Headquarters

can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection.

create firewall policy=hq dynamic=roaming

add firewall policy=hq dynamic=roaming user=any

add firewall policy=hq int=dyn-roaming type=private

Define NAT definitions to use when traffic from the local LAN accesses the Internet and to allow Internet access for remote VPN client users.

add firewall policy=hq nat=enhanced int=vlan1 gblin=eth0

add firewall policy=hq nat=enhanced int=dyn-roaming gblin=eth0

Note: Windows VPN client default behaviour does not support “split tunnelling”. This means that when the Windows VPN tunnel is up, all traffic passes through it, whether the traffic is destined for the headquarters office LAN or for Internet surfing destinations. Therefore, we suggest you define the second NAT above, to allow clients to access the Internet via the headquarters router when their VPN connection is up.

9. Configure the firewall’s access rules

Create a rule to allow incoming ISAKMP negotiation messages to pass through the firewall.

add firewall policy=hq ru=1 ac=allo int=eth0 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblp=500

Create a rule to support NAT-T. If a NAT gateway is detected in the VPN path, NAT-T “port floats” IKE to port 4500, and also encapsulates IPsec inside UDP headers to the same port. Therefore, UDP traffic to port 4500 must be allowed to pass through the firewall.

add firewall policy=hq ru=2 ac=allo int=eth0 prot=udp po=4500 ip=200.200.200.1 gblip=200.200.200.1 gblp=4500

Create a rule for the roaming VPN clients. Windows VPN client uses L2TP (UDP to port 1701) encapsulated inside IPsec. This rule allows L2TP traffic through the firewall if it originally arrived at the router encapsulated in IPsec (and was decapsulated by the IPsec process before it passed to the firewall).

add firewall policy=hq ru=3 ac=allo int=eth0 prot=udp po=1701 ip=200.200.200.1 gblip=200.200.200.1 gblp=1701 enc=ips

Create a pair of rules to allow office-to-office payload traffic to pass through the firewall without applying NAT. This traffic must bypass NAT so that the traffic matches subsequent IPsec policy address selectors. You need two rules—one for the public interface and one for the private interface—so that office-to-office payload traffic bypasses NAT regardless of which side initiated the session.

The rule for the public interface uses encapsulation=ipsec to identify incoming VPN traffic—decrypted payload data that came from the IPsec module.

add firewall policy=hq ru=4 ac=non int=eth0 prot=all enc=ips

Page 14 AlliedWare™ OS How To Note: VPNs for Corporate Networks

Page 14
Image 14
Allied Telesis AR440S manual Configure the firewall’s access rules

AR440S specifications

Allied Telesis offers a range of advanced routers designed to meet the connectivity and operational needs of modern enterprises. Among its extensive lineup, the AR450S, AR441S, AR415S, AR442S, and AR440S models stand out for their robust features and technologies, making them ideal solutions for various networking environments.

The Allied Telesis AR450S is a high-performance router tailored for service providers and large enterprises. It supports advanced routing protocols, including IPv4 and IPv6, ensuring compatibility with both legacy and modern networks. The AR450S boasts substantial throughput capabilities, making it suitable for bandwidth-intensive applications. Its versatile WAN options, including Ethernet and cellular connectivity, allow seamless integration into diverse network architectures.

Next in the lineup is the AR441S, which focuses on providing enhanced security and reliability. With built-in firewall capabilities and VPN support, this model ensures secure communication over the internet. The AR441S also features numerous Ethernet ports for flexible connectivity, enabling organizations to scale their networks as needed. Its user-friendly interface facilitates straightforward configuration and management.

The AR415S is designed for branch offices and small to medium-sized enterprises. This router offers a balance of performance and affordability, equipped with essential features like Quality of Service (QoS) and traffic shaping. The AR415S supports multiple WAN connections, which helps in maintaining reliable internet access by auto-failing to backup connections when necessary.

The AR442S incorporates advanced networking technologies, including dynamic routing protocols and deep packet inspection. This model enhances performance by optimizing traffic flow and improving bandwidth utilization. Its support for VoIP and other multimedia applications makes it an excellent choice for organizations seeking to maximize their communication capabilities.

Lastly, the AR440S is engineered for high availability and redundancy. It includes dual power supplies and hot-swappable components, ensuring that network services remain uninterrupted during maintenance. The AR440S is particularly valuable in mission-critical environments where downtime can lead to significant business disruption.

In summary, the Allied Telesis AR series routers—AR450S, AR441S, AR415S, AR442S, and AR440S—offer a rich set of features tailored to various operational needs. With their advanced routing capabilities, security features, and reliable performance, these routers represent the cutting edge of networking technology for businesses looking to enhance their connectivity and operational efficiency.