bridge-group 1
channel-group 1
exit
!
interface GigaEthernet 2/1
vlan-id 2
bridge-group 2
pppoe enable
exit
!
interface Port-channel 1
ip address 192.168.0.1 255.255.255.0
exit
!
interface Tunnel 1
tunnel mode ipsec map MAP1
link-state sync-sa
exit
!
interface Tunnel 2
ip address 192.0.2.1 255.255.255.255
ip nat inside source list 1 interface
tunnel mode pppoe profile PPPOE_PROF
pppoe interface gigaethernet 2/1
ip access-group 100 in
ip access-group 111 out
ip access-group 112 in
ip access-group 113 out
ip access-group 114 out
ip access-group 115 in
ip access-group spi ftp-data enable
exit
!
pppoe profile PPPOE_PROF
account user@xxxx.ne.jp secret
exit
!
!
end
</pre>

<pre>
access-list 100 permit udp any eq 67 any eq 68
access-list 100 permit udp 192.0.2.1 0.0.0.0 eq 500 any eq 500
access-list 100 permit udp 192.0.2.1 0.0.0.0 eq 4500 any eq 4500
access-list 100 permit 50 192.0.2.1 0.0.0.0 any
access-list 111 deny udp any eq 135 any
access-list 111 deny udp any any eq 135
access-list 111 deny tcp any eq 135 any
access-list 111 deny tcp any any eq 135
access-list 111 deny udp any range 137 139 any
access-list 111 deny udp any any range 137 139
access-list 111 deny tcp any range 137 139 any
access-list 111 deny tcp any any range 137 139
access-list 111 deny udp any eq 445 any
access-list 111 deny udp any any eq 445
access-list 111 deny tcp any eq 445 any
access-list 111 deny tcp any any eq 445
access-list 112 deny ip 192.168.0.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.0.0 0.0.0.255
access-list 113 spi tcp any any eq ftp
access-list 113 spi tcp any any eq ftp-data
access-list 113 spi tcp any any eq www
access-list 113 spi udp any any eq domain
access-list 113 spi tcp any any eq smtp
access-list 113 spi tcp any any eq pop3
access-list 113 spi tcp any any eq 587
access-list 113 spi tcp any any
access-list 113 spi udp any any
access-list 114 permit ip any any
access-list 115 deny ip any any
!
ip route 0.0.0.0 0.0.0.0 dhcp port-channel 1
ip route 192.168.0.0 255.255.255.0 tunnel 1
ip route 192.168.0.0 255.255.255.0 null 0 150
ip nat list 1 192.168.1.0 0.0.0.255
!
logging buffer level informational
!
aaa authentication login default local
aaa authorization exec default local
!
username guest password guest-secret
!
hostname KYOTEN
!
monitor signal-quality logging lte-module interval 600
!
syslog filter LTE_LIMIT
message Call count reached limit
exit
!
event-action 1
event syslog filter LTE_LIMIT
action 1.1 cli exec command crypto isakmp discard
action 2.1 cli exec command clear crypto sa
action 3.1 cli exec command lte-module disconnect moff
action 4.1 cli exec command lte-module connect reverse moff
action 5.1 cli exec command no crypto isakmp discard
exit
!
hardware-fault-detection action reboot
!
logging filter 1 LTE_LIMIT event-action
!
crypto ipsec udp-encapsulation nat-t
!
crypto ipsec policy IPsec_POLICY
set pfs group14
set security-association always-up
set security-association rekey always
set security-association lifetime seconds 1800
set security-association transform-keysize aes 256 256 256
set security-association transform esp-aes esp-sha256-hmac
set mtu 1454
set ip df-bit 0
set ip fragment post
exit
!
crypto ipsec selector SELECTOR1
src 1 ipv4 any
dst 1 ipv4 any
exit
!
crypto isakmp keepalive always-send interval 30
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
!
crypto isakmp policy ISAKMP_POLICY
authentication pre-share
encryption aes
encryption-keysize aes 256 256 256
group 14
lifetime 3600
hash sha-256
initiate-mode aggressive
exit
!
crypto isakmp profile PROF1
match identity address 192.0.2.1
local-address source-interface port-channel 1
self-identity fqdn id-kyoten
set isakmp-policy ISAKMP_POLICY
set ipsec-policy IPsec_POLICY
set peer 192.0.2.1
ike-version 1
local-key SECRET-VPN
exit
!
crypto map MAP1 ipsec-isakmp
match address SELECTOR1
set isakmp-profile PROF1
exit
!
interface GigaEthernet 1/1
vlan-id 2
bridge-group 2
channel-group 2
exit
!
interface Port-channel 1
ip dhcp service client
ip nat inside source list 1 interface
exit
!
interface Port-channel 2
ip address 192.168.1.1 255.255.255.0
exit
!
!
interface Tunnel 1
tunnel mode ipsec map MAP1
link-state sync-sa
exit
!
interface LTE-Module 1
channel-group 1
sim-profile 1 SIM1 default
sim-profile 2 SIM2
ip access-group 100 in
ip access-group 111 out
ip access-group 112 in
ip access-group 113 out
ip access-group 114 out
ip access-group 115 in
ip access-group spi ftp-data enable
exit
!
sim-profile SIM1
account xxx123yyy@xxxxx.xx.jp XXX123
pdp ipv4
apn-name lte-ocn.ntt.com
max-call 5
exit
!
sim-profile SIM2
account xxx456yyy@xxxxx.xx.jp XXX456
pdp ipv4
apn-name lte-ocn.ntt.com
max-call 5
exit
!
!
end

</pre>

ページの先頭へ

機能モバイル接続の設定