Resumo do conteúdo contido na página número 1
TM
AlliedWare OS
How To | Configure VPNs in a Corporate Network, with
Optional Prioritisation of VoIP
Introduction
In this How To Note’s example, a headquarters office has VPNs to two branch offices and a
number of roaming VPN clients. The example illustrates the following possible components
that you could use in a corporate network:
VPNs between a headquarters office and roaming VPN clients, such as travellers’ laptops
VPNs between a branch office and roaming VPN clients, such as travelle
Resumo do conteúdo contido na página número 2
How to make voice traffic high priority ........................................................................................... 30 How to prioritise outgoing VoIP traffic from the headquarters router ............................ 31 How to prioritise outgoing VoIP traffic from the branch office 1 router ......................... 33 How to prioritise outgoing VoIP traffic from the branch office 2 router ......................... 35 How to test your VPN solution ................................
Resumo do conteúdo contido na página número 3
About IPsec modes: tunnel and transport This solution uses two types of VPN: IPsec tunnel mode, for the headquarters office to branch office VPNs. These are site-to- site (router-to-router) VPNs. IPsec transport mode with L2TP, for the roaming Windows VPN clients. The following figure shows the protocol stacks for the tunnel mode VPN and the transport mode VPN for the connection type PPPoA. IP IPsec payload (dynamic PPP PPP using template) using L2TP server IPsec payload IP L2TP definition t
Resumo do conteúdo contido na página número 4
Background: NAT-T and policies NAT-T NAT Traversal (NAT-T) can be enabled on any of our IPsec VPN links. It automatically allows IPsec VPNs to traverse any NAT gateways that may be in the VPN path. This is likely to occur with the VPNs from the roaming VPN clients—they are likely to use a LAN at a remote site that is behind a NAT gateway. NAT-T may also be applicable for a site-to-site VPN, if one of the routers is behind a NAT gateway, such as some ADSL devices. Note that AR44xS series rou
Resumo do conteúdo contido na página número 5
Policies and It is useful to keep in mind that you apply firewall rules and IPsec policies to interfaces in the interfaces following different ways: Firewall rules can be applied on either private or public interfaces. The rules are matched against traffic that comes into the interface to which they were applied. Rules applied to private interfaces are typically quite different to rules applied to public interfaces. IPsec policies are applied only on the public interface. The policy definit
Resumo do conteúdo contido na página número 6
How to configure VPNs in typical corporate networks This section describes a typical corporate network using secure VPN. The network consists of a headquarters (HQ) router and two branch office routers. The headquarters router is acting as a VPN Access Concentrator, and allows for VPN access from either of the branch office sites or from roaming laptop VPN clients. The network is illustrated in the following figure. branch office 1 Telco’s ADSL ISP’s headquarters VPN router exchange route
Resumo do conteúdo contido na página número 7
2. The branch office 1 router, which provides: an ADSL PPPoA Internet connection. Note that the PPPoA connection requires an ATM DSLAM VPN access to headquarters using IPsec tunnel mode incoming VPN client access from roaming users a fixed Internet address so that roaming VPN clients have a known target for the branch office end of the VPN 3. The branch office 2 router, which provides: an ADSL PPPoEoA Internet connection VPN access to headquarters using IPsec tunnel mode a dynamically a
Resumo do conteúdo contido na página número 8
How to configure the headquarters VPN access concentrator Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel= pat= gui= set conf=none disable system security restart reboot Note: A software QoS extension to this configuration, to prioritise VoIP traffic over the VPNs, is available in "How to prioritise outgoing VoIP traffic from the headquarters r
Resumo do conteúdo contido na página número 9
2. Configure IP for internet access Give a fixed public address to the interface eth0, which is the Internet connection interface. You can replace eth0 with ppp0 if you use a leased line. enable ip add ip int=eth0 ip=200.200.200.1 Give a fixed private address to the interface vlan1, which connects the router to the headquarters LAN. add ip int=vlan1 ip=192.168.140.254 Set the default route. The next hop is the gateway address provided by the ISP. add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=2
Resumo do conteúdo contido na página número 10
remote security officers (RSOs). RSO definitions specify trusted remote addresses for security officer users. add user rso ip=[-] enable user rso enable telnet server 4. Capture status information remotely, if desired If desired, set the router to send log messages to a syslog server. create log output=2 destination=syslog server= syslogformat=extended add log out=2 filter=1 sev=>3 If desired, you can configure SNMP to inform you or your service provider of
Resumo do conteúdo contido na página número 11
6. Check feature licences Check that you have a 3DES feature licence for the ISAKMP policies. show feature You can purchase feature licences from your Allied Telesis distributor. If necessary, install the licence, using the password provided by your distributor. enable feature=3des pass= 7. Configure the VPNs for the branch offices and roaming clients Enable IPsec enable ipsec In this example, IPsec SA specifications propose: ISAKMP as the key management protocol ESP as the I
Resumo do conteúdo contido na página número 12
Create IPsec policies to bypass IPsec for ISAKMP messages and the “port floated” key exchange that NAT-T uses. create ipsec pol=isakmp int=eth0 ac=permit lp=500 rp=500 create ipsec pol=isakmp_float int=eth0 ac=permit lp=4500 Create an IPsec policy for the VPN traffic between headquarters and branch office 1. Identify the traffic by its local and remote addresses—in this example the subnet used on the LAN at branch office 1 (remote) is 192.168.141.0/24. Note that the local address selector is
Resumo do conteúdo contido na página número 13
the branch office policies use a different encryption transform—3des2key—than the roaming policy. When a new incoming ISAKMP message starts, this lets the router identify whether to match it to the roaming policy or one of the branch office policies. the policies include local IDs. These allow the remote peers to identify incoming ISAKMP packets from the headquarters router through any NAT gateways in the path. Create an ISAKMP policy for the VPN to branch 1, with a fixed address. Use ISAKM
Resumo do conteúdo contido na página número 14
can trust traffic arriving on the dynamic interfaces because—in this example configuration—it can only come from an authenticated and encrypted VPN connection. create firewall policy=hq dynamic=roaming add firewall policy=hq dynamic=roaming user=any add firewall policy=hq int=dyn-roaming type=private Define NAT definitions to use when traffic from the local LAN accesses the Internet and to allow Internet access for remote VPN client users. add firewall policy=hq nat=enhanced int=vlan1 gblin=et
Resumo do conteúdo contido na página número 15
The rule for the private interface uses both source and destination addresses to identify outgoing VPN traffic. add firewall policy=hq ru=5 ac=non int=vlan1 prot=all ip=192.168.140.1-192.168.140.254 rem=192.168.141.0-192.168.144.254 If you configured SSH (recommended), create a rule to allow SSH traffic to pass through the firewall. add firewall policy=hq ru=6 ac=allo int=eth0 prot=tcp po=22 ip=200.200.200.1 gblip=200.200.200.1 gblp=22 If you instead stayed with telnet (not recommended) an
Resumo do conteúdo contido na página número 16
How to configure the AR440S router at branch office 1 Before you begin to configure your router, ensure that it is running the appropriate software release, patch and GUI files and has no configuration. set inst=pref rel= pat= gui= set conf=none disable system security restart reboot Note: A software QoS extension to this configuration, to prioritise VoIP traffic over the VPNs, is available in "How to prioritise outgoing VoIP traffic from the branch office 1 ro
Resumo do conteúdo contido na página número 17
2. Configure ADSL for internet access Create your Asymmetric Digital Subscriber Line (ADSL) connection. Asynchronous Transfer Mode (ATM) is always used over ADSL. enable adsl=0 create atm=0 over=adsl0 add atm=0 channel=1 3. Configure PPP for PPPoA Create your PPPoA link, and define the username and password needed for Internet access. This is provided by your Internet Service Provider (ISP). create ppp=0 over=atm0.1 echo=10 lqr=off bap=off idle=off set ppp=0 username="branch office 1" password
Resumo do conteúdo contido na página número 18
5. Configure remote management access, if desired If you need remote management access, we strongly recommend that you use Secure Shell (SSH). You should not telnet to a secure gateway. To configure SSH, define appropriate RSA encryption keys, then enable the SSH server. create enco key=2 type=rsa length=1024 description="host key" format=ssh create enco key=3 type=rsa length=768 description="server key" format=ssh enable ssh server serverkey=3 hostkey=2 Enable the user who connects via SSH
Resumo do conteúdo contido na página número 19
7. Configure dynamic PPP over L2TP connections You need to configure dynamic PPP over L2TP to accept incoming Windows VPN client connections. Create an IP pool to allocate unique internal payload addresses to incoming VPN clients. create ip pool=roaming ip=192.168.144.1-192.168.144.50 Define a PPP template. This defines authentication and uses the IP pool of addresses. create ppp template=1 set ppp template=1 bap=off ippool=roaming authentication=chap echo=10 lqr=off Configure L2TP. When the r
Resumo do conteúdo contido na página número 20
(for site-to-site VPNs) 3DESOUTER as the encryption algorithm for ESP (for site-to-site VPNs) SHA as the hashing algorithm for ESP authentication (for roaming client VPNs) four possible variants of VPN encryption, for added flexibility. We propose the most secure option first. Create an SA specification for the headquarters office site-to-site VPN. This SA specification uses tunnel mode by default. create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha Create a group of SA specifica
