237126406 allied telesis
TRANSCRIPT
8/18/2019 237126406 Allied Telesis
Helpful Configuration Scripts for the AR Router Series
Revision History
Author | Revision | Date | Modifications
ST | 5.8.4 | 5 March 2001 | § 5.6: Correction to firewall rule 1 interface
§ 6.3: Firewall rule 2 and 3 removed, rule 4 renumbered to 2, rule 3 (internal 'nonat') added
§ 6.4: Heading adjusted, Note adjusted, Firewall rule 3 added
§ 6.5: Heading adjusted, Comments adjusted
§ 6.6: Two gateways example added
§ 6.7: IPSec Testing notes added
ST | 5.8.5 | 1 March 2001 | § 6.3: Add 'isa' parameter to associate ipsec policy with specific isakmp policy. Create separate isakmp policies for remoffice and roaming VPN clients. Rename isakmp policies on vpn client. Added specific configuration for router B
§ 6.6: Add 'isa' parameter to associate ipsec policy with specific isakmp policy. Create separate isakmp policies for remoffice and roaming VPN clients. Rename isakmp policies on vpn client.
ST | 5.8.6 | 3 April 2001 | § 6.3: 'sendnotify' parameter added
§ 6.3.1, 6.4.1, 6.7: VPN Client interface defined as 'dialup'
§ 6.5: Removed ppp0 on site A. Modified ADSL pinhole details. Corrected eth0 address at site B.
§ 6.6 becomes § 6.7
§ 6.6 inserted: IPSec and Firewall through two NAT gateways (eg: ADSL)
ST | 5.8.7 | 5 April 2001 | § 5.6: Firewall DMZ modified to dual policy firewall. § 6.2: 'remoteip' parameter added to firewall rule 1
§ 6.5, 6.7: 'sendnotify' parameter added
§ 6.6: Renamed IPS and ISA policy names, use 'isa' parameter in IPS policy, add Internet IPS policy
§ 6.8: Notes extended to give basic initial debugging modes.
§ 6.3, 6.4, 6.5: Secoff user and securedelay defined
TW | 5.8.8 | 4 July / 24 September 2002 |
§ 1.4 Changed file names for section
§ 1.4 Added link to tftp server software
§ 1.5 Added client licences, deleted Manual key generation
§ 4.2 Added CIR/PIR and MTU settings
§ 4.3 Deleted
§ 5.1.3 Firewall UDP video/voice performance settings
§ 5.3 Deleted
§ 5.7 Deleted
§ 6.1 Deleted SA configuration details and ip settings
§ 6.2 Deleted SA configuration details and ip settings
§ 6.3 Bolded sections and removed rname in router/client
§ 6.4 Updated for UDP VPN client
TW | 05/08/07 | 01/07/04 | Examples using add ppp=0 over=syn changed to eth1
Deleted most of the ISDN/ppp examples
§ 3.1 Added PPPoE example
§ 2.1.3 Added ISDN settings for Telecom / Telstraclear
ATI are manufacturers of the AR router and are specialists in Layer 3 switches and secure networking devices. More detailed information on the AR products is available on ATI's World Wide Web site www.alliedtelesyn.net.nz
Document text by Mathew Jury, ATI Technical Consultant; Taylor Wilkins, ATI Network Engineer; and Shale Tasker, Network Engineer, ATR Customer Services Group. Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For technical assistance, please contact the authorised distributor or reseller in your area. Please refer to http
Contents
1. Quick Command Reference
1.1. Configurations
1.2. Filing, Reboots, and Feature Licences
1.3. Command Actions
1.4. Upgrade Process
1.5. Generating an Encryption Key
2. PPP over DDS for Internet (NAT to SMTP Server) and Private networks
2.1. PPP over ISDN Internet Access
2.1.1. Example 2.5 with 2 channels always up
2.1.2. Example 2.5 with Cisco's at the ISP
2.1.3. ISDN territory for Telecom / Telstraclear
3. PPPoE
3.1. PPPoE and Firewall via Telstraclear / Woosh / Wired Country (IHUG)
4. Time Division Multiplexing (TDM)
5. Frame Relay
5.1. Standard Frame Relay for LMI REV 1
5.2. Standard Frame Relay ISP Access
5.3. Standard Frame Relay ISP Access with firewall and DMZ
5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network
5.4.1. OSPF on the private network, 4.4 continued
6. Simple Firewall over Ethernet with internal mail server
6.1.2. PING, Email notification, accounting, and logging
6.1.3. Internet Access to Firewall Router
6.1.4. UDP Video link through firewall performance tweak
6.2. Private Frame Relay with Firewall on ISP Internet PVC
6.3. Firewall over Ethernet with Private IP addresses only on the LAN
6.4. Firewall with ADSL
6.5. Firewall over PPP with a DMZ LAN
7. VPN
7.1. GRE Tunnel, NAT, and Internet
6.2. L2TP Tunnel, Firewall and Internet
7.2. IPSec (with ISAKMP), Firewall, and VPN Client
7.2.1. IPSec Client option for Example 6.3
7.3. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client (with Manual Key)
7.3.1. IPSec Client option for Example 6.4
7.4. IPSec & ISAKMP (with L2TP) and Firewall router, behind NAT device (eg
Allied Telesyn router helpful configs
1. Quick Command Reference
1.1. Configurations
Task | Command
Show the log | show log
View the current release and patch | show install
Show the system information | show sys
Save the current configuration | create config=<config>.cfg
Change the boot configuration file | set conf=<config>.cfg
What is the current configuration file | show conf
Show the current RAM configuration | show conf dyn
Show one section of the current RAM configuration | show conf dyn=<sub section>
1.2. Filing, Reboots, and Feature Licences
Task | Command
Show file contents in FLASH or NVS | show fi=<file.ext>
Show files | show fi
To edit a file | edit <file.ext>
Reboot the router (full restart, reloads the release) | restart reboot
Quick restart (warm restart, for applying new configurations) | restart router
Enable a new feature licence | enable feature=<feature> pass=<password>
1.3. Command Actions
To config | To remove from configuration | To view and modify
add | delete | show
create | destroy | set
activate | deactivate | reset
enable | disable | purge
1.4. Upgrade Process
To load the file on the router you need a trivial ftp server software. A Windows version is available here: Allied Telesyn tftp server
Upgrade process | Commands
Make space, delete the old files | del fi=<oldfile.ext>
Load files | load fi=<file.rez> dest=flash serv=<server ip>
 | load fi=<file.paz> dest=flash serv=<server ip>
 | load fi=<file.hlp> dest=flash serv=<server ip>
Apply a Help file | set help=<help>.hlp
Save the config | create conf=<current config>
Enable the release licence | enable rel=<release.rez> num=<release> pass=<password>
Set the current release and patch file | set inst=pref rel=<release.rez> pat=<patch.paz>
Reboot the router | restart reboot
1.5. Generating an Encryption Key
Check list for encryption:
1) Do you have full client licences to generate keys?
2) 3DES licence (export permit)
3) EMAC/EPAC Encryption Card?
Task | Command
Add security level user | add user=secoff pass=secoff priv=security
Keep security officer access for 10 minutes | set user securedelay=600
Turn on security at both ends | enable system security
Create the ISAKMP key | At router 'A': create enco key=1 type=general random
View the key | At router 'A': show enco key=1 (tip: copy and paste this key to router B)
Enter the ISAKMP key at the other end | At router 'B': create enco key=1 type=general value=<router 'A' key>
Allow remote security officer access | enable user rso
Specify remote IP address ranges | add user rso ip=<remote access ip> mask=<mask>
Note: 'pass=secoff' is a placeholder, not a recommendation. The security officer account can display keys and change security settings, so give it a strong password and use the rso address ranges so that it can only log in from known management addresses. Paste the key between routers over a protected channel; anyone who reads it can impersonate either end of the tunnel.
2. PPP over DDS for Internet (NAT to SMTP Server) and Private networks
[Figure: Site A (192.168.10.0, Mail Server 192.168.10.2) - Router A (CentreCOM AR300) - ppp0 200.200.200.0/30 - Internet (private / NAT / public); Router A ppp1 192.168.254.0 - Router B ppp0 - Site B 192.168.20.0]
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add 'lqr=off echo=on' to the creation command.
Note: the second nat entry below publishes only TCP port 25 (smtp) of the mail server 192.168.10.2 on 200.200.200.1. There is no firewall in this example, so the mail server is reachable from the whole Internet on that port; make sure it is not an open relay.
Router A
# PPP Configuration
#
create ppp=0 over=syn0
create ppp=1 over=syn1
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1
add ip int=ppp0 ip=200.200.200.1 mask=255.255.255.252
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
add ip route=192.168.20.0 next=0.0.0.0 int=ppp1
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.0.0 mask=255.255.0.0 gblip=200.200.200.1
add ip nat ip=192.168.10.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp
Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
2.1. PPP over ISDN Internet Access
[Figure: Site A (192.168.10.0) - Router A (CentreCOM AR300) - ISDN, dynamic IP - Internet (private / NAT / public)]
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add 'lqr=off echo=on' to the creation command.
Router A
#
# System Configuration
set sys territory=<countrycode>
#
# ISDN Configuration
add isdn call=internet num=12345 prec=out
#
# PPP Configuration
# Note: 2nd B channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off iprequest=on user=<username> pass=<password>
add ppp=0 over=isdn-internet type=demand
#
# IP Configuration
enable ip
enable ip remote
add ip int=eth0 ip=192.168.10.1
add ip int=ppp0 ip=0.0.0.0
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.10.0 mask=255.255.255.0 gblint=ppp0
2.1.1. Example 2.5 with 2 channels always up
Note: Some ISDN providers and/or ISP providers charge per minute and this option may not be affordable. This alternative is intended where an affordable fixed monthly charge account has been offered by ISDN and ISP providers.
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add 'lqr=off echo=on' to the creation command.
ISDN & PPP Configuration modifications for 2 channels always up
#
# ISDN Configuration
#
add isdn call=internet num=12345 prec=out keepup=on
#
# PPP Configuration
# Note: No idle parameter; user and password required if going into an ISP
create ppp=0 over=isdn-internet num=2 bap=off user=<username> password=<password>
2.1.2. Example 2.5 with Cisco's at the ISP
PPP Configuration modifications for Cisco at the ISP
#
# PPP Configuration
# Note: 2nd B channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off lqr=off echo=on user=<user name> pass=<password>
add ppp=0 over=isdn-internet type=demand
2.1.3. ISDN territory for Telecom / Telstraclear
ISDN settings for Telecom / Telstraclear
#
# ISDN settings for Telecom
set system territory=newzealand
#
# ISDN settings for Telstraclear
set system territory=europe
3. PPPoE
3.1. PPPoE and Firewall via Telstraclear / Woosh / Wired Country (IHUG)
Note: Proxy ARP must be turned off on a Public Shared Ethernet Network.
Router A
create ppp=0 idle=999999 over=eth0-any
set ppp=0 iprequest=on username="test@isp.co.nz" password="test"
set ppp=0 over=eth0-any lqr=off echo=10
enable ip
enable ip remote
add ip int=ppp0 ip=0.0.0.0 mask=0.0.0.0
add ip int=vlan1 ip=10.0.0.1 mask=255.255.255.0
add ip int=eth0 ip=1.1.1.1 mask=255.255.255.0
set ip int=eth0 proxy=off
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
enable firewall
create firewall policy="pppoe"
enable firewall policy="pppoe" icmpf=all
add firewall policy="pppoe" int=vlan1 type=private
add firewall policy="pppoe" int=ppp0 type=public
add firewall poli="pppoe" nat=enhanced int=vlan1 gblint=ppp0
4. Time Division Multiplexing (TDM)
[Figure: Site A (192.168.10.0, DMZ, Mail Server 192.168.10.2) - Router A (CentreCOM AR300) on a 2M PRI; ppp1 192.168.254.0/30 - Router B - Site B 192.168.1.0; ppp2 192.168.254.4/30 - Router C - Site C 192.168.2.0]
Router A
#
# PRI configuration
# Note: "CRC" mode may need to be set to "off" or
# "checking" for the link to become active
# depending on the Telco configuration
# Note: RJ45 pinouts for PRI devices aren't
# standardized, check your NTU if using RJ45
# termination
set pri=0 mode=tdm
set pri=0 crc=reporting
#
# TDM configuration
#
create tdm group=site_b interface=pri0 slots=1
create tdm group=site_c interface=pri0 slots=6
#
# PPP Configuration
#
create ppp=1 over=tdm-site_b idle=60 comp=on
create ppp=2 over=tdm-site_c idle=60 comp=on
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1 mask=255.255.255.252
add ip int=ppp2 ip=192.168.254.5 mask=255.255.255.252
add ip route=192.168.1.0 next=0.0.0.0 int=ppp1
add ip route=192.168.2.0 next=0.0.0.0 int=ppp2
Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
# Note: Router C: change eth and ppp IP address
enable ip
add ip int=eth0 ip=192.168.1.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
5. Frame Relay
5.1. Standard Frame Relay for LMI REV 1 (sometimes referred to as cisco LMI type)
[Figure: four CentreCOM AR300 routers meshed over Frame Relay: Site A 192.168.1.0 (192.168.254.1, DLCI 101), Site B 192.168.2.0 (192.168.254.2, DLCI 102), Site C 192.168.3.0 (192.168.254.3, DLCI 103), Site D 192.168.4.0 (192.168.254.4, DLCI 104)]
Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to
[the rest of this configuration is not present in this copy]
5.2. Standard Frame Relay ISP Access
The frame network in NZ uses an MTU of 1500; this needs to be altered on the routers because the default is 1600.
Router A
# Syn
# set syn to the speed the telco is providing, eg 1Mbit = 1024000
set syn=syn0 speed=2048000
#
# Frame Relay Configuration
# Note: By default LMI is set to
[the rest of this configuration is not present in this copy]
5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network
[Figure: Site A 192.168.1.0 (Mail Server 192.168.1.2) - Router A - Frame Relay (DLCI 101, 102, 103, 104; 192.168.254.1, 192.168.254.2) - Site B 192.168.2.0, Site C 192.168.3.0; Internet via the ISP PVC 200.200.200.1/30 - 200.200.200.2/30]
Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to
[the rest of this configuration is not present in this copy]
5.4.1. OSPF on the private network, 4.4 continued
Router A: First remove the 2 static routes to the private network sites, leave the default route
#
# Frame Relay Configuration
# Note: By default LMI is set to
[the rest of this configuration is not present in this copy]
Firewall Configs
7.2. IPSec (with ISAKMP), Firewall, and VPN Client
This configuration illustrates two IPSec tunnels, allowing for a remote office, a remote VPN client (roaming user), and Internet access. The VPN client may use a dynamic IP address. This example is not suitable behind a NATing device (eg: ADSL). Note the introduction of the Firewall nonat action shown in this example.
Note: the scripts in this section and the next use single DES, and one SA uses a null ESP hash, which reflects the licences of the time; single DES is no longer considered secure, so use 3DES or AES with an HMAC where the router release and licence allow.
Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# ppp configuration
create ppp=0 over=syn0
# optional: set ppp=0 over=syn0 lqr=off echo=on
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=ppp0 ip=200.200.200.1
add ip rou=0.0.0.0 next=0.0.0.0 int=ppp0
# Firewall
# To enable out going ping see example 6.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=ppp0 type=public
add fire poli=main nat=enhanced int=eth0 gblint=ppp0
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
# Rule 3 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
# Includes VPN client configuration for user "roaming1"
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des key=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha key=isakmp
create ips bundle=1 key=isakmp string="1 and 2"
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lmask=255.255.255.0
create ips pol=internet int=ppp0 act=permit
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL on
# router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=222.222.222.1 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on
# Only one policy is required for all dial up users.
cre isa pol=roaming1 peer=any hashalg=sha key=1 mode=aggressive
set isa pol=roaming1 senddeletes=on setcommitbit=on sendnotify=on
enable isakmp
# Optional authentication of remote sites to be done at the head office using the local user database or a Radius Server
#set isa pol=roaming1 xauth=server xauthtype=generic
#add radius server=192.168.10.254 secret=secret
# OR add user=boblogin pass=bobpass
Note: the roaming1 ISAKMP policy accepts any peer (peer=any) in aggressive mode, so the shared key=1 is all that authenticates a roaming client, and aggressive mode sends a hash derived from that key to anyone who can reach UDP 500. Use the long random key generated in section 1.5 rather than a passphrase, and consider enabling the XAUTH option above so that each user also authenticates individually. The permit policy 'internet' is created last on purpose; see the ordering note in section 7.7.
[Figure: Site A 192.168.10.0 - Router A 200.200.200.1 - Internet - virtual tunnel - Router B 222.222.222.1 - Site B 192.168.20.0; roaming user VPN client with dynamic IP]
Router B
set sys name=remoffice
set user securedelay=600
add user=secoff pass=<your password> priv=sec
create ppp=0 over=syn0
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=222.222.222.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
# Firewall
# To enable out going ping see example 6.1.1
enable firewall
create firewall policy=
[the rest of this configuration is not present in this copy]
7.3. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client (with Manual Key)
Note: Use the Manual Key option to get through a NATing device (eg: ADSL) between routers, or use the L2TP example in section 7.4. Manual keys are sometimes required due to poor pinholing of UDP 500 on some ADSL routers.
[Figure: Router A behind an ADSL NAT device - Internet - Router B 222.222.222.1; VPN client "test"]
Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable out going ping see example 6.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
add firewall poli=main ru=1 ac=allow int=eth1 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblpo=500
add firewall poli=main ru=2 ac=allow int=eth1 prot=udp po=2746 ip=200.200.200.1 gblip=200.200.200.1 gblpo=2746
add fire poli=main rule=3 int=eth1 action=nonat ip=192.168.10.1-192.168.10.254 prot=all encap=ipsec
# Rule 4 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=4 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=4 remoteip=192.168.20.1-192.168.20.254
add firewall poli=main ru=5 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=5 remoteip=192.168.30.2-192.168.30.3
# IPSec
# Includes VPN client configuration for user "roaming1". The same key is used for the remote office
# and the remote VPN client PC (laptop).
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type DES on
# router A for "pc1" & "pc2" and type "general" for isakmp.
# Manual key examples are included because some adsl modem pinholes do not support isakmp correctly.
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
create ipsec sas=3 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=155 outspi=155
create ipsec sas=4 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=155 outspi=155
create ipsec bund=1 key=isakmp string=
[the rest of this configuration is not present in this copy]
7.3.1. IPSec Client option for Example
7.4. IPSec & ISAKMP with L2TP and Firewall router, behind NAT device (eg: ADSL)
This configuration illustrates an IPSec tunnel over L2TP to a remote office, and allows for Internet access.
Note: This solution uses Firewall with NAT and IPSec, supported from release 1.7.3. L2TP is used to tunnel ISAKMP/IPSec through the NAT process between routers (eg: ADSL). This is NOT an IPSec client solution!
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add 'lqr=off echo=on' to the creation command.
[Figure: Site A 192.168.10.0 - Router A - ADSL NAT device (192.168.1.254 / 192.168.1.253; NAT 192.168.5.1 / 192.168.5.2) - Internet (200.200.200.1, 222.222.222.1) - Router B - Site B 192.168.20.0; virtual tunnel between the routers]
ADSL: pinhole UDP port 1701 (L2TP) through to the Router B interface.
Router A
set user securedelay=600
add user=secoff pass=<your password> priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
add l2tp call=
[the rest of this configuration is not present in this copy]
Router B
set user securedelay=600
add user=secoff pass=<your password> priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
set l2tp password=
[the rest of this configuration is not present in this copy]
7.5. IPSec and Firewall through two NAT gateways (eg: ADSL)
This configuration illustrates an IPSec tunnel through two NATing devices (eg: NATing ADSL gateway devices). It uses release 2.2.1, which allows ISAKMP through NATing devices without the need of L2TP, because of the introduction of the 'localid' and 'remoteid' parameters. It also allows for Internet access.
A future version of this example will also accommodate VPN clients, using a new release version of the VPN client.
Router A
set sys name=
[the rest of this configuration is not present in this copy]
Router B
set sys name=
[the rest of this configuration is not present in this copy]
[Figure: Roaming user - virtual IPSec tunnels - VPN Gateway Router / Firewall (192.168.10.254) on the Office "Dirty" LAN (unprotected, valid Internet addresses), beside the existing default gateway (firewall); Private Office LAN (protected); Office Main Gateway (not NATing)]
set system name=
[the rest of this configuration is not present in this copy]
set system name=
[the rest of this configuration is not present in this copy]
7.7. Notes on IPSec Testing and Verification
Testing of an IPSec tunnel.
The following are precautions to testing through IPSec tunnels:
· The 'ip local' ip address is best left at default. If 'ip local' is set to an address other than the default, this may invalidate ISAKMP negotiation.
· Do not expect to test sending traffic through the IPSec tunnel by pinging from IPSec router to IPSec router. You must test between hosts or servers behind the IPSec router gateways (LAN to LAN), to ensure this traffic will match the IPSec tunnel policy address selectors.
Verification of an IPSec tunnel.
It is good practice to confirm that traffic is being encrypted. A good initial check is to observe the ISAKMP negotiation entries in the system log ('sh log'). This ISAKMP check is only valid if you are using ISAKMP (ie: not manual keys). There will be several phases of negotiation, and they should indicate successful completion. If you can see no negotiation entries in the log, or if you only see an initial start and no completed phases, then this suggests a configuration error, or no ISAKMP negotiation received from the peer. Checking 'sh fire event' will allow you to see what traffic has been received from the peer, and if it has been allowed by the firewall.
Confirmation that traffic is actually being encrypted is best seen by using a counter command such as SH IPSEC POLI=TUNNEL COUNT. Every time you send a set of 5 pings, the outProcessDone counters (in the Outbound Packet Processing Counters section) should increment by 5. Also, the echo reply traffic should cause the inProcessDone counters (in the Inbound Packet Processing Counters section) to increment by 5.
It is important that the IPSec policies be configured in the correct order. If you have a permit IPSec policy with open policy address selectors (intended to allow unencrypted Internet access), then this policy must be configured last, after the ACTION=IPSEC policies. Otherwise this permit policy will process all traffic and no traffic will be encrypted. The order of the IPSec policies can be checked by the SH IPSEC POLI command. In the output of this command, each policy is assigned a position number.
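The ordering rule above can be checked mechanically before a script is loaded. The following Python script is an added example for this edition; it is not part of the Allied Telesyn document and not router software. It parses IPSec policy lines written in the abbreviated CLI syntax used by the scripts in section 7.2, assuming the unique-prefix keyword matching the AR CLI accepts (ips for ipsec, pol for policy, act for action, lad for laddress and so on) and that a policy's position is the order in which it was created, and it flags any permit policy with open selectors that precedes an action=ipsec policy. The two sample scripts embedded in it are constructed from the Router A policies in section 7.2; the second one moves the open 'internet' permit policy to the front to reproduce the failure mode described above.

```python
"""Order check for AR-router IPSec policies: a permit policy with open selectors
must come after every action=ipsec policy, or nothing gets encrypted.

Added example for this edition; not part of the Allied Telesyn document or the
router software. Assumes the abbreviated CLI syntax used in the scripts above and
the AR CLI's unique-prefix keyword matching (ips/ipsec, pol/policy, act/action ...),
and that a policy's position is its creation order (what 'sh ipsec poli' lists).
"""

# Full keyword names; any prefix of two or more characters is accepted as an abbreviation.
KEYWORDS = ("create", "set", "ipsec", "policy", "action",
            "laddress", "raddress", "lmask", "rmask", "lport", "rport")

# Selectors that narrow a policy; a permit policy without any of them matches everything.
SELECTORS = ("laddress", "raddress", "lport", "rport")


def canon(word):
    """Expand an abbreviated CLI keyword to its full name, or None if it is not one we track."""
    word = word.lower()
    if len(word) < 2:
        return None
    for full in KEYWORDS:
        if full.startswith(word):
            return full
    return None


def parse_policies(script):
    """Return the IPSec policies of a script in creation order as (name, action, selectors)."""
    order = []       # policy names in the order their 'create' lines appear
    policies = {}    # name -> {"action": ..., "selectors": {...}}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 3 or canon(tokens[1]) != "ipsec":
            continue                                  # not an 'ipsec' command
        verb = canon(tokens[0])
        key, _, name = tokens[2].partition("=")
        if verb not in ("create", "set") or canon(key) != "policy" or not name:
            continue                                  # not 'create/set ipsec policy=<name>'
        if verb == "create":
            order.append(name)
            policies[name] = {"action": None, "selectors": {}}
        entry = policies.get(name)
        if entry is None:
            continue                                  # 'set' on a policy never created
        for pair in tokens[3:]:
            k, _, v = pair.partition("=")
            full = canon(k)
            if full == "action":
                entry["action"] = v.lower()
            elif full in SELECTORS:
                entry["selectors"][full] = v
    return [(n, policies[n]["action"], policies[n]["selectors"]) for n in order]


def check_policy_order(script):
    """Return one warning per open permit policy that precedes an action=ipsec policy."""
    warnings = []
    policies = parse_policies(script)
    for pos, (name, action, selectors) in enumerate(policies, start=1):
        later_ipsec = [n for n, a, _ in policies[pos:] if a == "ipsec"]
        if action == "permit" and not selectors and later_ipsec:
            warnings.append(
                f"policy '{name}' (position {pos}) permits all traffic in the clear and "
                f"precedes action=ipsec policies {later_ipsec}; create it after them")
    return warnings


# Constructed sample: the IPSec policy lines of Router A in section 7.2, in the
# order the document gives them (the open 'internet' permit policy is created last).
GOOD = """\
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lmask=255.255.255.0
create ips pol=internet int=ppp0 act=permit
"""

# The same policies with the open permit policy created first: the failure mode the text warns about.
BAD = "create ips pol=internet int=ppp0 act=permit\n" + "\n".join(GOOD.splitlines()[:-1]) + "\n"

if __name__ == "__main__":
    for label, script in (("good", GOOD), ("bad", BAD)):
        print(label + ":", check_policy_order(script) or "policy order ok")
```

Run it against a saved script before loading it with the commands in section 1.2; it only reads the ipsec policy lines, so the rest of the configuration can be pasted in unchanged. The isakmp permit policy is not reported because its lport/rport selectors restrict it to UDP 500.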
Troubleshooting of an IPSec tunnel.
If problems continue, then ISAKMP and IPSec debugging modes may be used. Turning on all debug modes is rather verbose, so we recommend basic ISAKMP debugging initially. The routine below also illustrates a method to easily disable the debugging mode after testing.
· 'dis isakmp debug=all' (This may give an error, but our intention is to have this command in the command buffer)
· 'ena isakmp debug=state' (This should allow you to see if ISAKMP is operating)
· If more detail is needed then issue this command: 'ena isakmp debug=trace'
· To disable debugging after your test, simply press up arrow once (or twice) to recall the disable command, then press enter. (VT100 arrows may need to be enabled.)
If the basic ISAKMP debugging modes do not reveal a problem to you, then all debugging modes should be enabled and captured to a text file and sent to your support centre. Please capture the debugging output from the router attempting to initiate IPSec and ISAKMP by using 'ena ipsec poli=tunnel debug=all' and 'ena isakmp debug=all'. Also capture 'sh log' to show ISAKMP log entries (as mentioned above), and capture 'sh fire event' and 'sh debug'. Forward all this debugging to your local technical support for analysis. Your local support centre also has access to advanced support centres if necessary. (Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For technical assistance, please contact the authorised distributor or reseller in your area.) Please refer to http