
YAMAHA NVR700W: I Tried Connecting the Oracle Cloud Tokyo and Phoenix Regions over IPSec VPN via Hawaii

Posted at 2020-03-11

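I have come to Hawaii this time.
I would like to try living in Hawaii.
So I brought a YAMAHA NVR700W with me.
Hawaii sits roughly midway between Japan and the United States, so I will try building a Hawaii relay branch office that links Japan and the United States over IPSec VPN via Hawaii.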

■Configuration

Set up the VCN network, instances and related pieces such as Transit Routing in advance, following my earlier article. This post mainly covers the YAMAHA NVR700W settings.
・Reference: I tried connecting to Object Storage and Autonomous Database with Transit Routing + IPSec VPN / FastConnect

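■Getting a SIM card in Hawaii

The NVR700W can connect to the Internet with a SIM card.
SIM cards are not sold at the airport in Hawaii, so I went out to buy one.
This time I bought it at a shop next to Maguro Brothers, which is famous for poke.

It was $50 a month for Unlimited Data, so I went with that.
They even set it up on my iPhone for me; it was a friendly shop.

And while I was there, I bought some poke too.
・Maguro Brothers: https://www.yelp.com/biz/maguro-brothers-hawaii-honolulu-6

The SIM card I bought is from LycaMobile.

The APN settings are roughly as follows.
・Reference:
 - LycaMobile APN Settings
 - AT&T APN Settings

However, when I configured this SIM on the NVR700W it stayed in the "out of service" state, perhaps because it is an overseas SIM, and I could not get connectivity with an AT&T SIM either, so I gave up on the SIM connection this time.
For Internet access I decided to plug a LAN cable into the hotel's router instead.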

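■Voltage in Hawaii

The voltage in Hawaii is 110/120V and Japan's is 100V, so the NVR700W, whose adapter does not convert voltage, cannot be powered on.
A voltage converter is therefore needed. I had not brought one from Japan, however, so first I went to buy one.
There are no electronics stores in Hawaii, so I went around ABC Store, Don Quijote, Walmart and others, but none of them sold one, so I went to Best Buy, which is a bit far away.

Best Buy Honolulu
Don Quijote Hawaii
Walmart Honolulu

While I was at it, besides the voltage converter I also bought a LAN cable and a USB-C to Gigabit Ethernet Adapter for connecting to the Mac.

Nico’s Pier 38, which is famous for poke, is nearby, so I walked over to eat there.
・Nico’s Pier 38: https://nicospier38.com/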

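■Yamaha NVR700W setup

Everything is ready, so on to the configuration.

●Initialization

First, initialize the router.

I did bring a serial console cable, so I configure it from the command line.

① Run cold start
The cold start command resets the router to its initial state.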

# cold start
    Password:
    RTFS formatting... Done.
    Restarting ...


    NVR700W BootROM Ver. 1.00
    Copyright (c) 2016 Yamaha Corporation. All Rights Reserved.

    Press 'Enter' or 'Return' to select a firmware and a configuration.
    Default settings :  exec0 and config0

    Starting with default settings.
    Starting with exec0 and config0 ...

    NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    Copyright (c) 1994-2019 Yamaha Corporation. All Rights Reserved.
    To display the software copyright statement, use 'show copyright' command.
    00:a0:cd:a2:c1, 00:a0:cd:a2:c2
    Memory 256Mbytes, 2LAN, 1ONU, 1WWAN

●Checking the initial config

① Log in with no user name
In the initial state, log in with no user name and then create users.

# Password:

    NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    Copyright (c) 1994-2019 Yamaha Corporation. All Rights Reserved.
    To display the software copyright statement, use 'show copyright' command.
    00:a0:cd:a2:c1, 00:a0:cd:a2:c2
    Memory 256Mbytes, 2LAN, 1ONU, 1WWAN

    The login password is factory default setting. Please request an administrator to change the password by the 'login password' command.

② Switch to the administrator user

> administrator
    Password:
    The administrator password is factory default setting. Please change the password by the 'administrator password' command.
#

③ Check the initial config

# show config
    # NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    # MAC Address : 00:a0:cd:a2:c1, 00:a0:cd:a2:c2
    # Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
    # main:  NVR700W ver=00 serial=TESTSERIAL MAC-Address=00:a0:cd:a2:c1 MAC-Address=00:a0:cd:a2:c2
    # Reporting Date: Mar 11 14:09:42 2020
    ip lan1 address 192.168.100.1/24
    telnetd host lan
    dhcp service server
    dhcp server rfc2131 compliant except remain-silent
    dhcp scope 1 192.168.100.2-192.168.100.191/24
    dns private name setup.netvolante.jp
    analog supplementary-service pseudo call-waiting
    analog extension dial prefix sip prefix="9#"

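●Internet connection

I set up the Internet connection from the web console.

① Easy setup screen
Open the default IP 192.168.100.1 in a browser over HTTP, select [Provider Connection] from the [Easy Setup] tab, and click [New].

② Interface selection screen
Connection interface: select WAN and click [Next].

③ Automatic line detection screen
Click [Next].

④ Connection type selection screen
Click "Connection by DHCP or fixed IP address".

⑤ Provider information screen
Here the router connects to the hotel LAN, so to keep the address fixed rather than have DHCP change it, select the IP address option, enter the following, and click [Next].

WAN-side IP address: any address
Netmask: any netmask
Default gateway: any default gateway

⑥ DNS server settings screen
Configure as desired and click [Next].

⑦ IP filter settings
Here, select "Do not configure" so that IPSec traffic is not blocked, and click [Next].

⑧ Settings confirmation screen
Review the settings and click [Next].

⑨ Provider connection screen
Confirm under [Connection status] that the connection is established.

⑩ Check the config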

# show config
    # NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    # MAC Address : 00:a0:cd:a2:c1, 00:a0:cd:a2:c2
    # Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
    # main:  NVR700W ver=00 serial=TESTSERIAL MAC-Address=00:a0:cd:a2:c1 MAC-Address=00:a0:cd:a2:c2
    # Reporting Date: Mar 11 14:34:26 2020
    ip route default gateway 192.168.1.1
    ip keepalive 1 icmp-echo 10 5 192.168.1.1
    ip lan1 address 192.168.100.1/24
    description lan2 Hawaii-Hotel01
    ip lan2 address 192.168.1.254/24
    ip lan2 nat descriptor 200
    ip filter 500000 restrict * * * * *
    nat descriptor type 200 masquerade
    nat descriptor address outer 200 primary
    telnetd host lan
    dhcp service server
    dhcp server rfc2131 compliant except remain-silent
    dhcp scope 1 192.168.100.2-192.168.100.191/24
    dns host lan1
    dns server 192.168.1.1
    dns server select 500201 192.168.1.1 any .
    dns private address spoof on
    dns private name setup.netvolante.jp
    httpd host lan1
    analog supplementary-service pseudo call-waiting
    analog extension dial prefix sip prefix="9#"
    statistics traffic on

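●Checking the global IP

Access https://www.myglobalip.com/ to confirm that the Internet is reachable and to check the global IP needed when creating the CPE resource in OCI.

■IPSec connection to OCI Tokyo

●OCI IPSec connection settings
Create the IPSec connection following my earlier article, note the two VPN IP addresses that Oracle issued for the IPSec connection from the IPSec connection screen, and create the NVR700W config.

●IPSec connection settings

Load the following config.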

tunnel select 1
 description tunnel OCI-VPN1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes256-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 aes256-cbc
  ipsec ike group 1 modp1536
  ipsec ike hash 1 sha256
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 on dpd 5 4
  ipsec ike local address 1 192.168.1.254
  ipsec ike local id 1 0.0.0.0/0
  ipsec ike nat-traversal 1 on
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text IPSecSharedSecret01
  ipsec ike remote address 1 140.204.100.101
  ipsec ike remote id 1 0.0.0.0/0
 ip tunnel address 192.168.255.201/30
 ip tunnel tcp mss limit auto
 tunnel enable 1
tunnel select 2
 description tunnel OCI-VPN2
 ipsec tunnel 2
  ipsec sa policy 2 2 esp aes256-cbc sha-hmac
  ipsec ike duration ipsec-sa 2 3600
  ipsec ike duration isakmp-sa 2 28800
  ipsec ike encryption 2 aes256-cbc
  ipsec ike group 2 modp1536
  ipsec ike hash 2 sha256
  ipsec ike keepalive log 2 off
  ipsec ike keepalive use 2 on dpd 5 4
  ipsec ike local address 2 192.168.1.254
  ipsec ike local id 2 0.0.0.0/0
  ipsec ike nat-traversal 2 on
  ipsec ike pfs 2 on
  ipsec ike pre-shared-key 2 text IPSecSharedSecret02
  ipsec ike remote address 2 140.204.100.102
  ipsec ike remote id 2 0.0.0.0/0
 ip tunnel address 192.168.255.205/30
 ip tunnel tcp mss limit auto
 tunnel enable 2

●Checking that the IPSec SAs are established

# show ipsec sa
    Total: isakmp:2 send:2 recv:3

    sa    sgw isakmp connection    dir  life[s] remote-id
    ----------------------------------------------------------------------------
    1     1    -     isakmp        -    28769   140.204.100.101
    2     2    -     isakmp        -    28729   140.204.100.102
    3     1    1     tun[0001]esp  send 3571    140.204.100.101
    4     1    -     tun[0001]esp  recv 3530    140.204.100.101
    5     2    2     tun[0002]esp  send 3531    140.204.100.102
    6     2    2     tun[0002]esp  recv 3531    140.204.100.102
    7     1    1     tun[0001]esp  recv 3571    140.204.100.101

●BGP settings

Load the following config.

    tunnel select 1
     ip tunnel address 192.168.255.201/30
     ip tunnel remote address 192.168.255.202
    tunnel select 2
     ip tunnel address 192.168.255.205/30
     ip tunnel remote address 192.168.255.206
    bgp use on
     bgp autonomous-system 65000
     bgp log neighbor
     bgp neighbor 1 31898 192.168.255.202 hold-time=180 local-address=192.168.255.201
     bgp neighbor 2 31898 192.168.255.206 hold-time=180 local-address=192.168.255.205
     bgp import filter 1 equal 0.0.0.0/0
     bgp import 31898 static filter 1

●Checking the OCI IPSec connection status

Confirm that both IPSec and BGP are UP and shown in green.

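■IPSec connection to OCI Phoenix

Configure it the same way as the IPSec connection to OCI Tokyo above.

●OCI IPSec connection settings

As with the Tokyo Region, note the two VPN IP addresses that Oracle issued for the IPSec connection from the IPSec connection screen, and create the NVR700W config.

●IPSec connection settings

Load the following config.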

tunnel select 11
 description tunnel OCI-VPN11
 ipsec tunnel 11
  ipsec sa policy 11 11 esp aes256-cbc sha-hmac
  ipsec ike duration ipsec-sa 11 3600
  ipsec ike duration isakmp-sa 11 28800
  ipsec ike encryption 11 aes256-cbc
  ipsec ike group 11 modp1536
  ipsec ike hash 11 sha256
  ipsec ike keepalive log 11 off
  ipsec ike keepalive use 11 on dpd 5 4
  ipsec ike local address 11 192.168.1.254
  ipsec ike local id 11 0.0.0.0/0
  ipsec ike nat-traversal 11 on
  ipsec ike pfs 11 on
  ipsec ike pre-shared-key 11 text IPSecSharedSecret01
  ipsec ike remote address 11 129.146.200.201
  ipsec ike remote id 11 0.0.0.0/0
 ip tunnel address 192.168.255.213/30
 ip tunnel tcp mss limit auto
 tunnel enable 11
tunnel select 12
 description tunnel OCI-VPN12
 ipsec tunnel 12
  ipsec sa policy 12 12 esp aes256-cbc sha-hmac
  ipsec ike duration ipsec-sa 12 3600
  ipsec ike duration isakmp-sa 12 28800
  ipsec ike encryption 12 aes256-cbc
  ipsec ike group 12 modp1536
  ipsec ike hash 12 sha256
  ipsec ike keepalive log 12 off
  ipsec ike keepalive use 12 on dpd 5 4
  ipsec ike local address 12 192.168.1.254
  ipsec ike local id 12 0.0.0.0/0
  ipsec ike nat-traversal 12 on
  ipsec ike pfs 12 on
  ipsec ike pre-shared-key 12 text IPSecSharedSecret02
  ipsec ike remote address 12 129.146.200.202
  ipsec ike remote id 12 0.0.0.0/0
 ip tunnel address 192.168.255.217/30
 ip tunnel tcp mss limit auto
 tunnel enable 12

●Checking that the IPSec SAs are established

# ipsec auto refresh on
# show ipsec sa
    Total: isakmp:4 send:6 recv:7

    sa    sgw isakmp connection    dir  life[s] remote-id
    ----------------------------------------------------------------------------
    1     1    -     isakmp        -    25300   140.204.100.101
    2     2    -     isakmp        -    25260   140.204.100.102
    3     1    1     tun[0001]esp  send 101     140.204.100.101
    4     1    -     tun[0001]esp  recv 60      140.204.100.101
    5     2    2     tun[0002]esp  send 61      140.204.100.102
    6     2    2     tun[0002]esp  recv 61      140.204.100.102
    7     1    1     tun[0001]esp  recv 101     140.204.100.101
    8     2    2     tun[0002]esp  send 2769    140.204.100.102
    9     2    2     tun[0002]esp  recv 2769    140.204.100.102
    10    1    1     tun[0001]esp  send 2809    140.204.100.101
    11    1    1     tun[0001]esp  recv 2809    140.204.100.101
    12    12   16    tun[0012]esp  send 3482    129.146.200.202
    13    11   -     isakmp        -    28605   129.146.200.201
    14    11   13    tun[0011]esp  send 3410    129.146.200.201
    15    11   13    tun[0011]esp  recv 3410    129.146.200.201
    16    12   -     isakmp        -    28677   129.146.200.202
    17    12   16    tun[0012]esp  recv 3482    129.146.200.202
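
The table above can be checked mechanically rather than by eye. The following added example (not code from the original post) parses `show ipsec sa` output and reports any expected gateway that lacks an ISAKMP SA or an ESP SA in either direction; the function names, the expected gateway list and the 120-second threshold are assumptions of this example.

```python
import re

# `show ipsec sa` output copied from this page. Rows 3-7 are older ESP SAs close
# to expiry; rows 8-11 carry longer lifetimes for the same two tunnels.
SAMPLE_SA = """\
Total: isakmp:4 send:6 recv:7

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1    -     isakmp        -    25300   140.204.100.101
2     2    -     isakmp        -    25260   140.204.100.102
3     1    1     tun[0001]esp  send 101     140.204.100.101
4     1    -     tun[0001]esp  recv 60      140.204.100.101
5     2    2     tun[0002]esp  send 61      140.204.100.102
6     2    2     tun[0002]esp  recv 61      140.204.100.102
7     1    1     tun[0001]esp  recv 101     140.204.100.101
8     2    2     tun[0002]esp  send 2769    140.204.100.102
9     2    2     tun[0002]esp  recv 2769    140.204.100.102
10    1    1     tun[0001]esp  send 2809    140.204.100.101
11    1    1     tun[0001]esp  recv 2809    140.204.100.101
12    12   16    tun[0012]esp  send 3482    129.146.200.202
13    11   -     isakmp        -    28605   129.146.200.201
14    11   13    tun[0011]esp  send 3410    129.146.200.201
15    11   13    tun[0011]esp  recv 3410    129.146.200.201
16    12   -     isakmp        -    28677   129.146.200.202
17    12   16    tun[0012]esp  recv 3482    129.146.200.202
"""

# One data row: sa, sgw, isakmp, connection, dir, life[s], remote-id
ROW = re.compile(
    r"^\s*\d+\s+(?P<sgw>\d+)\s+\S+\s+"
    r"(?P<conn>isakmp|tun\[\d+\]esp)\s+(?P<dir>send|recv|-)\s+"
    r"(?P<life>\d+)\s+\S+\s*$"
)
KINDS = ("isakmp", "send", "recv")


def parse_sa_table(text):
    """Return {gateway: {"isakmp"|"send"|"recv": longest remaining life or None}}."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # totals line, header, separator
        kind = "isakmp" if m["conn"] == "isakmp" else m["dir"]
        if kind not in KINDS:
            continue  # ESP row without a direction: ignore
        entry = table.setdefault(int(m["sgw"]), dict.fromkeys(KINDS))
        life = int(m["life"])
        # During a rekey old and new SAs coexist; keep the newest (longest life).
        if entry[kind] is None or life > entry[kind]:
            entry[kind] = life
    return table


def check_tunnels(text, expected_gateways, min_life=120):
    """List problems: a missing SA kind, or no SA with at least min_life seconds left."""
    table = parse_sa_table(text)
    problems = []
    for gw in expected_gateways:
        entry = table.get(gw, dict.fromkeys(KINDS))
        for kind in KINDS:
            if entry[kind] is None:
                problems.append(f"gateway {gw}: no {kind} SA")
            elif entry[kind] < min_life:
                problems.append(
                    f"gateway {gw}: newest {kind} SA expires in {entry[kind]}s")
    return problems


if __name__ == "__main__":
    for gw, entry in sorted(parse_sa_table(SAMPLE_SA).items()):
        print(gw, entry)
    print(check_tunnels(SAMPLE_SA, [1, 2, 11, 12]) or "all tunnels healthy")
```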

●BGP settings

    tunnel select 11
     ip tunnel address 192.168.255.213/30
     ip tunnel remote address 192.168.255.214

    tunnel select 12
     ip tunnel address 192.168.255.217/30
     ip tunnel remote address 192.168.255.218

    bgp use on
     bgp autonomous-system 65000
     bgp log neighbor
     bgp neighbor 11 31898 192.168.255.214 hold-time=180 local-address=192.168.255.213
     bgp neighbor 12 31898 192.168.255.218 hold-time=180 local-address=192.168.255.217
     bgp import filter 1 equal 0.0.0.0/0
     bgp import 31898 static filter 1

●Checking BGP propagation

① Apply the BGP settings

# bgp configure refresh

② Check the neighbors

# show status bgp neighbor
    BGP neighbor is 192.168.255.202, remote AS 31898, local AS 65000, external link
    BGP version 4, remote router ID 192.168.255.202
    BGP state = Established, up for 00:07:01
    Last read 00:00:34, hold time is 180, keepalive interval is 60 seconds
    Received 9 messages, 0 notifications, 0 in queue
    Sent 12 messages, 0 notifications, 0 in queue
    Connection established 1; dropped 0
    Last reset never
    Local host: 192.168.255.201, Local port: 179
    Foreign host: 192.168.255.202, Foreign port: 52226

    BGP neighbor is 192.168.255.206, remote AS 31898, local AS 65000, external link
    BGP version 4, remote router ID 192.168.255.206
    BGP state = Established, up for 00:06:55
    Last read 00:00:20, hold time is 180, keepalive interval is 60 seconds
    Received 8 messages, 0 notifications, 0 in queue
    Sent 10 messages, 0 notifications, 0 in queue
    Connection established 1; dropped 0
    Last reset never
    Local host: 192.168.255.205, Local port: 1024
    Foreign host: 192.168.255.206, Foreign port: 179

    BGP neighbor is 192.168.255.214, remote AS 31898, local AS 65000, external link
    BGP version 4, remote router ID 192.168.255.214
    BGP state = Established, up for 00:06:52
    Last read 00:00:16, hold time is 180, keepalive interval is 60 seconds
    Received 9 messages, 0 notifications, 0 in queue
    Sent 11 messages, 0 notifications, 0 in queue
    Connection established 1; dropped 0
    Last reset never
    Local host: 192.168.255.213, Local port: 179
    Foreign host: 192.168.255.214, Foreign port: 56551

    BGP neighbor is 192.168.255.218, remote AS 31898, local AS 65000, external link
    BGP version 4, remote router ID 192.168.255.218
    BGP state = Established, up for 00:06:48
    Last read 00:00:10, hold time is 180, keepalive interval is 60 seconds
    Received 8 messages, 0 notifications, 0 in queue
    Sent 10 messages, 0 notifications, 0 in queue
    Connection established 1; dropped 0
    Last reset never
    Local host: 192.168.255.217, Local port: 1026
    Foreign host: 192.168.255.218, Foreign port: 179

●Checking the OCI IPSec connection status

Confirm that both IPSec and BGP are UP and shown in green.

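■Checking routes

If, as shown below, the subnets in the OCI Tokyo and Phoenix VCNs and the addresses of the Oracle Services Network (OSN), where Object Storage and Autonomous DB live, have been propagated, the connection is complete!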

# show ip route
    Destination         Gateway          Interface       Kind  Additional Info.
    default             192.168.1.1            LAN2    static
    10.0.0.0/24         192.168.255.202   TUNNEL[1]       BGP  path=31898
    10.20.0.0/24        192.168.255.214  TUNNEL[11]       BGP  path=31898
    129.146.12.128/25   192.168.255.214  TUNNEL[11]       BGP  path=31898
    129.146.13.128/25   192.168.255.214  TUNNEL[11]       BGP  path=31898
    129.146.14.128/25   192.168.255.214  TUNNEL[11]       BGP  path=31898
    130.35.0.0/22       192.168.255.214  TUNNEL[11]       BGP  path=31898
    130.35.128.0/22     192.168.255.214  TUNNEL[11]       BGP  path=31898
    134.70.8.0/21       192.168.255.214  TUNNEL[11]       BGP  path=31898
    134.70.16.0/22      192.168.255.214  TUNNEL[11]       BGP  path=31898
    134.70.80.0/23      192.168.255.202   TUNNEL[1]       BGP  path=31898
    134.70.82.0/23      192.168.255.202   TUNNEL[1]       BGP  path=31898
    138.1.32.0/21       192.168.255.214  TUNNEL[11]       BGP  path=31898
    140.91.4.0/22       192.168.255.214  TUNNEL[11]       BGP  path=31898
    140.91.8.0/23       192.168.255.214  TUNNEL[11]       BGP  path=31898
    140.91.32.0/23      192.168.255.202   TUNNEL[1]       BGP  path=31898
    140.204.8.128/25    192.168.255.202   TUNNEL[1]       BGP  path=31898
    147.154.96.0/20     192.168.255.214  TUNNEL[11]       BGP  path=31898
    192.29.36.0/22      192.168.255.202   TUNNEL[1]       BGP  path=31898
    192.29.40.0/22      192.168.255.202   TUNNEL[1]       BGP  path=31898
    192.29.44.0/25      192.168.255.202   TUNNEL[1]       BGP  path=31898
    192.29.96.0/21      192.168.255.214  TUNNEL[11]       BGP  path=31898
    192.168.1.0/24      192.168.1.254          LAN2  implicit
    192.168.100.0/24    192.168.100.1          LAN1  implicit
    192.168.255.200/30  -                 TUNNEL[1]  implicit
    192.168.255.204/30  -                 TUNNEL[2]  implicit
    192.168.255.212/30  -                TUNNEL[11]  implicit
    192.168.255.216/30  -                TUNNEL[12]  implicit

※ The OSN CIDRs that OCI propagates over BGP are the CIDRs under the "OSN" and "OBJECT_STORAGE" entries in the Public IP Address Ranges JSON.
・Reference: Public IP Addresses for VCNs and the Oracle Services Network
 https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Concepts/addressranges.htm#osn-ranges

■Connectivity tests

●Tokyo -> Phoenix

① ping check

[opc@tokyo-inst01 ~]$ ping 10.20.0.2 -c 3
    PING 10.20.0.2 (10.20.0.2) 56(84) bytes of data.
    64 bytes from 10.20.0.2: icmp_seq=1 ttl=61 time=238 ms
    64 bytes from 10.20.0.2: icmp_seq=2 ttl=61 time=249 ms
    64 bytes from 10.20.0.2: icmp_seq=3 ttl=61 time=242 ms

    --- 10.20.0.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/a

② traceroute check

[opc@tokyo-inst01 ~]$ traceroute 10.20.0.2
    traceroute to 10.20.0.2 (10.20.0.2), 30 hops max, 60 byte packets
    1  140.91.206.7 (140.91.206.7)  0.096 ms  0.062 ms 140.91.206.1 (140.91.206.1)  0.062 ms
    2  192.168.255.201 (192.168.255.201)  167.812 ms  173.649 ms  167.697 ms
    3  * * *
    4  10.20.0.2 (10.20.0.2)  240.176 ms !X  245.285 ms !X  239.150 ms !X

③ iperf3 check

[root@tokyo-inst01 opc]# iperf3 -c 10.20.0.2
    Connecting to host 10.20.0.2, port 5201
    [  4] local 10.0.0.2 port 50752 connected to 10.20.0.2 port 5201
    [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
    [  4]   0.00-1.00   sec   275 KBytes  2.25 Mbits/sec    0   76.8 KBytes
    [  4]   1.00-2.00   sec   583 KBytes  4.77 Mbits/sec    0    193 KBytes
    [  4]   2.00-3.00   sec   699 KBytes  5.73 Mbits/sec    0    223 KBytes
    [  4]   3.00-4.00   sec  1017 KBytes  8.33 Mbits/sec    0    258 KBytes
    [  4]   4.00-5.00   sec   826 KBytes  6.77 Mbits/sec    0    299 KBytes
    [  4]   5.00-6.00   sec   890 KBytes  7.29 Mbits/sec    0    344 KBytes
    [  4]   6.00-7.00   sec  1017 KBytes  8.33 Mbits/sec    2    241 KBytes
    [  4]   7.00-8.00   sec   445 KBytes  3.64 Mbits/sec    0    285 KBytes
    [  4]   8.00-9.00   sec  1017 KBytes  8.33 Mbits/sec    0    319 KBytes
    [  4]   9.00-10.00  sec   445 KBytes  3.64 Mbits/sec    0    332 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth       Retr
    [  4]   0.00-10.00  sec  7.04 MBytes  5.91 Mbits/sec    2             sender
    [  4]   0.00-10.00  sec  6.61 MBytes  5.54 Mbits/sec                  receiver

    iperf Done.

●Phoenix -> Tokyo

① ping check

[opc@phoeinx-inst01 ~]$ ping 10.0.0.2 -c 3
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=61 time=240 ms
    64 bytes from 10.0.0.2: icmp_seq=2 ttl=61 time=237 ms
    64 bytes from 10.0.0.2: icmp_seq=3 ttl=61 time=237 ms

    --- 10.0.0.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 237.468/238.691/240.616/1.488 ms

② traceroute check

[opc@phoeinx-inst01 ~]$ traceroute 10.0.0.2
    traceroute to 10.0.0.2 (10.0.0.2), 30 hops max, 60 byte packets
    1  140.91.194.7 (140.91.194.7)  0.078 ms 140.91.194.6 (140.91.194.6)  0.058 ms 140.91.194.5 (140.91.194.5)  0.057 ms
    2  192.168.255.213 (192.168.255.213)  75.008 ms  74.983 ms *
    3  * * *
    4  10.0.0.2 (10.0.0.2)  243.052 ms !X  247.195 ms !X  239.075 ms !X

③ iperf3 check

[root@phoeinx-inst01 opc]# iperf3 -c 10.0.0.2
    Connecting to host 10.0.0.2, port 5201
    [  4] local 10.20.0.2 port 35834 connected to 10.0.0.2 port 5201
    [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
    [  4]   0.00-1.00   sec   321 KBytes  2.63 Mbits/sec    0   95.9 KBytes
    [  4]   1.00-2.00   sec  1.30 MBytes  10.9 Mbits/sec    0    433 KBytes
    [  4]   2.00-3.00   sec  1.37 MBytes  11.5 Mbits/sec    5    332 KBytes
    [  4]   3.00-4.00   sec  1.12 MBytes  9.37 Mbits/sec    0    373 KBytes
    [  4]   4.00-5.00   sec  1.18 MBytes  9.89 Mbits/sec    7    191 KBytes
    [  4]   5.00-6.00   sec  1.12 MBytes  9.37 Mbits/sec    1    142 KBytes
    [  4]   6.00-7.00   sec   636 KBytes  5.21 Mbits/sec    1    106 KBytes
    [  4]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec    0    120 KBytes
    [  4]   8.00-9.00   sec   572 KBytes  4.69 Mbits/sec    0    126 KBytes
    [  4]   9.00-10.00  sec   572 KBytes  4.69 Mbits/sec    0    127 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth       Retr
    [  4]   0.00-10.00  sec  8.13 MBytes  6.82 Mbits/sec   14             sender
    [  4]   0.00-10.00  sec  7.04 MBytes  5.90 Mbits/sec                  receiver

    iperf Done.

●Hawaii-> Tokyo

① ping check

[root@onp-inst01:~]$ ping 10.0.0.2 -c 3
    PING 10.0.0.2 (10.0.0.2): 56 data bytes
    64 bytes from 10.0.0.2: icmp_seq=0 ttl=62 time=175.013 ms
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=62 time=168.506 ms
    64 bytes from 10.0.0.2: icmp_seq=2 ttl=62 time=168.111 ms

    --- 10.0.0.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 168.111/170.543/175.013/3.165 ms

② traceroute check

[root@onp-inst01:~]$ traceroute -I 10.0.0.2
    traceroute to 10.0.0.2 (10.0.0.2), 64 hops max, 72 byte packets
    1  * * *
    2  * * *
    3  10.0.0.2 (10.0.0.2)  168.008 ms  167.699 ms  168.381 ms

●Hawaii-> Phoenix

① ping check

[root@onp-inst01:~]$ ping 10.20.0.2 -c 3
    PING 10.20.0.2 (10.20.0.2): 56 data bytes
    64 bytes from 10.20.0.2: icmp_seq=0 ttl=62 time=68.881 ms
    64 bytes from 10.20.0.2: icmp_seq=1 ttl=62 time=71.827 ms
    64 bytes from 10.20.0.2: icmp_seq=2 ttl=62 time=72.269 ms

    --- 10.20.0.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 68.881/70.992/72.269/1.504 ms

② traceroute check

[root@onp-inst01:~]$ traceroute -I 10.20.0.2
    traceroute to 10.20.0.2 (10.20.0.2), 64 hops max, 72 byte packets
    1  * * *
    2  * * *
    3  10.20.0.2 (10.20.0.2)  70.350 ms  70.649 ms  70.574 ms

■Final config

# show config
    # NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    # MAC Address : 00:a0:cd:a2:c1, 00:a0:cd:a2:c2
    # Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
    # main:  NVR700W ver=00 serial=TESTSERIAL MAC-Address=00:a0:cd:a2:c1 MAC-Address=00:a0:cd:a2:c2
    # Reporting Date: Mar 11 15:48:06 2020
    console character en.ascii
    ip route default gateway 192.168.1.1
    ip keepalive 1 icmp-echo 10 5 192.168.1.1
    ip lan1 address 192.168.100.1/24
    description lan2 Hawaii-Hotel01
    ip lan2 address 192.168.1.254/24
    ip lan2 nat descriptor 200
    tunnel select 1
    description tunnel OCI-VPN1
    ipsec tunnel 1
    ipsec sa policy 1 1 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 1 3600
    ipsec ike duration isakmp-sa 1 28800
    ipsec ike encryption 1 aes256-cbc
    ipsec ike group 1 modp1536
    ipsec ike hash 1 sha256
    ipsec ike keepalive log 1 off
    ipsec ike keepalive use 1 on dpd 5 4
    ipsec ike local address 1 192.168.1.254
    ipsec ike local id 1 0.0.0.0/0
    ipsec ike nat-traversal 1 on
    ipsec ike pfs 1 on
    ipsec ike pre-shared-key 1 text IPSecSharedSecret01
    ipsec ike remote address 1 140.204.100.101
    ipsec ike remote id 1 0.0.0.0/0
    ip tunnel address 192.168.255.201/30
    ip tunnel remote address 192.168.255.202
    ip tunnel tcp mss limit auto
    tunnel enable 1
    tunnel select 2
    description tunnel OCI-VPN2
    ipsec tunnel 2
    ipsec sa policy 2 2 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 2 3600
    ipsec ike duration isakmp-sa 2 28800
    ipsec ike encryption 2 aes256-cbc
    ipsec ike group 2 modp1536
    ipsec ike hash 2 sha256
    ipsec ike keepalive log 2 off
    ipsec ike keepalive use 2 on dpd 5 4
    ipsec ike local address 2 192.168.1.254
    ipsec ike local id 2 0.0.0.0/0
    ipsec ike nat-traversal 2 on
    ipsec ike pfs 2 on
    ipsec ike pre-shared-key 2 text IPSecSharedSecret02
    ipsec ike remote address 2 140.204.100.102
    ipsec ike remote id 2 0.0.0.0/0
    ip tunnel address 192.168.255.205/30
    ip tunnel remote address 192.168.255.206
    ip tunnel tcp mss limit auto
    tunnel enable 2
    tunnel select 11
    description tunnel OCI-VPN11
    ipsec tunnel 11
    ipsec sa policy 11 11 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 11 3600
    ipsec ike duration isakmp-sa 11 28800
    ipsec ike encryption 11 aes256-cbc
    ipsec ike group 11 modp1536
    ipsec ike hash 11 sha256
    ipsec ike keepalive log 11 off
    ipsec ike keepalive use 11 on dpd 5 4
    ipsec ike local address 11 192.168.1.254
    ipsec ike local id 11 0.0.0.0/0
    ipsec ike nat-traversal 11 on
    ipsec ike pfs 11 on
    ipsec ike pre-shared-key 11 text IPSecSharedSecret01
    ipsec ike remote address 11 129.146.200.201
    ipsec ike remote id 11 0.0.0.0/0
    ip tunnel address 192.168.255.213/30
    ip tunnel remote address 192.168.255.214
    ip tunnel tcp mss limit auto
    tunnel enable 11
    tunnel select 12
    description tunnel OCI-VPN12
    ipsec tunnel 12
    ipsec sa policy 12 12 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 12 3600
    ipsec ike duration isakmp-sa 12 28800
    ipsec ike encryption 12 aes256-cbc
    ipsec ike group 12 modp1536
    ipsec ike hash 12 sha256
    ipsec ike keepalive log 12 off
    ipsec ike keepalive use 12 on dpd 5 4
    ipsec ike local address 12 192.168.1.254
    ipsec ike local id 12 0.0.0.0/0
    ipsec ike nat-traversal 12 on
    ipsec ike pfs 12 on
    ipsec ike pre-shared-key 12 text IPSecSharedSecret02
    ipsec ike remote address 12 129.146.200.202
    ipsec ike remote id 12 0.0.0.0/0
    ip tunnel address 192.168.255.217/30
    ip tunnel remote address 192.168.255.218
    ip tunnel tcp mss limit auto
    tunnel enable 12
    ip filter 500000 restrict * * * * *
    nat descriptor type 200 masquerade
    nat descriptor address outer 200 primary
    bgp use on
    bgp autonomous-system 65000
    bgp log neighbor
    bgp neighbor 1 31898 192.168.255.202 hold-time=180 local-address=192.168.255.201
    bgp neighbor 2 31898 192.168.255.206 hold-time=180 local-address=192.168.255.205
    bgp neighbor 11 31898 192.168.255.214 hold-time=180 local-address=192.168.255.213
    bgp neighbor 12 31898 192.168.255.218 hold-time=180 local-address=192.168.255.217
    bgp import filter 1 equal 0.0.0.0/0
    bgp import 31898 static filter 1
    ipsec auto refresh on
    telnetd host lan
    dhcp service server
    dhcp server rfc2131 compliant except remain-silent
    dhcp scope 1 192.168.100.2-192.168.100.191/24
    dns host lan1
    dns server 192.168.1.1
    dns server select 500201 192.168.1.1 any .
    dns private address spoof on
    dns private name setup.netvolante.jp
    httpd host lan1
    analog supplementary-service pseudo call-waiting
    analog extension dial prefix sip prefix="9#"
    statistics traffic on
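
A config like the one above can be reviewed mechanically before it is saved. The following added example (not code from the original post) scans a Yamaha `show config` dump for four settings visible on this page: a pre-shared key used by more than one gateway, IKE groups below 2048 bits, `telnetd host` left enabled, and `ip filter` entries that no `secure filter` line applies. The `audit` name, the 2048-bit threshold, and the recognised `ip <interface> secure filter` and `telnetd service off` forms (which do not appear in the post) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt: only the lines of the final config that the checks read.
SAMPLE_CONFIG = """\
ip lan2 address 192.168.1.254/24
ip lan2 nat descriptor 200
ipsec ike group 1 modp1536
ipsec ike pre-shared-key 1 text IPSecSharedSecret01
ipsec ike group 2 modp1536
ipsec ike pre-shared-key 2 text IPSecSharedSecret02
ipsec ike group 11 modp1536
ipsec ike pre-shared-key 11 text IPSecSharedSecret01
ipsec ike group 12 modp1536
ipsec ike pre-shared-key 12 text IPSecSharedSecret02
ip filter 500000 restrict * * * * *
nat descriptor type 200 masquerade
telnetd host lan
httpd host lan1
"""

MIN_DH_BITS = 2048  # assumption: reviewer policy, not a value from the page


def _gateways(ids):
    return "gateways " + ",".join(str(i) for i in sorted(ids))


def audit(config_text):
    """Return a list of (rule, detail) findings; PSK values are never echoed."""
    psk_users = defaultdict(list)          # PSK text -> gateway ids using it
    weak_dh = []                           # gateway ids with a small MODP group
    defined, applied = set(), set()        # ip filter numbers
    nat_ifaces, filtered_in = set(), set()
    telnet_hosts, telnet_off = None, False

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ipsec ike pre-shared-key (\d+) text (\S+)", line):
            psk_users[m[2]].append(int(m[1]))
        elif m := re.match(r"ipsec ike group (\d+) modp(\d+)", line):
            if int(m[2]) < MIN_DH_BITS:
                weak_dh.append(int(m[1]))
        elif m := re.fullmatch(r"ip filter (\d+) .+", line):
            defined.add(int(m[1]))
        elif m := re.fullmatch(r"ip (\S+) secure filter (in|out) (.+)", line):
            applied.update(int(n) for n in re.findall(r"\d+", m[3]))
            if m[2] == "in":
                filtered_in.add(m[1])
        elif m := re.fullmatch(r"ip (\S+) nat descriptor \d+", line):
            nat_ifaces.add(m[1])           # NAT side = the hotel-facing interface
        elif m := re.fullmatch(r"telnetd host (.+)", line):
            telnet_hosts = m[1]
        elif line == "telnetd service off":
            telnet_off = True

    findings = []
    for ids in psk_users.values():
        if len(ids) > 1:
            findings.append(("psk-reuse", _gateways(ids)))
    if weak_dh:
        findings.append((f"dh-below-{MIN_DH_BITS}", _gateways(weak_dh)))
    if telnet_hosts not in (None, "none") and not telnet_off:
        findings.append(("telnet-enabled", "telnetd host " + telnet_hosts))
    for number in sorted(defined - applied):
        findings.append(("filter-defined-not-applied", str(number)))
    for iface in sorted(nat_ifaces - filtered_in):
        findings.append(("no-inbound-filter-on-nat-interface", iface))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```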

■Saving the config

Save with the save command and you are done.

# save
    Saving ... CONFIG0 Done .