Branch office 1 – Allied Telesis AlliedWare AR440S User Manual

Page 44

Page 44 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

branch office

allows incoming roaming VPN client connections. The clients can

only target a known, unchanging address.

create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off

set ppp=0 username="branch office 1" password=branch1 iprequest=off

Note that this interface needs a permanent IP address because the

branch office allows incoming roaming VPN client connections. The

clients can only target a known, unchanging address.

IP configuration

enable ip

add ip int=vlan1 ip=192.168.141.254

Statically define the PPP interface address.

add ip int=ppp0 ip=222.222.222.1

add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0

Create an IP pool to allocate unique internal payload addresses to

incoming VPN clients.

create ip pool=roaming ip=192.168.143.1-192.168.143.50

DHCP configuration

If desired, use the router as a DHCP server.

create dhcp poli=branch1 lease=7200

add dhcp poli=branch1 rou=192.168.141.254

add dhcp poli=branch1 subn=255.255.255.0

create dhcp range=branch1_hosts poli=branch1 ip=192.168.141.16 num=32

ena dhcp

SSH configuration

You should not telnet to a secure gateway, so set up Secure Shell

for remote management. This requires encryption keys - see

Enable the SSH server.

enable ssh server serverkey=3 hostkey=2

Enable the user who connects via SSH to log in as secoff, by adding

the secoff user as an SSH user. If desired, also restrict access so

that it is only permitted from particular addresses.

add ssh user=secoff password=<secoff-password>

ipaddress=<trusted-remote-ip-address>

mask=<desired-subnet-mask-of-trusted-hosts>

disable telnet server

As the commands above show, we strongly recommend SSH instead of

telnet. However, if you choose to use telnet, create RSO users

(remote security officers) and define the IP addresses that these

users may connect from.

add user rso ip=<ipadd>[-<ipadd>]

enable user rso

enable telnet server