{"id":1618,"date":"2025-11-22T15:48:00","date_gmt":"2025-11-22T06:48:00","guid":{"rendered":"https:\/\/mylifeisbeautiful555.net\/?page_id=1618"},"modified":"2025-11-22T15:48:01","modified_gmt":"2025-11-22T06:48:01","slug":"vpn%e3%81%8c%e8%b2%bc%e3%82%8c%e3%81%aa%e3%81%84%e5%8e%9f%e5%9b%a0tls%e3%81%ae%e5%a0%b4%e5%90%88","status":"publish","type":"page","link":"https:\/\/mylifeisbeautiful555.net\/?page_id=1618","title":{"rendered":"VPN\u304c\u8cbc\u308c\u306a\u3044\u539f\u56e0(TLS\u306e\u5834\u5408)"},"content":{"rendered":"\n

TLS \u304c\u539f\u56e0\u3067 VPN \u304c\u8cbc\u308c\u306a\u3044\uff08\u63a5\u7d9a\u3067\u304d\u306a\u3044\uff09\u3053\u3068\u306f\u5341\u5206\u3042\u308a\u307e\u3059\u3002<\/strong>
\u7279\u306b AnyConnect \/ Cisco Secure Client \/ OpenVPN \/ SSL-VPN\uff08Firepower \/ ASA \/ FortiGate \/ Palo Alto\uff09<\/strong> \u306a\u3069\u306f TLS \u3067\u5236\u5fa1\u901a\u4fe1\u3092\u884c\u3046\u305f\u3081\u3001TLS \u306e\u554f\u984c\u304c\u3042\u308b\u3068\u63a5\u7d9a\u304c\u5fc5\u305a\u5931\u6557\u3057\u307e\u3059\u3002<\/p>\n\n\n\n

TLS \u304c\u539f\u56e0\u3067 VPN \u304c\u8cbc\u308c\u306a\u3044\u5178\u578b\u30d1\u30bf\u30fc\u30f3<\/h1>\n\n\n\n

\u2460 TLS \u30d0\u30fc\u30b8\u30e7\u30f3\u4e0d\u4e00\u81f4<\/strong><\/h2>\n\n\n\n

\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3068\u30b5\u30fc\u30d0\u30fc\u3067\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u308b TLS \u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u9055\u3046\u3068\u63a5\u7d9a\u4e0d\u53ef\u3002<\/p>\n\n\n\n

\u30af\u30e9\u30a4\u30a2\u30f3\u30c8<\/th>\u30b5\u30fc\u30d0\u30fc<\/th>\u7d50\u679c<\/th><\/tr><\/thead>
TLS1.2<\/td>TLS1.0 \u306e\u307f<\/td>❌ \u63a5\u7d9a\u5931\u6557<\/td><\/tr>
TLS1.3 \u306e\u307f<\/td>TLS1.2 \u306e\u307f<\/td>❌ \u63a5\u7d9a\u5931\u6557<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Cisco ASA \u3067\u306f\u3001tls-version<\/code> \u3067\u5236\u5fa1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n

ssl server-version tlsv1.2\nssl client-version tlsv1.2\n<\/code><\/pre>\n\n\n\n
\u53e4\u3044 ASA\/FTD \u3067\u306f TLS1.0 \u304c\u30c7\u30d5\u30a9\u30eb\u30c8\u3067 ON \u2192 \u6700\u65b0\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u62d2\u5426\u3059\u308b\u30b1\u30fc\u30b9\u304c\u591a\u3044\u3067\u3059\u3002<\/p>\n\n\n\n
\u2461 \u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u554f\u984c\uff08\u671f\u9650\u5207\u308c\u30fbCN\u4e0d\u4e00\u81f4\uff09<\/strong><\/h2>\n\n\n\n
VPN \u30b5\u30fc\u30d0\u30fc\u304c\u63d0\u793a\u3059\u308b\u8a3c\u660e\u66f8\u306b\u554f\u984c\u304c\u3042\u308b\u3068 TLS \u30cf\u30f3\u30c9\u30b7\u30a7\u30a4\u30af\u304c\u5931\u6557\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
    \n
  • \u8a3c\u660e\u66f8\u671f\u9650\u5207\u308c<\/strong><\/li>\n\n\n\n
  • FQDN \u3068 CN\/SAN \u304c\u4e00\u81f4\u3057\u306a\u3044<\/strong><\/li>\n\n\n\n
  • \u4e2d\u9593\u8a3c\u660e\u66f8\u304c\u672a\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/strong><\/li>\n\n\n\n
  • \u81ea\u5df1\u7f72\u540d\u3060\u304c AnyConnect \u3067\u8a31\u53ef\u3055\u308c\u3066\u3044\u306a\u3044<\/strong><\/li>\n<\/ul>\n\n\n\n
    AnyConnect \u3067\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30a8\u30e9\u30fc\u306b\u306a\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n
      \n
    • Certificate Validation Failure<\/code><\/li>\n\n\n\n
    • Unable to complete connection<\/code><\/li>\n\n\n\n
    • The certificate you are viewing does not match...<\/code><\/li>\n<\/ul>\n\n\n\n
      \u2462 \u6697\u53f7\u30b9\u30a4\u30fc\u30c8\uff08Cipher Suite\uff09\u306e\u4e0d\u4e00\u81f4<\/strong><\/h2>\n\n\n\n
      TLS \u3067\u4f7f\u3048\u308b\u6697\u53f7\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u304c\u4e00\u81f4\u3057\u306a\u3044\u3068 VPN \u306f\u8cbc\u308c\u307e\u305b\u3093\u3002<\/p>\n\n\n\n
      \u4f8b\uff1a<\/p>\n\n\n\n
        \n
      • \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\uff1aAES-GCM \u3068 ECDHE \u306e\u307f<\/li>\n\n\n\n
      • \u30b5\u30fc\u30d0\u30fc\uff1aAES-CBC \u3084 RSA \u306e\u307f\uff08\u53e4\u3044 ASA\uff09<\/li>\n<\/ul>\n\n\n\n
        \u2192 TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u5931\u6557 \u2192 VPN\u4e0d\u53ef<\/p>\n\n\n\n
        ASA \u306e\u5834\u5408\uff1a<\/p>\n\n\n\n
        ssl encryption aes256-sha1 aes128-sha1<\/code><\/pre>\n\n\n\n
        \u2463 \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u3067 TLS\uff08443\uff09\u304c\u30d6\u30ed\u30c3\u30af\u3055\u308c\u3066\u3044\u308b<\/strong><\/h2>\n\n\n\n
        SSL-VPN \u306f TLS\uff08TCP443\uff09\u3092\u5229\u7528\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
          \n
        • \u4f01\u696d\u306e\u30d7\u30ed\u30ad\u30b7<\/li>\n\n\n\n
        • FW \u306e TLS \u30a4\u30f3\u30b9\u30da\u30af\u30b7\u30e7\u30f3<\/li>\n\n\n\n
        • FortiGate \/ Palo Alto \u306e SSL-Decryption<\/li>\n<\/ul>\n\n\n\n
          \u3053\u308c\u3089\u304c\u539f\u56e0\u3067 VPN \u306e TLS \u30cf\u30f3\u30c9\u30b7\u30a7\u30a4\u30af\u304c\u58ca\u3055\u308c\u308b\u3068\u63a5\u7d9a\u4e0d\u53ef\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n
          \u75c7\u72b6\uff1a<\/p>\n\n\n\n
            \n
          • \u56fa\u307e\u3063\u305f\u307e\u307e\u9032\u307e\u306a\u3044<\/li>\n\n\n\n
          • Client hello \u304c\u5c4a\u304b\u306a\u3044<\/li>\n\n\n\n
          • TLS alert \u304c\u8fd4\u3055\u308c\u308b<\/li>\n<\/ul>\n\n\n\n
            \u2464 MTU\/MSS \u304c\u539f\u56e0\u3067 TLS \u30d1\u30b1\u30c3\u30c8\u65ad\u7247\u5316 \u2192 \u63a5\u7d9a\u4e0d\u53ef<\/strong><\/h2>\n\n\n\n
            TLS \u3092\u4f7f\u3046 SSL-VPN \u306f\u30d1\u30b1\u30c3\u30c8\u304c\u5927\u304d\u3044\u305f\u3081\u3001MTU \u554f\u984c\u304c\u7279\u306b\u8d77\u304d\u3084\u3059\u3044\u3067\u3059\u3002<\/p>\n\n\n\n
            \u3088\u304f\u3042\u308b\u8a2d\u5099\uff1a<\/p>\n\n\n\n
              \n
            • NTT ONU + PPPoE \u63a5\u7d9a\uff08MTU 1454\uff09<\/li>\n\n\n\n
            • IPv6 IPoE \u7d4c\u7531\u306e\u30d7\u30ed\u30ad\u30b7<\/li>\n<\/ul>\n\n\n\n
              TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u304c\u9014\u4e2d\u3067\u6b20\u3051\u308b\u3068\u63a5\u7d9a\u4e0d\u53ef\u3002<\/p>\n\n\n\n
              \u5bfe\u7b56\u4f8b\uff1a<\/p>\n\n\n\n
                \n
              • AnyConnect \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u3067 MTU \u4e0b\u3052\u308b\uff081300\u301c1360 \u63a8\u5968\uff09<\/li>\n\n\n\n
              • ASA \u5074\u306e sysopt connection tcpmss 1300<\/code><\/li>\n<\/ul>\n\n\n\n
                \u2465 OCSP \/ CRL \u306e\u8a8d\u8a3c\u5931\u6557<\/strong><\/h2>\n\n\n\n
                \u8a3c\u660e\u66f8\u306e\u5931\u52b9\u78ba\u8a8d\u304c\u3067\u304d\u306a\u3044\u3068 TLS \u304c\u5931\u6557\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
                  \n
                • \u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u306b\u51fa\u3089\u308c\u306a\u3044\u30bb\u30b0\u30e1\u30f3\u30c8\u304b\u3089\u63a5\u7d9a<\/li>\n\n\n\n
                • \u30d7\u30ed\u30ad\u30b7\u3067 OCSP \u304c\u30d6\u30ed\u30c3\u30af<\/li>\n<\/ul>\n\n\n\n
                  \u7d50\u679c\uff1a<\/p>\n\n\n\n
                    \n
                  • TLS \u30cf\u30f3\u30c9\u30b7\u30a4\u30af\u4e2d\u306b \u201c\u8a3c\u660e\u66f8\u691c\u8a3c NG\u201d \u3067\u5207\u65ad<\/li>\n<\/ul>\n\n\n\n
                    VPN\u30e1\u30fc\u30ab\u30fc\u5225\uff1aTLS\u304c\u539f\u56e0\u306e\u3088\u304f\u3042\u308b\u30a8\u30e9\u30fc<\/h1>\n\n\n\n
                    Cisco ASA \/ Firepower<\/strong><\/h2>\n\n\n\n
                      \n
                    • AnyConnect was not able to establish a connection to the specified secure gateway<\/code><\/li>\n\n\n\n
                    • The certificate you are viewing does not match...<\/code><\/li>\n\n\n\n
                    • Connection attempt has failed due to server certificate problem<\/code><\/li>\n<\/ul>\n\n\n\n
                      FortiGate<\/strong><\/h2>\n\n\n\n
                        \n
                      • TLS handshake failed<\/code><\/li>\n\n\n\n
                      • sslvpn_login_permission denied<\/code><\/li>\n<\/ul>\n\n\n\n
                        Palo Alto (GlobalProtect)<\/strong><\/h2>\n\n\n\n
                          \n
                        • Gateway TLS Handshake Failed<\/code><\/li>\n\n\n\n
                        • client hello timeout<\/code><\/li>\n<\/ul>\n\n\n\n
                          \u7d50\u8ad6\uff1aTLS \u306f VPN \u306e\u300c\u5165\u53e3\u300d\u306a\u306e\u3067\u554f\u984c\u304c\u3042\u308b\u3068\u5fc5\u305a\u5931\u6557\u3057\u307e\u3059<\/h1>\n\n\n\n
                          SSL-VPN\u306f\u6700\u521d\u306e\u5236\u5fa1\u901a\u4fe1\u304c\u3059\u3079\u3066 TLS \u3092\u4f7f\u3046\u305f\u3081\u3001<\/p>\n\n\n\n
                            \n
                          • TLS\u30cf\u30f3\u30c9\u30b7\u30a4\u30af<\/li>\n\n\n\n
                          • \u8a3c\u660e\u66f8\u691c\u8a3c<\/li>\n\n\n\n
                          • \u6697\u53f7\u30b9\u30a4\u30fc\u30c8\u4ea4\u6e09<\/li>\n<\/ul>\n\n\n\n
                            \u3053\u308c\u306e\u3069\u308c\u304b 1 \u3064\u3067\u3082\u5931\u6557\u3059\u308b\u3068 VPN \u306f\u8cbc\u308c\u307e\u305b\u3093\u3002<\/p>\n\n\n\n
                            <\/p>\n","protected":false},"excerpt":{"rendered":"
                            TLS \u304c\u539f\u56e0\u3067 VPN \u304c\u8cbc\u308c\u306a\u3044\uff08\u63a5\u7d9a\u3067\u304d\u306a\u3044\uff09\u3053\u3068\u306f\u5341\u5206\u3042\u308a\u307e\u3059\u3002\u7279\u306b AnyConnect \/ Cisco Secure Client \/ OpenVPN \/ SSL-VPN\uff08Firepower \/ ASA \/  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1618","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1618"}],"version-history":[{"count":1,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1618\/revisions"}],"predecessor-version":[{"id":1619,"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=\/wp\/v2\/pages\/1618\/revisions\/1619"}],"wp:attachment":[{"href":"https:\/\/mylifeisbeautiful555.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}