Allied Telesis AR440S Network Card User Manual

Page 21 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
branch office

1. Create your ISAKMP pre-shared key. This key is used when initiating your VPN during phase one ISAKMP exchanges with your VPN peers. Share the value of this pre-shared key with all VPN peers that use it—in this example, the roaming VPN clients and the headquarters router. The router only uses this key during phase one ISAKMP exchanges.

   create enco key=1 type=general value=<alphanumeric-preshared-key>
Enable ISAKMP.

   ena isa
Like the headquarters policy (see comments on page 12), this example uses separate ISAKMP policies for each peer.
Create an ISAKMP policy for the VPN to headquarters, with a fixed address. Use ISAKMP heartbeats, which allow ISAKMP to clear SAs if either end of the link resets.

   create isakmp pol=hq pe=200.200.200.1 sendd=true key=1 heart=both localid=branch1 encalg=3des2key
Create an ISAKMP policy for roaming VPN clients, with peer=any because the peers have dynamic addresses. Note that you cannot use heartbeats with Windows peers. We recommend that you enable NAT-T, because the roaming VPN clients will sometimes need to connect through a NAT-T gateway.

   create isakmp pol=roaming pe=any key=1 sendd=true sendi=on natt=true localid=branch1
The roaming policy uses the same key as the policy for the headquarters VPN. If you want to, you can instead generate a unique pre-shared key to use with the roaming clients, and attach it to the roaming policy.
10. Configure the firewall’s basic settings

Enable the firewall and create a firewall policy.

   enable firewall
   create firewall policy=branch1
   enable firewall policy=branch1 icmp_f=all

Specify the LAN-facing interface of the router as a private (trusted) interface on the firewall.

   add firewall policy=branch1 int=vlan1 type=private

Specify the Internet-facing interface of the router as a public (not trusted) interface on the firewall.

   add firewall policy=branch1 int=ppp0 type=public

Define a firewall dynamic definition to enable dynamically created interfaces to participate in the firewall. In this case, the definition provides for the dynamic PPP over L2TP interfaces that incoming Windows VPN connections use. In other words, when the router dynamically creates PPP interfaces over the L2TP connections from the roaming PC clients, the router automatically adds these dynamic interfaces as private interfaces on the firewall. The router
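The following script is an added example and is not part of the Allied Telesis How To Note or of AlliedWare OS. It parses the abbreviated ISAKMP and firewall commands from the steps above and audits them against the points those steps make: a peer=any policy for roaming clients should have NAT-T enabled and must not carry heartbeats (which Windows peers do not support), a fixed-address peer policy should use heartbeats, every policy must reference a pre-shared key that was actually created, and each firewall policy needs both a private and a public interface. The sample configuration is constructed from the commands on this page with a placeholder key value; the alias map for the abbreviated parameter names (pol, pe, int) is an assumption about the CLI shorthand used here.

```python
"""
Audit an AlliedWare-style ISAKMP/firewall configuration snippet.

Added example (not vendor code). Checks the configuration rules stated in
the branch-office steps of the How To Note.
"""
from collections import defaultdict

# Assumed expansions of the abbreviated parameter names used on the page.
ALIASES = {"pol": "policy", "pe": "peer", "int": "interface"}

# Constructed sample input: the page's commands joined onto single lines,
# with a placeholder pre-shared key value.
SAMPLE_CONFIG = """\
create enco key=1 type=general value=EXAMPLE-PRESHARED-KEY
enable isakmp
create isakmp pol=hq pe=200.200.200.1 sendd=true key=1 heart=both localid=branch1 encalg=3des2key
create isakmp pol=roaming pe=any key=1 sendd=true sendi=on natt=true localid=branch1
enable firewall
create firewall policy=branch1
enable firewall policy=branch1 icmp_f=all
add firewall policy=branch1 int=vlan1 type=private
add firewall policy=branch1 int=ppp0 type=public
"""


def parse_line(line):
    """Split 'verb module k=v k=v ...' into (verb, module, {key: value})."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    verb, module = tokens[0].lower(), tokens[1].lower()
    params = {}
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            key = key.lower()
            params[ALIASES.get(key, key)] = value
    return verb, module, params


def parse_config(text):
    """Collect created keys, ISAKMP policies and firewall interface bindings."""
    keys = set()
    isakmp_policies = {}
    firewall_ifaces = defaultdict(list)  # policy name -> [(interface, type)]
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        verb, module, p = parsed
        if verb == "create" and module == "enco" and "key" in p:
            keys.add(p["key"])
        elif verb == "create" and module == "isakmp" and "policy" in p:
            isakmp_policies[p["policy"]] = p
        elif verb == "add" and module == "firewall" and "interface" in p:
            firewall_ifaces[p.get("policy", "?")].append(
                (p["interface"], p.get("type", "").lower()))
    return keys, isakmp_policies, firewall_ifaces


def audit(text):
    """Return a list of finding strings; an empty list means the snippet passes."""
    keys, policies, firewall = parse_config(text)
    findings = []
    for name, p in policies.items():
        if p.get("key") not in keys:
            findings.append(f"isakmp policy {name}: references key {p.get('key')} that was not created")
        if p.get("peer", "").lower() == "any":
            # Roaming clients behind NAT need NAT-T; Windows peers cannot do heartbeats.
            if p.get("natt", "").lower() != "true":
                findings.append(f"isakmp policy {name}: peer=any but NAT-T not enabled")
            if "heart" in p:
                findings.append(f"isakmp policy {name}: heartbeats set on a peer=any policy")
        elif "heart" not in p:
            # A fixed-address peer should use heartbeats so stale SAs are cleared on reset.
            findings.append(f"isakmp policy {name}: fixed-address peer without ISAKMP heartbeats")
    for name, ifaces in firewall.items():
        types = {t for _, t in ifaces}
        if "private" not in types:
            findings.append(f"firewall policy {name}: no private interface")
        if "public" not in types:
            findings.append(f"firewall policy {name}: no public interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's own commands the audit reports no findings; changing natt=true to natt=false on the roaming policy, or removing the public interface binding, produces a finding for each, which is the kind of check worth running before a branch router is deployed.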