Allied Telesis AR440S Network Card User Manual


 
Headquarters
Page 13 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
• the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies.
• the policies include local IDs. These allow the remote peers to identify incoming ISAKMP packets from the headquarters router through any NAT gateways in the path.
Create an ISAKMP policy for the VPN to branch 1, with a fixed address. Use ISAKMP heartbeats, which allow ISAKMP to clear SAs if either end of the link resets.
create isakmp pol=branch1 pe=222.222.222.1 sendd=true key=1 heart=both encalg=3des2key localid=hq
Create an ISAKMP policy for the VPN to branch 2, with peer=any because the branch 2
router has a dynamic address.
create isakmp pol=branch2 pe=any sendd=true key=1 heart=both encalg=3des2key localid=hq
Create an ISAKMP policy for VPNs to roaming VPN clients, with peer=any because the
peers have dynamic addresses. Note that you cannot use heartbeats with Windows peers.
We recommend that you enable NAT-T, because the roaming VPN clients will sometimes
need to connect through a NAT-T gateway.
create isakmp pol=roaming pe=any key=1 sendd=true natt=true sendi=on localid=hq2
The roaming policy uses the same key as the branch office policies. If you want to, you can
instead generate a unique pre-shared key to use with the roaming clients, and attach it to the
roaming policy.
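The point made above about the peer=any policies, namely that the router can only pick between them by an attribute such as the encryption transform, can be checked mechanically before the configuration is loaded. The following Python lint is an added example, not part of this How To Note or of AlliedWare OS; it parses the abbreviated keyword=value form the commands on this page use (pol=, pe=, encalg=, ...) and reports peer=any policies that share a transform.

```python
from collections import defaultdict

def parse_policy(line):
    """Split one 'create isakmp pol=NAME pe=PEER k=v ...' command into a dict,
    keeping the abbreviated keyword spellings this note uses (pol, pe, encalg,
    localid, heart, natt, ...)."""
    tokens = line.split()
    if [t.lower() for t in tokens[:2]] != ["create", "isakmp"]:
        raise ValueError("not an ISAKMP policy command: " + line)
    fields = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("expected keyword=value, got " + tok)
        fields[key.lower()] = value.lower()
    if "pol" not in fields or "pe" not in fields:
        raise ValueError("policy needs pol= and pe=: " + line)
    return fields

def find_ambiguous(lines):
    """Return groups of peer=any policies that share one encryption transform.
    A fixed-address policy is selected by the peer's address, but peer=any
    policies are only told apart by attributes such as the transform, so
    identical transforms leave the router no way to choose between them."""
    by_transform = defaultdict(list)
    for line in lines:
        policy = parse_policy(line)
        if policy["pe"] != "any":
            continue
        # No encalg= means the router's default transform; only its identity
        # matters here, so label it rather than assume which algorithm it is.
        by_transform[policy.get("encalg", "<default>")].append(policy["pol"])
    return sorted(tuple(sorted(n)) for n in by_transform.values() if len(n) > 1)

# Constructed sample: this page's three policies, wrapped commands joined.
PAGE_POLICIES = [
    "create isakmp pol=branch1 pe=222.222.222.1 sendd=true key=1 heart=both "
    "encalg=3des2key localid=hq",
    "create isakmp pol=branch2 pe=any sendd=true key=1 heart=both "
    "encalg=3des2key localid=hq",
    "create isakmp pol=roaming pe=any key=1 sendd=true natt=true sendi=on "
    "localid=hq2",
]
# Constructed fourth policy that would be indistinguishable from branch2.
CLASHING_POLICY = ("create isakmp pol=branch3 pe=any sendd=true key=1 "
                   "heart=both encalg=3des2key localid=hq")
if __name__ == "__main__":
    print("page policies:", find_ambiguous(PAGE_POLICIES))  # []
    print("with branch3:", find_ambiguous(PAGE_POLICIES + [CLASHING_POLICY]))
```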
8. Configure the firewall’s basic settings
Enable the firewall and create a firewall policy.
enable firewall
create firewall policy=hq
enable firewall policy=hq icmp_f=all
Specify the LAN-facing interface of the router as a private (trusted) interface on the firewall.
add firewall policy=hq int=vlan1 type=private
Specify the Internet-facing interface of the router as a public (not trusted) interface on the firewall.
add firewall policy=hq int=eth0 type=public
Define a firewall dynamic definition to enable dynamically created interfaces to participate in the firewall. In this case, the definition provides for the dynamic PPP over L2TP interfaces that incoming Windows VPN connections use. In other words, when the router dynamically creates PPP interfaces over the L2TP connections from the roaming PC clients, the router automatically adds these dynamic interfaces as private interfaces on the firewall. The router