Instruction/maintenance manual of the product AR440S Allied Telesis
C613-16049-00 REV E www.alliedtelesis.com | AlliedWare™ OS How To | Introduction. In this How To Note's example, a headquarters office has VPNs to two branch offices and a number of roaming VPN clients.
Page 2 | AlliedWare™ OS How To Note: VPNs for Corporate Networks | How to make voice traffic high priority ........................ 30 How to prioritise outgoing VoIP traffic from the headquarters router.
Page 3 | About IPsec modes: tunnel and transport. This solution uses two types of VPN: • IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to-site (router-to-router) VPNs.
Page 4 | Background: NAT-T and policies. NAT-T: NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path.
Page 5 | Policies and interfaces. It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the following different ways: • Firewall rules can be applied on either private or public interfaces.
Page 6 | How to configure VPNs in typical corporate networks. This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers.
Page 7 | 2. The branch office 1 router, which provides: • an ADSL PPPoA Internet connection.
Page 8 | Headquarters | How to configure the headquarters VPN access concentrator. Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
Page 9 | Headquarters | Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line. enable ip add ip int=eth0 ip=200.
Page 10 | Headquarters | remote security officers (RSOs). RSO definitions specify trusted remote addresses for security officer users.
Page 11 | Headquarters | Check that you have a 3DES feature licence for the ISAKMP policies. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor.
Page 12 | Headquarters | Create IPsec policies to bypass IPsec for ISAKMP messages and the "port floated" key exchange that NAT-T uses.
Page 13 | Headquarters | • the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies.
Page 14 | Headquarters | can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection.
Page 15 | Headquarters | The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.
Page 16 | Branch office 1 | How to configure the AR440S router at branch office 1. Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
Page 17 | Branch office 1 | Create your Asymmetric Digital Subscriber Line (ADSL) connection.
Page 18 | Branch office 1 | If you need remote management access, we strongly recommend that you use Secure Shell (SSH). You should not telnet to a secure gateway. To configure SSH, define appropriate RSA encryption keys, then enable the SSH server.
Page 19 | Branch office 1 | You need to configure dynamic PPP over L2TP to accept incoming Windows VPN client connections. Create an IP pool to allocate unique internal payload addresses to incoming VPN clients.
Page 20 | Branch office 1 | • (for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP • (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication • (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility.
Page 21 | Branch office 1 | Create your ISAKMP pre-shared key. This key is used when initiating your VPN during phase one ISAKMP exchanges with your VPN peers.
Page 22 | Branch office 1 | can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection.
Page 23 | Branch office 1 | The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=branch1 ru=5 ac=non int=vlan1 prot=all ip=192.
Page 24 | Branch office 2 | How to configure the AR440S router at branch office 2. Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration.
Page 25 | Branch office 2 | Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 Branch 2 uses PPPoEoA (PPP over virtual ethernet over ATM).
Page 26 | Branch office 2 | If desired, set up the router as a DHCP server for the branch office 2 LAN. create dhcp policy=branch2 lease=7200 add dhcp policy=branch2 rou=192.168.142.254 add dhcp policy=branch2 subn=255.
Page 27 | Branch office 2 | Check that you have a 3DES feature licence for the ISAKMP policy. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor.
Page 28 | Branch office 2 | Create another IPsec policy for direct Internet traffic from the headquarters LAN to the Internet, such as web browsing. create ipsec pol=internet int=ppp0 ac=permit Note: The order of the IPsec policies is important.
Page 29 | Branch office 2 | Branch office 2 does not need rule 3 that the other sites have, because branch office 2 has no roaming VPN client connections. Create a pair of rules to allow office-to-office payload traffic to pass through the firewall without applying NAT.
Page 30 | How to make voice traffic high priority. This is an optional enhancement to the configuration of the routers. It prioritises outgoing voice traffic higher than other outgoing traffic on each VPN, to maximise call quality.
Page 31 | Headquarters | How to prioritise outgoing VoIP traffic from the headquarters router. Add the following steps after step 9 on page 14.
Page 32 | Headquarters | Apply the policy to the VPN between headquarters and branch office 1. set sqos interface=ipsec-branch1 tunnelpolicy=1 Apply the policy to the VPN between headquarters and branch office 2.
Page 33 | Branch office 1 | How to prioritise outgoing VoIP traffic from the branch office 1 router. Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP signalling packets with DSCP 48.
Page 34 | Branch office 1 | This example creates four triggers, which allows for up to four simultaneous roaming client VPNs. You can scale this to the correct number for your network. Create the following scripts as text files on the router.
Page 35 | Branch office 2 | How to prioritise outgoing VoIP traffic from the branch office 2 router. Add the following steps after step 11 on page 22. In this example, the originating VoIP appliance has marked VoIP traffic and VoIP control packets with DSCP 48.
Page 36 | How to test your VPN solution. If the following tests show that your tunnel is not working, see the How To Note How To Troubleshoot A Virtual Private Network (VPN).
Page 37 | Configuration scripts for headquarters and branch offices. This section provides script-only versions of the three configurations described earlier in this document.
Page 38 | Headquarters | Headquarters VPN access concentrator's configuration # System configuration set system name=HQ # User configuration set user securedelay=600 # Add your approved roaming VPN client usernames.
Page 39 | Headquarters | # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=hq lease=7200 add dhcp poli=hq rou=192.168.140.254 add dhcp poli=hq subn=255.255.
Page 40 | Headquarters | # Create a group of SA specifications for the roaming VPN clients.
Page 41 | Headquarters | # FIREWALL configuration enable firewall create firewall policy=hq enable firewall policy=hq icmp_f=all # Define a firewall dynamic definition to work with dynamic # interfaces.
Page 42 | Headquarters | # If you configured SSH, create a rule for SSH traffic. add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22 # If you use telnet instead (not recommended), create a rule for it.
Page 43 | Branch office 1 | Branch office 1 AR440S configuration—the PPPoA site with VPN client access and a fixed IP address # SYSTEM configuration set system name=Branch1 # USER configuration set user securedelay=600 # Add your approved roaming VPN client usernames.
Page 44 | Branch office 1 | # allows incoming roaming VPN client connections. The clients can # only target a known, unchanging address.
Page 45 | Branch office 1 | # Log configuration # If desired, forward router log entries to a UNIX-style syslog # server.
Page 46 | Branch office 1 | # ISAKMP Configuration create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both set isa pol=hq localid.
Page 47 | Branch office 1 | # Create a pair of rules to allow office-to-office payload traffic to # pass through the firewall without applying NAT. # The rule for the public interface uses encapsulation=ipsec to # identify incoming VPN traffic.
Page 48 | Branch office 2 | Branch office 2 AR440S configuration—the PPPoEoA site with a dynamically assigned IP address # SYSTEM configuration set system name=Branch2 # USER configuration set user securedelay=600 # Define a security officer.
Page 49 | Branch office 2 | # DHCP configuration # If desired, use the router as a DHCP server. create dhcp poli=branch2 lease=7200 add dhcp poli=branch2 rou=192.168.142.254 add dhcp poli=branch2 subn=255.
Page 50 | Branch office 2 | # Create an IPsec policy for branch 2 to headquarters VPN traffic. create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq set ipsec pol=hq lad=192.
Page 51 | Branch office 2 | # If you use telnet instead (not recommended), create a rule for it. # add firewall policy=branch2 ru=7 ac=allo int=ppp0 prot=tcp po=23 # ip=192.168.142.254 gblip=0.
Page 52 | Extra configuration scripts for lab testing the VPN solution. This section provides additional configuration that you may need if you want to lab test the VPN solution. It has scripts for: • setting up a PPPoE access concentrator for branch office 2 to connect to.
USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 | European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.