
Branch office 2 – Allied Telesis AlliedWare AR440S User Manual


Page 27 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

Branch office 2

7. Check feature licences

Check that you have a 3DES feature licence for the ISAKMP policy.

show feature

You can purchase feature licences from your Allied Telesis distributor.

If necessary, install the licence, using the password provided by your distributor.

enable feature=3des pass=<licence-number>

8. Configure the VPNs for connecting to the headquarters office

Enable IPsec.

enable ipsec

In this example, the IPsec SA specification proposes:

- ISAKMP as the key management protocol
- ESP as the IPsec protocol
- 3DES as the encryption algorithm for ESP
- SHA as the hashing algorithm for ESP authentication

Create an SA specification for the headquarters office site-to-site VPN. This SA specification uses tunnel mode by default.

create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha

Note that the branch office 2 router has no connections from roaming VPN clients, so it does not need SA specifications for them.

Create an IPsec bundle for the SA specification.

create ipsec bund=1 key=isakmp string="1"

Create an IPsec policy to permit ISAKMP messages to bypass IPsec.

create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500

Create an IPsec policy for the VPN traffic between headquarters and branch office 2. Identify the traffic by its local and remote addresses. In this example the subnet used on the LAN at branch office 2 (local) is 192.168.142.0/24, so use that as the local address selector. However, define a wider remote address selector (192.168.0.0/16), to allow for other incoming VPN traffic via headquarters.

create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
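The two policy commands above are easier to reason about when you can see which policy each kind of packet lands on: the ISAKMP bypass policy selects on UDP ports alone, and the hq policy's remote selector is deliberately wider (192.168.0.0/16) than the headquarters LAN. The following script is an added example, not Allied Telesis code and not a model of AlliedWare OS internals. It parses the page's own `create ipsec pol` lines and classifies constructed packets against them. It assumes (none of this is stated on the page) that policies are tried in creation order, that the first match wins, that an absent lad/lma or rad/rma selector means "any address", and that traffic matching no policy is simply reported as "no-match"; the router address 200.200.200.2 and all packet addresses are constructed.

```python
"""Selector-matching model for the IPsec policies on this page.

Added example; not Allied Telesis code and not a model of AlliedWare OS
internals. Assumptions not taken from the page: policies are tried in
the order they were created, the first match wins, a policy with no
lad/lma or rad/rma selector matches any address, and traffic matching
no policy is reported as "no-match" (what the router then does with it
is outside this model).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two 'create ipsec pol' commands from this page, as typed on the
# branch office 2 router (the wrapped command joined onto one line).
BRANCH2_POLICIES = [
    "create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500",
    "create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 "
    "peer=200.200.200.1 isa=hq lad=192.168.142.0 lma=255.255.255.0 "
    "rad=192.168.0.0 rma=255.255.0.0",
]


@dataclass
class Policy:
    name: str
    action: str                    # permit | ipsec | deny
    local: ipaddress.IPv4Network   # from lad/lma (any address if absent)
    remote: ipaddress.IPv4Network  # from rad/rma (any address if absent)
    lport: Optional[int]           # lp
    rport: Optional[int]           # rp
    peer: Optional[str]            # peer


@dataclass
class Packet:
    """Constructed packet summary, addresses as seen from the local side."""
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _network(addr: Optional[str], mask: Optional[str]) -> ipaddress.IPv4Network:
    # Missing selector -> 0.0.0.0/0 (assumption: absent means 'any');
    # an address without a mask is treated as a single host.
    if addr is None:
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network((addr, mask or "255.255.255.255"), strict=False)


def parse_policy(cmd: str) -> Policy:
    """Parse one 'create ipsec pol=<name> ...' line. Only the parameters
    used on this page are understood; keywords are matched case-insensitively."""
    words = cmd.split()
    if len(words) < 3 or [w.lower() for w in words[:2]] != ["create", "ipsec"]:
        raise ValueError("not a 'create ipsec' command: %r" % cmd)
    kv = {}
    for w in words[2:]:
        if "=" not in w:
            raise ValueError("expected key=value, got %r" % w)
        k, v = w.split("=", 1)
        kv[k.lower()] = v
    if "pol" not in kv or "ac" not in kv:
        raise ValueError("policy needs pol= and ac=: %r" % cmd)
    return Policy(
        name=kv["pol"],
        action=kv["ac"].lower(),
        local=_network(kv.get("lad"), kv.get("lma")),
        remote=_network(kv.get("rad"), kv.get("rma")),
        lport=int(kv["lp"]) if "lp" in kv else None,
        rport=int(kv["rp"]) if "rp" in kv else None,
        peer=kv.get("peer"),
    )


def load_policies(cmds: List[str]) -> List[Policy]:
    return [parse_policy(c) for c in cmds]


def classify(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Return (policy name, action) of the first policy whose selectors
    cover the packet, or ('-', 'no-match') if none does."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for p in policies:
        if src not in p.local or dst not in p.remote:
            continue
        if p.lport is not None and pkt.sport != p.lport:
            continue
        if p.rport is not None and pkt.dport != p.rport:
            continue
        return p.name, p.action
    return "-", "no-match"


if __name__ == "__main__":
    pols = load_policies(BRANCH2_POLICIES)
    samples = [  # constructed traffic, not captured from a real network
        Packet("192.168.142.10", "192.168.1.5", 51000, 443),   # LAN -> HQ LAN
        Packet("192.168.142.10", "192.168.77.5", 51000, 22),   # LAN -> another site via HQ
        Packet("192.168.142.10", "203.0.113.9", 51000, 80),    # LAN -> Internet
        Packet("200.200.200.2", "200.200.200.1", 500, 500),    # router's own ISAKMP
        Packet("192.168.142.10", "192.168.1.5", 500, 500),     # LAN host using 500/500
    ]
    for s in samples:
        print(s.src, "->", s.dst, s.sport, s.dport, "=>", classify(pols, s))
```

Running it shows the intent of the wider remote selector: traffic to any 192.168.x.y destination, not just the headquarters LAN, is selected for the hq policy and so goes into the tunnel, while traffic to an address outside 192.168.0.0/16 matches nothing. The last sample also shows why the bypass policy's selectors deserve a look: it matches on ports 500/500 alone, so in this model a LAN host that happened to use those ports would be classified by the isakmp policy before the hq policy is considered. The parser accepts lad/lma and rad/rma on any policy, so you can check how narrowing the bypass policy's selectors changes the classification before comparing with the policy order and selectors the router itself reports.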