IPSec (with Manual Key) and Firewall with NAT Device (eg: ADSL), plus VPN Client - Allied Telesis AR Router Configuration

6.4. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client
This configuration illustrates two IPSec tunnels, providing a remote office, a remote VPN client
(roaming user), and Internet access. In this example the VPN client must use a static address,
because the router at Site A is behind a NATing device (ADSL modem). With no IKE exchange possible
through that device, the tunnels use manual keying, and a manually keyed policy must name a peer
with a static address.
Note: Use the Manual Key option to get through a NATing device (eg: ADSL) between routers, or use
example 6.5 (L2TP). If passing through a NAT device (eg: ADSL), the VPN Client (dialup user) must
have a fixed IP address. A future release of the IPSec client will provide a solution to this
restriction.
[Figure: Site A network diagram. The ADSL device pinholes everything through to the router interface (UDP, TCP, ESP [IP protocol 50], AH [IP protocol 51]). Site A: CentreCOM AR300 Access Router with LAN 192.168.10.0.]
Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
# Rule 1 lets ESP (IP protocol 50) in to the router's own WAN address; rule 2 exempts the
# decapsulated IPSec traffic for the Site A LAN from NAT
add fire poli=main rule=1 int=eth1 action=allow ip=192.168.1.253 prot=50 gblip=192.168.1.253
add fire poli=main rule=2 int=eth1 action=nonat ip=192.168.10.1-192.168.10.254 prot=all encap=ipsec
# Rule 3 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
# Includes the VPN client configuration for user "Roaming1". The same key is used for the remote office
# and the remote VPN client PC (laptop), so each of those peers holds the key that protects the other's
# traffic. With manual keying the key is never renegotiated, and SA 1 below uses DES with no
# authentication algorithm (hasha=null), so this is a NAT-traversal workaround rather than a strong tunnel.
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type DES on
# routers A and B
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=manual enckey=1 inspi=1555 outspi=1555
create ips bundle=1 keym=manual string="1"
create ips pol=remoffice int=eth1 act=ipsec key=manual bund=1 peer=222.222.222.1
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
# The peer for the VPN Client (roaming1) must be a fixed address, due to use of manual keys.
create ips pol=roaming1 int=eth1 act=ipsec key=manual bund=1 peer=<dialup ip address>
set ips pol=roaming1 lad=192.168.10.0 lmask=255.255.255.0 rad=<dialup ip address> rmask=255.255.255.255
create ips pol=internet int=eth1 act=permit
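The constraints this section relies on can be checked mechanically before the script is loaded. The following Python script is an added example and is not part of the Allied Telesis manual: it parses a constructed copy of Router A's firewall and IPSec lines (with the <dialup ip address> placeholder deliberately left unresolved) and reports when a manual-key policy has no fixed peer address, when no firewall rule admits ESP (IP protocol 50) on the public interface, when an ESP SA has hasha=null, and when one bundle, and so one key, is shared by several peers. The function names and finding codes are this example's own, not AR CLI features; the parameter keywords are the ones printed on the page.

```python
"""Sanity checks for an AR-series manual-key IPsec script (added example,
not part of the Allied Telesis manual). Finding codes and function names
are this example's own."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the Router A lines that matter for the checks; the
# <dialup ip address> placeholder is deliberately left unresolved.
ROUTER_A_CONFIG = """\
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
add fire poli=main rule=1 int=eth1 action=allow ip=192.168.1.253 prot=50 gblip=192.168.1.253
add fire poli=main rule=2 int=eth1 action=nonat ip=192.168.10.1-192.168.10.254 prot=all encap=ipsec
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=manual enckey=1 inspi=1555 outspi=1555
create ips bundle=1 keym=manual string="1"
create ips pol=remoffice int=eth1 act=ipsec key=manual bund=1 peer=222.222.222.1
create ips pol=roaming1 int=eth1 act=ipsec key=manual bund=1 peer=<dialup ip address>
create ips pol=internet int=eth1 act=permit
"""

# A parameter value is a "quoted string", a <placeholder>, or a bare token.
PARAM = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(text: str) -> List[Dict[str, str]]:
    """One dict per command: 'cmd', 'obj' and the key=value parameters,
    keywords kept as typed (the AR CLI accepts truncations such as 'ips')."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        rec = {"cmd": words[0].lower(), "obj": words[1].lower() if len(words) > 1 else ""}
        for key, value in PARAM.findall(line):
            rec[key.lower()] = value.strip('"').lower()
        records.append(rec)
    return records


def param(rec: Dict[str, str], *names: str) -> str:
    """Look up a parameter under any of its accepted spellings (rule/ru, action/ac)."""
    for name in names:
        if name in rec:
            return rec[name]
    return ""


def check_config(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for the conditions described in the section."""
    recs = parse_config(text)
    ipsec = [r for r in recs if r["cmd"] == "create" and r["obj"].startswith("ips")]
    fire = [r for r in recs if r["cmd"] == "add" and r["obj"].startswith("fire")]
    sas = [r for r in ipsec if "sas" in r]
    policies = [r for r in ipsec if "pol" in r and r.get("act") == "ipsec"]
    findings: List[Tuple[str, str]] = []

    # 1. Manual keying has no IKE exchange to learn the peer's address from,
    #    so every manual-key policy needs a literal, fixed peer address.
    for p in policies:
        peer = p.get("peer", "")
        if p.get("key") == "manual" and not IPV4.match(peer):
            findings.append(("PEER_NOT_FIXED",
                             f"policy {p['pol']}: manual keying needs a fixed peer address, got '{peer}'"))

    # 2. ESP with hasha=null encrypts but does not authenticate; single DES is a 56-bit cipher.
    for sa in sas:
        if sa.get("prot") == "esp" and sa.get("hasha") == "null":
            findings.append(("NO_INTEGRITY", f"sa {sa['sas']}: ESP without an authentication algorithm"))
        if sa.get("encalg") == "des":
            findings.append(("WEAK_CIPHER", f"sa {sa['sas']}: single DES"))

    # 3. Policies that share a bundle share its SA, and therefore its key.
    by_bundle: Dict[str, List[str]] = {}
    for p in policies:
        if "bund" in p:
            by_bundle.setdefault(p["bund"], []).append(p["pol"])
    for bund, names in by_bundle.items():
        if len(names) > 1:
            findings.append(("SHARED_BUNDLE", f"bundle {bund} and its key are shared by {', '.join(names)}"))

    # 4. Tunnels terminate on the public interface, so ESP (IP protocol 50) must be allowed in there.
    public = {r["int"] for r in fire if r.get("type") == "public" and "int" in r}
    for iface in sorted(public):
        needed = any(p.get("int") == iface for p in policies)
        allowed = any(r.get("int") == iface and param(r, "action", "ac") == "allow" and r.get("prot") == "50"
                      for r in fire if param(r, "rule", "ru"))
        if needed and not allowed:
            findings.append(("ESP_NOT_ALLOWED", f"{iface}: no firewall rule allows IP protocol 50 (ESP) in"))
    return findings


if __name__ == "__main__":
    for code, detail in check_config(ROUTER_A_CONFIG):
        print(f"{code:16} {detail}")
```

Run against the page's script as printed, the checker reports the unresolved peer placeholder, the shared bundle, and the two algorithm caveats; once the placeholder is replaced with the client's fixed address, only the caveats remain. Removing rule 1 makes it report that ESP cannot reach eth1, which is exactly the failure a misconfigured ADSL pinhole or firewall produces.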
Helpful Scripts
Revision 5.8.7; 5 April 2001
[Figure, remaining labels: the ADSL NAT device at 192.168.1.254 faces the Site A router's WAN interface at 192.168.1.253; VPN Client (roaming user) with fixed IP 200.200.200.1 and Internet access across the virtual tunnel; Site B: CentreCOM AR300 Access Router at 222.222.222.1 with LAN 192.168.20.0.]
Page 33
