
Branch office 1 – Allied Telesis AlliedWare AR440S User Manual




Branch office 1 configuration

# ISAKMP Configuration
# Site-to-site policy to HQ (peer 200.200.200.1). key=1 is an ENCO key
# ID; the key itself is presumably created earlier in the script (not
# shown on this page). sendd=true sends delete notifications when an SA
# is torn down; heart=both appears to send and expect IKE heartbeats
# (dead-peer detection) - confirm against the ISAKMP reference.
create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both
# localid identifies this router to HQ.
# NOTE(review): two-key 3DES is deprecated for new use (NIST SP 800-131A);
# prefer an AES encryption algorithm if both ends support it.
set isa pol=hq localid=branch1 encalg=3des2key
# Roaming-client policy: pe=any accepts IKE from any source address,
# authenticated only by the pre-shared key. Every roaming client shares
# this one key, so treat it as a group secret and rotate it whenever a
# client device is lost. It is also the SAME key ID (key=1) as the HQ
# policy above, so a compromised roaming client exposes the site-to-site
# secret; consider a separate ENCO key for the roaming policy.
create isakmp pol=roaming pe=any key=1
# natt=true allows clients behind NAT gateways (see firewall rule 2 below);
# sendi=true presumably forces the ID payload to be sent - verify.
set isa pol=roaming sendd=true sendi=true natt=true localid=branch1
enable isakmp

# FIREWALL configuration
enable firewall
create firewall policy=branch1
# icmp_f=all forwards every ICMP type through the policy in both
# directions. NOTE(review): narrow this to the types actually needed
# (check the reference for the accepted icmp_f values) if full ICMP
# reachability from the Internet is not required.
enable firewall policy=branch1 icmp_f=all
# Define a firewall dynamic definition to work with dynamic interfaces.
# This provides for the dynamic PPP/L2TP interfaces that incoming Windows
# VPN connections use. user=any means every authenticated PPP user's
# interface is classed as "roaming" - there is no per-user distinction.
create firewall policy=branch1 dy=roaming
add firewall policy=branch1 dy=roaming user=any
# Specify the private and public interfaces. The roaming interface is
# private - it can be trusted because it only exists after an
# authenticated Windows VPN connection (IPsec plus L2TP/PPP login).
# Consequence: roaming clients get the same access to vlan1 as local LAN
# hosts (private-to-private traffic is presumably not filtered - confirm),
# so the strength of the PSK and PPP credentials is what protects the LAN.
add firewall policy=branch1 int=vlan1 type=private
add firewall policy=branch1 int=dyn-roaming type=private
add firewall policy=branch1 int=ppp0 type=public

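# Create a NAT definition for traffic from the branch office 1 LAN (vlan1)
# to use when accessing the Internet via ppp0. (The original listing had
# the policy attribute duplicated - "poli=branch1poli=branch1" - and the
# gblin parameter split onto its own line; both would fail to parse.)
# NOTE(review): traffic for the HQ LAN over the site-to-site tunnel
# presumably needs a matching no-NAT rule (ac=nonat) - not shown on this
# page; verify it exists elsewhere in the script.
add firewall poli=branch1 nat=enhanced int=vlan1 gblin=ppp0
# Create another NAT definition for roaming VPN clients (the dyn-roaming
# interfaces) to use when accessing the Internet via the branch office 1
# router, i.e. client Internet traffic may exit here rather than at the
# client.
add firewall poli=branch1 nat=enhanced int=dyn-roaming gblin=ppp0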

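# Create a rule to allow incoming ISAKMP negotiation (IKE, UDP 500) to pass
# through the firewall to the router itself. ip and gblip are both the
# router's public address, so this admits only traffic addressed to this
# router, not forwarded traffic. No source restriction is applied because
# roaming clients have unpredictable addresses; IKE authentication is the
# control, which is why the pre-shared key must be strong. (Each rule is
# one command line - the original listing had them split across lines.)
add firewall poli=branch1 ru=1 ac=allo int=ppp0 prot=udp po=500 ip=222.222.222.1 gblip=222.222.222.1 gblp=500
# Create a rule to support NAT-T. If there is a NAT gateway in the VPN
# path, NAT-T "port floats" IKE to port 4500, and also encapsulates IPsec
# inside the same port.
add firewall poli=branch1 ru=2 ac=allo int=ppp0 prot=udp po=4500 ip=222.222.222.1 gblip=222.222.222.1 gblp=4500
# Create a rule for the roaming VPN clients. Windows uses L2TP (UDP 1701)
# inside IPsec. enc=ips restricts this rule to traffic that arrived via
# IPsec, so plaintext L2TP from the Internet is still dropped by the
# policy - do not remove that qualifier.
add firewall poli=branch1 ru=3 ac=allo int=ppp0 prot=udp po=1701 ip=222.222.222.1 gblip=222.222.222.1 gblp=1701 enc=ips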