
Branch office 1 – Allied Telesis AlliedWare AR440S User Manual


Page 20 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

Branch office 1

- (for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP
- (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication
- (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility. We propose the most secure option first.

Create an SA specification for the headquarters office site-to-site VPN. This SA specification
uses tunnel mode by default.

create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha

Create a group of SA specifications for the roaming VPN clients. These SA specifications use
IPsec transport mode for Windows VPN interoperability. Multiple specifications allow IPsec
to negotiate different levels of encryption to match what your version of the VPN client
provides.

create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport

create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport

create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport

create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport

Create two IPsec bundles, one for the headquarters router VPN and one for the roaming
VPN clients.

create ipsec bund=1 key=isakmp string="1"

create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"

Create IPsec policies to bypass IPsec for ISAKMP messages and the “port floated” key
exchange that NAT-T uses.

create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500

create ipsec pol=isakmp_float int=ppp0 ac=permit lp=4500

Create an IPsec policy for the VPN traffic between headquarters and branch office 1. Identify
the traffic by its local and remote addresses—in this example the subnet used on the LAN at
branch office 1 (local) is 192.168.141.0/24. Note that the remote address selector is wider
than the headquarters LAN; in fact, this supernet covers all site subnets.

create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.141.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0

Create another IPsec policy for roaming VPN clients to access headquarters. Identify the
traffic by the L2TP port (UDP traffic to port 1701). This policy uses peeraddress=any. The
any option allows simultaneous VPN clients to be set up under the policy.

create ipsec pol=roaming int=ppp0 ac=ipsec key=isakmp bund=2 peer=any isa=roaming lp=1701 tra=udp

Create another IPsec policy for direct Internet traffic from the headquarters LAN to the
Internet, such as web browsing.

create ipsec pol=internet int=ppp0 ac=permit

Note: The order of the IPsec policies is important. The Internet permit policy must be last.
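The following added example (not from the How To Note or from Allied Telesis) models the router's first-match walk over the five policies created above, so you can see why the Internet permit policy has to be last: moved to the front, it shadows every policy after it and the branch-to-headquarters traffic that should enter bundle 1 leaves ppp0 in the clear. The packet addresses, 198.51.100.2 and 203.0.113.7, are constructed sample values; the policy selectors are the ones on this page.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    """One 'create ipsec pol' entry; None means the selector is not set."""
    name: str
    action: str                   # "permit" (bypass IPsec) or "ipsec"
    bundle: Optional[int] = None  # bund= for action=ipsec
    lad: Optional[str] = None     # lad/lma as CIDR (local addresses)
    rad: Optional[str] = None     # rad/rma as CIDR (remote addresses)
    lp: Optional[int] = None      # lp= local port
    rp: Optional[int] = None      # rp= remote port
    tra: Optional[str] = None     # tra= transport protocol

# Outbound packet on ppp0: the local side is the source.
Packet = namedtuple("Packet", "src dst proto sport dport")

def in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(pol, pkt):
    """Unset selectors match anything; set selectors must all fit the packet."""
    return (in_net(pkt.src, pol.lad) and in_net(pkt.dst, pol.rad)
            and pol.lp in (None, pkt.sport) and pol.rp in (None, pkt.dport)
            and pol.tra in (None, pkt.proto))

def select(policies, pkt):
    """First-match lookup, the way the router walks its ordered policy list."""
    return next(pol for pol in policies if matches(pol, pkt))

def shadowed_by_catch_all(policies):
    """Names of policies that can never match because a selector-less permit
    policy (the Internet policy) appears before them."""
    for i, p in enumerate(policies):
        if p.action == "permit" and (p.lad, p.rad, p.lp, p.rp, p.tra) == (None,) * 5:
            return [q.name for q in policies[i + 1:]]
    return []

# The five policies from this page, in the order the text creates them.
PAGE_ORDER = [
    Policy("isakmp", "permit", lp=500, rp=500),
    Policy("isakmp_float", "permit", lp=4500),
    Policy("hq", "ipsec", bundle=1, lad="192.168.141.0/24", rad="192.168.0.0/16"),
    Policy("roaming", "ipsec", bundle=2, lp=1701, tra="udp"),
    Policy("internet", "permit"),
]
# The mistake the note warns about: the Internet permit policy moved to the front.
WRONG_ORDER = [PAGE_ORDER[-1]] + PAGE_ORDER[:-1]
```

Running `select(WRONG_ORDER, Packet("192.168.141.10", "192.168.1.20", "tcp", 40000, 443))` returns the `internet` policy instead of `hq`, which is exactly the cleartext leak the ordering rule prevents.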