Extreme Networks Altitude 4700 Series Product Reference Manual page 645

Software version 4.1

Question 11: My tunnel works fine when I use the LAN-WAN Access page to configure my
firewall. Now that I use Advanced LAN Access, my VPN stops working. What am I doing wrong?
VPN requires certain packets to be passed through the firewall. Subnet Access automatically inserts
these rules for you when you configure a VPN. With Advanced Subnet Access, you must add these rules
yourself, and they must be in effect for each tunnel.
An 'allow' inbound rule:
    Src         <Remote Subnet IP range>
    Dst         <Local Subnet IP range>
    Transport   ANY
    Src port    1:65535
    Dst port    1:65535
    Rev NAT     None
An 'allow' outbound rule:
    Src         <Local Subnet IP range>
    Dst         <Remote Subnet IP range>
    Transport   ANY
    Src port    1:65535
    Dst port    1:65535
    NAT         None
For IKE, an 'allow' inbound rule:
    Src         <Remote Subnet IP range>
    Dst         <WAN IP address>
    Transport   UDP
    Src port    1:65535
    Dst port    500
    Rev NAT     None
These three rules should be configured above all other rules (default or user defined). When
Advanced LAN Access is used, IPSec works properly only if these inbound/outbound rules are in
place to control the incoming/outgoing packet flow, so configure them first, before any other
rules are configured.
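The following is an added example, not taken from the manual or from the Access Point's software: it models the three required rules and shows why their position in the table matters. The rule dictionary layout, the first-match evaluation order, the default deny, and all addresses are assumptions made for illustration.

```python
import ipaddress

ANY_PORT = (1, 65535)

def rule(direction, src, dst, proto, dport=ANY_PORT, action="allow"):
    # Hypothetical in-memory form of one firewall row (not the AP's config format).
    return {"dir": direction, "src": src, "dst": dst, "proto": proto,
            "sport": ANY_PORT, "dport": dport, "action": action}

def required_rules(local, remote, wan):
    """The three 'allow' rules the manual lists for one tunnel."""
    return [rule("in", remote, local, "ANY"),
            rule("out", local, remote, "ANY"),
            rule("in", remote, wan, "UDP", dport=(500, 500))]

def matches(r, pkt):
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    return (r["dir"] == pkt["dir"]
            and ip(pkt["src"]) in net(r["src"])
            and ip(pkt["dst"]) in net(r["dst"])
            and r["proto"] in ("ANY", pkt["proto"])
            and r["sport"][0] <= pkt["sport"] <= r["sport"][1]
            and r["dport"][0] <= pkt["dport"] <= r["dport"][1])

def decide(rules, pkt):
    """Assumed semantics: first matching rule wins, no match means deny."""
    return next((r["action"] for r in rules if matches(r, pkt)), "deny")

def audit(rules, local, remote, wan):
    """Report required rules that are missing or not above all other rules."""
    need, problems = required_rules(local, remote, wan), []
    for r in need:
        if r not in rules:
            problems.append(("missing", r["dir"], r["proto"]))
        elif rules.index(r) >= len(need):
            problems.append(("not-first", r["dir"], r["proto"]))
    return problems

# Constructed sample values, not taken from the manual.
LOCAL, REMOTE, WAN = "192.168.1.0/24", "10.10.0.0/24", "203.0.113.10/32"
USER_DENY = rule("in", "0.0.0.0/0", WAN, "UDP", action="deny")
BAD = [USER_DENY] + required_rules(LOCAL, REMOTE, WAN)   # user rule on top
GOOD = required_rules(LOCAL, REMOTE, WAN) + [USER_DENY]  # VPN rules on top
IKE = {"dir": "in", "src": "10.10.0.5", "dst": "203.0.113.10",
       "proto": "UDP", "sport": 500, "dport": 500}

if __name__ == "__main__":
    for name, table in (("bad", BAD), ("good", GOOD)):
        print(name, decide(table, IKE), audit(table, LOCAL, REMOTE, WAN))
```

With the user-defined deny rule on top, the constructed IKE packet is dropped and the audit flags the IKE rule as not first; with the three VPN rules on top, the packet is allowed and the audit is clean.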
Question 12: Do I need to add any special routes on the Access Point to get my VPN tunnel to
work?
No. However, clients could need extra routing information. Clients on the local LAN side should
either use the Access Point as their gateway or have a route entry that tells them to use the
Access Point as the gateway to reach the remote subnet.