Branch office 2 – Allied Telesis AlliedWare AR440S User Manual
Page 49

Page 49 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
branch office 2
#
DHCP configuration
#
If desired, use the router as the DHCP server for this LAN. The commands below define a DHCP policy (lease time, default router and subnet mask), add a pool of addresses to it, and then enable the DHCP service.
# DHCP policy "branch2": lease=7200 (a 2-hour lease if the value is in
# seconds - confirm against the command reference), default router
# 192.168.142.254 (rou=) and a /24 subnet mask.
create dhcp poli=branch2 lease=7200
add dhcp poli=branch2 rou=192.168.142.254
add dhcp poli=branch2 subn=255.255.255.0
# Address pool of 32 hosts: 192.168.142.16 through 192.168.142.47.
create dhcp range=branch2_hosts poli=branch2 ip=192.168.142.16 num=32
# NOTE(review): enable only if no other DHCP server serves this segment;
# two servers on one LAN hand out conflicting leases.
ena dhcp
#
SSH configuration
#
Do not use Telnet to manage a secure gateway - it carries the login credentials and the whole session in cleartext. Set up Secure Shell (SSH)
#
for remote management instead. This requires encryption keys to exist already: the key IDs referenced by the enable ssh server command below must have been created beforehand (see the section of this document on creating encryption keys - the cross-reference is missing from this page).
#
#
Enable the SSH server.
# Start the SSH server using the previously created encryption keys with
# IDs 2 (server key) and 3 (host key). Both keys must exist before this
# command is run; see the key-creation section of this document.
enable ssh server serverkey=2 hostkey=3
#
Allow the remote administrator to log in as secoff over SSH by adding
#
the secoff user as an SSH user. We also recommend restricting access so
#
that it is only permitted from particular trusted addresses (the ipaddress= and mask= parameters below); without this restriction, any host that can reach the router's SSH port may attempt to log in.
# Permit SSH login as the secoff (security officer) account. The password
# is stored in this configuration - protect the configuration file and
# the console accordingly. ipaddress=/mask= limit the source addresses
# allowed to connect as this user; keep it to the management hosts only.
add ssh user=secoff password=<secoff-password>
ipaddress=<trusted-remote-ip-address>
mask=<desired-subnet-mask-of-trusted-hosts>
# Turn off the cleartext Telnet server now that SSH is in place.
disable telnet server
#
As the commands above show, we strongly recommend SSH instead of
#
telnet. If you nevertheless choose to use telnet, create RSO users
#
(remote security officers) and define the IP addresses that these
#
users may connect from. Note that this is an alternative to the SSH setup above (the final command re-enables the Telnet server that was disabled there), and that the address restriction only limits who can connect - Telnet still sends the password in cleartext.
#
# Telnet alternative to the SSH setup above - do not combine with
# "disable telnet server". RSO (remote security officer) access is
# limited to the listed source address or address range. Telnet carries
# the password in cleartext, so this restriction limits who can connect
# but does not protect the credentials on the wire.
add user rso ip=<ipadd>[-<ipadd>]
#
enable user rso
#
# Re-enables the Telnet server that the SSH section disabled.
enable telnet server
#
Log configuration
#
If desired, forward router log entries to a UNIX-style syslog
#
server, so that a copy of the log exists off the router (useful for investigating an incident if the device is compromised or reset). Syslog is normally unauthenticated and unencrypted, so keep the server on the trusted management network.
# Log output 2: ship log entries to an external syslog server in the
# extended syslog format. Syslog is normally unauthenticated and
# unencrypted - place the collector on the trusted management network.
create log output=2 destination=syslog
server=<your-local-syslog-server-address> syslogformat=extended
# Filter 1 on output 2: forward only entries with severity above 3
# (confirm which way the severity scale runs in the logging reference
# before relying on this to capture security events).
add log out=2 filter=1 sev=>3
#
IPSEC configuration
#
Create an SA specification for the site-to-site VPN: ESP with 3DES encryption and SHA integrity, with keys negotiated by ISAKMP (key=isakmp) rather than configured manually. This SA
#
specification uses tunnel mode by default. Note that 3DES (and SHA-1, if that is what hasha=sha selects) are legacy algorithms; if this platform and the remote peer support AES and a SHA-2 hash, prefer them - both ends of the tunnel must use the same proposal.
# SA specification 1: ESP, 3DES encryption, SHA integrity, keys negotiated
# via ISAKMP (key=isakmp) rather than entered by hand; tunnel mode by
# default. NOTE(review): 3DES and SHA-1 are legacy algorithms - prefer
# AES and a SHA-2 hash if this platform and the peer offer them, and keep
# the proposal identical at both ends.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
# Bundle 1 groups SA specification 1 (the string lists the SA spec
# numbers) for use by an IPsec policy.
create ipsec bund=1 key=isakmp string="1"
#
Create an IPsec policy that lets ISAKMP (IKE) messages - port 500 on ppp0, as the lp=/rp= settings below select - pass without IPsec processing, so that the key exchange itself can take place.
create ipsec pol=isakmp int=ppp0 ac=permit
set ipsec pol=isakmp lp=500 rp=500