Allied Telesis AR440S manual


A good user manual

The rules oblige the seller to supply the buyer with the manual for the Allied Telesis AR440S product. A missing manual, or incorrect information supplied to the consumer, is grounds for a complaint that the product does not conform to the contract. By law, the manual may be supplied in a form other than paper, which is common practice: a graphical or electronic manual, or Allied Telesis AR440S instructional videos for users. The only condition is that it be legible and understandable.

What is a manual?

The word comes from the Latin "instructio", to instruct. So in the Allied Telesis AR440S manual you will find a description of the stages of the process. The purpose of the manual is to instruct: to make it easier to start up and use the equipment, or to carry out specific tasks. A manual is a collection of information about the object or service; a guide.

Unfortunately, few users take the time to read the Allied Telesis AR440S manual, yet a good manual not only introduces a number of additional features of the device, it also prevents most faults.

So what should the perfect manual contain?

First of all, the Allied Telesis AR440S manual should contain:
- technical data for the Allied Telesis AR440S device
- the manufacturer's name and the year of manufacture of the Allied Telesis AR440S device
- instructions for using, adjusting and maintaining the Allied Telesis AR440S device
- safety markings and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually this is due to lack of time and to confidence about the specific features of the device you have bought. Unfortunately, simply connecting and starting the Allied Telesis AR440S is not enough. The manual contains a range of guidance on specific features, safety, maintenance methods (including which products should be used), possible Allied Telesis AR440S faults and ways to resolve common problems during use. Finally, the manual gives the Allied Telesis service contact details for when the proposed solutions do not work. Today, manuals in the form of engaging animations and instructional videos are much appreciated, as they speak to the user better than a leaflet does. This type of manual gives the user a chance to go through the whole instructional video without skipping the complicated Allied Telesis AR440S specifications and technical descriptions, as often happens with the paper version.

Why read manuals?

First of all, they contain answers about the construction and capabilities of the Allied Telesis AR440S device, the use of the individual accessories and a range of information for making full use of all its features and conveniences.

After successfully purchasing a piece of equipment or a device, it is worth taking a moment to get familiar with each part of the Allied Telesis AR440S manual. Today, manuals are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic informational function.

Manual index

  • Page 1

    C613-16049-00 REV E www.alliedtelesis.com AlliedWare™ OS How To | Introduction In this How To Note's example, a headquarters office has VPNs to two branch offices and a number of roaming VPN clients. The example illustrates the following possible components that you could use in a corporate network: • VPNs between a headquarters o[...]

  • Page 2

    Page 2 | AlliedWare™ OS How To Note: VPNs for Corporate Networks How to make voice traffic high priority .......... 30 How to prioritise outgoing VoIP traffic from the headquarters router .......... 31 How to prioritise outgoing VoIP t[...]

  • Page 3

    About IPsec modes: tunnel and transport This solution uses two types of VPN: • IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to-site (router-to-router) VPNs. • IPsec transport mode with L2TP, for the roaming Windows VPN clients. Th[...]

  • Page 4

    Background: NAT-T and policies NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur with the VPNs from the roaming VPN c[...]

  • Page 5

    Policies and interfaces It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the following different ways: • Firewall rules can be applied on either private or public interfaces. The rules are matched against traffic that [...]

  • Page 6

    How to configure VPNs in typical corporate networks This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers. The headquarters router is acting as a VPN Access Concentrator, and a[...]

  • Page 7

    2. The branch office 1 router, which provides: • an ADSL PPPoA Internet connection. Note that the PPPoA connection requires an ATM DSLAM • VPN access to headquarters using IPsec tunnel mode • incoming VPN client access from roaming users • a fixed Internet address so [...]

  • Page 8

    How to configure the headquarters VPN access concentrator Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=< rel-file > pat=< p[...]

  • Page 9

    Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line. enable ip add ip int=eth0 ip=200.200.200.1 Give a fixed private address to the interface vlan1, which conn[...]

  • Page 10

    remote security officers (RSOs). RSO definitions specify trusted remote addresses for security officer users. add user rso ip=< ipadd >[-< ipadd >] enable user rso enable telnet server If desired, set the router to send log messages to a syslog s[...]

  • Page 11

    Check that you have a 3DES feature licence for the ISAKMP policies. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable featur[...]

  • Page 12

    Create IPsec policies to bypass IPsec for ISAKMP messages and the "port floated" key exchange that NAT-T uses. create ipsec pol=isakmp int=eth0 ac=permit lp=500 rp=500 create ipsec pol=isakmp_float int=eth0 ac=permit lp=4500 Create an IPsec policy for th[...]

  • Page 13

    • the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies.[...]

  • Page 14

    can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=hq dynamic=roaming add firewall policy=hq dynamic=roaming user=any ad[...]

  • Page 15

    The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254 rem=192.168.141.0-192.168.144.254 If you configured SSH (r[...]

  • Page 16

    How to configure the AR440S router at branch office 1 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=< rel-file > pat=< p[...]

  • Page 17

    Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 Create your PPPoA link, and define the username and password need[...]

  • Page 18

    If you need remote management access, we strongly recommend that you use Secure Shell (SSH). You should not telnet to a secure gateway. To configure SSH, define appropriate RSA encryption keys, then enable the SSH server. create enco key=2 type=rsa[...]

  • Page 19

    You need to configure dynamic PPP over L2TP to accept incoming Windows VPN client connections. Create an IP pool to allocate unique internal payload addresses to incoming VPN clients. create ip pool=roaming ip=192.168.144.1-192.168.144.50 Define a PPP t[...]

  • Page 20

    • (for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP • (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication • (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility. We propose t[...]

  • Page 21

    Create your ISAKMP pre-shared key. This key is used when initiating your VPN during phase one ISAKMP exchanges with your VPN peers. Share the value of this pre-shared key with all VPN peers that use it—in this example, the roaming VPN clients and [...]

  • Page 22

    can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=branch1 dynamic=roaming add firewall policy=branch1 dynamic=roamin[...]

  • Page 23

    The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=branch1 ru=5 ac=non int=vlan1 prot=all ip=192.168.141.1-192.168.141.254 rem=192.168.140.0-192.168.142.254 If you configured[...]

  • Page 24

    How to configure the AR440S router at branch office 2 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel=< rel-file > pat=< p[...]

  • Page 25

    Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 Branch 2 uses PPPoEoA (PPP over virtual ethernet over ATM). Create [...]

  • Page 26

    If desired, set up the router as a DHCP server for the branch office 2 LAN. create dhcp policy=branch2 lease=7200 add dhcp policy=branch2 rou=192.168.142.254 add dhcp policy=branch2 subn=255.255.255.0 create dhcp range=branch2_hosts poli=branch2 ip=192.16[...]

  • Page 27

    Check that you have a 3DES feature licence for the ISAKMP policy. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable featu[...]

  • Page 28

    Create another IPsec policy for direct Internet traffic from the headquarters LAN to the Internet, such as web browsing. create ipsec pol=internet int=ppp0 ac=permit Note: The order of the IPsec policies is important. The Internet permit policy m[...]

  • Page 29

    Branch office 2 does not need rule 3 that the other sites have, because branch office 2 has no roaming VPN client connections. Create a pair of rules to allow office-to-office payload traffic to pass through the firewall without applying NAT. This tr[...]

  • Page 30

    How to make voice traffic high priority This is an optional enhancement to the configuration of the routers. It prioritises outgoing voice traffic higher than other outgoing traffic on each VPN, to maximise call quality. Use the configuration in this section if you expe[...]

  • Page 31

    How to prioritise outgoing VoIP traffic from the headquarters router Add the following steps after step 9 on page 14. First, classify the VoIP traffic. In many deployments of VoIP, the originating VoIP appliance marks VoIP packets with a DSCP val[...]

  • Page 32

    Apply the policy to the VPN between headquarters and branch office 1. set sqos interface=ipsec-branch1 tunnelpolicy=1 Apply the policy to the VPN between headquarters and branch office 2. set sqos interface=ipsec-branch2 tunnelpolicy=1 This example creates f[...]

  • Page 33

    How to prioritise outgoing VoIP traffic from the branch office 1 router Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP signalling packets with DSCP 48. create [...]

  • Page 34

    This example creates four triggers, which allows for up to four simultaneous roaming client VPNs. You can scale this to the correct number for your network. Create the following scripts as text files on the router. Create triggers to run the appropriat[...]

  • Page 35

    How to prioritise outgoing VoIP traffic from the branch office 2 router Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP control packets with DSCP 48. create classi[...]

  • Page 36

    How to test your VPN solution If the following tests show that your tunnel is not working, see the How To Note How To Troubleshoot A Virtual Private Network (VPN). Check the LANs are reachable The simplest way to test a tunnel is to ping from one LAN to the o[...]

  • Page 37

    Configuration scripts for headquarters and branch offices This section provides script-only versions of the three configurations described earlier in this document. Scripts can provide a quicker way to configure your routers, through pre-editing and downloading using TFT[...]

  • Page 38

    Headquarters VPN access concentrator's configuration # System configuration set system name=HQ # User configuration set user securedelay=600 # Add your approved roaming VPN client usernames. add user=roaming1 pass=roaming1 lo=no telnet=no add user=roaming2[...]

  • Page 39

    # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=hq lease=7200 add dhcp poli=hq rou=192.168.140.254 add dhcp poli=hq subn=255.255.255.0 create dhcp range=hq_hosts poli=hq ip=192.168.140.16 num=32 ena dhcp # SSH configuration # [...]

  • Page 40

    # Create a group of SA specifications for the roaming VPN clients. # These SA specifications use IPsec transport mode. create ipsec sas=2 key=isakmp prot=esp enc=3desouter hasha=sha mod=transport create ipsec sas=3 key=isakmp prot=esp enc=3desouter hasha=md5 mod=[...]

  • Page 41

    # FIREWALL configuration enable firewall create firewall policy=hq enable firewall policy=hq icmp_f=all # Define a firewall dynamic definition to work with dynamic # interfaces. This provides for the dynamic PPP/L2TP interfaces that # incoming Windows VPN connect[...]

  • Page 42

    # If you configured SSH, create a rule for SSH traffic. add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22 # If you use telnet instead (not recommended), create a rule for it. # add firewall policy=hq ru=7 ac=[...]

  • Page 43

    Branch office 1 AR440S configuration—the PPPoA site with VPN client access and a fixed IP address # SYSTEM configuration set system name=Branch1 # USER configuration set user securedelay=600 # Add your approved roaming VPN client usernames. add user=roamin[...]

  • Page 44

    # allows incoming roaming VPN client connections. The clients can # only target a known, unchanging address. create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off set ppp=0 username="branch office 1" password=branch1 iprequest=off # Note that this[...]

  • Page 45

    # Log configuration # If desired, forward router log entries to a UNIX-style syslog # server. create log output=2 destination=syslog server=< your-local-syslog-server-address > syslogformat=extended add log out=2 filter=1 sev=>3 # IPSEC configuration #[...]

  • Page 46

    # ISAKMP Configuration create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both set isa pol=hq localid=branch1 encalg=3des2key create isakmp pol=roaming pe=any key=1 set isa pol=roaming sendd=true sendi=true natt=true localid=branch1 enable isakmp # FI[...]

  • Page 47

    # Create a pair of rules to allow office-to-office payload traffic to # pass through the firewall without applying NAT. # The rule for the public interface uses encapsulation=ipsec to # identify incoming VPN traffic. add firewall poli=branch1 ru=4 ac=non int=pp[...]

  • Page 48

    Branch office 2 AR440S configuration—the PPPoEoA site with a dynamically assigned IP address # SYSTEM configuration set system name=Branch2 # USER configuration set user securedelay=600 # Define a security officer. add user=secoff pass=<your secoff passw[...]

  • Page 49

    # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=branch2 lease=7200 add dhcp poli=branch2 rou=192.168.142.254 add dhcp poli=branch2 subn=255.255.255.0 create dhcp range=branch2_hosts poli=branch2 ip=192.168.142.16 num=32 ena [...]

  • Page 50

    # Create an IPsec policy for branch 2 to headquarters VPN traffic. create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq set ipsec pol=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0 # Create another IPsec poli[...]

  • Page 51

    # If you use telnet instead (not recommended), create a rule for it. # add firewall policy=branch2 ru=7 ac=allo int=ppp0 prot=tcp po=23 # ip=192.168.142.254 gblip=0.0.0.0 gblp=23 # INT configuration - if prioritising VoIP set int=ppp0 mtu=256 set int=ppp0 frag=[...]

  • Page 52

    Extra configuration scripts for lab testing the VPN solution This section provides additional configuration that you may need if you want to lab test the VPN solution. It has scripts for: • setting up a PPPoE access concentrator for branch office 2 to connect to. In a[...]

  • Page 53

    USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11 Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | [...]