Ipsec (With Isakmp), Firewall, And Vpn Client - Allied Telesis AR Router Configuration

6.3. IPSec (with ISAKMP), Firewall, and VPN Client

This configuration illustrates two IPSec tunnels from one router: one to a remote office (Site B) and one to a remote VPN client (a roaming user), while still allowing ordinary Internet access. The VPN client may use a dynamic IP address. This example is not suitable when the router itself sits behind a NATing device (e.g. an ADSL modem that performs NAT).
Pre-2.0.2 release: the ISAKMP protocol can only be used simultaneously with Firewall NAT if L2TP is employed between the tunnelling routers. See Example 6.5.
2.0.2 release onwards: the ISAKMP protocol may be used simultaneously with Firewall NAT, with the introduction of the Firewall "nonat" action shown in this example.
Router A (Site A: CentreCOM AR300 Access Router, LAN 192.168.10.0)
# Security officer account: the IPSec and ISAKMP commands below require priv=sec
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# PPP configuration (WAN link over syn0)
create ppp=0 over=syn0
# optional: set ppp=0 over=syn0 lqr=off echo=on
# IP
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=ppp0 ip=200.200.200.1
# default route out the WAN link
add ip rou=0.0.0.0 next=0.0.0.0 int=ppp0
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=ppp0 type=public
add fire poli=main nat=enhanced int=eth0 gblint=ppp0
# Rule 1: let ISAKMP (UDP/500) reach the router's own public address
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
# Rule 2: traffic that arrived inside an IPSec tunnel on ppp0 bypasses NAT
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
# Rule 3: internally initiated VPN traffic to the Remote Office bypasses NAT
# (only for 192.168.20.x destinations; all other LAN traffic is still NATed to ppp0)
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
# Includes VPN client configuration for user "Roaming1"
ena ipsec
# SA specifications: ESP for encryption (no ESP authentication), AH in tunnel mode for integrity.
# Single DES is kept here as in the original example; it is no longer considered secure,
# so a current deployment should pick the strongest cipher its release supports.
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
# Policies are matched in order: pass ISAKMP itself, protect the two tunnels, permit the rest
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
# Roaming client: its address is unknown in advance, so the remote selector is the client's name
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lmask=255.255.255.0 rname=roaming1
# Everything not matched above goes out in the clear (Internet access)
create ips pol=internet int=ppp0 act=permit
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL on
# router A and B
# This example uses the same network key (key=1) for all ISAKMP exchanges; the roaming
# client's policy uses peer=any because its address is dynamic
cre isa pol=remoffice peer=222.222.222.1 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on
cre isa pol=roaming1 peer=any hashalg=sha key=1
set isa pol=roaming1 senddeletes=on setcommitbit=on sendnotify=on
enable isakmp
# Optional: authenticate roaming users at the head office (XAUTH) against a RADIUS server
# or the router's own User Authentication Database
#set isa pol=roaming1 xauth=server xauthtype=generic
#add radius server=192.168.10.254 secret=secret
# OR: add user=boblogin pass=bobpass
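The three sections above only work together if they agree with each other: the firewall has to let UDP/500 in, the nonat rules have to cover exactly the subnets the IPSec selectors name, and each IPSec policy has to point at an ISAKMP policy with the same peer. The script below is an added example (not from the Allied Telesis manual) that parses the Router A lines and reports such mismatches, plus the two crypto weaknesses a reviewer would flag (single DES, and an unauthenticated ESP without AH beside it). The ALIAS table that expands the CLI abbreviations is a hypothetical one that covers only the spellings used on this page, and the sample script is the page's own Router A lines, constructed here with the wrapped lines rejoined.

```python
# Audit the Router A script: do its firewall, IPSec and ISAKMP sections agree, and is the crypto current?
import ipaddress
import shlex

# Constructed sample: the Router A lines from this page that define rules, SAs and policies (wrapped lines rejoined).
ROUTER_A = """
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lma=255.255.255.0 rname=roaming1
cre isa pol=remoffice peer=222.222.222.1 hashalg=sha key=1
cre isa pol=roaming1 peer=any hashalg=sha key=1
"""

# Hypothetical alias table: only the abbreviations on this page (the real CLI accepts any unambiguous prefix).
ALIAS = {"fire": "firewall", "poli": "policy", "ru": "rule", "ac": "action", "act": "action",
         "ips": "ipsec", "pol": "policy", "lma": "lmask", "bund": "bundle", "cre": "create", "isa": "isakmp"}

def object_key(module, p):
    # Which configuration object a create/add/set line refers to; None for lines we ignore.
    if module == "firewall" and "rule" in p:
        return ("fwrule", p["rule"])
    if module == "ipsec":
        for field, kind in (("policy", "ipsecpol"), ("sas", "sa"), ("bundle", "bundle")):
            if field in p:
                return (kind, p[field])
    if module == "isakmp" and "policy" in p:
        return ("isakmppol", p["policy"])
    return None

def parse(script):
    # Fold create/add/set lines into one params dict per object.
    objs = {}
    for raw in script.strip().splitlines():
        words = [] if raw.lstrip().startswith("#") else shlex.split(raw)
        if len(words) < 2:
            continue
        params = {}
        for tok in words[2:]:
            k, _, v = tok.partition("=")
            params[ALIAS.get(k.lower(), k.lower())] = v.lower()
        key = object_key(ALIAS.get(words[1].lower(), words[1].lower()), params)
        if key is not None:
            objs.setdefault(key, {}).update(params)
    return objs

def has_rule(rules, **want):
    return any(all(r.get(k) == v for k, v in want.items()) for r in rules)

def covers(rng, net):
    # True if a firewall a.b.c.d-w.x.y.z range contains every usable host of net.
    if not rng:
        return False
    lo, _, hi = rng.partition("-")
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    hosts = list(net.hosts())
    return lo <= hosts[0] and hosts[-1] <= hi

def audit(script):
    # Returns a list of findings; an empty list means the three sections are consistent.
    objs = parse(script)
    rules = [v for k, v in objs.items() if k[0] == "fwrule"]
    findings = []
    for (kind, name), pol in objs.items():
        if kind != "ipsecpol" or pol.get("action") != "ipsec":
            continue
        iface = pol.get("int")
        # 1. IKE must be allowed in on the public interface, or no SA is ever negotiated.
        if not has_rule(rules, int=iface, action="allow", prot="udp", port="500"):
            findings.append(f"{name}: no allow rule for UDP/500 on {iface}, ISAKMP will be dropped")
        # 2. Decapsulated tunnel traffic must bypass NAT on the public side (the nonat action).
        if not has_rule(rules, int=iface, action="nonat", encap="ipsec"):
            findings.append(f"{name}: no nonat encap=ipsec rule on {iface}, inbound tunnel traffic is NATed")
        # 3. The ISAKMP policy must exist and name the same peer (IPSec 'dynamic' pairs with ISAKMP 'any').
        isa = objs.get(("isakmppol", pol.get("isakmp")))
        want = "any" if pol.get("peer") == "dynamic" else pol.get("peer")
        if isa is None:
            findings.append(f"{name}: ISAKMP policy {pol.get('isakmp')!r} is not defined")
        elif isa.get("peer") != want:
            findings.append(f"{name}: IPSec peer {pol.get('peer')} but ISAKMP peer {isa.get('peer')}")
        # 4. LAN-initiated traffic to the remote subnet needs a private-side nonat rule, or it is NATed
        #    to the WAN address before the IPSec selector is consulted and never enters the tunnel.
        if "rad" in pol:
            lnet = ipaddress.ip_network(f"{pol['lad']}/{pol['lmask']}", strict=False)
            rnet = ipaddress.ip_network(f"{pol['rad']}/{pol['rmask']}", strict=False)
            if not any(r.get("action") == "nonat" and r.get("int") != iface
                       and covers(r.get("ip"), lnet) and covers(r.get("remoteip"), rnet) for r in rules):
                findings.append(f"{name}: no private-side nonat rule covering {lnet} -> {rnet}")
        # 5. Crypto: single DES is obsolete, and ESP with hasha=null needs AH beside it for integrity.
        bundle = objs.get(("bundle", pol.get("bundle")), {})
        sas = [objs.get(("sa", i), {}) for i in bundle.get("string", "").split() if i.isdigit()]
        if any(s.get("encalg") == "des" for s in sas):
            findings.append(f"{name}: bundle uses single DES, which is brute-forceable")
        if any(s.get("prot") == "esp" and s.get("hasha") == "null" for s in sas) \
                and not any(s.get("prot") == "ah" for s in sas):
            findings.append(f"{name}: ESP is unauthenticated and the bundle has no AH")
    return findings
```

Run against the page's own script, `audit(ROUTER_A)` returns only the two single-DES findings (one per tunnel policy); changing rule 3's remoteip to a different subnet, or dropping the UDP/500 allow rule, produces a finding for the tunnel that would silently stop passing traffic.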
Helpful Scripts
Revision 5.8.7; 5 April 2001

[Network diagram: Site A, a CentreCOM AR300 Access Router with LAN 192.168.10.0 and WAN address 200.200.200.1, has Internet access and two virtual tunnels: one to the VPN client (roaming user, dynamic IP) and one to Site B, a CentreCOM AR300 Access Router with WAN address 222.222.222.1 and LAN 192.168.20.0.]

Page 31
