beautypg.com

Branch office 1 – Allied Telesis AlliedWare AR440S User Manual

Page 22

background image

Page 22 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

branch office

1

can trust traffic arriving on the dynamic interfaces because—in this example configuration—it
can only come from an authenticated and encrypted VPN connection.

create firewall policy=branch1 dynamic=roaming

add firewall policy=branch1 dynamic=roaming user=any

add firewall policy=branch1 int=dyn-roaming type=private

Define NAT definitions to use when traffic from the local LAN accesses the Internet and to
allow Internet access for remote VPN client users.

add firewall policy=branch1 nat=enhanced int=vlan1 gblin=ppp0

add firewall policy=branch1 nat=enhanced int=dyn-roaming gblin=ppp0

Note:

Windows VPN client default behaviour does not support “split tunnelling”. This

means that when the Windows VPN tunnel is up, all traffic passes through it, whether the
traffic is destined for the branch office LAN or for Internet surfing destinations. Therefore, we
suggest you define the second NAT above, to allow clients to access the Internet via the
branch office router when their VPN connection is up.

Create a rule to allow incoming ISAKMP negotiation messages to pass through the firewall.

add firewall policy=branch1 ru=1 ac=allo int=ppp0 prot=udp po=500

ip=222.222.222.1 gblip=222.222.222.1 gblp=500

Create a rule to support NAT-T. If a NAT gateway is detected in the VPN path, NAT-T “port
floats” IKE to port 4500, and also encapsulates IPsec inside UDP headers to the same port.
Therefore, UDP traffic to port 4500 must be allowed to pass through the firewall.

add firewall policy=branch1 ru=2 ac=allo int=ppp0 prot=udp po=4500

ip=222.222.222.1 gblip=222.222.222.1 gblp=4500

Create a rule for the roaming VPN clients. Windows VPN client uses L2TP (UDP to port
1701) encapsulated inside IPsec. This rule allows L2TP traffic through the firewall if it
originally arrived at the router encapsulated in IPsec (and was decapsulated by the IPsec
process before it passed to the firewall).

add firewall policy=branch1 ru=3 ac=allo int=ppp0 prot=udp po=1701

ip=222.222.222.1 gblip=222.222.222.1 gblp=1701 enc=ips

Create a pair of rules to allow office-to-office payload traffic to pass through the firewall
without applying NAT. This traffic must bypass NAT so that the traffic matches subsequent
IPsec policy address selectors. You need two rules—one for the public interface and one for
the private interface—so that office-to-office payload traffic bypasses NAT regardless of
which side initiated the session.

The rule for the public interface uses encapsulation=ipsec to identify incoming VPN
traffic—decrypted payload data that came from the IPsec module.

add firewall policy=branch1 ru=4 ac=non int=ppp0 prot=all enc=ips

11. Configure the firewall’s access rules

See also other documents in the category Allied Telesis Hardware: