

 
Page 46 | AlliedWare™ OS How To Note: VPNs for Corporate Networks
branch office 1
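# ISAKMP Configuration
# Both policies reference pre-shared key 1. The key itself must already
# exist on the router; its creation is not shown on this page. Note that
# the HQ site-to-site peer and the "any peer" roaming policy share the
# same key, so the HQ tunnel is only as well protected as the handling
# of that key on every roaming client.
create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both
# 3des2key is a legacy cipher; prefer a stronger algorithm where both
# this platform and the HQ peer support one.
set isa pol=hq localid=branch1 encalg=3des2key
# pe=any accepts ISAKMP negotiation from any source address. Firewall
# rules 1 and 2 below decide which packets reach ISAKMP at all.
create isakmp pol=roaming pe=any key=1
# natt=true enables NAT-Traversal for clients behind a NAT gateway.
set isa pol=roaming sendd=true sendi=true natt=true localid=branch1
enable isakmp
# FIREWALL configuration
enable firewall
create firewall policy=branch1
# icmp_f=all forwards every ICMP type through this policy.
enable firewall policy=branch1 icmp_f=all
# Define a firewall dynamic definition to work with dynamic
# interfaces. This provides for the dynamic PPP/L2TP interfaces that
# incoming Windows VPN connections use.
create firewall policy=branch1 dy=roaming
# user=any: every user that authenticates on the dynamic interface is
# matched by this definition.
add firewall policy=branch1 dy=roaming user=any
# Specify the private and public interfaces. The roaming interface is
# private - you can trust it because it comes from an authenticated
# Windows VPN connection.
add firewall policy=branch1 int=vlan1 type=private
add firewall policy=branch1 int=dyn-roaming type=private
add firewall policy=branch1 int=ppp0 type=public
# Create a NAT definition for traffic from the branch office 1 LAN to
# use when accessing the Internet.
# (The printed listing wrapped this command and repeated "poli=branch1";
# it is one command with a single poli= parameter.)
add firewall poli=branch1 nat=enhanced int=vlan1 gblin=ppp0
# Create another NAT definition for roaming VPN clients to use when
# accessing the Internet via the branch office 1 router.
add firewall poli=branch1 nat=enhanced int=dyn-roaming gblin=ppp0
# Create a rule to allow incoming ISAKMP negotiation to pass through
# the firewall.
# ip= and gblip= are identical, so no translation is applied; the
# address is presumably the router's own ppp0 address - confirm against
# the interface configuration, which is not shown on this page.
add firewall poli=branch1 ru=1 ac=allo int=ppp0 prot=udp po=500 ip=222.222.222.1 gblip=222.222.222.1 gblp=500
# Create a rule to support NAT-T. If there is a NAT gateway in the
# VPN path, NAT-T "port floats" IKE to port 4500, and also
# encapsulates IPsec inside the same port.
add firewall poli=branch1 ru=2 ac=allo int=ppp0 prot=udp po=4500 ip=222.222.222.1 gblip=222.222.222.1 gblp=4500
# Create a rule for the roaming VPN clients. Windows uses L2TP (port
# 1701) inside IPsec. This rule allows traffic that comes from IPsec
# and uses port 1701.
# enc=ips limits the rule to packets that arrived inside IPsec, so
# unencrypted L2TP sent directly to port 1701 is not admitted by it.
add firewall poli=branch1 ru=3 ac=allo int=ppp0 prot=udp po=1701 ip=222.222.222.1 gblip=222.222.222.1 gblp=1701 enc=ips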