
Page 50 | AlliedWare™ OS How To Note: VPNs for Corporate Networks

branch office 2

# Create an IPsec policy for branch 2 to headquarters VPN traffic.
# Traffic on ppp0 that matches the local/remote ranges set below is protected
# with IPsec and keyed by ISAKMP policy "hq" (configured further down).
create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1
peer=200.200.200.1 isa=hq
# Local selector is 192.168.142.0/24; the remote selector is the whole 192.168.0.0/16 block.
set ipsec pol=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0
rma=255.255.0.0
# Create another IPsec policy to allow for direct Internet access
# such as web browsing.
# NOTE(review): ac=permit passes traffic that did not match the "hq" policy
# without IPsec protection; policy evaluation order presumably matters here,
# so keep this policy after the VPN policy — confirm against the command reference.
create ipsec pol=internet int=ppp0 ac=permit
enable ipsec
# ISAKMP Configuration
# key=1 refers to a key defined elsewhere in the configuration (not shown on this
# page). sendd=true and heart=both appear to enable delete notifications and
# heartbeats for this peer — verify the exact semantics in the command reference.
create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both
# localid must match the peer identity the headquarters router expects for branch 2.
# NOTE(review): encalg=3des2key selects two-key 3DES, a legacy cipher; check whether
# both ends support a stronger algorithm before reusing this setting.
set isakmp pol=hq localid=branch2 encalg=3des2key
enable isakmp
# FIREWALL configuration
enable firewall
create firewall policy=branch2
enable firewall policy=branch2 icmp_f=all
# Specify the private and public interfaces.
add firewall policy=branch2 int=vlan1 type=private
add firewall policy=branch2 int=ppp0 type=public
# Create a NAT definition for traffic from the branch office 2 LAN to
# use when accessing the Internet.
add firewall poli=branch2 nat=enhanced int=vlan1 gblin=ppp0
# Create a rule to allow incoming ISAKMP negotiation to pass through
# the firewall. This rule specifies 0.0.0.0 as the global IP address
# because the PPP address of branch office 2 is dynamically assigned.
# The rule uses the LAN address to identify matching traffic.
add firewall poli=branch2 ru=1 ac=allo int=ppp0 prot=udp po=500
ip=192.168.142.254 gblip=0.0.0.0 gblp=500
# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic.
add firewall poli=branch2 ru=4 ac=non int=ppp0 prot=all enc=ips
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic.
# NOTE(review): the remote range 192.168.140.0-192.168.144.254 is narrower than
# the 192.168.0.0/16 remote selector of the "hq" IPsec policy; LAN traffic to
# other 192.168.x.x destinations will not match rule 5 and presumably falls
# through to the NAT definition above. Confirm this split is intended.
add firewall poli=branch2 ru=5 ac=non int=vlan1 prot=all
ip=192.168.142.1-192.168.142.254
set firewall poli=branch2 ru=5 rem=192.168.140.0-192.168.144.254
# If you configured SSH, create a rule for SSH traffic.
# NOTE(review): no remote-source restriction is visible on this rule, so SSH on
# ppp0 appears reachable from any host that can reach the router's PPP address.
# Omit the rule if SSH is not in use, and consider limiting the permitted
# remote addresses if the command reference supports it.
add firewall policy=branch2 ru=6 ac=allo int=ppp0 prot=tcp po=22
ip=192.168.142.254 gblip=0.0.0.0 gblp=22