Allied Telesis AR440S Network Card User Manual

Page 20 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
branch office 1
• (for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP
• (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication
• (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility.
We propose the most secure option first.
Create an SA specification for the headquarters office site-to-site VPN. This SA specification
uses tunnel mode by default.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
Create a group of SA specifications for the roaming VPN clients. These SA specifications use
IPsec transport mode for Windows VPN interoperability. Multiple specifications allow IPsec
to negotiate different levels of encryption to match what your version of the VPN client
provides.
create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport
create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport
create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport
create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport
Create two IPsec bundles, one for the headquarters router VPN and one for the roaming
VPN clients.
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"
Create IPsec policies to bypass IPsec for ISAKMP messages and the “port floated” key
exchange that NAT-T uses.
create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
create ipsec pol=isakmp_float int=ppp0 ac=permit lp=4500
Create an IPsec policy for the VPN traffic between headquarters and branch office 1. Identify
the traffic by its local and remote addresses—in this example the subnet used on the LAN at
branch office 1 (local) is 192.168.141.0/24. Note that the remote address selector is wider
than the headquarters' LAN; in fact, we cover all site subnets with this supernet.
create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.141.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
Create another IPsec policy for roaming VPN clients to access headquarters. Identify the
traffic by the L2TP port (UDP traffic to port 1701). This policy uses peeraddress=any. The
any option allows multiple simultaneous VPN clients to connect under the one policy.
create ipsec pol=roaming int=ppp0 ac=ipsec key=isakmp bund=2 peer=any isa=roaming lp=1701 tra=udp
Create another IPsec policy for direct Internet traffic from the headquarters LAN to the
Internet, such as web browsing.
create ipsec pol=internet int=ppp0 ac=permit
Note: The order of the IPsec policies is important. The Internet permit policy must be last.
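As an added example (not from the How To Note or the AlliedWare OS), a small Python linter that parses the create ipsec commands from this page and checks the two points a reviewer would verify before deploying them: that the catch-all Internet permit policy is ordered last, and which of the single-DES/MD5 specifications the roaming bundle can still negotiate. The sample configuration is the page's own commands joined onto single lines; treating policies as matched in configured order is an assumption drawn from the ordering note above.

```python
import re
# Constructed sample: the commands this page walks through, in configured order.
CONFIG = """
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport
create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport
create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport
create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"
create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500
create ipsec pol=isakmp_float int=ppp0 ac=permit lp=4500
create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.141.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
create ipsec pol=roaming int=ppp0 ac=ipsec key=isakmp bund=2 peer=any isa=roaming lp=1701 tra=udp
create ipsec pol=internet int=ppp0 ac=permit
"""

WEAK = {"enc": {"des"}, "hasha": {"md5"}}              # algorithms worth flagging
SELECTORS = {"lp", "rp", "peer", "lad", "rad", "tra"}  # keywords that narrow a policy

def parse(text):
    """Split the create-ipsec commands into SA specs, bundles and ordered policies."""
    sas, bundles, policies = {}, {}, []
    for line in text.splitlines():
        if not line.startswith("create ipsec "):
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        if "pol" in kv:            # a policy line may also carry bund=, so test pol first
            policies.append(kv)
        elif "bund" in kv:
            bundles[kv["bund"]] = kv["string"].split(" or ")  # e.g. "2 or 3 or 4 or 5"
        elif "sas" in kv:
            sas[kv["sas"]] = kv
    return sas, bundles, policies

def lint(text):
    """Findings: a catch-all permit that shadows later policies; weak SAs any bundle can negotiate."""
    sas, bundles, policies = parse(text)
    findings = []
    # Assumed first-match order: an unqualified permit hides every policy placed after it.
    for i, pol in enumerate(policies):
        if pol.get("ac") == "permit" and not SELECTORS & pol.keys() and i < len(policies) - 1:
            after = [p["pol"] for p in policies[i + 1:]]
            findings.append(f"policy '{pol['pol']}' permits all traffic but shadows {after}")
    for pol in policies:
        for sid in bundles.get(pol.get("bund"), []):
            for field, weak in WEAK.items():
                if sas[sid].get(field) in weak:
                    findings.append(f"policy '{pol['pol']}' can negotiate {field}={sas[sid][field]} via sas={sid}")
    return findings
```

Swapping the last two policy lines of CONFIG reproduces the mistake the note warns about, and lint() then reports the Internet policy shadowing the roaming one.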