Allied Telesis AR440S Network Card User Manual
Page 27 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
Branch office 2

7. Check feature licences

Check that you have a 3DES feature licence, because both the ISAKMP policy and the IPsec SA specification use 3DES:

show feature

You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor:

enable feature=3des pass=<licence-number>

Note that 3DES is no longer considered a strong cipher by current standards. Where your software release and licence support AES, prefer it for both the ISAKMP policy and the SA specification.

8. Configure the VPNs for connecting to the headquarters office

Enable IPsec:

enable ipsec

In this example, the IPsec SA specification proposes:
• ISAKMP as the key management protocol
• ESP as the IPsec protocol
• 3DES (outer CBC mode) as the encryption algorithm for ESP
• SHA as the hashing algorithm for ESP authentication

Create an SA specification for the headquarters office site-to-site VPN. This SA specification uses tunnel mode by default:

create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha

Note that the branch office 2 router has no connections from roaming VPN clients, so it does not need SA specifications for them.

Create an IPsec bundle for the SA specification:

create ipsec bund=1 key=isakmp string="1"

Create an IPsec policy to permit ISAKMP messages (UDP port 500 on both sides) to bypass IPsec. Create it before the VPN policy, since policies on an interface are evaluated in order and the first match wins:

create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500

Create an IPsec policy for the VPN traffic between headquarters and branch office 2. Identify the traffic by its local and remote addresses. In this example the subnet used on the LAN at branch office 2 (local) is 192.168.142.0/24, so use that as the local address selector. However, define a wider remote address selector (192.168.0.0/16), so that traffic from the other branch offices and from roaming VPN clients, which reaches branch office 2 through the tunnel to headquarters, is matched as well. The selectors also bound which decrypted packets the router accepts out of the tunnel, so keep the local selector as narrow as the LAN allows.

create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
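The two policies above are only as good as their selectors, and it is easy to misjudge which traffic a narrow local selector plus a wide remote selector actually captures. The following added example (not AlliedWare OS code and not part of this How To Note) models ordered, first-match policy lookup on ppp0 with the same selectors as the isakmp and hq policies, and runs constructed sample packets through it in both directions. It assumes that policies are evaluated in creation order and that traffic matching no policy is dropped; the branch WAN address 203.0.113.42 and all host addresses are made up for the illustration.

```python
"""Model of first-match IPsec policy lookup for the branch office 2 ppp0 interface.

Added example, not AlliedWare OS code.  Assumptions (not statements about a
particular release): policies are evaluated in creation order, and a packet
that matches no policy is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports (e.g. ICMP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    """One 'create ipsec policy' entry: name, action and its selectors."""
    name: str
    action: str                                       # "permit", "ipsec" or "deny"
    local: IPv4Network = IPv4Network("0.0.0.0/0")     # lad/lma, default: any
    remote: IPv4Network = IPv4Network("0.0.0.0/0")    # rad/rma, default: any
    lport: Optional[int] = None                       # lp
    rport: Optional[int] = None                       # rp

    def matches(self, pkt: Packet, outbound: bool) -> bool:
        # Outbound: src is the local side.  Inbound (after decryption): dst is.
        if outbound:
            local_ip, remote_ip, local_port, remote_port = pkt.src, pkt.dst, pkt.sport, pkt.dport
        else:
            local_ip, remote_ip, local_port, remote_port = pkt.dst, pkt.src, pkt.dport, pkt.sport
        if IPv4Address(local_ip) not in self.local or IPv4Address(remote_ip) not in self.remote:
            return False
        if self.lport is not None and local_port != self.lport:
            return False
        if self.rport is not None and remote_port != self.rport:
            return False
        return True


def lookup(policies: List[Policy], pkt: Packet, outbound: bool = True) -> str:
    """Return the action applied to pkt: the first matching policy wins.

    Assumption: traffic that matches no policy is dropped ("deny").
    """
    for pol in policies:
        if pol.matches(pkt, outbound):
            return pol.action
    return "deny"


# The two policies from this page, in creation order: isakmp bypass first, then hq.
PPP0_POLICIES: List[Policy] = [
    Policy("isakmp", "permit", lport=500, rport=500),
    Policy("hq", "ipsec",
           local=IPv4Network("192.168.142.0/24"),
           remote=IPv4Network("192.168.0.0/16")),
]

BRANCH_WAN_IP = "203.0.113.42"   # assumed ppp0 address of branch office 2 (made up)
HQ_PEER = "200.200.200.1"        # peer address from the hq policy

# Constructed sample traffic: (name, packet, outbound?)
SAMPLES: List[Tuple[str, Packet, bool]] = [
    ("isakmp_to_hq", Packet(BRANCH_WAN_IP, HQ_PEER, 500, 500), True),
    ("isakmp_from_hq", Packet(HQ_PEER, BRANCH_WAN_IP, 500, 500), False),
    # Branch LAN host to a headquarters server: inside both selectors.
    ("lan_to_hq_server", Packet("192.168.142.10", "192.168.1.20", 40000, 443), True),
    # Branch LAN host to another branch's LAN, reached via headquarters.
    ("lan_to_branch1", Packet("192.168.142.10", "192.168.141.5"), True),
    # Decrypted reply from that branch: remote is now the source.
    ("branch1_to_lan_inbound", Packet("192.168.141.5", "192.168.142.10"), False),
    # Branch LAN host to the public Internet: no policy on this page covers it.
    ("lan_to_internet", Packet("192.168.142.10", "198.51.100.7", 40001, 80), True),
    # Local address outside the branch LAN: the narrow local selector rejects it.
    ("wrong_local_subnet", Packet("192.168.143.9", "192.168.1.20", 40002, 443), True),
]


def classify_samples() -> Dict[str, str]:
    """Map each sample name to the action the policy list applies to it."""
    return {name: lookup(PPP0_POLICIES, pkt, outbound) for name, pkt, outbound in SAMPLES}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:24s} -> {action}")
```

Two things the model makes visible: plain Internet traffic from the branch LAN matches neither policy, so if the branch needs Internet access through ppp0 as well, a later permit policy for that traffic is required (this page does not show one); and a packet with a local address outside 192.168.142.0/24 is not carried, which is the protection the narrow local selector buys you.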