
Configuring the router > The configuration script

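# Firewall
# NOTE(review): in the extracted page "#Firewall" and "enable fire" had been
# fused onto one line, which would comment out the enable command; they are
# separate lines here.
enable fire
create fire poli=main
# "dynamic" is a template for interfaces that come up on demand (L2TP sessions).
create fire poli=main dy=dynamic
add fire poli=main dy=dynamic user=ANY
add fire poli=main int=vlan1 type=private
#Dynamic private interfaces are accepted from L2TP, which are from
#IPSec only.
add fire poli=main int=dyn-dynamic type=private
add fire poli=main int=eth0 type=public
#The firewall allows for internally generated access to the Internet
#through the following NAT definition.
add fire poli=main nat=enhanced int=vlan1 gblint=eth0
#This NAT definition allows Internet access for remote VPN users by
#providing address translation.
add fire poli=main nat=enhanced int=dyn-dynamic gblint=eth0
# Rule 1 admits IKE (UDP 500) to the office address. No source address is
# given, so any Internet host may start an IKE exchange; that is unavoidable
# for roaming clients, and IKE authentication is what gates them.
add fire poli=main rule=1 int=eth0 action=allow prot=udp ip=<office-Internet-address> port=500 gblip=<office-Internet-address> gblpo=500
#Rule 2 becomes the L2TP tunnel allow rule. Additional security is
#provided by only allowing traffic from IPSec tunnels.
add fire poli=main rule=2 int=eth0 action=allow prot=udp ip=<office-Internet-address> port=1701 gblip=<office-Internet-address> gblpo=1701 encap=ipsec
# SA proposals 1-4, strongest first. Proposals 3 and 4 (single DES) and the
# MD5 variants are legacy algorithms kept only for clients that cannot
# negotiate 3DES/SHA; remove any proposal your clients do not need so a
# peer cannot settle on the weakest one.
create ipsec sas=1 key=isakmp prot=esp encalg=3desouter hashalg=sha mode=transport
create ipsec sas=2 key=isakmp prot=esp encalg=3desouter hashalg=md5 mode=transport
create ipsec sas=3 key=isakmp prot=esp encalg=des hashalg=sha mode=transport
create ipsec sas=4 key=isakmp prot=esp encalg=des hashalg=md5 mode=transport
#The ORDER of proposals is important. You should propose the strongest
#encryption first.
# NOTE(review): the extracted page showed typographic quotes (”…”) around the
# proposal string; the CLI expects plain double quotes.
create ipsec bundle=1 key=isakmp string="1 or 2 or 3 or 4"
# Let the IKE exchange itself (UDP 500 both ends) pass outside IPsec.
create ipsec policy=isakmp int=eth0 action=permit lport=500 rport=500
#This is a generic IPSec policy that multiple IPSec remote PC clients
#can connect through.
# peer=any: a single policy serves every remote client; only L2TP traffic
# (UDP 1701) is matched by it.
create ipsec policy=to_HQ int=eth0 action=ipsec key=isakmp bundle=1 peer=any isa=keys
set ipsec policy=to_HQ transport=udp rport=1701
#The following policy allows for internally generated Internet access.
# NOTE(review): in the extracted page this command shared a line with the
# comment above it, which would have left it unexecuted and blocked all
# non-VPN Internet traffic once IPsec was enabled.
create ipsec policy=Internet int=eth0 act=permit
enable ipsec
# key=1 refers to a key defined elsewhere in the configuration (not on this
# page). With peer=any it is shared by all remote clients, so it should be
# treated as a group secret and rotated when a client is decommissioned —
# confirm against the key definition section.
create isakmp policy=keys peer=any key=1
set isakmp policy=keys sendd=true
enable isakmp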

Page 6 AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
