VPN rule for access to specific IPs

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

kay_ausderkiste
Posts: 14
Registered: 14 Nov 2019, 11:38

VPN rule for access to specific IPs

Post by kay_ausderkiste »

Hi,

I have a 1900EF with 10.40.0142 installed (IP 192.168.16.10).

This is my test router. Nothing is configured on it except DSL and one VPN connection.

Dial-in is done via the Shrew Soft VPN Client.
The client is assigned 192.168.16.9 as its IP.

For testing purposes, the VPN connection should only be able to access the IP 192.168.16.10.

None of the rules / tests on my part lead to the desired result.
Later, 1-2 specific IP addresses should be reachable via this VPN. The rest of the network should not be reachable through the VPN connection.


Here is the config:

Code:

# Script (10.40.0142 / 12.02.2020) 

lang English
flash No

set /Setup/Name "TestRouter"
cd /Setup/WAN/Layer 
del *
#    WAN-layer  Encaps.   Lay-3     Lay-2     L2-Opt.   Lay-1     
#    ===========--------------------------------------------------
add  "DEFAULT" {Encaps.}  TRANS    {Lay-3}  PPP      {Lay-2}  PPPoE    {L2-Opt.}  none     {Lay-1}  ETH
add  "T-DSL"   {Encaps.}  TRANS    {Lay-3}  PPP      {Lay-2}  PPPoE    {L2-Opt.}  none     {Lay-1}  ETH
add  "PPPOE"   {Encaps.}  TRANS    {Lay-3}  PPP      {Lay-2}  PPPoE    {L2-Opt.}  none     {Lay-1}  ETH
add  "IPOE"    {Encaps.}  ETHER    {Lay-3}  TRANS    {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  ETH
add  "DHCPOE"  {Encaps.}  ETHER    {Lay-3}  DHCP     {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  ETH
add  "V.24_DEF" {Encaps.}  TRANS    {Lay-3}  APPP     {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  SERIAL
add  "UMTS"    {Encaps.}  TRANS    {Lay-3}  APPP     {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  SERIAL
add  "WWAN"    {Encaps.}  TRANS    {Lay-3}  APPP     {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  SERIAL
add  "INTERNET" {Encaps.}  ETHER    {Lay-3}  TRANS    {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  ETH
add  "INET_2"  {Encaps.}  ETHER    {Lay-3}  TRANS    {Lay-2}  TRANS    {L2-Opt.}  none     {Lay-1}  ETH
cd /
cd /Setup/WAN/DSL-Broadband-Peers 
del *
#    Peer              SH-Time  AC-name                                                           Servicename                       WAN-layer  MAC-Type   user-def.-MAC  DSL-ifc(s)                                                       VLAN-ID  Prio-Mapping  IPv6            
#    ==================----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "INTERNET"       {SH-Time}  0       {AC-name}  ""                                                               {Servicename}  ""                               {WAN-layer}  "INTERNET" {MAC-Type}  global    {user-def.-MAC}  000000000000  {DSL-ifc(s)}  ""                                                              {VLAN-ID}  0       {Prio-Mapping}  off          {IPv6}  ""
add  "INET_2"         {SH-Time}  9999    {AC-name}  ""                                                               {Servicename}  ""                               {WAN-layer}  "INET_2"  {MAC-Type}  local     {user-def.-MAC}  000000000000  {DSL-ifc(s)}  ""                                                              {VLAN-ID}  0       {Prio-Mapping}  off          {IPv6}  ""
cd /
cd /Setup/WAN/IP-List 
del *
#    Peer              IP-Address       IP-Netmask       Masq.-IP-Addr.   Gateway          DNS-Default      DNS-Backup       NBNS-Default     NBNS-Backup    
#    ==================--------------------------------------------------------------------------------------------------------------------------------------
add  "INTERNET"       {IP-Address}  xxx.xxx.xxx.xxx   {IP-Netmask}  255.255.255.248 {Masq.-IP-Addr.}  0.0.0.0         {Gateway}  yyy.yyy.yyy.yyy   {DNS-Default}  8.8.8.8         {DNS-Backup}  8.8.4.4         {NBNS-Default}  0.0.0.0         {NBNS-Backup}  0.0.0.0
add  "INET_2"         {IP-Address}  xxx.xxx.xxx.xxx   {IP-Netmask}  255.255.255.248 {Masq.-IP-Addr.}  0.0.0.0         {Gateway}  yyy.yyy.yyy.yyy   {DNS-Default}  8.8.8.8         {DNS-Backup}  8.8.8.8         {NBNS-Default}  0.0.0.0         {NBNS-Backup}  0.0.0.0
cd /
cd /Setup/WAN/MTU-List 
del *
#    Peer                MTU            
#    ====================---------------
add  "INET_2"           {MTU}  1024
cd /
set /Setup/WAN/SSL-for-Action-Table/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/WAN/SSL-for-Action-Table/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
# VPN
set /Setup/VPN/Operating yes
cd /Setup/VPN/VPN-Peers 
del *
#    Peer              SH-Time       Extranet-Address  Remote-Gw                                                        Rtg-tag  Layer             dynamic     IKE-Exchange     Rule-creation  DPD-Inact-Timeout  IKE-CFG  XAUTH   SSL-Encaps.   OCSP-Check   IPv4-Rules                                                       IPv6-Rules                                                       IPv6            
#    ==================-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "VAGUAR2"      {SH-Time}  0            {Extranet-Address}  0.0.0.0          {Remote-Gw}  "0.0.0.0"                                                       {Rtg-tag}  0       {Layer}  "P-VAGUAR2"    {dynamic}  No         {IKE-Exchange}  Aggressive-Mode {Rule-creation}  manually      {DPD-Inact-Timeout}  90                {IKE-CFG}  Server  {XAUTH}  Off    {SSL-Encaps.}  No           {OCSP-Check}  No          {IPv4-Rules}  ""                                                              {IPv6-Rules}  ""                                                              {IPv6}  "DEFAULT"
cd /
cd /Setup/VPN/Layer 
del *
#    Name              PFS-Grp   IKE-Grp   IKE-Prop-List      IPSEC-Prop-List    IKE-Key         
#    ==================--------------------------------------------------------------------------
add  "P-VAGUAR2"    {PFS-Grp}  0        {IKE-Grp}  2        {IKE-Prop-List}  "IKE_PRESH_KEY"   {IPSEC-Prop-List}  "IPS-VAGUAR2"   {IKE-Key}  "KEY-VAGUAR2"
cd /
cd /Setup/VPN/Proposals/IKE 
del *
#    Name               IKE-Crypt-Alg     IKE-Crypt-Keylen  IKE-Auth-Alg      IKE-Auth-Mode     Lifetime-Sec      Lifetime-KB     
#    ===================----------------------------------------------------------------------------------------------------------
add  "PSK-AES256-SHA"  {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  256              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-AES256-MD5"  {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  256              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-AES-SHA"     {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-AES-MD5"     {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-BLOW-SHA"    {IKE-Crypt-Alg}  BLOWFISH-CBC     {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-BLOW-MD5"    {IKE-Crypt-Alg}  BLOWFISH-CBC     {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-CAST-SHA"    {IKE-Crypt-Alg}  CAST128-CBC      {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-CAST-MD5"    {IKE-Crypt-Alg}  CAST128-CBC      {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-3DES-SHA"    {IKE-Crypt-Alg}  3DES-CBC         {IKE-Crypt-Keylen}  168              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-3DES-MD5"    {IKE-Crypt-Alg}  3DES-CBC         {IKE-Crypt-Keylen}  168              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-DES-SHA"     {IKE-Crypt-Alg}  DES-CBC          {IKE-Crypt-Keylen}  56               {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "PSK-DES-MD5"     {IKE-Crypt-Alg}  DES-CBC          {IKE-Crypt-Keylen}  56               {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  Preshared-Key    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-AES256-SHA"  {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  256              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-AES256-MD5"  {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  256              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-AES-SHA"     {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-AES-MD5"     {IKE-Crypt-Alg}  AES-CBC          {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-BLOW-SHA"    {IKE-Crypt-Alg}  BLOWFISH-CBC     {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-BLOW-MD5"    {IKE-Crypt-Alg}  BLOWFISH-CBC     {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-CAST-SHA"    {IKE-Crypt-Alg}  CAST128-CBC      {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-CAST-MD5"    {IKE-Crypt-Alg}  CAST128-CBC      {IKE-Crypt-Keylen}  128              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-3DES-SHA"    {IKE-Crypt-Alg}  3DES-CBC         {IKE-Crypt-Keylen}  168              {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-3DES-MD5"    {IKE-Crypt-Alg}  3DES-CBC         {IKE-Crypt-Keylen}  168              {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-DES-SHA"     {IKE-Crypt-Alg}  DES-CBC          {IKE-Crypt-Keylen}  56               {IKE-Auth-Alg}  SHA1             {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
add  "RSA-DES-MD5"     {IKE-Crypt-Alg}  DES-CBC          {IKE-Crypt-Keylen}  56               {IKE-Auth-Alg}  MD5              {IKE-Auth-Mode}  RSA-Signature    {Lifetime-Sec}  108000           {Lifetime-KB}  0
cd /
cd /Setup/VPN/Proposals/IPSEC 
del *
#    Name               ESP-Crypt-Alg     ESP-Crypt-Keylen  ESP-Auth-Alg      Lifetime-Sec      Lifetime-KB     
#    ===================----------------------------------------------------------------------------------------
add  "TN-AES256-SHA"   {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  256              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-AES256-MD5"   {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  256              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-AES-SHA-96"   {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-AES-MD5-96"   {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-BLOW-SHA-96"  {ESP-Crypt-Alg}  BLOWFISH-CBC     {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-BLOW-MD5-96"  {ESP-Crypt-Alg}  BLOWFISH-CBC     {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-CAST-SHA-96"  {ESP-Crypt-Alg}  CAST128-CBC      {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-CAST-MD5-96"  {ESP-Crypt-Alg}  CAST128-CBC      {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-3DES-SHA-96"  {ESP-Crypt-Alg}  3DES-CBC         {ESP-Crypt-Keylen}  168              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-3DES-MD5-96"  {ESP-Crypt-Alg}  3DES-CBC         {ESP-Crypt-Keylen}  168              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-DES-SHA-96"   {ESP-Crypt-Alg}  DES-CBC          {ESP-Crypt-Keylen}  56               {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "TN-DES-MD5-96"   {ESP-Crypt-Alg}  DES-CBC          {ESP-Crypt-Keylen}  56               {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-AES256-SHA" {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  256              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-AES-MD5-96" {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  256              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-AES128-SHA" {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-AES128-MD5" {ESP-Crypt-Alg}  AES-CBC          {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-BLW-SHA-96" {ESP-Crypt-Alg}  BLOWFISH-CBC     {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-BLW-MD5-96" {ESP-Crypt-Alg}  BLOWFISH-CBC     {ESP-Crypt-Keylen}  128              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-3DS-SHA-96" {ESP-Crypt-Alg}  3DES-CBC         {ESP-Crypt-Keylen}  168              {ESP-Auth-Alg}  HMAC-SHA1        {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
add  "WIZ-TN-3DS-MD5-96" {ESP-Crypt-Alg}  3DES-CBC         {ESP-Crypt-Keylen}  168              {ESP-Auth-Alg}  HMAC-MD5         {Lifetime-Sec}  28800            {Lifetime-KB}  2000000
cd /
cd /Setup/VPN/Proposals/IKE-Proposal-Lists 
del *
#    IKE-Proposal-Lists   IKE-Proposal-1     IKE-Proposal-2     IKE-Proposal-3     IKE-Proposal-4     IKE-Proposal-5     IKE-Proposal-6     IKE-Proposal-7     IKE-Proposal-8   
#    =====================------------------------------------------------------------------------------------------------------------------------------------------------------
add  "IKE_PRESH_KEY"     {IKE-Proposal-1}  "PSK-AES256-SHA"  {IKE-Proposal-2}  "PSK-AES256-MD5"  {IKE-Proposal-3}  "PSK-AES-SHA"     {IKE-Proposal-4}  "PSK-AES-MD5"     {IKE-Proposal-5}  "PSK-BLOW-SHA"    {IKE-Proposal-6}  "PSK-BLOW-MD5"    {IKE-Proposal-7}  "PSK-3DES-SHA"    {IKE-Proposal-8}  "PSK-3DES-MD5"
add  "IKE_RSA_SIG"       {IKE-Proposal-1}  "RSA-AES256-SHA"  {IKE-Proposal-2}  "RSA-AES256-MD5"  {IKE-Proposal-3}  "RSA-AES-SHA"     {IKE-Proposal-4}  "RSA-AES-MD5"     {IKE-Proposal-5}  "RSA-BLOW-SHA"    {IKE-Proposal-6}  "RSA-BLOW-MD5"    {IKE-Proposal-7}  "RSA-3DES-SHA"    {IKE-Proposal-8}  "RSA-3DES-MD5"
cd /
cd /Setup/VPN/Proposals/IPSEC-Proposal-Lists 
del *
#    IPSEC-Proposal-Lists   IPSEC-Proposal-1   IPSEC-Proposal-2   IPSEC-Proposal-3   IPSEC-Proposal-4   IPSEC-Proposal-5   IPSEC-Proposal-6   IPSEC-Proposal-7   IPSEC-Proposal-8 
#    =======================------------------------------------------------------------------------------------------------------------------------------------------------------
add  "ESP_TN"              {IPSEC-Proposal-1}  "TN-AES256-SHA"   {IPSEC-Proposal-2}  "TN-AES256-MD5"   {IPSEC-Proposal-3}  "TN-AES-SHA-96"   {IPSEC-Proposal-4}  "TN-AES-MD5-96"   {IPSEC-Proposal-5}  "TN-BLOW-SHA-96"  {IPSEC-Proposal-6}  "TN-BLOW-MD5-96"  {IPSEC-Proposal-7}  "TN-3DES-SHA-96"  {IPSEC-Proposal-8}  "TN-3DES-MD5-96"
add  "IPS-VAGUAR2"       {IPSEC-Proposal-1}  "WIZ-TN-AES256-SHA" {IPSEC-Proposal-2}  "WIZ-TN-AES-MD5-96" {IPSEC-Proposal-3}  "WIZ-TN-AES128-SHA" {IPSEC-Proposal-4}  "WIZ-TN-AES128-MD5" {IPSEC-Proposal-5}  "WIZ-TN-BLW-SHA-96" {IPSEC-Proposal-6}  "WIZ-TN-BLW-MD5-96" {IPSEC-Proposal-7}  "WIZ-TN-3DS-SHA-96" {IPSEC-Proposal-8}  "WIZ-TN-3DS-MD5-96"
cd /
cd /Setup/VPN/Certificates-and-Keys/IKE-Keys 
del *
#    Name              Local-ID-Type       Local-Identity                                                                                                                                                                                                                                                  Remote-ID-Type      Remote-Identity                                                                                                                                                                                                                                                 Shared-Sec                                                        Shared-Sec-File     
#    ==================--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "KEY-VAGUAR2"  {Local-ID-Type}  No-Identity        {Local-Identity}  ""                                                                                                                                                                                                                                                             {Remote-ID-Type}  Domain-Name        {Remote-Identity}  "VAGUAR2"                                                                                                                                                                                                                                                    {Shared-Sec}  "xxxxxxxxxxxx"                                                     {Shared-Sec-File}  ""
cd /
set /Setup/VPN/SSL-Encaps.-Allowed Yes
cd /Setup/VPN/IKEv2/Auth/Addit.-Remote-ID-List 
del *
#    Name                  Addit.-Remote-IDs                                                                                                                                                                                                                                             
#    ======================--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "DEFAULT"            {Addit.-Remote-IDs}  "DEFAULT-RSA-PKCS,DEFAULT-RSA-PSS"
cd /
cd /Setup/VPN/IKEv2/Auth/Addit.-Remote-IDs 
del *
#    Name                  Remote-Auth           Remote-Dig-Sig-Profile     Remote-EAP-Profile   Remote-ID-Type        Remote-ID                                                                                                                                                                                                                                                       Remote-Password                                                   Remote-Cert-ID-Check    OCSP-Check       CRL-Check      
#    ======================--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "DEFAULT-RSA-PKCS"   {Remote-Auth}  Digital-Signature    {Remote-Dig-Sig-Profile}  "DEFAULT-RSA-PKCS"        {Remote-EAP-Profile}  ""                  {Remote-ID-Type}  No-Identity          {Remote-ID}  ""                                                                                                                                                                                                                                                             {Remote-Password}  ""                                                               {Remote-Cert-ID-Check}  No                     {OCSP-Check}  No              {CRL-Check}  Yes
add  "DEFAULT-RSA-PSS"    {Remote-Auth}  Digital-Signature    {Remote-Dig-Sig-Profile}  "DEFAULT-RSA-PSS"         {Remote-EAP-Profile}  ""                  {Remote-ID-Type}  No-Identity          {Remote-ID}  ""                                                                                                                                                                                                                                                             {Remote-Password}  ""                                                               {Remote-Cert-ID-Check}  No                     {OCSP-Check}  No              {CRL-Check}  Yes
cd /
cd /Setup/VPN/IKEv2/Auth/Digital-Signature-Profiles 
del *
#    Name                  Auth-Method                Hash-Algorithms                     
#    ======================---------------------------------------------------------------
add  "DEFAULT-RSA-PSS"    {Auth-Method}  RSASSA-PSS                {Hash-Algorithms}  SHA-512,SHA-384,SHA-256
add  "DEFAULT-RSA-PKCS"   {Auth-Method}  RSASSA-PKCS1-v1_5         {Hash-Algorithms}  SHA-512,SHA-384,SHA-256
cd /
cd /Setup/VPN/Load-Balancer/Message-Profiles 
del *
#    Profile-Name      Interface         Address          Port   Interval   Holdtime   Replay-Window   Max-Time-Skew       Secret     Cipher       HMAC      Comment                                                        
#    ==================-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "DEFAULT"        {Interface}  "INTRANET"       {Address}  "239.255.22.11" {Port}  1987  {Interval}  2000      {Holdtime}  3000      {Replay-Window}  5              {Max-Time-Skew}  15                 {Secret}  ""        {Cipher}  None        {HMAC}  96-Bits  {Comment}  ""
cd /
cd /Setup/Charges/Volume-Budgets 
del *
#    Peer              Limit-MB         Action                     
#    ==================--------------------------------------------
add  "INET_2"         {Limit-MB}  0               {Action}  none
cd /
cd /Setup/TCP-IP/Network-list 
del *
#    Network-name      IP-Address       IP-Netmask       VLAN-ID  Interface           Src-check      Type      Rtg-tag  Comment                                                         
#    ==================-----------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "INTRANET"       {IP-Address}  192.168.16.10   {IP-Netmask}  255.255.248.0   {VLAN-ID}  0       {Interface}  LAN-1              {Src-check}  loose         {Type}  Intranet {Rtg-tag}  0       {Comment}  "local intranet"
add  "DMZ"            {IP-Address}  0.0.0.0         {IP-Netmask}  255.255.255.0   {VLAN-ID}  0       {Interface}  LAN-2              {Src-check}  loose         {Type}  DMZ      {Rtg-tag}  0       {Comment}  "demilitarized zone"
cd /
cd /Setup/IP-Router/IP-Routing-Table 
del *
#    IP-Address       IP-Netmask       Rtg-tag  Admin-Distance  Peer-or-IP             Distance  Masquerade  Active   Comment                                                         
#    ===========================================================----------------------------------------------------------------------------------------------------------------------
add  192.168.16.9     255.255.255.255  0        0              {Peer-or-IP}  "VAGUAR2"           {Distance}  0        {Masquerade}  No         {Active}  Yes     {Comment}  ""
add  192.168.0.0      255.255.0.0      0        0              {Peer-or-IP}  "0.0.0.0"             {Distance}  0        {Masquerade}  No         {Active}  No      {Comment}  "template: block private networks: 192.168.x.y"
add  172.16.0.0       255.240.0.0      0        0              {Peer-or-IP}  "0.0.0.0"             {Distance}  0        {Masquerade}  No         {Active}  No      {Comment}  "template: block private networks: 172.16-31.x.y"
add  10.0.0.0         255.0.0.0        0        0              {Peer-or-IP}  "0.0.0.0"             {Distance}  0        {Masquerade}  No         {Active}  No      {Comment}  "template: block private network: 10.x.y.z"
add  255.255.255.255  0.0.0.0          0        0              {Peer-or-IP}  "INET_2"              {Distance}  0        {Masquerade}  on         {Active}  Yes     {Comment}  "Diese Route wurde durch den Internet-Assistenten erzeugt"
cd /
set /Setup/IP-Router/Proxy-ARP Yes
cd /Setup/IP-Router/RIP/LAN-Sites 
del *
#    Network-name      RIP-Type    RIP-Send    RIP-Accept  Propagate    Poisoned-Reverse  Dft-Rtg-Tag  Rtg-Tag-List                       Ignore-Tags      Rx-Filter         Tx-Filter       
#    ==================----------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "INTRANET"       {RIP-Type}  Off        {RIP-Send}  No         {RIP-Accept}  No         {Propagate}  No          {Poisoned-Reverse}  No               {Dft-Rtg-Tag}  0           {Rtg-Tag-List}  ""                                {Ignore-Tags}  No              {Rx-Filter}  ""               {Tx-Filter}  ""
add  "DMZ"            {RIP-Type}  Off        {RIP-Send}  No         {RIP-Accept}  No         {Propagate}  No          {Poisoned-Reverse}  No               {Dft-Rtg-Tag}  0           {Rtg-Tag-List}  ""                                {Ignore-Tags}  No              {Rx-Filter}  ""               {Tx-Filter}  ""
cd /
set /Setup/IP-Router/1-N-NAT/UDP-Aging-Seconds 20
cd /Setup/IP-Router/Firewall/Actions 
del *
#    Name                              Description                                                     
#    ==================================----------------------------------------------------------------
add  "ACCEPT"                         {Description}  "%A"
add  "REJECT"                         {Description}  "%R %N"
add  "DROP"                           {Description}  "%D %N"
add  "CONNECT-FILTER"                 {Description}  "@c %R"
add  "INTERNET-FILTER"                {Description}  "@i %R"
add  "CONTENT-FILTER-BASIC"           {Description}  "%Lcds0 %xcCF-BASIC-PROFILE"
add  "CONTENT-FILTER-WORK"            {Description}  "%Lcds0 %xcCF-WORK-PROFILE"
add  "CONTENT-FILTER-PARENTAL-CONTROL" {Description}  "%Lcds0 %xcCF-PARENTAL-CONTROL-PROFILE"
cd /
cd /Setup/IP-Router/Firewall/Objects 
del *
#    Name                              Description                                                     
#    ==================================----------------------------------------------------------------
add  "ANY"                            {Description}  ""
add  "ANYHOST"                        {Description}  "%A0.0.0.0 %M0.0.0.0"
add  "LOCALNET"                       {Description}  "%L"
add  "ICMP"                           {Description}  "%P1"
add  "TCP"                            {Description}  "%P6"
add  "UDP"                            {Description}  "%P17"
add  "ESP"                            {Description}  "%P50"
add  "AH"                             {Description}  "%P51"
add  "IPCOMP"                         {Description}  "%P108"
add  "FTP"                            {Description}  "TCP %S21"
add  "MAIL"                           {Description}  "TCP %S25,110,143"
add  "SECURE-MAIL"                    {Description}  "TCP %S587,993,995"
add  "HTTP"                           {Description}  "TCP %S80"
add  "HTTPS"                          {Description}  "TCP %S443"
add  "WEB"                            {Description}  "TCP %S80,443"
add  "NEWS"                           {Description}  "TCP %S119"
add  "TFTP"                           {Description}  "UDP %S69"
add  "IPSEC"                          {Description}  "UDP %S500,4500"
add  "SSH"                            {Description}  "TCP %S22"
add  "TELNET"                         {Description}  "TCP %S23"
add  "DNS"                            {Description}  "TCP UDP %S53"
add  "NETBIOS"                        {Description}  "TCP UDP %S137-139"
add  "PPTP"                           {Description}  "TCP %S1723"
add  "ELSTER"                         {Description}  "TCP %S8000"
add  "RDP"                            {Description}  "TCP %S3389"
add  "SNMP"                           {Description}  "UDP %S161-162"
add  "NTP"                            {Description}  "UDP %S123"
add  "PC-ANYWHERE"                    {Description}  "TCP UDP %S5631-5632"
add  "HBCI-ONLINE-BANKING"            {Description}  "TCP %S3000"
add  "KAAZAA-MORPHEUS"                {Description}  "TCP %S1214"
add  "SAP-GUI"                        {Description}  "TCP %S515,3200,3600"
add  "ECHO"                           {Description}  "TCP UDP %S7"
add  "SYSLOG"                         {Description}  "UDP %S514"
cd /
cd /Setup/IP-Router/Firewall/Rules 
del *
#    Name                              Prot.       Source                                    Destination                               Action                                    Linked      Prio   Firewall-Rule  VPN-Rule   Stateful  Src-Tag    Rtg-tag  Comment                                                         
#    ==================================-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "WINS"                           {Prot.}  "TCP UDP"  {Source}  "NETBIOS ANYHOST"                        {Destination}  "ANYHOST"                                {Action}  "INTERNET-FILTER"                        {Linked}  No         {Prio}  0     {Firewall-Rule}  Yes           {VPN-Rule}  No        {Stateful}  Yes      {Src-Tag}  0         {Rtg-tag}  0       {Comment}  "block NetBIOS/WINS name resolution via DNS"
add  "WIZ_VPN-VAGUAR2"              {Prot.}  "ANY"      {Source}  "%A192.168.16.10"                        {Destination}  "%HVAGUAR2"                            {Action}  "%Lcds0 %A %N"                           {Linked}  No         {Prio}  0     {Firewall-Rule}  No            {VPN-Rule}  Yes       {Stateful}  Yes      {Src-Tag}  0         {Rtg-tag}  0       {Comment}  "Created by Setup Wizard"
add  "CONTENT-FILTER"                 {Prot.}  "TCP"      {Source}  "LOCALNET"                               {Destination}  "WEB ANYHOST"                            {Action}  "CONTENT-FILTER-BASIC"                   {Linked}  No         {Prio}  9999  {Firewall-Rule}  No            {VPN-Rule}  No        {Stateful}  Yes      {Src-Tag}  0         {Rtg-tag}  0       {Comment}  "pass web traffic to Content-Filter"
cd /
# DHCP
cd /Setup/DHCP/Network-list 
del *
#    Network-name      Start-Address-Pool  End-Address-Pool    Netmask             Broadcast-Address   Gateway-Address     DNS-Default      DNS-Backup       NBNS-Default     NBNS-Backup      Operating  Broadcast-Bit  Master-Server    2nd-Master-Server   3rd-Master-Server   4th-Master-Server   Loopback-Address  Cache   Adaption   Cluster  Max.-Lease        Def.-Lease        Suppress-ARP-check
#    ==================-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "INTRANET"       {Start-Address-Pool}  0.0.0.0            {End-Address-Pool}  0.0.0.0            {Netmask}  0.0.0.0            {Broadcast-Address}  0.0.0.0            {Gateway-Address}  0.0.0.0            {DNS-Default}  0.0.0.0         {DNS-Backup}  0.0.0.0         {NBNS-Default}  0.0.0.0         {NBNS-Backup}  0.0.0.0         {Operating}  No        {Broadcast-Bit}  No            {Master-Server}  0.0.0.0         {2nd-Master-Server}  0.0.0.0            {3rd-Master-Server}  0.0.0.0            {4th-Master-Server}  0.0.0.0            {Loopback-Address}  ""               {Cache}  No     {Adaption}  No        {Cluster}  No      {Max.-Lease}  0                {Def.-Lease}  0                {Suppress-ARP-check}  No
add  "DMZ"            {Start-Address-Pool}  0.0.0.0            {End-Address-Pool}  0.0.0.0            {Netmask}  0.0.0.0            {Broadcast-Address}  0.0.0.0            {Gateway-Address}  0.0.0.0            {DNS-Default}  0.0.0.0         {DNS-Backup}  0.0.0.0         {NBNS-Default}  0.0.0.0         {NBNS-Backup}  0.0.0.0         {Operating}  No        {Broadcast-Bit}  No            {Master-Server}  0.0.0.0         {2nd-Master-Server}  0.0.0.0            {3rd-Master-Server}  0.0.0.0            {4th-Master-Server}  0.0.0.0            {Loopback-Address}  ""               {Cache}  No     {Adaption}  No        {Cluster}  No      {Max.-Lease}  0                {Def.-Lease}  0                {Suppress-ARP-check}  No
cd /
cd /Setup/NetBIOS/Networks 
del *
#    Network-name      Operating  NT-Domain      
#    ==================--------------------------
add  "INTRANET"       {Operating}  No        {NT-Domain}  ""
add  "DMZ"            {Operating}  No        {NT-Domain}  ""
cd /
set /Setup/Config/TFTP-Operating Yes
set /Setup/Config/Telnet-SSL/Versions TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
set /Setup/Config/Telnet-SSL/Keyex-Algorithms RSA,DHE,ECDHE
set /Setup/Config/Telnet-SSL/Crypto-Algorithms 3DES,AES-128,AES-256,AESGCM-128,AESGCM-256,Chacha20-Poly1305
set /Setup/Config/Telnet-SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Config/Telnet-SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Config/SSL-for-Cron-Table/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Config/SSL-for-Cron-Table/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Config/Rollout-Agent/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Config/Rollout-Agent/SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Config/SSH/Cipher-Algorithms 3des-cbc,3des-ctr,blowfish-cbc,blowfish-ctr,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305,aes128-gcm,aes256-gcm
set /Setup/Config/SSH/MAC-Algorithms hmac-sha1,hmac-sha2-256,hmac-sha2-512
set /Setup/Config/SSH/Key-Exchange-Algorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2,curve25519-sha256
set /Setup/Config/SSH/DH-Groups Group-1,Group-5,Group-14
set /Setup/Config/SSH/Min-Hostkey-Length 512
set /Setup/HTTP/SSL/Versions TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
set /Setup/HTTP/SSL/Keyex-Algorithms RSA,DHE,ECDHE
set /Setup/HTTP/SSL/Crypto-Algorithms 3DES,AES-128,AES-256,AESGCM-128,AESGCM-256,Chacha20-Poly1305
set /Setup/HTTP/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/HTTP/SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/HTTP/SSL/Renegotiations allowed
cd /Setup/HTTP/Show-device-information 
del *
#    Device-Information                                Position  
#    ==================================================----------
add  Systeminfo                                       {Position}  1
add  Firmware                                         {Position}  2
add  CPU                                              {Position}  4
add  Memory                                           {Position}  5
add  WAN                                              {Position}  8
add  Mobile-Modem-Interface                           {Position}  10
add  Ethernet-Ports                                   {Position}  11
add  Throughput(Ethernet)                             {Position}  14
add  Router                                           {Position}  15
add  Firewall                                         {Position}  16
add  DHCP                                             {Position}  17
add  DNS                                              {Position}  18
add  VPN                                              {Position}  19
add  Connections                                      {Position}  20
add  SCEP-CA                                          {Position}  21
add  WLAN-Controller                                  {Position}  22
add  Time                                             {Position}  23
add  IPv4-Addresses                                   {Position}  24
add  IPv6-Addresses                                   {Position}  25
add  IPv6-Prefixes                                    {Position}  26
add  DHCPv6-Client                                    {Position}  27
add  DHCPv6-Server                                    {Position}  28
add  Operating-Time                                   {Position}  29
add  TR069                                            {Position}  31
cd /
set /Setup/HTTP/HTTP-Compression Activated
cd /Setup/HTTP/Keep-Server-Ports-Open
#    Ifc.        Keep-Server-Ports-Open          
#    ============--------------------------------
set  LAN        {Keep-Server-Ports-Open}  automatic
set  WAN        {Keep-Server-Ports-Open}  automatic
set  WLAN       {Keep-Server-Ports-Open}  automatic
cd /
set /Setup/HTTP/Automatic-Redirect-to-HTTPS No
set /Setup/HTTP/Rollout-Wizard/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/HTTP/Rollout-Wizard/SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/HTTP/Rollout-Wizard/SSL/Renegotiations allowed
cd /Setup/Interfaces/Ethernet-Ports
#    Port       Assignment   Connector   MDI-Mode    Private-Mode        Downshift    Clock-Role         Power-Saving      Flow-Control    
#    ===========---------------------------------------------------------------------------------------------------------------------------
set  ETH-1     {Assignment}  LAN-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
set  ETH-2     {Assignment}  LAN-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
set  ETH-3     {Assignment}  LAN-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
set  ETH-4     {Assignment}  LAN-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
set  WAN-1     {Assignment}  DSL-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
set  WAN-2     {Assignment}  DSL-1       {Connector}  Auto       {MDI-Mode}  Auto       {Private-Mode}  No                 {Downshift}  Yes         {Clock-Role}  Master-Preferred  {Power-Saving}  No               {Flow-Control}  Auto
cd /
cd /Setup/Public-Spot-Module/Page-Table
#    Page                            URL                                                                                                                                                                                                                                                           Type         Fallback    Loopback-Addr.    Template-Cache 
#    ================================------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
set  Welcome                        {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Login                          {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Error                          {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Start                          {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Status                         {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Logoff                         {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Help                           {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  No-Proxy                       {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Voucher                        {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  GTC                            {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Fallback-Error                 {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Registration-(e-mail)          {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Login-(e-mail)                 {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Registration-(SMS)             {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
set  Login-(SMS)                    {URL}  ""                                                                                                                                                                                                                                                           {Type}  Template    {Fallback}  No         {Loopback-Addr.}  ""               {Template-Cache}  No
cd /
set /Setup/Public-Spot-Module/SSL-for-Page-Table/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Public-Spot-Module/SSL-for-Page-Table/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Public-Spot-Module/Authentication-Modules/e-mail2Sms-Authentication/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Public-Spot-Module/Authentication-Modules/e-mail2Sms-Authentication/SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Public-Spot-Module/Authentication-Modules/e-mail2Sms-Authentication/SSL/Renegotiations allowed
set /Setup/Public-Spot-Module/Authentication-Modules/Radius-Server/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/Public-Spot-Module/Authentication-Modules/Radius-Server/SSL/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/Public-Spot-Module/Authentication-Modules/Radius-Server/SSL/Renegotiations allowed
set /Setup/RADIUS/Server/EAP/EAP-TLS/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/RADIUS/RADSEC/Versions TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
set /Setup/RADIUS/RADSEC/Keyex-Algorithms RSA,DHE,ECDHE
set /Setup/RADIUS/RADSEC/Crypto-Algorithms 3DES,AES-128,AES-256,AESGCM-128,AESGCM-256,Chacha20-Poly1305
set /Setup/RADIUS/RADSEC/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/RADIUS/RADSEC/Signature-Hash-Algorithms SHA1-RSA,SHA224-RSA,SHA256-RSA,SHA384-RSA,SHA512-RSA
set /Setup/NTP/BC-Mode Yes
cd /Setup/NTP/RQ-Address 
del *
#    RQ-Address                                                        Loopback-Addr.                           Authentication-Enabled  Key-ID          
#    ==================================================================---------------------------------------------------------------------------------
add  "192.168.20.10"                                                  {Loopback-Addr.}  ""                                      {Authentication-Enabled}  No                     {Key-ID}  0
cd /
cd /Setup/NTP/Networklist 
del *
#    Network-name      Server-Operating                                                
#    ==================----------------------------------------------------------------
add  "INTRANET"       {Server-Operating}  Yes
add  "DMZ"            {Server-Operating}  Yes
cd /

#    Network-Name      Port-List                                                                                                                                                                                                                                                  
#    ==================-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
add  "INTRANET"       {Port-List}  "*-*"                                                                                                                                                                                                                                                      
add  "DMZ"            {Port-List}  "*-*"                                                                                                                                                                                                                                                      
cd /
set /Setup/Certificates/SCEP-CA/Encryption-Algorithm DES
set /Setup/Automatic-Firmware-Update/Mode manual
set /Setup/CWMP/Data-Model TR-181
set /Setup/CWMP/SSL/Hash-Algorithms SHA1,SHA-256,SHA-384
set /Setup/CWMP/SSL/Signature-Hash-Algorithms SHA256-RSA,SHA384-RSA,SHA512-RSA
flash Yes

# done
exit



Error: either I can reach the whole network, or I can reach nothing.
Unfortunately I'm stuck here.



Code:

[VPN-Status] 2020/02/25 13:03:55,952
IKE info: Phase-2 failed for peer VAGUAR2: no rule matches the phase-2 ids  192.168.16.9 <->  0.0.0.0/0.0.0.0
IKE log: 130355.952565 Default message_negotiate_sa: no compatible proposal found
IKE log: 130355.952585 Default dropped message from aaa.aaa.aaa.aaa port 500 due to notification type NO_PROPOSAL_CHOSEN


[VPN-Debug] 2020/02/25 13:03:55,954
QUB-DATA: xxx.xxx.xxx.xxx:500<---aaa.aaa.aaa.aaa:500 rtg_tag 0 physical-channel WAN(1) vpn-channel 10
transport: [id: 16477, UDP (17) {incoming unicast, fixed source address}, dst: aaa.aaa.aaa.aaa, tag 0 (U), src: 62.159.75.130, hop limit: 64, DSCP: CS6, ECN: Not-ECT, pmtu: 1024, iface: INET_2 (4), mac address: 4c:5e:0, port 0], local port: 500, remote port: 500
Peer VANGUARD2: Looking for a matching rule for IPV4_ADDR(0, 0, 192.168.16.9)<->IPV4_ADDR_SUBNET(0, 0, 0.0.0.0/0.0.0.0) (IDci<->IDcr)
Trying exact match:
  'IPSEC-0-VAGUAR2-PR0-L0-R0': IPV4_ADDR(0, 0, 192.168.16.9)<->IPV4_ADDR(0, 0, 192.168.16.9)...Not found
  'IPSEC-0-VAGUAR2-PR0-L1-R0': IPV4_ADDR(0, 0, 192.168.16.10)<->IPV4_ADDR(0, 0, 192.168.16.9)...Not found
Trying not exact match:
  'IPSEC-0-VAGUAR2-PR0-L0-R0': IPV4_ADDR(0, 0, 192.168.16.9)<->IPV4_ADDR(0, 0, 192.168.16.9)...Not found
  'IPSEC-0-VAGUAR2-PR0-L1-R0': IPV4_ADDR(0, 0, 192.168.16.10)<->IPV4_ADDR(0, 0, 192.168.16.9)...Not found

[VPN-Status] 2020/02/25 13:03:55,954
Phase-2 SA ('', '') entered to SADB
Peer VAGUAR2: Could not find a matching rule

[VPN-Status] 2020/02/25 13:03:55,954
VPN: policy manager error indication: VAGUAR22 (.aa.aaa.aaa.aaa), cause: 12801

[VPN-Status] 2020/02/25 13:03:55,954
VPN: WAN state changed to WanCalled for VANGUARD2 (0.0.0.0), called by: 020fc8b8

[VPN-Status] 2020/02/25 13:03:55,954
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for VAGUAR2 (aaa.aaa.aaa.aaa)

[VPN-Status] 2020/02/25 13:03:55,954
vpn-maps[10], remote: VAGUAR2, idle, static-name
Nothing to do with "networks" is configured on the Shrew Soft client. I'm stuck.
What am I doing wrong with the rules? Should I solve this differently?
kay_ausderkiste
Posts: 14
Registered: 14 Nov 2019, 11:38

Re: VPN rule for access to specific IPs

Post by kay_ausderkiste »

Thanks, but that's not an answer to my VPN / firewall rule question.
The VPN, or rather its connection setup, is not the problem here. The problem is how I restrict the incoming connection to 1-2 local IP addresses.

VPN client A with Shrew Soft is supposed to be able to reach only 1-2 addresses via the Lancôme 1900EF (VPN) instead of the whole network range.
ittk
Posts: 1244
Registered: 27 Apr 2006, 09:56

Re: VPN rule for access to specific IPs

Post by ittk »

kay_ausderkiste wrote: 25 Feb 2020, 20:35 Thanks, but that's not an answer to my VPN / firewall rule question.
The VPN, or rather its connection setup, is not the problem here. The problem is how I restrict the incoming connection to 1-2 local IP addresses.

VPN client A with Shrew Soft is supposed to be able to reach only 1-2 addresses via the Lancôme 1900EF (VPN) instead of the whole network range.
You won't find anything about Lancôme here :D
12x 1621 Anx. B-21x 1711 VPN-3x 1722 Anx. B-7x 1723 VoIP-1x 1811 DSL, 1x 7011 VPN-1 x 7111 VPN-1x 8011 VPN-10er Pack Adv. VPN Client (2x V1.3-3x 2.0)-Hotspot Option-Adv. VoIP Client/P250 Handset-Adv.VoIP Option-4x VPN-Option-2x L-54 dual-2x L54ag-2x O-18a
backslash
Moderator
Posts: 7010
Registered: 08 Nov 2004, 21:26
Location: Aachen

Re: VPN rule for access to specific IPs

Post by backslash »

Hi kay_ausderkiste,
The VPN, or rather its connection setup, is not the problem here. The problem is how I restrict the incoming connection to 1-2 local IP addresses.
Short and sweet: the firewall is your friend... Simply create a deny rule that blocks the client's access to everything, and then an allow rule that permits access to the desired addresses....

Or you have to start working with targeted IPsec rules that allow the client access only to those addresses - but then you also have to create matching rules in the client and hope that the SAs are negotiated cleanly (for every allowed address you need one rule BOTH in the LANCOM AND in the client) - there I can only say: don't make it so hard on yourself and take the firewall solution...

Regards
Backslash
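The deny-plus-allow approach described above, written out as an LCOS script fragment in the same table format as the rule dump earlier in the thread. This is an added example, not code from the thread or from LANCOM's documentation, and it assumes: the action codes `%A` (accept) and `%D` (drop) and the priority semantics (a rule with a higher `Prio` is evaluated before one with a lower `Prio`) behave as in the 10.40 firewall rule table; `192.168.16.20` is a placeholder for a second permitted host that does not appear in the thread. The existing wizard entry with `VPN-Rule Yes` is left untouched so that it still negotiates the phase-2 selectors; the entries below are plain `Firewall-Rule Yes` / `VPN-Rule No` filters that only act on traffic once the tunnel is up.

```lcos
# Added example (not from the original thread): restrict the Shrew Soft client
# 192.168.16.9 to a short list of local hosts with the LCOS firewall.
# Assumptions: %A = accept, %D = drop, higher Prio is evaluated first;
# 192.168.16.20 is a placeholder for the second permitted host.
lang English
flash No

cd /Setup/IP-Router/Firewall/Rules

# Allow rules, evaluated first (high priority): the client may reach exactly
# the listed hosts. Firewall-Rule Yes / VPN-Rule No, so these filter routed
# traffic and do not change the IPsec phase-2 selectors of the wizard rule.
add  "VPN-CLIENT-ALLOW-10"  {Prot.}  "ANY"  {Source}  "%A192.168.16.9"  {Destination}  "%A192.168.16.10"  {Action}  "%A"  {Linked}  No  {Prio}  100  {Firewall-Rule}  Yes  {VPN-Rule}  No  {Stateful}  Yes  {Src-Tag}  0  {Rtg-tag}  0  {Comment}  "client may reach 192.168.16.10"
add  "VPN-CLIENT-ALLOW-20"  {Prot.}  "ANY"  {Source}  "%A192.168.16.9"  {Destination}  "%A192.168.16.20"  {Action}  "%A"  {Linked}  No  {Prio}  100  {Firewall-Rule}  Yes  {VPN-Rule}  No  {Stateful}  Yes  {Src-Tag}  0  {Rtg-tag}  0  {Comment}  "client may reach 192.168.16.20 (placeholder host)"

# Deny rule, evaluated afterwards (lower priority): everything else the
# client sends is dropped. On its own this rule would cut the client off
# completely, which is the "or I reach nothing" case from the first post.
add  "VPN-CLIENT-DENY"  {Prot.}  "ANY"  {Source}  "%A192.168.16.9"  {Destination}  "ANYHOST"  {Action}  "%D"  {Linked}  No  {Prio}  50  {Firewall-Rule}  Yes  {VPN-Rule}  No  {Stateful}  Yes  {Src-Tag}  0  {Rtg-tag}  0  {Comment}  "drop everything else from the VPN client"

cd /
flash Yes
```

To check the result, bring the tunnel up and, from the client, ping 192.168.16.10 and then a host that is not on the allow list; only the first should answer. Because the deny rule is stateful and matches on the client's address as source, return traffic for the permitted connections still passes, while anything the client initiates towards other hosts is dropped.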
b.junghans
Posts: 59
Registered: 08 Oct 2013, 15:25

Re: VPN rule for access to specific IPs

Post by b.junghans »

Don't get me wrong, but this is quite funny; for me it's exactly the other way round :)

I have a 1900EF, with a router in the remote network connected via VPN.
The remote router can ping the 1900EF but can't reach any server behind it.
The 1900EF can reach the servers.
The routes are there, and the firewall is also mostly blank apart from the 2 standard rules + the VPN rule.

I'm really stumped right now, but I'll open a separate thread for it :D
backslash
Moderator
Posts: 7010
Registered: 08 Nov 2004, 21:26
Location: Aachen

Re: VPN rule for access to specific IPs

Post by backslash »

Hi b.junghans,

That sounds to me as if the servers are missing the route to the network behind the VPN. Is the 1900EF the default gateway for the servers? If not, you have to set an explicit route on the servers to that network, with the 1900EF entered as the gateway.

Apart from that, of course: is a firewall active on the servers that blocks access from other networks? That is the case with almost all NAS devices, for example. (although you can probably drop the "almost")

Regards
Backslash
b.junghans
Posts: 59
Registered: 08 Oct 2013, 15:25

Re: VPN rule for access to specific IPs

Post by b.junghans »

backslash wrote: 27 Feb 2020, 13:46 Hi b.junghans,

That sounds to me as if the servers are missing the route to the network behind the VPN. Is the 1900EF the default gateway for the servers? If not, you have to set an explicit route on the servers to that network, with the 1900EF entered as the gateway.
:M

Sure, that'll be it; the servers are still using the old one as their gateway.
Why didn't I think of that myself... a thousand thanks!!!

edit: and it really was that; now it works as expected :D