
Allied Telesis VPN User Manual



Configuring the router > The configuration script

Page 6 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T

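# Firewall
enable fire
create fire poli=main
create fire poli=main dy=dynamic
add fire poli=main dy=dynamic user=ANY
add fire poli=main int=vlan1 type=private
# Dynamic private interfaces are accepted from L2TP, which are from
# IPSec only.
add fire poli=main int=dyn-dynamic type=private
add fire poli=main int=eth0 type=public
# The firewall allows for internally generated access to the Internet
# through the following NAT definition.
add fire poli=main nat=enhanced int=vlan1 gblint=eth0
# This NAT definition allows Internet access for remote VPN users by
# providing address translation.
add fire poli=main nat=enhanced int=dyn-dynamic gblint=eth0
# Rule 1 admits ISAKMP (UDP 500) to the office address from any Internet
# source. It is the only rule here that allows unauthenticated inbound
# traffic on eth0; every other inbound flow must arrive inside IPsec.
add fire poli=main rule=1 int=eth0 action=allow prot=udp ip=<office-Internet-address> port=500 gblip=<office-Internet-address> gblpo=500
# Rule 2 becomes the L2TP tunnel allow rule. Additional security is
# provided by only allowing traffic from IPSec tunnels: encap=ipsec means
# plaintext L2TP (UDP 1701) arriving from the Internet is not allowed.
add fire poli=main rule=2 int=eth0 action=allow prot=udp ip=<office-Internet-address> port=1701 gblip=<office-Internet-address> gblpo=1701 encap=ipsec
# Phase 2 (IPsec) proposals, all ESP in transport mode as L2TP/IPsec
# clients expect. sas=1 (3DES/SHA) is the strongest on offer. sas=3 and
# sas=4 use single DES and sas=2/sas=4 use MD5; both algorithms are
# considered weak and should be offered only if legacy clients need them.
create ipsec sas=1 key=isakmp prot=esp encalg=3desouter hashalg=sha mode=transport
create ipsec sas=2 key=isakmp prot=esp encalg=3desouter hashalg=md5 mode=transport
create ipsec sas=3 key=isakmp prot=esp encalg=des hashalg=sha mode=transport
create ipsec sas=4 key=isakmp prot=esp encalg=des hashalg=md5 mode=transport
# The ORDER of proposals is important. You should propose the strongest
# encryption first. Ordering only expresses preference, however: any
# proposal listed in the bundle can be negotiated by a peer, so the weakest
# entry (DES/MD5) is the effective security floor. If every client supports
# 3DES/SHA, shorten this to string="1" (or string="1 or 2").
create ipsec bundle=1 key=isakmp string="1 or 2 or 3 or 4"
# ISAKMP itself (UDP 500 both ways) is permitted in the clear; it carries
# its own authentication and key exchange.
create ipsec policy=isakmp int=eth0 action=permit lport=500 rport=500
# This is a generic IPSec policy that multiple IPSec remote PC clients
# can connect through. peer=any means any Internet host holding the
# pre-shared key can attempt to bring up a tunnel; there is no per-client
# identity beyond that key.
create ipsec policy=to_HQ int=eth0 action=ipsec key=isakmp bundle=1 peer=any isa=keys
set ipsec policy=to_HQ transport=udp rport=1701
# The following policy allows for internally generated Internet access.
# It is a catch-all permit (act=permit with no selectors): eth0 traffic not
# claimed by the to_HQ policy leaves unencrypted, so filtering of that
# traffic depends entirely on the firewall rules above. Presumably policies
# are matched in the order created -- confirm for your release.
create ipsec policy=Internet int=eth0 act=permit
enable ipsec
# Phase 1 (ISAKMP). peer=any together with a single key=1 means all remote
# clients share one pre-shared key; if any one client is compromised the
# key must be rotated on the router and on every client. The key material
# itself (enco key 1) must be created elsewhere in the script -- not shown
# on this page.
create isakmp policy=keys peer=any key=1
# sendd=true: send ISAKMP delete notifications when SAs are torn down.
set isakmp policy=keys sendd=true
enable isakmp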