Allied Telesis AR440S Network Card User Manual


 
Headquarters
# Headquarters router: IPsec and ISAKMP part of the configuration script.
# This excerpt starts mid-script; SA specification 1 and the key referenced
# as key=1 below are presumably defined in the part not shown here.
# NOTE(review): long commands are wrapped onto two lines by the manual's
# page layout; each "create"/"set" plus its continuation line is one CLI
# command when entered on the router.
# Create a group of SA specifications for the roaming VPN clients.
# These SA specifications use IPsec transport mode.
# Specs 2 and 3 use 3DES; specs 4 and 5 use single DES. Single DES (56-bit
# key) and MD5 are considered weak today and are offered here only so older
# clients can still negotiate. When every client supports 3DES/SHA or
# stronger, drop specs 4 and 5 (and 3) from bundle 2 below.
create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha
mod=transport
create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5
mod=transport
create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha
mod=transport
create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5
mod=transport
# Bundle 1 (branch tunnels) offers only SA spec 1, which is defined outside
# this excerpt. Bundle 2 (roaming clients) lets the peer choose any of
# specs 2-5, so the weakest algorithm in the list can be negotiated.
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=2 key=isakmp string="2 or 3 or 4 or 5"
# Create IPsec policies to bypass IPsec for ISAKMP messages and the
# "port floated" key exchange that NAT-T uses.
# These bypass policies are created before the tunnel policies and the
# catch-all permit; the order appears to matter (policies are presumably
# evaluated in creation order — confirm in the AlliedWare OS IPsec
# reference), so keep it when editing.
create ipsec pol=isakmp int=eth0 ac=permit
set ipsec pol=isakmp lp=500 rp=500
# Only the local port (4500) is pinned for NAT-T; the remote port is left
# open, presumably because a NAT device in front of the peer may rewrite it.
create ipsec pol=isakmp_float int=eth0 ac=permit
set ipsec pol=isakmp_float lp=4500
# Create an IPsec policy for branch 1 to headquarters VPN traffic.
# Branch 1 is addressed explicitly (peer=222.222.222.1), so only that
# address can match this policy.
create ipsec pol=branch1 int=eth0 ac=ipsec key=isakmp isa=branch1
bund=1 peer=222.222.222.1
# Selectors: local 192.168.0.0/16 (headquarters side) to remote
# 192.168.141.0/24 (branch 1 LAN).
set ipsec pol=branch1 lad=192.168.0.0 lma=255.255.0.0
rad=192.168.141.0 rma=255.255.255.0
# Create another IPsec policy for branch 2 to headquarters VPN
# traffic.
# peer=dynamic: branch 2's public address is not fixed, so the peer is
# learned from the key exchange and authentication rests entirely on the
# ISAKMP policy "branch2" below.
create ipsec pol=branch2 int=eth0 ac=ipsec key=isakmp isa=branch2
bund=1 peer=dynamic
# Selectors: local 192.168.0.0/16 to remote 192.168.142.0/24 (branch 2 LAN).
set ipsec pol=branch2 lad=192.168.0.0 lma=255.255.0.0
rad=192.168.142.0 rma=255.255.255.0
# Create another IPsec policy for roaming VPN clients. This policy
# uses the L2TP port to identify traffic.
# peer=any: any source address may match; the traffic selector is
# UDP port 1701 (L2TP) rather than an address range.
create ipsec pol=roaming int=eth0 ac=ipsec key=isakmp bund=2 peer=any
isa=roaming
set ipsec pol=roaming lp=1701 tra=udp
# Create another IPsec policy to allow for direct Internet access
# such as web browsing.
# Catch-all: no selectors, so traffic not matched by a policy above leaves
# eth0 in the clear. It is the last policy created here; a tunnel policy
# added after it would presumably never be reached.
create ipsec pol=internet int=eth0 ac=permit
enable ipsec
# ISAKMP Configuration
# All three ISAKMP policies reference the same key number (key=1), i.e.
# one pre-shared key is shared by branch 1, branch 2 and every roaming
# client. Since "branch2" and "roaming" accept pe=any, any party holding
# that key can bring up a tunnel; a per-peer key (or certificates) limits
# the impact of one leaked client key. The branch policies use two-key
# 3DES (encalg=3des2key); the roaming policy leaves the algorithm at its
# default, which is not shown in this excerpt.
create isakmp pol=branch1 pe=222.222.222.1 sendd=true key=1
heart=both encalg=3des2key localid=hq
create isakmp pol=branch2 pe=any sendd=true key=1 heart=both
encalg=3des2key localid=hq
create isakmp pol=roaming pe=any key=1
# Roaming clients are usually behind NAT: natt=true enables NAT traversal
# (paired with the UDP 4500 bypass policy above). sendi=true is assumed to
# send the local identity in every exchange — confirm in the command
# reference.
set isakmp pol=roaming sendd=true sendi=true natt=true localid=hq
enable isakmp