Ipsec And Firewall Through Two Nat Gateways (Eg: Adsl) - Allied Telesis AR Router Configuration


6.6. IPSec and Firewall through two NAT gateways (eg: ADSL)
This configuration illustrates an IPSec tunnel through two NATing devices (eg: NATing ADSL gateway devices). It uses release 2.2.1, which allows ISAKMP through NATing devices without the need for L2TP, because of the introduction of the 'localid' and 'remoteid' parameters, which let the ISAKMP peers identify each other by name instead of by IP address. It also allows for Internet access.
A future version of this example will also accommodate VPN clients, using a new release version of the VPN client.
[Figure, Site A: CentreCOM AR300 Access Router, LAN 192.168.10.0, WAN 192.168.1.253]
Router A
set sys name="Head Office"
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire policy="main"
add fire policy="main" int=eth0 type=private
add fire policy="main" int=eth1 type=public
add fire poli="main" nat=enhanced int=eth0 gblin=eth1
# Rule 1: let ISAKMP (UDP 500) in through the ADSL gateway's pinhole to the router's WAN address
add fire poli="main" ru=1 int=eth1 action=allow ip=192.168.1.253 prot=udp port=500 gblip=192.168.1.253 gblpo=500
# Rules 2 and 3: do not NAT ESP-encapsulated traffic, nor traffic between the local and remote LANs,
# so that it still matches the IPSec policy selectors below
add fire poli="main" ru=2 int=eth1 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
add fire poli="main" ru=3 int=eth0 action=nonat prot=all ip=192.168.10.1-192.168.10.254
set fire poli="main" ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
#
ena ipsec
# Note: hasha=null gives ESP no integrity protection and DES is a weak cipher; choose the strongest
# algorithms your release supports
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips bundle=1 keym=isakmp string="1"
create ips pol=isakmp int=eth1 act=permit lpo=500
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=200.200.200.2 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=internet int=eth1 act=permit
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=200.200.200.2 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on localid=headoffice remoteid=remote1
enable isakmp
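The three parts of the Router A script above have to agree with each other: the firewall must let ISAKMP in and exempt tunnel traffic from NAT, the IPSec and ISAKMP policies must name the same peer, and localid/remoteid must be set because the far end only ever sees the ADSL gateway's address, never the router's own. The Python check below is an added example, not part of this manual or of any Allied Telesis tool; it assumes the key=value lines of the script as copied above (wrapped lines joined) and the eth0/eth1 roles used on this page, and returns a list of inconsistencies (empty when the script hangs together).

```python
import ipaddress, shlex

# Constructed copy of the relevant Router A lines from this page, with wrapped lines joined.
ROUTER_A = """
add fire poli="main" ru=1 int=eth1 action=allow ip=192.168.1.253 prot=udp port=500 gblip=192.168.1.253 gblpo=500
add fire poli="main" ru=2 int=eth1 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
add fire poli="main" ru=3 int=eth0 action=nonat prot=all ip=192.168.10.1-192.168.10.254
set fire poli="main" ru=3 remoteip=192.168.20.1-192.168.20.254
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=200.200.200.2 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
cre isa pol=remoffice peer=200.200.200.2 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on localid=headoffice remoteid=remote1
"""
FAMILY = {"fire": "fire", "ips": "ips", "ipsec": "ips", "isa": "isa", "isakmp": "isa"}
def parse(script):
    # Collect key=value tokens per object, so 'set' lines merge into what 'add'/'create' made.
    objs = {}
    for line in script.strip().splitlines():
        words = shlex.split(line)                      # also strips the quotes from poli="main"
        fam = FAMILY[words[1]]
        kv = dict(w.split("=", 1) for w in words[2:] if "=" in w)
        key = (fam, kv.get("poli", kv.get("policy")), kv.get("ru")) if fam == "fire" else (fam, kv["pol"])
        objs.setdefault(key, {}).update(kv)
    return objs
def covers(rng, addr, mask):
    # True if every host of addr/mask lies inside the 'lo-hi' range a firewall rule uses.
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng.split("-"))
    return all(lo <= int(h) <= hi for h in ipaddress.ip_network(f"{addr}/{mask}").hosts())
def lint(script, wan_if="eth1", lan_if="eth0"):
    objs = parse(script)
    rules = [v for k, v in objs.items() if k[0] == "fire"]
    ips = next(v for k, v in objs.items() if k[0] == "ips" and v.get("act") == "ipsec")
    isa = objs[("isa", ips["isa"])]
    problems = []
    # ISAKMP (UDP 500) must be let in on the public interface, or phase 1 never completes.
    if not any(r["int"] == wan_if and r.get("action") == "allow" and r.get("prot") == "udp"
               and r.get("port") == "500" for r in rules):
        problems.append(f"no rule allowing UDP 500 in on {wan_if}")
    # ESP traffic must bypass NAT on the public side and LAN-to-remote-LAN traffic on the private side.
    if not any(r["int"] == wan_if and r.get("action") == "nonat" and r.get("encap") == "ipsec"
               and covers(r["ip"], ips["lad"], ips["lmask"]) for r in rules):
        problems.append("no nonat encap=ipsec rule covering the local subnet")
    if not any(r["int"] == lan_if and r.get("action") == "nonat" and covers(r["ip"], ips["lad"], ips["lmask"])
               and r.get("remoteip") and covers(r["remoteip"], ips["rad"], ips["rmask"]) for r in rules):
        problems.append("no nonat rule from the local subnet to the remote subnet")
    # Same peer in both policies; behind NAT the peer sees the ADSL gateway's address, so name IDs are required.
    if isa["peer"] != ips["peer"]:
        problems.append(f"peer mismatch: isakmp {isa['peer']} vs ipsec {ips['peer']}")
    problems += [f"isakmp policy lacks {k}" for k in ("localid", "remoteid") if not isa.get(k)]
    return problems
```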
Helpful Scripts
Revision 5.8.7; 5 April 2001
[Figure, continued: Router A's WAN connects to a NATing ADSL gateway (192.168.1.254 inside, 200.200.200.1 outside) that provides Internet access; a virtual tunnel runs across the Internet to the second NATing ADSL gateway (200.200.200.2 outside, 192.168.2.254 inside) in front of Site B's CentreCOM AR300 Access Router (WAN 192.168.2.253, LAN 192.168.20.0). Both ADSL units: pinhole through to the router interface (UDP 500, ESP [50]).]
Page 37
