
Page 40 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

# Create a group of SA specifications for the roaming VPN clients.
# These SA specifications use IPsec transport mode.
# NOTE(review): sas=4 and sas=5 negotiate single DES (enc=des) and sas=3 and
# sas=5 use MD5 integrity; both are considered weak today. Because bundle 2
# below accepts "2 or 3 or 4 or 5", a client that proposes the weakest
# combination is still accepted. Offer only the strongest set the clients
# actually support, and drop the DES/MD5 entries once no client needs them.
create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport
create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport
create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport
create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport
# Bundle 1 (used by the site-to-site policies) allows only SA specification 1,
# which is defined outside this page. Bundle 2 (roaming clients) accepts any
# of specifications 2-5.
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"
# Create IPsec policies to bypass IPsec for ISAKMP messages and the
# "port floated" key exchange that NAT-T uses.
# ac=permit passes these packets without IPsec protection; they carry the
# IKE negotiation itself, which protects its own payload.
create ipsec pol=isakmp int=eth0 ac=permit
set ipsec pol=isakmp lp=500 rp=500
create ipsec pol=isakmp_float int=eth0 ac=permit
set ipsec pol=isakmp_float lp=4500
# Create an IPsec policy for branch 1 to headquarters VPN traffic.
# Branch 1 has a fixed public address, so the peer is pinned to it.
create ipsec pol=branch1 int=eth0 ac=ipsec key=isakmp isa=branch1 bund=1 peer=222.222.222.1
# Local side: the whole 192.168.0.0/16 headquarters range.
# Remote side: branch 1's 192.168.141.0/24.
set ipsec pol=branch1 lad=192.168.0.0 lma=255.255.0.0 rad=192.168.141.0 rma=255.255.255.0
# Create another IPsec policy for branch 2 to headquarters VPN
# traffic.
# peer=dynamic: branch 2's public address is not fixed; presumably it is
# taken from the ISAKMP exchange (the ISAKMP policy for branch2 uses pe=any).
create ipsec pol=branch2 int=eth0 ac=ipsec key=isakmp isa=branch2 bund=1 peer=dynamic
# Remote side: branch 2's 192.168.142.0/24.
set ipsec pol=branch2 lad=192.168.0.0 lma=255.255.0.0 rad=192.168.142.0 rma=255.255.255.0
# Create another IPsec policy for roaming VPN clients. This policy
# uses the L2TP port to identify traffic.
# peer=any: any client that completes ISAKMP under the "roaming" policy is
# accepted; the per-client check therefore rests entirely on the ISAKMP
# authentication configured below.
create ipsec pol=roaming int=eth0 ac=ipsec key=isakmp bund=2 peer=any isa=roaming
# Only UDP port 1701 (L2TP) is matched, so plain L2TP from a roaming client
# cannot reach the router outside this policy.
set ipsec pol=roaming lp=1701 tra=udp
# Create another IPsec policy to allow for direct Internet access
# such as web browsing.
# NOTE(review): this catch-all permit has no address or port restriction.
# It is listed after the VPN policies; presumably policies are matched in
# order, so keep it last - placed earlier it would pass branch and roaming
# traffic unprotected. TODO confirm policy ordering semantics for this release.
create ipsec pol=internet int=eth0 ac=permit
enable ipsec

# ISAKMP Configuration
# NOTE(review): all three policies reference the same pre-shared key (key=1,
# defined outside this page). Anyone holding that key can complete ISAKMP as
# any of the three peers, so a key recovered from one lost roaming laptop
# forces a key change for both branches as well. Use a distinct key per peer
# where the peer can be identified (branch 1 has a fixed address), and plan a
# rotation procedure for the shared roaming key.
# NOTE(review): encalg=3des2key (two-key 3DES) is below currently accepted
# strength for the IKE channel; prefer the strongest algorithm the peers
# support.
# Branch 1: fixed peer address. localid=hq is presumably the identity this
# router presents to the peer - confirm against the branch-side configuration.
create isakmp pol=branch1 pe=222.222.222.1 sendd=true key=1 heart=both encalg=3des2key localid=hq
# Branch 2: pe=any because its public address is dynamic (pairs with
# peer=dynamic in the IPsec policy above).
create isakmp pol=branch2 pe=any sendd=true key=1 heart=both encalg=3des2key localid=hq
# Roaming clients: pe=any. natt=true enables NAT traversal, which is why the
# UDP 4500 "port floated" exchange is permitted in the IPsec section.
create isakmp pol=roaming pe=any key=1
set isakmp pol=roaming sendd=true sendi=true natt=true localid=hq
enable isakmp