ページ1に含まれる内容の要旨
TM
AlliedWare OS
How To | Create a VPN between an Allied Telesis Router
1
and a Microsoft Windows 2000 Client, Without
Using NAT-T
Introduction
This document describes how to provide secure remote access through IP security (IPSec)
Virtual Private Networks (VPN).
This VPN solution is suitable for any business deployment and provides your office with
secure internet access and firewall protection, plus remote encrypted VPN access for staff
who work from home.
You should use the companion Note
ページ2に含まれる内容の要旨
Which products and releases does it apply to? > This document describes how to configure the Windows system to use IPSec VPN to connect to your office through the AR415S router. When your staff want to connect to the office they simply use the VPN icon on their desktop to initiate the IPSec VPN connection. Which products and releases does it apply to? The following Allied Telesis routers are most suitable as VPN gateways because they have fast hardware encryption support and high performanc
ページ3に含まれる内容の要旨
Security issue > Security issue Since this Windows VPN solution is usually used to allow remote access into corporate networks, a common security concern is “what happens if the remote laptop or PC is stolen or falls into unauthorised hands?” This is particularly a concern because the VPN connection is enabled through the standard dial-up networking window that allows username and passwords to be saved. A solution to this security concern is to disable the standard behaviour that allows p
ページ4に含まれる内容の要旨
Configuring the router > Perform initial security configuration on the router Configuring the router This section contains a script file for running IPSec encapsulating L2TP on a Head Office AR400 series router, configured to support IPSec remote PC clients. Using this script involves the following steps: 1. "Perform initial security configuration on the router", on this page. 2. Make a copy the script, which starts on page 5. Name it (for example) vpn.cfg. 3. Personalise IP addresses, pass
ページ5に含まれる内容の要旨
Configuring the router > The configuration script The configuration script Note: Comments are indicated in the script below using the # symbol. Placeholders for IP addresses, passwords, etc are indicated by text within < > set system name=”IPSec Gateway” # The command below shows the Security Officer inactive timeout delay. # The default is 60 seconds. During setup you can instead use 600 # seconds if desired. set user securedelay=600 # The incoming L2TP calls will be CHAP authenticated. #
ページ6に含まれる内容の要旨
Configuring the router > The configuration script # Firewall enable fire create fire poli=main create fire poli=main dy=dynamic add fire poli=main dy=dynamic user=ANY add fire poli=main int=vlan1 type=private # Dynamic private interfaces are accepted from L2TP, which are from # IPSec only. add fire poli=main int=dyn-dynamic type=private add fire poli=main int=eth0 type=public # The firewall allows for internally generated access to the Internet # through the following NAT definition. add fi
ページ7に含まれる内容の要旨
Configuring the router > Set the router to use the configuration Set the router to use the configuration After loading the configuration onto the switch, set the router to use the script after a reboot. If you named the script vpn.cfg, enter the command: set conf=vpn.cfg If you entered the configuration directly into the command line instead of loading the script, save the configuration by entering the commands: create conf=vpn.cfg set conf=vpn.cfg Page 7 | AlliedWare™ OS How To Note: VPNs
ページ8に含まれる内容の要旨
Configuring the VPN client > Add a new registry entry Configuring the VPN client Configuring the Windows 2000 VPN client involves the following stages: "Add a new registry entry", on this page "Add the IP Security Policy Management snap-in" on page 9 "Create an IP Security Policy" on page 11 "Create an IP Security Rule" on page 13 "Create an IP Filter" on page 16 "Configure the connection" on page 23 Add a new registry entry To ensure compatibility, you need to make a change to the reg
ページ9に含まれる内容の要旨
Configuring the VPN client > Add the IP Security Policy Management snap-in Add the IP Security Policy Management snap-in Note: You need to know the public IP address for the router from your Internet Service Provider (ISP) for this configuration. This example assumes that you have already set up your internet connection. 1. On your desktop, select Start > Run and enter the following command: mmc This opens the Console window, as shown in the following figure. 2. Select Console Root > Add/R
ページ10に含まれる内容の要旨
Configuring the VPN client > Add the IP Security Policy Management snap-in 3. Click Add. This opens the Add Standalone Snap-In window. Scroll down the list of Available Standalone Snap-ins and select IP Security Policy Management, as shown in the following figure. 4. Click Add. This opens the Select Computer window, which lets you select the computer or domain that the snap-in will manage. Select Local computer, as shown in the following figure. 5. Click Finish, then Close, then OK, to ret
ページ11に含まれる内容の要旨
Configuring the VPN client > Create an IP Security Policy Create an IP Security Policy 1. On the Console window, click, then right-click IP Security Policies on Local Machine. 2. Select Create IP Security Policy. This opens the IP Security Policy Wizard, as shown in the following figure. Page 11 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ12に含まれる内容の要旨
Configuring the VPN client > Create an IP Security Policy 3. Click Next, then enter a name for your security policy (e.g. “To Head Office”), as shown in the following figure. 4. Click Next. This opens the Requests for Secure Communication window. Clear the Activate the default response rule checkbox, as shown in the following figure. Page 12 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ13に含まれる内容の要旨
Configuring the VPN client > Create an IP Security Rule 5. Click Next. You have now completed the IP Security Policy Wizard, as shown in the following figure. 6. Leave the Edit properties checkbox checked. Click Finish. Create an IP Security Rule 1. Clicking Finish in the previous step opens the IP Security Policy Properties window, as shown in the following figure. Page 13 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ14に含まれる内容の要旨
Configuring the VPN client > Create an IP Security Rule 2. Click Add. This opens the Security Rule Wizard, as shown in the following figure. 3. Click Next. The next window lets you specify the tunnel endpoint for the IP Security rule, if required. A tunnel endpoint is not required for this example. Therefore, make sure This rule does not specify a tunnel is selected, as shown in the following figure. Page 14 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ15に含まれる内容の要旨
Configuring the VPN client > Create an IP Security Rule 4. Click Next. The next window lets you specify the network type the IP Security rule applies to. Make sure the All network connections option is selected, as shown in the following figure. 5. Click Next. The next window lets you specify the authentication method for the IP Security rule. Select the Use this string to protect the key exchange (preshared key) option, as shown in the following figure. In the text box underneath the o
ページ16に含まれる内容の要旨
Configuring the VPN client > Create an IP Filter Create an IP Filter 1. Click Next. The next window, shown in the following figure, lets you specify the IP filter for the type of IP traffic the IP Security rule applies to. 2. Click Add to start creating a new filter. This opens the IP Filter List Name window. Enter a name (e.g. “L2TP Tunnel Filter”), as shown in the following figure. Page 16 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ17に含まれる内容の要旨
Configuring the VPN client > Create an IP Filter 3. Click Add. This starts the IP Filter Wizard, as shown in the following figure. 4. Click Next. This opens the IP Traffic Source window. Select My IP Address from the Source address drop- down box, as shown in the following figure. Page 17 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ18に含まれる内容の要旨
Configuring the VPN client > Create an IP Filter 5. Click Next. This opens the IP Traffic Destination window. Select A specific IP Address from the Destination address drop-down box, as shown in the following figure. Enter the destination IP address of your Allied Telesyn router. This must be a valid Internet address. 6. Click Next. This opens the IP Protocol Type window. Select UDP from the drop-down box, as shown in the following figure. Page 18 | AlliedWare™ OS How To Note: VPNs with W
ページ19に含まれる内容の要旨
Configuring the VPN client > Create an IP Filter 7. Click Next. This opens the IP Protocol Port window. Select From this port and enter 1701, as shown in the following figure. 8. Click Next. This completes the IP Filter wizard. Leave the Edit properties box unchecked, as shown in the following figure. Page 19 | AlliedWare™ OS How To Note: VPNs with Windows 2000 clients, without NAT-T
ページ20に含まれる内容の要旨
Configuring the VPN client > Create an IP Filter 9. Click Finish, then on the IP Filter List window, click Close. This returns you to the Security Rule Wizard IP Filter List window. The filter list now includes your new L2TP Tunnel Filter filter, as shown in the following figure. 10. Select L2TP Tunnel Filter and click Next. This opens the Filter Action window. Select Require Security, as shown in the following figure. This option forces the VPN client to use strong security. Microsoft Win