Allied Telesis AR440S manual Configure the VPNs for connecting to the headquarters office

branch office 2

7. Check feature licences

Check that you have a 3DES feature licence for the ISAKMP policy.

show feature

You can purchase feature licences from your Allied Telesis distributor.

If necessary, install the licence, using the password provided by your distributor.

enable feature=3des pass=<licence-number>

8. Configure the VPNs for connecting to the headquarters office

Enable IPsec

enable ipsec

In this example, IPsec SA specification proposes:

zISAKMP as the key management protocol

zESP as the IPsec protocol

z3DES as the encryption algorithm for ESP

zSHA as the hashing algorithm for ESP authentication

Create an SA specification for the headquarters office site-to-site VPN. This SA specification uses tunnel mode by default.

create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha

Note that the branch office 2 router has no connections from roaming VPN clients so does not need SA specifications for them.

Create an IPsec bundle for the SA specification.

create ipsec bund=1 key=isakmp string="1"

Create an IPsec policy to permit ISAKMP messages to bypass IPsec.

create ipsec pol=isakmp int=ppp0 ac=permit lp=500 rp=500

Create an IPsec policy for the VPN traffic between headquarters and branch office 2. Identify the traffic by its local and remote addresses—in this example the subnet used on the LAN at branch office 2 (local) is 192.168.142.0/24 so use that as the local address selector. However, define a wider remote address selector, to allow for other incoming VPN traffic via headquarters.

create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0