Allied Telesis AlliedWare AR440S user manual

User manual for the device Allied Telesis AlliedWare AR440S

Device: Allied Telesis AlliedWare AR440S
Category: Network Card
Manufacturer: Allied Telesis
Size: 0.35 MB
Added : 11/12/2013
Number of pages: 53
Print the manual

Download

How to use this site?

Our goal is to provide you with a quick access to the content of the user manual for Allied Telesis AlliedWare AR440S. Using the online preview, you can quickly view the contents and go to the page where you will find the solution to your problem with Allied Telesis AlliedWare AR440S.

For your convenience

If looking through the Allied Telesis AlliedWare AR440S user manual directly on this website is not convenient for you, there are two possible solutions:

  • Full Screen Viewing - to easily view the user manual (without downloading it to your computer), you can use full-screen viewing mode. To start viewing the user manual Allied Telesis AlliedWare AR440S on full screen, use the button Fullscreen.
  • Downloading to your computer - You can also download the user manual Allied Telesis AlliedWare AR440S to your computer and keep it in your files. However, if you do not want to take up too much of your disk space, you can always download it in the future from ManualsBase.
Allied Telesis AlliedWare AR440S User manual - Online PDF
Advertisement
« Page 1 of 53 »
Advertisement
Print version

Many people prefer to read the documents not on the screen, but in the printed version. The option to print the manual has also been provided, and you can use it by clicking the link above - Print the manual. You do not have to print the entire manual Allied Telesis AlliedWare AR440S but the selected pages only. paper.

Summaries

Below you will find previews of the content of the user manuals presented on the following pages to Allied Telesis AlliedWare AR440S. If you want to quickly view the content of pages found on the following pages of the manual, you can use them.

Abstracts of contents
Summary of the content on the page No. 1

TM
AlliedWare OS
How To | Configure VPNs in a Corporate Network, with
Optional Prioritisation of VoIP
Introduction
In this How To Note’s example, a headquarters office has VPNs to two branch offices and a
number of roaming VPN clients. The example illustrates the following possible components
that you could use in a corporate network:
VPNs between a headquarters office and roaming VPN clients, such as travellers’ laptops
VPNs between a branch office and roaming VPN clients, such as travelle

Summary of the content on the page No. 2

How to make voice traffic high priority ........................................................................................... 30 How to prioritise outgoing VoIP traffic from the headquarters router ............................ 31 How to prioritise outgoing VoIP traffic from the branch office 1 router ......................... 33 How to prioritise outgoing VoIP traffic from the branch office 2 router ......................... 35 How to test your VPN solution ................................

Summary of the content on the page No. 3

About IPsec modes: tunnel and transport This solution uses two types of VPN: IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to- site (router-to-router) VPNs. IPsec transport mode with L2TP, for the roaming Windows VPN clients. The following figure shows the protocol stacks for the tunnel mode VPN and the transport mode VPN for the connection type PPPoA. IP IPsec payload (dynamic PPP PPP using template) using L2TP server IPsec payload IP L2TP definition t

Summary of the content on the page No. 4

Background: NAT-T and policies NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site that is behind a NAT gateway. NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT gateway, such as some ADSL devices. Note that AR44xS series rou

Summary of the content on the page No. 5

Policies and It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the interfaces following different ways: Firewall rules can be applied on either private or public interfaces. The rules are matched against traffic that comes into the interface to which they were applied. Rules applied to private interfaces are typically quite different to rules applied to public interfaces. IPsec policies are applied only on the public interface. The policy definit

Summary of the content on the page No. 6

How to configure VPNs in typical corporate networks This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers. The headquarters router is acting as a VPN Access Concentrator, and allows for VPN access from either of the branch office sites or from roaming laptop VPN clients. The network is illustrated in the following figure. branch office 1 Telco’s ADSL ISP’s headquarters VPN router exchange route

Summary of the content on the page No. 7

2. The branch office 1 router, which provides: an ADSL PPPoA Internet connection. Note that the PPPoA connection requires an ATM DSLAM VPN access to headquarters using IPsec tunnel mode incoming VPN client access from roaming users a fixed Internet address so that roaming VPN clients have a known target for the branch office end of the VPN 3. The branch office 2 router, which provides: an ADSL PPPoEoA Internet connection VPN access to headquarters using IPsec tunnel mode a dynamically a

Summary of the content on the page No. 8

How to configure the headquarters VPN access concentrator Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel= pat= gui= set conf=none disable system security restart reboot Note: A software QoS extension to this configuration, to prioritise VoIP traffic over the VPNs, is available in "How to prioritise outgoing VoIP traffic from the headquarters r

Summary of the content on the page No. 9

2. Configure IP for internet access Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line. enable ip add ip int=eth0 ip=200.200.200.1 Give a fixed private address to the interface vlan1, which connects the router to the headquarters LAN. add ip int=vlan1 ip=192.168.140.254 Set the default route. The next hop is the gateway address provided by the ISP. add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=2

Summary of the content on the page No. 10

remote security officers (RSOs). RSO definitions specify trusted remote addresses for security officer users. add user rso ip=[-] enable user rso enable telnet server 4. Capture status information remotely, if desired If desired, set the router to send log messages to a syslog server. create log output=2 destination=syslog server= syslogformat=extended add log out=2 filter=1 sev=>3 If desired, you can configure SNMP to inform you or your service provider of

Summary of the content on the page No. 11

6. Check feature licences Check that you have a 3DES feature licence for the ISAKMP policies. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable feature=3des pass= 7. Configure the VPNs for the branch offices and roaming clients Enable IPsec enable ipsec In this example, IPsec SA specifications propose: ISAKMP as the key management protocol ESP as the I

Summary of the content on the page No. 12

Create IPsec policies to bypass IPsec for ISAKMP messages and the “port floated” key exchange that NAT-T uses. create ipsec pol=isakmp int=eth0 ac=permit lp=500 rp=500 create ipsec pol=isakmp_float int=eth0 ac=permit lp=4500 Create an IPsec policy for the VPN traffic between headquarters and branch office 1. Identify the traffic by its local and remote addresses—in this example the subnet used on the LAN at branch office 1 (remote) is 192.168.141.0/24. Note that the local address selector is

Summary of the content on the page No. 13

the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies. the policies include local IDs. These allow the remote peers to identify incoming ISAKMP packets from the headquarters router through any NAT gateways in the path. Create an ISAKMP policy for the VPN to branch 1, with a fixed address. Use ISAKM

Summary of the content on the page No. 14

can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=hq dynamic=roaming add firewall policy=hq dynamic=roaming user=any add firewall policy=hq int=dyn-roaming type=private Define NAT definitions to use when traffic from the local LAN accesses the Internet and to allow Internet access for remote VPN client users. add firewall policy=hq nat=enhanced int=vlan1 gblin=et

Summary of the content on the page No. 15

The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254 rem=192.168.141.0-192.168.144.254 If you configured SSH (recommended), create a rule to allow SSH traffic to pass through the firewall. add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22 If you instead stayed with telnet (not recommended) an

Summary of the content on the page No. 16

How to configure the AR440S router at branch office 1 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel= pat= gui= set conf=none disable system security restart reboot Note: A software QoS extension to this configuration, to prioritise VoIP traffic over the VPNs, is available in "How to prioritise outgoing VoIP traffic from the branch office 1 ro

Summary of the content on the page No. 17

2. Configure ADSL for internet access Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 3. Configure PPP for PPPoA Create your PPPoA link, and define the username and password needed for Internet access. This is provided by your Internet Service Provider (ISP). create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off set ppp=0 username="branch office 1" password

Summary of the content on the page No. 18

5. Configure remote management access, if desired If you need remote management access, we strongly recommend that you use Secure Shell (SSH). You should not telnet to a secure gateway. To configure SSH, define appropriate RSA encryption keys, then enable the SSH server. create enco key=2 type=rsa length=1024 description="host key" format=ssh create enco key=3 type=rsa length=768 description="server key" format=ssh enable ssh server serverkey=3 hostkey=2 Enable the user who connects via SSH

Summary of the content on the page No. 19

7. Configure dynamic PPP over L2TP connections You need to configure dynamic PPP over L2TP to accept incoming Windows VPN client connections. Create an IP pool to allocate unique internal payload addresses to incoming VPN clients. create ip pool=roaming ip=192.168.144.1-192.168.144.50 Define a PPP template. This defines authentication and uses the IP pool of addresses. create ppp template=1 set ppp template=1 bap=off ippool=roaming authentication=chap echo=10 lqr=off Configure L2TP. When the r

Summary of the content on the page No. 20

(for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility. We propose the most secure option first. Create an SA specification for the headquarters office site-to-site VPN. This SA specification uses tunnel mode by default. create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha Create a group of SA specifica


Alternative user manuals
# User manual Category Download
1 Allied Telesis AT-2701FTXA/SC User manual Network Card 7
2 Allied Telesis AT-2711LX/SC User manual Network Card 1
3 Allied Telesis AT-2711FX/SC User manual Network Card 5
4 Allied Telesis AT-2701FXA/ST User manual Network Card 4
5 Allied Telesis ADSL48 User manual Network Card 1
6 Allied Telesis AT-2701FXA/SC User manual Network Card 1
7 Allied Telesis AT-2874SX User manual Network Card 2
8 Allied Telesis AT-2711FX/MT User manual Network Card 0
9 Allied Telesis AT-2711LX/LC User manual Network Card 1
10 Allied Telesis AT-2911LTX/SC User manual Network Card 0
11 Allied Telesis AT-2911LX/SC User manual Network Card 2
12 Allied Telesis AT-2911GP/SXLC User manual Network Card 1
13 Allied Telesis AT-2911STX/LC User manual Network Card 1
14 Allied Telesis AT-2911LX/LC User manual Network Card 1
15 Allied Telesis AT-2911SFP/2 User manual Network Card 3
16 Sony BTA-NW1A User manual Network Card 2
17 Sony BKMW-E3000 User manual Network Card 2
18 Sony AC-SQ950D User manual Network Card 0
19 Sony BBV RX100 User manual Network Card 3
20 Sony CLIE A-AVZ-100-11 User manual Network Card 1