
Branch office 1 – Allied Telesis AlliedWare AR440S User Manual



Page 45 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

branch office 1

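#
# Log configuration
#
# If desired, forward router log entries to a UNIX-style syslog
# server.
# NOTE(review): the ISAKMP policies "hq" and "roaming" that the IPsec
# policies below refer to (isa=hq, isa=roaming) are defined on another
# page of this configuration, not here.
create log output=2 destination=syslog server=<your-local-syslog-server-address> syslogformat=extended
add log out=2 filter=1 sev=>3
#
# IPSEC configuration
#
# Create an SA specification for the site-to-site VPN. This SA
# specification uses tunnel mode by default.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
#
# Create a group of SA specifications for the roaming VPN clients.
# These SA specifications use IPsec transport mode.
# NOTE(review): sas=4 and sas=5 use single DES, and sas=3 and sas=5 use
# MD5; both are considered weak today and are offered here only so that
# older roaming clients can still negotiate. If every client supports a
# stronger option, leave the DES/MD5 specifications out of bundle 2, and
# check this release's CREATE IPSEC SAS reference for the strongest
# enc= and hasha= values it offers before choosing 3DES/SHA.
create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport
create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport
create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport
create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport
# Bundle 2 is an "or" list, so a client may end up on any member of it,
# including the DES/MD5 ones; the stronger specifications are listed first.
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"
#
# Create IPsec policies to bypass IPsec for ISAKMP messages and the
# "port floated" key exchange that NAT-T uses.
# NOTE(review): these two permit policies cover only UDP 500 and 4500;
# they are deliberately placed before the ipsec policies below.
create ipsec pol=isakmp int=ppp0 ac=permit
set ipsec pol=isakmp lp=500 rp=500
create ipsec pol=isakmp_float int=ppp0 ac=permit
set ipsec pol=isakmp_float lp=4500
#
# Create an IPsec policy for branch 1 to headquarters VPN traffic.
# Local side is 192.168.141.0/24 (this branch); remote side is the whole
# 192.168.0.0/16 range behind headquarters at 200.200.200.1.
create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq
set ipsec pol=hq lad=192.168.141.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
#
# Create another IPsec policy for roaming VPN clients. This policy
# uses the L2TP port to identify traffic.
# NOTE(review): peer=any means this policy accepts any source address, so
# peer authentication for roaming clients rests entirely on the
# isa=roaming ISAKMP policy defined elsewhere in this configuration.
create ipsec pol=roaming int=ppp0 ac=ipsec key=isakmp bund=2 peer=any isa=roaming
set ipsec pol=roaming lp=1701 tra=UDP
#
# Create another IPsec policy to allow for direct Internet access
# such as web browsing.
# NOTE(review): this catch-all permit policy must stay last; if policies
# are matched in the order they were created (confirm in the IPsec policy
# reference for this release), creating it earlier would send traffic that
# should match pol=hq or pol=roaming out in the clear.
create ipsec pol=internet int=ppp0 ac=permit
enable ipsec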