Allied Telesis AR440S Network Card User Manual


 
Page 29 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
Branch office 2
Branch office 2 does not need rule 3 that the other sites have, because branch office 2 has no
roaming VPN client connections.
Create a pair of rules to allow office-to-office payload traffic to pass through the firewall
without applying NAT. This traffic must bypass NAT so that its private source and destination
addresses still match the address selectors of the IPsec policies that are applied afterwards;
a NATed packet would fail the selector match and would not be encrypted. You need two
rules, one for the public interface and one for the private interface, so that office-to-office
payload traffic bypasses NAT regardless of which side initiated the session.
The rule for the public interface uses encapsulation=ipsec to identify incoming VPN
traffic—decrypted payload data that came from the IPsec module.
add firewall policy=branch2 ru=4 ac=non int=ppp0 prot=all enc=ips
The rule for the private interface uses both source and destination addresses to identify
outgoing VPN traffic: ip= is the local LAN range and remoteip= is the range of the other offices.
add firewall policy=branch2 ru=5 ac=non int=vlan1 prot=all ip=192.168.142.1-192.168.142.254 rem=192.168.140.0-192.168.142.254
If you configured SSH (recommended), create a rule to allow SSH traffic to pass through the
firewall to the router.
add firewall policy=branch2 ru=6 ac=allo int=ppp0 prot=tcp po=22 ip=192.168.142.254 gblip=0.0.0.0 gblp=22
If you instead stayed with telnet (not recommended) and configured RSOs (remote security
officers), create a rule to allow telnet traffic to pass through the firewall to the router.
add firewall policy=branch2 ru=7 ac=allo int=ppp0 prot=tcp po=23 ip=192.168.142.254 gblip=0.0.0.0 gblp=23
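The following is an added example, not code from the Allied Telesis How To Note: a simplified first-match model of the branch office 2 rules 4 to 6 above, written to show why rules 4 and 5 must bypass NAT (once the source has been NATed to the public address, the packet no longer matches the IPsec policy address selectors and would leave the router unencrypted) and how rule 6 admits SSH to the router while telnet stays blocked. The public address 203.0.113.42, the IPsec selector ranges, the public-side default NAT and the default deny are constructed assumptions for the model, not values from the note.

```python
"""Added example, not from the Allied Telesis How To Note: a simplified
first-match model of the branch office 2 firewall policy. All addresses,
the default NAT on unmatched outbound sessions and the IPsec selectors
are constructed assumptions for the model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]

PUBLIC_IP = ip_address("203.0.113.42")   # assumed dynamic ppp0 address (gblip=0.0.0.0)


def rng(spec: str) -> Range:
    """Parse the 'a.b.c.d-w.x.y.z' form used by ip= and remoteip=."""
    lo, hi = spec.split("-")
    return ip_address(lo), ip_address(hi)


def in_range(addr: IPv4Address, r: Optional[Range]) -> bool:
    return r is None or r[0] <= addr <= r[1]


# Assumed IPsec policy selectors for branch office 2: local LAN <-> other office LANs.
IPSEC_LOCAL = rng("192.168.142.1-192.168.142.254")
IPSEC_REMOTE = rng("192.168.140.0-192.168.141.254")


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    dport: int = 0
    from_ipsec: bool = False     # payload just decrypted by the IPsec module


def pkt(src: str, dst: str, proto: str = "tcp", dport: int = 0, from_ipsec: bool = False) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport, from_ipsec)


@dataclass
class Rule:
    number: int
    interface: str                  # "ppp0" (public) or "vlan1" (private)
    action: str                     # "nonat" or "allow"
    proto: str = "all"
    ip: Optional[Range] = None      # private-side address range
    remoteip: Optional[Range] = None
    gblport: Optional[int] = None   # port on the public address (gblport=)
    encap: Optional[str] = None     # "ipsec" selects decrypted VPN payload

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", p.proto):
            return False
        if self.encap == "ipsec" and not p.from_ipsec:
            return False
        if self.interface == "vlan1":   # private side: ip= is the source, remoteip= the destination
            return in_range(p.src, self.ip) and in_range(p.dst, self.remoteip)
        if self.gblport is not None and (p.dst != PUBLIC_IP or p.dport != self.gblport):
            return False                # public side: gblport= is checked on the public address
        return in_range(p.src, self.remoteip)


# Rules 4-6 of the note as the model represents them (rule 7, telnet, deliberately absent).
BRANCH2_POLICY = [
    Rule(4, "ppp0", "nonat", encap="ipsec"),
    Rule(5, "vlan1", "nonat", ip=rng("192.168.142.1-192.168.142.254"),
         remoteip=rng("192.168.140.0-192.168.142.254")),
    Rule(6, "ppp0", "allow", proto="tcp", ip=rng("192.168.142.254-192.168.142.254"), gblport=22),
]


def first_match(rules: List[Rule], iface: str, p: Packet) -> Optional[Rule]:
    for r in sorted(rules, key=lambda r: r.number):
        if r.interface == iface and r.matches(p):
            return r
    return None


def outbound(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """LAN packet leaving vlan1 for ppp0: returns (how it leaves, source after NAT).
    Model assumption: anything not matched by a nonat rule is NATed to the public address."""
    r = first_match(rules, "vlan1", p)
    src = p.src if r is not None and r.action == "nonat" else PUBLIC_IP
    if in_range(src, IPSEC_LOCAL) and in_range(p.dst, IPSEC_REMOTE):
        return "ipsec", str(src)
    return "clear", str(src)          # no selector match: the payload leaves unencrypted


def inbound(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Packet arriving on ppp0 from the Internet or the IPsec module: returns
    (verdict, destination after translation). The public side defaults to deny."""
    r = first_match(rules, "ppp0", p)
    if r is None:
        return "deny", str(p.dst)
    if r.action == "allow" and r.ip is not None:
        return "allow", str(r.ip[0])  # delivered to the private address given in ip=
    return r.action, str(p.dst)


if __name__ == "__main__":
    office = pkt("192.168.142.10", "192.168.140.20")
    print("with rule 5:   ", outbound(BRANCH2_POLICY, office))
    print("without rule 5:", outbound([r for r in BRANCH2_POLICY if r.number != 5], office))
    print("ssh in:        ", inbound(BRANCH2_POLICY, pkt("198.51.100.7", "203.0.113.42", "tcp", 22)))
    print("telnet in:     ", inbound(BRANCH2_POLICY, pkt("198.51.100.7", "203.0.113.42", "tcp", 23)))
```

Run it and compare the first two lines: with rule 5 the office-to-office packet keeps its 192.168.142.10 source and is classed as IPsec traffic; drop rule 5 and the same packet is NATed to the public address and leaves in the clear, which is exactly the failure the nonat rules prevent. Ordinary Internet-bound traffic from the LAN is still NATed, because rule 5 only bypasses NAT for destinations in the other offices' range.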
11. Save your configuration
It is important to save your configuration when you finish, so that it survives a reboot or a
power cut.
create conf=<your-file.cfg>
This is particularly important in security configurations because it preserves the security
officer definition. Without it, regaining configuration access would destroy encryption
information such as keys.
Once you have saved the configuration to a file, specify that file as the configuration script to
use when the router boots up.
set config=<your-file.cfg>