Allied Telesis AlliedWare AR440S How To Configure
How To Configure VPNs in a Corporate Network, with Optional Prioritisation of VoIP

AlliedWare™ OS
How To | Configure VPNs in a Corporate Network, with Optional Prioritisation of VoIP
Introduction
In this How To Note's example, a headquarters office has VPNs to two branch offices and a
number of roaming VPN clients. The example illustrates the following possible components
that you could use in a corporate network:
VPNs between a headquarters office and roaming VPN clients, such as travellers' laptops
VPNs between a branch office and roaming VPN clients, such as travellers' laptops
a VPN between a headquarters office and a branch office with a fixed IP address, when the
branch office has an ADSL PPPoA connection to the internet
a VPN between a headquarters office and a branch office with a dynamically assigned IP
address, when the branch office has an ADSL PPPoEoA connection to the internet
using software QoS to prioritise voice (VoIP) traffic over the VPNs
Select the solution components that are relevant for your network requirements and
internet connection type.
Contents
Related How To Notes .......................................................................................................................... 2
About IPsec modes: tunnel and transport ......................................................................................... 3
Background: NAT-T and policies .......................................................................................................... 4
How to configure VPNs in typical corporate networks ................................................................. 6
Before you start ............................................................................................................................... 7
How to configure the headquarters VPN access concentrator ........................................... 8
How to configure the AR440S router at branch office 1 ..................................................... 16
How to configure the AR440S router at branch office 2 ..................................................... 24
C613-16049-00 REV E
www.alliedtelesis.com

Summary of Contents for Allied Telesis AlliedWare AR440S

  • Page 1: Table Of Contents

    AlliedWare Configure VPNs in a Corporate Network, with How To | Optional Prioritisation of VoIP Introduction In this How To Note’s example, a headquarters office has VPNs to two branch offices and a number of roaming VPN clients. The example illustrates the following possible components that you could use in a corporate network: VPNs between a headquarters office and roaming VPN clients, such as travellers’...
  • Page 2: Which Products and Software Versions Does This Information Apply To

    Related How To Notes Allied Telesis offers How To Notes with a wide range of VPN solutions, from quick and simple solutions for connecting home and remote offices, to advanced multi-feature setups. Notes also describe how to create a VPN between an Allied Telesis router and equipment from a number of other vendors.
  • Page 3: About IPsec Modes: Tunnel and Transport

    About IPsec modes: tunnel and transport This solution uses two types of VPN: IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to-site (router-to-router) VPNs. IPsec transport mode with L2TP, for the roaming Windows VPN clients. The following figure shows the protocol stacks for the tunnel mode VPN and the transport mode VPN for the connection type PPPoA.
  • Page 4: Background: NAT-T and Policies

    Background: NAT-T and policies NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site that is behind a NAT gateway.
  • Page 5 Policies and interfaces It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the following different ways: Firewall rules can be applied on either private or public interfaces. The rules are matched against traffic that comes into the interface to which they were applied.
  • Page 6: How To Configure VPNs in Typical Corporate Networks

    How to configure VPNs in typical corporate networks This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers. The headquarters router is acting as a VPN Access Concentrator, and allows for VPN access from either of the branch office sites or from roaming laptop VPN clients.
  • Page 7: Before You Start

    The branch office 1 router, which provides: an ADSL PPPoA Internet connection (note that the PPPoA connection requires an ATM DSLAM); VPN access to headquarters using IPsec tunnel mode; incoming VPN client access from roaming users; a fixed Internet address so that roaming VPN clients have a known target for the branch office end of the VPN. The branch office 2 router, which provides: an ADSL PPPoEoA Internet connection...
  • Page 8: How To Configure the Headquarters VPN Access Concentrator

    How to configure the headquarters VPN access concentrator Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
    set inst=pref rel=<rel-file> pat=<patch-file> gui=<gui-file>
    set conf=none
    disable system security
    restart reboot
    Note: A software QoS extension to this configuration, to prioritise VoIP traffic over the...
  • Page 9 2. Configure IP for internet access Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line.
    enable ip
    add ip int=eth0 ip=200.200.200.1
    Give a fixed private address to the interface vlan1, which connects the router to the headquarters LAN.
  • Page 10 LAN interface of the router going down. We recommend SNMPv3 for security reasons. For details, see How To Configure SNMPv3 On Allied Telesis Routers and Managed Layer 3 Switches. This How To Note is available from resources/literature/howto.aspx.
  • Page 11 6. Check feature licences Check that you have a 3DES feature licence for the ISAKMP policies.
    show feature
    You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor.
    enable feature=3des pass=<licence-number>...
  • Page 12 ISAKMP policies meet the different needs of the different types of peer—Allied Telesis routers versus Windows VPN clients. For example, Allied Telesis peers support heartbeats; Windows VPN clients do not. Page 12 | AlliedWare™ OS How To Note: VPNs for Corporate Networks...
  • Page 13 the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies. the policies include local IDs. These allow the remote peers to identify incoming ISAKMP packets from the headquarters router through any NAT gateways in the path.
  • Page 14 can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection.
    create firewall policy=hq dynamic=roaming
    add firewall policy=hq dynamic=roaming user=any
    add firewall policy=hq int=dyn-roaming type=private
    Define NAT definitions to use when traffic from the local LAN accesses the Internet and to allow Internet access for remote VPN client users.
  • Page 15 The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic.
    add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254 rem=192.168.141.0-192.168.144.254
    If you configured SSH (recommended), create a rule to allow SSH traffic to pass through the firewall.
  • Page 16: How To Configure the AR440S Router at Branch Office 1

    How to configure the AR440S router at branch office 1 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
    set inst=pref rel=<rel-file> pat=<patch-file> gui=<gui-file>
    set conf=none
    disable system security
    restart reboot
    A software QoS extension to this configuration, to prioritise VoIP traffic over the...
  • Page 17 2. Configure ADSL for internet access Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL.
    enable adsl=0
    create atm=0 over=adsl0
    add atm=0 channel=1
    3. Configure PPP for PPPoA Create your PPPoA link, and define the username and password needed for Internet access. This is provided by your Internet Service Provider (ISP).
  • Page 18 LAN interface of the router going down. We recommend SNMPv3 for security reasons. For details, see How To Configure SNMPv3 On Allied Telesis Routers and Managed Layer 3 Switches. This How To Note is available from resources/literature/howto.aspx.
  • Page 19 8. Check feature licences Check that you have a 3DES feature licence for the ISAKMP policies.
    show feature
    You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor.
    enable feature=3des pass=<licence-number>...
  • Page 20 (for site-to-site VPNs); 3DESOUTER as the encryption algorithm for ESP (for site-to-site VPNs); SHA as the hashing algorithm for ESP authentication (for roaming client VPNs); four possible variants of VPN encryption, for added flexibility. We propose the most secure option first. Create an SA specification for the headquarters office site-to-site VPN.
  • Page 21 Create your ISAKMP pre-shared key. This key is used when initiating your VPN during phase one ISAKMP exchanges with your VPN peers. Share the value of this pre-shared key with all VPN peers that use it—in this example, the roaming VPN clients and the headquarters router.
  • Page 22 can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection.
    create firewall policy=branch1 dynamic=roaming
    add firewall policy=branch1 dynamic=roaming user=any
    add firewall policy=branch1 int=dyn-roaming type=private
    Define NAT definitions to use when traffic from the local LAN accesses the Internet and to allow Internet access for remote VPN client users.
  • Page 23 The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic.
    add firewall policy=branch1 ru=5 ac=non int=vlan1 prot=all ip=192.168.141.1-192.168.141.254 rem=192.168.140.0-192.168.142.254
    If you configured SSH (recommended), create a rule to allow SSH traffic to pass through the firewall.
  • Page 24: How To Configure the AR440S Router at Branch Office 2

    How to configure the AR440S router at branch office 2 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
    set inst=pref rel=<rel-file> pat=<patch-file> gui=<gui-file>
    set conf=none
    disable system security
    restart reboot
    A software QoS extension to this configuration, to prioritise VoIP traffic over the...
  • Page 25 2. Configure ADSL for internet access Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL.
    enable adsl=0
    create atm=0 over=adsl0
    add atm=0 channel=1
    Branch 2 uses PPPoEoA (PPP over virtual ethernet over ATM). Create the virtual ethernet over ATM.
  • Page 26 LAN interface of the router going down. We recommend SNMPv3 for security reasons. For details, see How To Configure SNMPv3 On Allied Telesis Routers and Managed Layer 3 Switches. This How To Note is available from resources/literature/howto.aspx.
  • Page 27 7. Check feature licences Check that you have a 3DES feature licence for the ISAKMP policy.
    show feature
    You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor.
    enable feature=3des pass=<licence-number>...
  • Page 28 Create another IPsec policy for direct Internet traffic from the headquarters LAN to the Internet, such as web browsing.
    create ipsec pol=internet int=ppp0 ac=permit
    Note: The order of the IPsec policies is important. The Internet permit policy must be last.
    Create your ISAKMP pre-shared key.
  • Page 29 Branch office 2 does not need rule 3 that the other sites have, because branch office 2 has no roaming VPN client connections. Create a pair of rules to allow office-to-office payload traffic to pass through the firewall without applying NAT. This traffic must bypass NAT so that the traffic matches subsequent IPsec policy address selectors.
  • Page 30: How To Make Voice Traffic High Priority

    How to make voice traffic high priority This is an optional enhancement to the configuration of the routers. It prioritises outgoing voice traffic higher than other outgoing traffic on each VPN, to maximise call quality. Use the configuration in this section if you expect your VPN client or branch office users will be using VoIP over a VPN.
  • Page 31: How To Prioritise Outgoing VoIP Traffic from the Headquarters Router

    How to prioritise outgoing VoIP traffic from the headquarters router Add the following steps after 1. Create classifiers First, classify the VoIP traffic. In many deployments of VoIP, the originating VoIP appliance marks VoIP packets with a DSCP value. In this example, it marks both VoIP traffic and VoIP signalling packets with DSCP 48.
  • Page 32 4. For site-to-site VPNs, apply the SQoS policy to the tunnels Apply the policy to the VPN between headquarters and branch office 1.
    set sqos interface=ipsec-branch1 tunnelpolicy=1
    Apply the policy to the VPN between headquarters and branch office 2.
    set sqos interface=ipsec-branch2 tunnelpolicy=1
    5.
  • Page 33: How To Prioritise Outgoing VoIP Traffic from the Branch Office 1 Router

    How to prioritise outgoing VoIP traffic from the branch office 1 router Add the following steps after 1. Create classifiers In this example, the originating VoIP appliance has marked VoIP traffic and VoIP signalling packets with DSCP 48.
    create classifier=48 ipds=48
    2.
  • Page 34 5. For roaming clients, use triggers to apply SQoS to dynamic interfaces This example creates four triggers, which allows for up to four simultaneous roaming client VPNs. You can scale this to the correct number for your network. Create the following scripts as text files on the router. script name ppp0up.scp ppp1up.scp...
  • Page 35: How To Prioritise Outgoing VoIP Traffic from the Branch Office 2 Router

    How to prioritise outgoing VoIP traffic from the branch office 2 router Add the following steps after 1. Create classifiers In this example, the originating VoIP appliance has marked VoIP traffic and VoIP control packets with DSCP 48.
    create classifier=48 ipds=48
    2.
  • Page 36: How To Test Your VPN Solution

    How to test your VPN solution If the following tests show that your tunnel is not working, see the How To Note How To Troubleshoot A Virtual Private Network (VPN). Check the LANs are reachable The simplest way to test a tunnel is to ping from one LAN to the other. From a PC attached to one peer, ping a PC attached to the other peer.
  • Page 37: Configuration Scripts for Headquarters and Branch Offices

    Configuration scripts for headquarters and branch offices This section provides script-only versions of the three configurations described earlier in this document. Scripts can provide a quicker way to configure your routers, through pre-editing and downloading using TFTP or ZMODEM. You can copy and paste the scripts below to an editor on your PC, modify addresses, passwords and any other requirements for all your individual sites, and then use TFTP or ZMODEM to transfer the files to your routers.
  • Page 38: Headquarters VPN Access Concentrator's Configuration

    Headquarters VPN access concentrator's configuration
    # System configuration
    set system name=HQ
    # User configuration
    set user securedelay=600
    # Add your approved roaming VPN client usernames.
    add user=roaming1 pass=roaming1 lo=no telnet=no
    add user=roaming2 pass=roaming2 lo=no telnet=no
    add user=roaming3 pass=roaming3 lo=no telnet=no
    add user=roaming4 pass=roaming4 lo=no telnet=no
    # Define a security officer.
  • Page 39 # DHCP configuration
    # If desired, use the router as a DHCP server.
    create dhcp poli=hq lease=7200
    add dhcp poli=hq rou=192.168.140.254
    add dhcp poli=hq subn=255.255.255.0
    create dhcp range=hq_hosts poli=hq ip=192.168.140.16 num=32
    ena dhcp
    # SSH configuration
    # You should not telnet to a secure gateway, so set up Secure Shell
    # for remote management.
  • Page 40 # Create a group of SA specifications for the roaming VPN clients.
    # These SA specifications use IPsec transport mode.
    create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport
    create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=transport
    create ipsec sas=4 key=isakmp prot=esp enc=des hasha=sha mod=transport
    create ipsec sas=5 key=isakmp prot=esp enc=des hasha=md5 mod=transport...
  • Page 41 # FIREWALL configuration
    enable firewall
    create firewall policy=hq
    enable firewall policy=hq icmp_f=all
    # Define a firewall dynamic definition to work with dynamic
    # interfaces. This provides for the dynamic PPP/L2TP interfaces that
    # incoming Windows VPN connections use.
    create firewall policy=hq dy=roaming
    add firewall policy=hq dy=roaming user=any
    # Specify the private and public interfaces.
  • Page 42 # If you configured SSH, create a rule for SSH traffic.
    add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22
    # If you use telnet instead (not recommended), create a rule for it.
    # add firewall policy=hq ru=7 ac=allo int=eth0 prot=tcp po=23
    # ip=200.200.200.1 gblip=200.200.200.1 gblp=23
    # INT configuration - if prioritising VoIP
    set int=eth0 mtu=256...
  • Page 43: Branch Office 1 AR440S Configuration: The PPPoA Site with VPN Client Access and a Fixed IP Address

    Branch office 1 AR440S configuration—the PPPoA site with VPN client access and a fixed IP address
    # SYSTEM configuration
    set system name=Branch1
    # USER configuration
    set user securedelay=600
    # Add your approved roaming VPN client usernames.
    add user=roaming1 pass=roaming1 lo=no telnet=no
    add user=roaming2 pass=roaming2 lo=no telnet=no
    add user=roaming3 pass=roaming3 lo=no telnet=no
    add user=roaming4 pass=roaming4 lo=no telnet=no...
  • Page 44 # allows incoming roaming VPN client connections. The clients can
    # only target a known, unchanging address.
    create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off
    set ppp=0 username="branch office 1" password=branch1 iprequest=off
    # Note that this interface needs a permanent IP address because the
    # branch office allows incoming roaming VPN client connections.
  • Page 45 # Log configuration
    # If desired, forward router log entries to a UNIX-style syslog
    # server.
    create log output=2 destination=syslog server=<your-local-syslog-server-address> syslogformat=extended
    add log out=2 filter=1 sev=>3
    # IPSEC configuration
    # Create an SA specification for the site-to-site VPN. This SA
    # specification uses tunnel mode by default.
  • Page 46 # ISAKMP Configuration
    create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both
    set isa pol=hq localid=branch1 encalg=3des2key
    create isakmp pol=roaming pe=any key=1
    set isa pol=roaming sendd=true sendi=true natt=true localid=branch1
    enable isakmp
    # FIREWALL configuration
    enable firewall
    create firewall policy=branch1
    enable firewall policy=branch1 icmp_f=all
    # Define a firewall dynamic definition to work with dynamic
    # interfaces.
  • Page 47 # Create a pair of rules to allow office-to-office payload traffic to
    # pass through the firewall without applying NAT.
    # The rule for the public interface uses encapsulation=ipsec to
    # identify incoming VPN traffic.
    add firewall poli=branch1 ru=4 ac=non int=ppp0 prot=all enc=ips
    # The rule for the private interface uses both source and destination
    # addresses to identify outgoing VPN traffic.
  • Page 48: Branch Office 2 AR440S Configuration: The PPPoEoA Site with a Dynamically Assigned IP Address

    Branch office 2 AR440S configuration—the PPPoEoA site with a dynamically assigned IP address
    # SYSTEM configuration
    set system name=Branch2
    # USER configuration
    set user securedelay=600
    # Define a security officer.
    add user=secoff pass=<your secoff password> priv=securityofficer lo=yes telnet=yes
    # Change the manager privilege user’s password.
    set user=manager password=<your-password>...
  • Page 49 # DHCP configuration
    # If desired, use the router as a DHCP server.
    create dhcp poli=branch2 lease=7200
    add dhcp poli=branch2 rou=192.168.142.254
    add dhcp poli=branch2 subn=255.255.255.0
    create dhcp range=branch2_hosts poli=branch2 ip=192.168.142.16 num=32
    ena dhcp
    # SSH configuration
    # You should not telnet to a secure gateway, so set up Secure Shell
    # for remote management.
  • Page 50 # Create an IPsec policy for branch 2 to headquarters VPN traffic.
    create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq
    set ipsec pol=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
    # Create another IPsec policy to allow for direct Internet access
    # such as web browsing.
    create ipsec pol=internet int=ppp0 ac=permit
    enable ipsec
    # ISAKMP Configuration...
  • Page 51 # If you use telnet instead (not recommended), create a rule for it.
    # add firewall policy=branch2 ru=7 ac=allo int=ppp0 prot=tcp po=23
    # ip=192.168.142.254 gblip=0.0.0.0 gblp=23
    # INT configuration - if prioritising VoIP
    set int=ppp0 mtu=256
    set int=ppp0 frag=yes
    # CLASSIFIER configuration - if prioritising VoIP
    # Create a classifier to identify voice traffic (DSCP value 48 in
    # this example).
  • Page 52: Extra Configuration Scripts for Lab Testing the VPN Solution

    Extra configuration scripts for lab testing the VPN solution This section provides additional configuration that you may need if you want to lab test the VPN solution. It has scripts for: setting up a PPPoE access concentrator for branch office 2 to connect to (in a test network, this access concentrator plays the role of the PPPoA or PPPoEoA service from your ISP or Telco); setting up a NAT gateway so you can verify your VPN clients passing through NAT-T.
  • Page 53: Hotel's NAT Gateway Firewall Configuration

    Singapore 534182 T: +65 6383 3832 Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. T: +1 800 424 4284 F: +1 425 481 3895 F: +41 91 69769.11...
