Filter
Top Products
Page 22 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
branch office
1
can trust traffic arriving on the dynamic interfaces because—in this example configuration—it
can only come from an authenticated and encrypted VPN connection.
create firewall policy=branch1 dynamic=roaming
add firewall policy=branch1 dynamic=roaming user=any
add firewall policy=branch1 int=dyn-roaming type=private
Define NAT definitions to use when traffic from the local LAN accesses the Internet and to
allow Internet access for remote VPN client users.
add firewall policy=branch1 nat=enhanced int=vlan1 gblin=ppp0
add firewall policy=branch1 nat=enhanced int=dyn-roaming gblin=ppp0
Note: Windows VPN client default behaviour does not support “split tunnelling”. This
means that when the Windows VPN tunnel is up, all traffic passes through it, whether the
traffic is destined for the branch office LAN or for Internet surfing destinations. Therefore, we
suggest you define the second NAT above, to allow clients to access the Internet via the
branch office router when their VPN connection is up.
Create a rule to allow incoming ISAKMP negotiation messages to pass through the firewall.
add firewall policy=branch1 ru=1 ac=allo int=ppp0 prot=udp po=500
ip=222.222.222.1 gblip=222.222.222.1 gblp=500
Create a rule to support NAT-T. If a NAT gateway is detected in the VPN path, NAT-T “port
floats” IKE to port 4500, and also encapsulates IPsec inside UDP headers to the same port.
Therefore, UDP traffic to port 4500 must be allowed to pass through the firewall.
add firewall policy=branch1 ru=2 ac=allo int=ppp0 prot=udp po=4500
ip=222.222.222.1 gblip=222.222.222.1 gblp=4500
Create a rule for the roaming VPN clients. Windows VPN client uses L2TP (UDP to port
1
70
1
) encapsulated inside IPsec. This rule allows L2TP traffic through the firewall if it
originally arrived at the router encapsulated in IPsec (and was decapsulated by the IPsec
process before it passed to the firewall).
add firewall policy=branch1 ru=3 ac=allo int=ppp0 prot=udp po=1701
ip=222.222.222.1 gblip=222.222.222.1 gblp=1701 enc=ips
Create a pair of rules to allow office-to-office payload traffic to pass through the firewall
without applying NAT. This traffic must bypass NAT so that the traffic matches subsequent
IPsec policy address selectors. You need two rules—one for the public interface and one for
the private interface—so that office-to-office payload traffic bypasses NAT regardless of
which side initiated the session.
The rule for the public interface uses encapsulation=ipsec to identify incoming VPN
traffic—decrypted payload data that came from the IPsec module.
add firewall policy=branch1 ru=4 ac=non int=ppp0 prot=all enc=ips
11. Configure the firewall’s access rules