Allied Telesis VPN Brochure


AlliedWare™ OS How To Note | Create a VPN between an Allied Telesis Router and a Microsoft Windows 2000¹ Client, Without Using NAT-T

Introduction

This document describes how to provide secure remote access through IP security (IPSec) Virtual Private Networks (VPN).

This VPN solution is suitable for any business deployment and provides your office with secure Internet access and firewall protection, plus remote encrypted VPN access for staff who work from home.

You should use the companion Note, How To Create A VPN Between An Allied Telesis Router And A Microsoft Windows 2000 Client, Over NAT-T, instead if:
• the Allied Telesis router is connected to the Internet through a NAT gateway device, such as an ADSL modem, and/or
• you want to let travelling staff connect to your office from such places as hotel rooms.

This companion How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.

Consider the following typical scenario:

You are the manager of a small business and you have purchased an AR415S for your small office premises. You have five PCs networked together with a server in your office. You intend to use your AR415S as your Internet gateway and for it to provide firewall protection. You also have people who sometimes work from home. You would like these staff members to have secure (encrypted) remote access through the Internet to the servers in your office, to allow them to access files, the private Intranet, and business email. Each staff member has a laptop or PC with Windows 2000 installed.

1. Internet Explorer and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

C613-16004-00 REV D
www.alliedtelesis.com

Summary of Contents for Allied Telesis VPN

  • Page 1: Introduction

    VPN access for staff who work from home. You should use the companion Note How To Create A VPN Between An Allied Telesis Router And A Microsoft Windows 2000 Client, Over NAT-T instead, if:...
  • Page 2: Related How To Notes

    VPN between an Allied Telesis router and equipment from a number of other vendors. For a complete list of VPN How To Notes, see the Overview of VPN Solutions in How To Notes in the How To Library at www.alliedtelesis.com/resources/literature/howto.aspx.
  • Page 3: Example Network

    A solution to this security concern is to disable the standard behaviour that allows passwords to be saved. VPN users will then have to enter their password each time they connect. If you would like to implement this security measure, refer to Microsoft Knowledge Base article 172430 by following this link: support.microsoft.com/default.aspx?scid=172430.
  • Page 4: Configuring The Router

    ISAKMP negotiation. Page 4 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T. Configuring the router > Perform initial security configuration on the router (page 5). Name it (for example) vpn.cfg.
  • Page 5 The configuration script. Note: Comments are indicated in the script below using the # symbol. Placeholders for IP addresses, passwords, etc. are indicated by text within < >. set system name="IPSec Gateway" # The command below shows the Security Officer inactive timeout delay. # The default is 60 seconds.
  • Page 6 # The firewall allows for internally generated access to the Internet # through the following NAT definition. add fire poli=main nat=enhanced int=vlan1 gblint=eth0 # This NAT definition allows Internet access for remote VPN users by # providing address translation. add fire poli=main nat=enhanced int=dyn-dynamic gblint=eth0 add fire poli=main rule=1 int=eth0 action=allow prot=udp ip=<office-Internet-address>...
  • Page 7 Set the router to use the configuration After loading the configuration onto the switch, set the router to use the script after a reboot. If you named the script vpn.cfg, enter the command: set conf=vpn.cfg If you entered the configuration directly into the command line instead of loading the script, save the configuration by entering the commands: create conf=vpn.cfg...
  • Page 8: Configuring The Vpn Client

    Configuring the VPN client Configuring the Windows 2000 VPN client involves the following stages: "Add a new registry entry", on this page "Add the IP Security Policy Management snap-in" on page 9 "Create an IP Security Policy" on page 11 "Create an IP Security Rule"...
  • Page 9 Select Console Root > Add/Remove Snap-In. This opens the Add/Remove Snap-in window, as shown in the following figure. (Configuring the VPN client > Add the IP Security Policy Management snap-in)...
  • Page 10 Select Local computer, as shown in the following figure. Click Finish, then Close, then OK, to return to the Console window. (Configuring the VPN client > Add the IP Security Policy Management snap-in)...
  • Page 11 Select Create IP Security Policy. This opens the IP Security Policy Wizard, as shown in the following figure. (Configuring the VPN client > Create an IP Security Policy)...
  • Page 12 This opens the Requests for Secure Communication window. Clear the Activate the default response rule checkbox, as shown in the following figure. (Configuring the VPN client > Create an IP Security Policy)...
  • Page 13 Clicking Finish in the previous step opens the IP Security Policy Properties window, as shown in the following figure. (Configuring the VPN client > Create an IP Security Rule)...
  • Page 14 A tunnel endpoint is not required for this example. Therefore, make sure This rule does not specify a tunnel is selected, as shown in the following figure. (Configuring the VPN client > Create an IP Security Rule)...
  • Page 15 The pre-shared key needs to be the same ISAKMP pre-shared key as is defined on the router ("Generate a random key." on page ... (Configuring the VPN client > Create an IP Security Rule)...
  • Page 16 This opens the IP Filter List Name window. Enter a name (e.g. "L2TP Tunnel Filter"), as shown in the following figure. (Configuring the VPN client > Create an IP Filter)...
  • Page 17 This opens the IP Traffic Source window. Select My IP Address from the Source address drop-down box, as shown in the following figure. (Configuring the VPN client > Create an IP Filter)...
  • Page 18 This opens the IP Protocol Type window. Select UDP from the drop-down box, as shown in the following figure. (Configuring the VPN client > Create an IP Filter)...
  • Page 19 This completes the IP Filter wizard. Leave the Edit properties box unchecked, as shown in the following figure. (Configuring the VPN client > Create an IP Filter)...
  • Page 20 This opens the Filter Action window. Select Require Security, as shown in the following figure. This option forces the VPN client to use strong security. Microsoft Windows will not accept any incoming calls by default. All outgoing calls to your Allied Telesis router will be required to use IPSec encryption (assuming you use the router configuration from script"...
  • Page 21 This returns you to the Console Root window, as shown in the following figure. Click IP Security Policies on Local Machine. (Configuring the VPN client > Create an IP Filter)...
  • Page 22 Select Exit from the Console menu, to close and save the console window to your local hard drive. This uses the default name of Console1, as shown in the following figure. (Configuring the VPN client > Create an IP Filter)...
  • Page 23 This opens the New Connection Wizard. Click Next. Select Connect to a private network through the internet, as shown in the following figure. (Configuring the VPN client > Configure the connection)...
  • Page 24 The next window lets you assign an associated dialled call or select Do not dial the initial connection. Selecting Do not dial the initial connection is appropriate if you will have LAN access available before initiating the VPN call (for example, if you have a cable modem). Click Next.
  • Page 25 If you want to, check the Add a shortcut to this connection to my desktop check box. (Configuring the VPN client > Configure the connection)...
  • Page 26 This opens the Virtual Private Connection to Head Office window. Click the Networking tab. Select Layer-2 Tunneling Protocol (L2TP) in the drop-down box, as shown in the following figure. (Configuring the VPN client > Configure the connection)...
  • Page 27 (Configuring the VPN client > Configure the connection) Click OK. This completes the configuration of the L2TP client. To connect to the office, click Connect. Note that the connection will fail if the router has not yet been configured. If the connection succeeds, the following dialog box displays. Click OK.
  • Page 28: Troubleshooting

    Troubleshooting: If your tunnel is not working, see the How To Note How To Troubleshoot A Virtual Private Network (VPN). This How To Note has detailed information about testing and troubleshooting VPNs on the router...
  • Page 29: Closing The Connection

    Singapore 534182 T: +65 6383 3832. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. T: +1 800 424 4284 F: +1 425 481 3895 F: +41 91 69769.11...
