
  • 8/18/2019 237126406 Allied Telesis

Helpful Configuration Scripts for the AR Router Series


Revision History (Author, Revision, Date: Modifications)

ST 5.8.4, 5 March 2001:
  Ex 5.6: Correction to firewall rule 1 interface
  Ex 6.3: Firewall rule 2 and 3 removed, rule 4 renumbered to 2, rule 3 (internal "nonat") added
  Ex 6.4: Heading adjusted, Note adjusted, Firewall rule 3 added
  Ex 6.5: Heading adjusted, Comments adjusted
  Ex 6.6: Two gateways example added
  Ex 6.7: IPSec Testing notes added

ST 5.8.5, 17 March 2001:
  Ex 6.3: Add "isa" parameter to associate ipsec policy with specific isakmp policy. Create separate isakmp policies for remoffice and roaming VPN clients. Rename isakmp policies on vpn client. Added specific configuration for router B
  Ex 6.6: Add "isa" parameter to associate ipsec policy with specific isakmp policy. Create separate isakmp policies for remoffice and roaming VPN clients. Rename isakmp policies on vpn client.

ST 5.8.6, 3 April 2001:
  Ex 6.3: "sendnotify" parameter added
  Ex 6.3.1, 6.4.1, 6.7: VPN Client interface defined as "dialup"
  Ex 6.5: Removed ppp0 on site A. Modified ADSL pinhole details. Corrected eth0 address at site B.
  Ex 6.6 becomes Ex 6.7
  Ex 6.6 inserted: IPSec and Firewall through two NAT gateways (eg: ADSL)

ST 5.8.7, 5 April 2001:
  Ex 5.6: Firewall DMZ modified to dual policy firewall
  Ex 6.2: "remoteip" parameter added to firewall rule 1
  Ex 6.5, 6.7: "sendnotify" parameter added
  Ex 6.6: Renamed IPS and ISA policy names, Use "isa" parameter in IPS policy, Add Internet IPS policy
  Ex 6.8: Notes extended to give basic initial debugging modes.
  Ex 6.3, 6.4, 6.5: Secoff user and securedelay defined

TW 5.8.8, 4 July / 24 September 2002:
  Ex 1.4 Changed file names for section
  Ex 1.4 Added link to tftp server software
  Ex 1.5 Added client licences, Deleted Manual key generation
  Ex 4.2 Added CIR/BIR and MTU settings
  Ex 4.3 Deleted
  Ex 5.1.3 Firewall UDP video/voice performance settings
  Ex 5.3 Deleted
  Ex 5.7 Deleted
  Ex 6.1 Deleted SA configuration details and ip settings
  Ex 6.2 Deleted SA configuration details and ip settings
  Ex 6.3 Folded sections and removed rname in router/client
  Ex 6.4 Updated for UDP VPN client

TW 05/08/07, 01/07/04:
  Examples using add ppp=0 over=syn changed to eth1
  Deleted most of the ISDN/ppp examples
  Ex 3.1 Added PPPoE example
  Ex 2.1.3 Added ISDN settings for telecom / telstraclear


ATI are manufacturers of the AR router and are specialists in Layer 3 switches and secure networking devices. More detailed information on the AR products is available on ATI's World Wide Web site www.alliedtelesyn.net.nz

Document text by Mathew Jury, ATI Technical Consultant, Taylor Wilkins, ATI Network Engineer, and Shayle Tasker, Network Engineer, ATR Customer Services Group. Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For technical assistance, please contact the authorised distributor or reseller in your area. Please refer to http


Contents

1. Quick Command Reference ...... 5
1.1. Configurations ...... 5
1.2. Filing, Reboots, and Feature Licences ...... 5
1.3. Command Actions ...... 5
1.4. Upgrade Process ...... 6
1.5. Generating an Encryption Key ...... 6
2. PPP over DDS for Internet (NAT to SMTP Server) and Private networks
2.1. PPP over ISDN Internet Access ...... 8
2.1.1. Example 2.5 with 2 channels always up
2.1.2. Example 2.5 with Cisco's at the ISP
2.1.3. ISDN territory for Telecom / Telstraclear
3. PPPoE ...... 10
3.1. PPPoE and Firewall via Telstraclear/Woosh/Wired Country (IHUG) ...... 10
4. Time Division Multiplexing (TDM) ...... 12
5. Frame Relay ...... 12
5.1. Standard Frame Relay for LMI REV 1 ...... 13
5.2. Standard Frame Relay ISP Access ...... 14
5.3. Standard Frame Relay ISP Access with firewall and DMZ ...... 15
5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network ...... 16
5.4.1. OSPF on the private network, 4.4 continued
6. Simple Firewall over Ethernet with internal mail server
6.1.2. Pinging, Email notification, accounting, and logging ...... 20
6.1.3. Internet Access to Firewall Router ...... 20
6.1.4. UDP Video link through firewall performance tweak ...... 20
6.2. Private Frame Relay with Firewall on ISP Internet PVC ...... 21
6.3. Firewall over Ethernet with Private IP addresses only on the LAN ...... 22
6.4. Firewall with ADSL ...... 23
6.5. Firewall over with a DMZ LAN ...... 24
7. VPN ...... 25
7.1. GRE Tunnel, NAT, and Internet ...... 25
6.2. L2TP Tunnel, Firewall and Internet ...... 26
7.2. IPSec (with ISAKMP), Firewall, and VPN Client
7.2.1. IPSec Client option for Example 6.3 ...... 28
7.3. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client (with Manual Key) ...... 28
7.3.1. IPSec Client option for Example 6.4 ...... 31
7.4. IPSec + ISAKMP (with L2TP) and Firewall router, behind NAT device (eg


    Allied Telesyn router helpful configs

1. Quick Command Reference

1.1. Configurations

Task                                       Command
Show the log                               Show log
View the current release and patch         Show install
Show the system information                Show sys
Save the current configuration             Create config=<config>.cfg
Change the boot configuration file         Set conf=<config>.cfg
What is the current configuration file     Show conf
Show the current RAM configuration         Show conf dyn
                                           Show conf dyn=<sub section>

1.2. Filing, Reboots, and Feature Licences

Task                                              Command
Show file contents in FLASH or NVS                Show fi=<file.ext>
Show files                                        Show fi
To Edit a file                                    Edit <file.ext>
Warm boot the router                              Restart reboot
Quick boot (for applying new configurations)      Restart router
Enable a new feature licence                      Enable feature=<feature> pass=<password>

1.3. Command Actions

To config      To Remove from Configuration    To view and modify
Add            Delete                          Show
Create         Destroy                         Set
Activate       Deactivate                      Reset
Enable         Disable                         Purge


1.4. Upgrade Process

To load the file on the router you need a trivial ftp server software. A windows version is available here: Allied Telesyn tftp server

Upgrade process                          Commands
Make space, delete the old files         Del fi=<oldfile.ext>
Load files                               Load fi=<file.rez> dest=flash serv=<server ip>
                                         Load fi=<file.paz> dest=flash serv=<server ip>
                                         Load fi=<file.hlp> dest=flash serv=<server ip>
Apply a Help file                        Set help=<help>.hlp
Save the config                          Create conf=<current config>
Enable the release licence               Enable rel=<release.rez> num=<release> pass=<password>
Set the current release and patch file   Set inst=pref rel=<release.rez> pat=<patch.paz>
Warm boot the router                     Restart reboot

1.5. Generating an Encryption Key

Check List for Encryption:
1) Do you have full client licences to generate keys?
2) 3DES licence (export permit)
3) EMAC/EPAC Encryption Card?

Task                                              Command
Add security level user                           Add user=secoff pass=secoff priv=security
Keep security officer access for 10 Minutes       Set user securedelay=600
Turn on Security at both ends                     Enable system security
Create the ISAKMP key                             At router 'A'> Create enco key=1 type=gen random
View the key and                                  At router 'A'> Show enco key=1
                                                  (tip: copy and paste this key to router B)
Enter the ISAKMP key at the other end             At router 'B'> Create enco key=1 type=gen val=<router "A" key>
Allow remote Security officer access and          Enable user rso
Specify remote IP address ranges                  Add user rso ip=<remote access ip> mask=<mask>


2. PPP over DDS for Internet (NAT to SMTP Server) and Private networks

[Diagram: Site A, 192.168.10.0, with Mail Server 192.168.10.2; AR300 Access Router; ppp0 on 200.200.200.0/30 to the Internet (Private, NAT, Public); ppp1 on 192.168.254.0 to Site B, 192.168.20.0, whose AR300 Access Router terminates it on ppp0]

Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the creation command.

Router A
#
# PPP Configuration
#
create ppp=0 over=syn0
create ppp=1 over=syn1
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1
add ip int=ppp0 ip=200.200.200.1 mask=255.255.255.252
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
add ip route=192.168.20.0 next=0.0.0.0 int=ppp1
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.0.0 mask=255.255.0.0 gblip=200.200.200.1
add ip nat ip=192.168.10.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp

Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0


2.1. PPP over ISDN Internet Access

[Diagram: Site A, 192.168.10.0; AR300 Access Router; ISDN with Dynamic IP to the Internet (Private, NAT, Public)]

Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the creation command.

Router A
#
# System Configuration
set sys territory=<countrycode>
#
# ISDN Configuration
add isdn call=internet num=12345 prec=out
#
# PPP Configuration
# Note: 2nd B channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off ipreq=on user=<username> pass=<password>
add ppp=0 over=isdn-internet type=demand
#
# IP Configuration
enable ip
enable ip remote
add ip int=eth0 ip=192.168.10.1
add ip int=ppp0 ip=0.0.0.0
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.10.0 mask=255.255.255.0 gblint=ppp0

2.1.1. Example 2.5 with 2 channels always up

Note: Some ISDN providers and/or ISP providers charge per minute and this option may not be affordable. This alternative is intended where an affordable fixed monthly charge account has been offered by ISDN and ISP providers.

Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the creation command.

ISDN + PPP Configuration modifications for 2 channels always up
#
# ISDN Configuration
#
add isdn call=internet num=12345 prec=out keepup=on
#
# PPP Configuration
# Note: No idle parameter, user and password required if going into an ISP
create ppp=0 over=isdn-internet num=2 bap=off user=<username> password=<password>

2.1.2. Example 2.5 with Cisco's at the ISP

PPP Configuration modifications for Cisco at the ISP
#
# PPP Configuration
# Note: 2nd B channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off lqr=off echo=on user=<user name> pass=<password>
add ppp=0 over=isdn-internet type=demand

2.1.3. ISDN territory for Telecom / Telstraclear

ISDN settings for Telecom / Telstraclear
#
# ISDN settings for Telecom
set system territory=newzealand
#
# ISDN settings for Telstraclear
set system territory=europe

3. PPPoE

3.1. PPPoE and Firewall via Telstraclear/Woosh/Wired Country (IHUG)

Note: Proxy arp must be turned off on a Public Shared Ethernet Network

Router A
create ppp=0 idle=999999 over=eth0-any
set ppp=0 iprequest=on username="test@isp.co.nz" password="test"
set ppp=0 over=eth0-any lqr=off echo=10
enable ip
enable ip remote
add ip int=ppp0 ip=0.0.0.0 mas=0.0.0.0
add ip int=vlan1 ip=10.0.0.1 mas=255.255.255.0
add ip int=eth0 ip=1.1.1.1 mas=255.255.255.0
set ip int=eth0 proxy=off
# default route via the PPPoE interface created above (ppp0)
add ip rou=0.0.0.0 mas=0.0.0.0 int=ppp0 next=0.0.0.0
enable firewall
create firewall policy="pppoe"
enable firewall policy="pppoe" icmpf=all
add firewall policy="pppoe" int=vlan1 type=private
add firewall policy="pppoe" int=ppp0 type=public
add firewall poli="pppoe" nat=enhanced int=vlan1 gblin=ppp0

4. Time Division Multiplexing (TDM)

5. Frame Relay

Router A (continued in the second column)
#
# PRI configuration
# Note: "CRC" mode may need to be set to "off" or
# "checking" for the link to become active
# depending on the Telco configuration
# Note: RJ45 pinouts for PRI devices aren't
# standardized; check your NT1 if using RJ45
# termination
set pri=0 mode=tdm
set pri=0 crc=reporting
#
# TDM configuration
#
create tdm group=site_b interface=pri0 slots=1
create tdm group=site_c interface=pri0 slots=6
#
# PPP Configuration
#
create ppp=1 over=tdm-site_b idle=60 comp=on
create ppp=2 over=tdm-site_c idle=60 comp=on
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1 mask=255.255.255.252
add ip int=ppp2 ip=192.168.254.5 mask=255.255.255.252
add ip route=192.168.1.0 next=0.0.0.0 int=ppp1
add ip route=192.168.2.0 next=0.0.0.0 int=ppp2

Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
# Note: Router C change eth and ppp IP address
enable ip
add ip int=eth0 ip=192.168.1.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0

[Diagram: Site A, 192.168.10.0, with DMZ and Mail Server 192.168.10.2; AR395 Access Router on a 2M PRI; ppp1 on 192.168.254.0/30 to Site B, 192.168.1.0 (AR300 Access Router); ppp2 on 192.168.254.4/30 to Site C, 192.168.2.0 (AR300 Access Router)]

5.1. Standard Frame Relay for LMI REV 1 (Sometimes referred to as cisco LMI type)

[Diagram: Frame Relay meshed network joining four AR300 Access Routers: Site A 192.168.1.0, Site B 192.168.2.0, Site C 192.168.3.0, Site D 192.168.4.0; WAN addresses 192.168.254.1 to 192.168.254.4; DLCIs 101, 102, 103, 104]

Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to


5.2. Standard Frame Relay ISP Access

The frame network in NZ uses a MTU of 1500; this needs to be altered on the routers because the default is 1600.

Router A
# Syn
# set syn to the speed the telco is providing eg 1Mbit =1024000
set syn=syn0 speed=2048000
#
# Frame Relay Configuration
# Note: By default LMI is set to


5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network

[Diagram: Site A, 192.168.1.0, with Mail Server 192.168.1.2, AR300 Access Router at 192.168.254.1 (DLCI 101); Site B, 192.168.2.0, AR300 Access Router at 192.168.254.2 (DLCI 102); Site C, 192.168.3.0, AR300 Access Router (DLCI 103); Internet access via DLCI 104 on 200.200.200.1/30 and 200.200.200.2/30]

Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to

5.4.1. OSPF on the private network, 4.4 continued

Router A (First remove the 2 static routes to the private network sites, leave default route)
#
# Frame Relay Configuration
# Note: By default LMI is set to


    Firewall Configs


7.2. IPSec (with ISAKMP), Firewall, and VPN Client

This configuration illustrates two IPSec tunnels, allowing for a remote office, a remote VPN client (roaming user), and Internet access. The VPN client may use a dynamic ip address. This example is not suitable behind a NATing device (eg: ADSL), because of the introduction of the Firewall nonat action shown in this example.

Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# ppp configuration
create ppp=0 over=syn0
# optional set ppp=0 over=syn0 lqr=off echo=on
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=ppp0 ip=200.200.200.1
add ip rou=0.0.0.0 next=0.0.0.0 int=ppp0
# Firewall
# To enable out going ping see example 6.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=ppp0 type=public
add fire poli=main nat=enhanced int=eth0 gblint=ppp0
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
# Rule 3 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
# Includes VPN client configuration for user "roaming1"
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des key=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha key=isakmp
create ips bundle=1 key=isakmp string="1 and 2"
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lmask=255.255.255.0
create ips pol=internet int=ppp0 act=permit
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL on
# router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=222.222.222.1 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on
# Only one policy is required for all dial up users.
cre isa pol=roaming1 peer=any hashalg=sha key=1 mode=aggressive
set isa pol=roaming1 senddeletes=on setcommitbit=on sendnotify=on
enable isakmp
# Optional authentication of remote sites to be done at the head office using a RADIUS server
#set isa pol=roaming1 xauth=server xauthtype=generic
#add radius server=192.168.10.254 secret=secret
# OR add user=boblogin pass=bobpass

[Diagram: Site A, 192.168.10.0, AR300 Access Router at 200.200.200.1 with Internet Access; Virtual Tunnel to Site B, 192.168.20.0, AR300 Access Router at 222.222.222.1; VPN Client (Roaming User) with Dynamic IP]

Router B

set sys name=remoffice
set user securedelay=600
add user=secoff pass=<your password> priv=sec
create ppp=0 over=syn0
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=222.222.222.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
# Firewall
# To enable out going ping see example 6.1.1
enable firewall
create firewall policy=


Note: Use the Manual Key option to get through a NATing device (eg: ADSL) between routers, or use example ... UDP 500 correctly. Manual keys are sometimes required due to poor pinholing of UDP 500 on some ADSL routers.


Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable out going ping see example 6.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
add firewall poli=main ru=1 ac=allow int=eth1 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblpo=500
add firewall poli=main ru=2 ac=allow int=eth1 prot=udp po=2746 ip=200.200.200.1 gblip=200.200.200.1 gblpo=2746
add fire poli=main rule=3 int=eth1 action=nonat ip=192.168.10.1-192.168.10.254 prot=all encap=ipsec
# Rule 4 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=4 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=4 remoteip=192.168.20.1-192.168.20.254
add firewall poli=main ru=5 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=5 remoteip=192.168.30.2-192.168.30.3
# IPSec
# Includes VPN client configuration for user "roaming1". The same key is used for the remote office
# and the remote VPN client PC (laptop).
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type DES on
# router A for 'Pc1' & 'Pc2' and type general for isakmp.
# Manual key examples are included because some adsl modems pinholes do not support isakmp correctly.
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
create ipsec sas=3 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=155 outspi=155
create ipsec sas=4 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=155 outspi=155
create ipsec bund=1 key=isakmp string=

7.3.1. IPSec Client option for Example


7.4. IPSec + ISAKMP (with L2TP) and Firewall router, behind NAT device (eg: ADSL)

This configuration illustrates an IPSec tunnel over L2TP to a remote office, and allows for Internet access. Note: This solution uses Firewall with NAT and IPSec, supported from release 1.7.3. L2TP is used to Tunnel ISAKMP/IPSec through the NAT process between routers (eg: ADSL). This is NOT an IPSec client solution!

Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the creation command.

[Diagram: Site A, 192.168.10.0, AR300 Access Router at 192.168.1.253 behind an ADSL NAT device at 192.168.1.254 / 200.200.200.1, with Internet Access; Virtual Tunnel to Site B, 192.168.20.0, AR300 Access Router at 192.168.5.2 behind a NAT device at 192.168.5.1 / 222.222.222.1]

ADSL PINHole UDP port 1701 (L2TP) through to Router interface.

set user securedelay=600
add user=secoff pass=<your password> priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
add l2tp call=

set user securedelay=600
add user=secoff pass=<your password> priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
set l2tp password=

7.5. IPSec and Firewall through two NAT gateways (eg: ADSL)

This configuration illustrates an IPSec tunnel through two NATing devices (eg: NATing ADSL gateway devices). It uses release 2.2.1, which allows ISAKMP through NATing devices without the need of L2TP, because of the introduction of the "localid" and "remoteid" parameters. It also allows for Internet access.

A future version of this example will also accommodate VPN clients, using a new release version of the VPN client.

Router A
set sys name=

set sys name=

[Diagram: VPN Gateway Router / Firewall at 192.168.10.254 terminating virtual IPSec tunnels from remote users; Private Office LAN (Protected); Office "dirty" LAN (Unprotected, valid Internet addresses); Existing Default Gateway (Firewall); Office Main Gateway (Not NATing)]

set system name=

set system name=


7.7. Notes on IPSec Testing and Verification

Testing of an IPSec tunnel.

The following are precautions to testing through IPSec tunnels:

· The "ip local" ip address is best left at default. If "ip local" is set to an address other than default, this may invalidate ISAKMP negotiation.

· Do not expect to test sending traffic through the IPSec tunnel by pinging from IPSec router to IPSec router. You must test between hosts or servers behind the IPSec router gateways (LAN to LAN), to ensure this traffic will match the IPSec tunnel policy address selectors.

Verification of an IPSec tunnel.

It is good practice to confirm that traffic is being encrypted. A good initial check is to observe the ISAKMP negotiation entries in the system log ("sh log"). This ISAKMP check is only valid if you are using ISAKMP (ie: not manual keys). There will be several phases of negotiation, and they should indicate successful completion. If you can see no negotiation entries in the log, or if you only see an initial start and no completed phases, then this suggests a configuration error, or no ISAKMP negotiation received from the peer. Checking "sh fire event" will allow you to see what traffic has been received from the peer, and if it has been allowed by the firewall.

Confirmation that traffic is actually being encrypted is best seen by using a counter command such as SH IPSEC POLI=TUNNEL COUNT. Every time you ping a set of 5 pings, the outProcessDone counters (in the Outbound Packet Processing Counters section) should increment by 5. Also, the echo reply traffic should cause the inProcessDone counters (in the Inbound Packet Processing Counters section) to increment by 5.

It is important that the IPSec policies be configured in the correct order. If you have a permit IPSec Policy with open policy address selectors (intended to allow unencrypted Internet access), then this policy must be configured last, after the ACTION=IPSEC POLICIES. Otherwise this Permit Policy will process all traffic and no traffic will be encrypted. The order of the IPSec policies can be checked by the SH IPSEC POLI command. In the output of this command, each policy is assigned a position number.
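The policy-order rule above and the firewall pinholes the section 7.2 Router A script relies on (UDP 500 allowed in, nonat with encap=ipsec for tunnel traffic) can both be checked before a tunnel is brought up. The following is an added example, not code from the Allied Telesyn document: a small Python lint over a constructed sample written in the page's abbreviated AR command syntax; the longest-prefix resolution of abbreviated keywords and the selector parameter names it recognises are assumptions of the example.

```python
"""Added example: lint the AR-style IPSec/firewall commands used on this page.

Not part of the Allied Telesyn document. Checks, over a constructed sample:
  * section 7.7: a permit IPSec policy with open address selectors must be
    positioned after every action=ipsec policy, or nothing gets encrypted;
  * section 7.2: each public firewall interface needs an allow rule for UDP 500
    (ISAKMP) and a nonat rule with encap=ipsec for the tunnel traffic.
Abbreviated keywords (ips/ipsec, pol/policy, fire/firewall, ac/action ...)
are resolved by longest-prefix match; this mirrors the AR command parser only
loosely and is an assumption of the example, as are the selector names below.
"""

# Constructed sample modelled on the Router A script in section 7.2.
SAMPLE_CONFIG = """
add fire poli=main int=eth0 type=private
add fire poli=main int=ppp0 type=public
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=internet int=ppp0 act=permit
"""

# Parameters that narrow an IPSec policy's traffic selectors (assumed names).
SELECTOR_NAMES = ("laddress", "lmask", "lport", "lname",
                  "raddress", "rmask", "rport", "rname", "transport")


def _split(line):
    """'create ips pol=x act=permit' -> ('create', ['ips'], {'pol': 'x', 'act': 'permit'})."""
    tokens = line.split()
    verb, words, params = tokens[0].lower(), [], {}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key.lower()] = value.lower()
        else:
            words.append(tok.lower())
    return verb, words, params


def _get(params, full_name, default=None):
    """Return the value of the longest abbreviation of full_name present in params."""
    best = None
    for key in params:
        if full_name.startswith(key) and (best is None or len(key) > len(best)):
            best = key
    return params[best] if best is not None else default


def parse_config(text):
    """Collect IPSec policies (in configured order), firewall rules and public interfaces."""
    policies, by_name, rules, public = [], {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, words, params = _split(line)
        if not words:
            continue
        if verb == "add" and "firewall".startswith(words[0]):
            if _get(params, "type") == "public":
                public.append(_get(params, "interface"))
            elif _get(params, "rule") is not None:
                rules.append({"int": _get(params, "interface"),
                              "action": _get(params, "action"),
                              "prot": _get(params, "protocol"),
                              "port": _get(params, "port"),
                              "encap": _get(params, "encapsulation")})
        elif "ipsec".startswith(words[0]):
            name = _get(params, "policy")
            if verb == "create" and name:
                by_name[name] = {"name": name, "action": _get(params, "action"), "selectors": set()}
                policies.append(by_name[name])
            if name in by_name:  # both the create and later set lines may carry selectors
                by_name[name]["selectors"].update(
                    key for key in params if any(s.startswith(key) for s in SELECTOR_NAMES))
    return policies, rules, public


def check_policy_order(policies):
    """Section 7.7: an open permit policy placed before an action=ipsec policy wins for all traffic."""
    last_ipsec = max((i for i, p in enumerate(policies) if p["action"] == "ipsec"), default=-1)
    return [f"IPSec policy '{p['name']}' (position {i + 1}) is permit with open selectors "
            f"but precedes an action=ipsec policy; configure it last"
            for i, p in enumerate(policies)
            if p["action"] == "permit" and not p["selectors"] and i < last_ipsec]


def check_firewall(rules, public):
    """Section 7.2: ISAKMP must be allowed in and tunnel traffic must escape NAT."""
    problems = []
    for iface in public:
        mine = [r for r in rules if r["int"] == iface]
        if not any(r["action"] == "allow" and r["prot"] == "udp" and r["port"] == "500" for r in mine):
            problems.append(f"{iface}: no allow rule for UDP 500, ISAKMP negotiation would be blocked")
        if not any(r["action"] == "nonat" and r["encap"] == "ipsec" for r in mine):
            problems.append(f"{iface}: no nonat encap=ipsec rule, tunnel traffic would be NATed")
    return problems


def lint(text):
    """Run both checks over one configuration script; an empty list means no findings."""
    policies, rules, public = parse_config(text)
    return check_policy_order(policies) + check_firewall(rules, public)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```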

Troubleshooting of an IPSec tunnel.

If problems continue, then ISAKMP and IPSec debugging modes may be used. Turning on all debug modes is rather verbose, so we recommend basic ISAKMP debugging initially. The routine below also illustrates a method to easily disable the debugging mode after testing.

· "dis isakmp debug=all" (This may give an error, but our intention is to have this command in the command buffer)

· "ena isakmp debug=state" (This should allow you to see if ISAKMP is operating)

· If more detail is needed then issue this command "ena isakmp debug=trace"

· To disable debugging after your test, simply press up arrow once (or twice) to recall the disable command, then press enter. (VT100 arrows may need to be enabled).

If the basic ISAKMP debugging modes do not reveal a problem to you, then all debugging modes should be enabled and captured to a text file and sent to your support centre. Please capture the debugging output from the router attempting to initiate IPSec and ISAKMP by using "ena ipsec poli=tunnel debug=all" and "ena isakmp debug=all". Also capture "sh log" to show ISAKMP log entries (as mentioned above), and capture "sh fire event" and "sh debug". Forward all this debugging to your local technical support for analysis. Your local support center also has access to advanced support centers if necessary. (Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For technical assistance, please contact the authorised distributor or reseller in your area). Please refer to http
