
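# Create an IPsec policy for branch 2 to headquarters VPN traffic.
# The commands below were line-wrapped in the printed note; each command
# is one line. This policy is created before the catch-all "internet"
# policy so that, assuming policies are evaluated in order, VPN-bound
# traffic is protected rather than passed in the clear.
create ipsec pol=hq int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=hq
# Selectors: local = the branch 2 LAN (192.168.142.0/24); remote = the whole
# 192.168.0.0/16, i.e. headquarters plus any other site using that space.
set ipsec pol=hq lad=192.168.142.0 lma=255.255.255.0 rad=192.168.0.0 rma=255.255.0.0
# Create another IPsec policy to allow for direct Internet access
# such as web browsing. ac=permit passes traffic unprotected, so anything
# that fails to match the hq selectors above leaves this way — keep the
# selectors (and the firewall nonat ranges) in sync with what must be
# tunnelled.
create ipsec pol=internet int=ppp0 ac=permit
enable ipsec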
# ISAKMP Configuration
# key=1 refers to a pre-shared key created elsewhere (not shown in this
# excerpt); the same key must be configured on the headquarters router.
# sendd=true and heart=both presumably enable delete notifications and
# bidirectional heartbeats so a torn-down or dead peer is noticed.
create isakmp pol=hq pe=200.200.200.1 key=1 sendd=true heart=both
# NOTE(review): 3des2key is two-key Triple DES, deprecated by NIST
# SP 800-131A. Prefer a stronger cipher if this firmware offers one, and
# review the hash algorithm, DH group and SA lifetime defaults this policy
# inherits rather than relying on them silently.
set isakmp pol=hq localid=branch2 encalg=3des2key
enable isakmp
# FIREWALL configuration
enable firewall
create firewall policy=branch2
# icmp_f=all forwards every ICMP type through the firewall; consider
# limiting it to the ICMP types the site actually needs.
enable firewall policy=branch2 icmp_f=all
# Specify the private and public interfaces.
add firewall policy=branch2 int=vlan1 type=private
add firewall policy=branch2 int=ppp0 type=public
# Create a NAT definition for traffic from the branch office 2 LAN to
# use when accessing the Internet. VPN traffic is exempted from this NAT
# by the nonat rules that follow; anything not exempted is translated.
add firewall poli=branch2 nat=enhanced int=vlan1 gblin=ppp0
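# Create a rule to allow incoming ISAKMP negotiation to pass through
# the firewall. This rule specifies 0.0.0.0 as the global IP address
# because the PPP address of branch office 2 is dynamically assigned.
# The rule uses the LAN address to identify matching traffic.
# (Single command; it was line-wrapped in the printed note.)
add firewall poli=branch2 ru=1 ac=allo int=ppp0 prot=udp po=500 ip=192.168.142.254 gblip=0.0.0.0 gblp=500
# Pin the rule to the headquarters peer. Without a remote address the rule
# accepts UDP 500 from anywhere on the Internet and exposes the ISAKMP
# responder to every scanner; the peer has a static address (the same one
# used in the ipsec and isakmp policies), so it can be restricted here.
# Extend the remote range if further peers are added later.
set firewall poli=branch2 ru=1 rem=200.200.200.1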
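# Create a pair of rules to allow office-to-office payload traffic to
# pass through the firewall without applying NAT.
# The rule for the public interface uses encapsulation=ipsec to
# identify incoming VPN traffic (anything that arrived inside the tunnel).
add firewall poli=branch2 ru=4 ac=non int=ppp0 prot=all enc=ips
# The rule for the private interface uses both source and destination
# addresses to identify outgoing VPN traffic.
# (Single command; it was line-wrapped in the printed note.)
add firewall poli=branch2 ru=5 ac=non int=vlan1 prot=all ip=192.168.142.1-192.168.142.254
# NOTE(review): this remote range (192.168.140.0-192.168.144.254) is
# narrower than the IPsec policy's remote selector (192.168.0.0/16). LAN
# traffic to a 192.168.x.x destination outside this range is presumably
# NATed to the ppp0 address, would then no longer match the hq selectors,
# and would leave unprotected via the "internet" policy. Keep this range
# and the IPsec selector aligned, or narrow the selector to match.
set firewall poli=branch2 ru=5 rem=192.168.140.0-192.168.144.254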
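# If you configured SSH, create a rule for SSH traffic.
# (Single command; it was line-wrapped in the printed note.)
add firewall policy=branch2 ru=6 ac=allo int=ppp0 prot=tcp po=22 ip=192.168.142.254 gblip=0.0.0.0 gblp=22
# As written, the rule accepts SSH from any address on the Internet. Limit
# it to the address(es) administrators actually connect from; the
# headquarters public address is used here — replace it with your
# management source. If management only ever happens over the VPN, omit
# rule 6 entirely: tunnelled SSH should already be admitted by rule 4
# (encapsulation=ipsec on ppp0) and needs no public-side rule.
set firewall policy=branch2 ru=6 rem=200.200.200.1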