
AlliedWare™ OS
How To | Create a VPN between an Allied Telesis and a SonicWALL Router, with NAT-T
Today’s network managers often need to incorporate other vendors’ equipment into their networks, as companies change and grow. To support this challenge, Allied Telesis routers are designed to inter-operate with a wide range of equipment.
This How To Note details one of the inter-operation solutions from Allied Telesis: creating virtual private networks between Allied Telesis and SonicWALL routers. It shows you how to configure a VPN between a local Allied Telesis router and a remote SonicWALL router, step-by-step. On the Allied Telesis router, it uses the Site-To-Site VPN wizard for the VPN configuration.
The wizard runs on selected AR400 Allied Telesis routers from the router’s web-based GUI (graphical user interface). It asks you to enter a few details and from those it configures the following settings:
• encryption to protect traffic over the VPN
• ISAKMP with a pre-shared key to manage the VPN
• the firewall, to protect the LANs and to allow traffic to use the VPN
• Network Address Translation (NAT), so that you can access the Internet from the private LAN through a single public IP address. This Internet access does not interfere with the VPN solution
• (in this example) NAT-Traversal, because one end of the VPN tunnel is behind a separate NAT device
C613-16098-00 REV E
www.alliedtelesis.com

What information will you find in this document?

This How To Note begins with the following information:
• "Related How To Notes" on page 2
• "Which products and software version does it apply to?" on page 2
Then it describes the configuration, in the following sections:
• "The network" on page 3
• "How to configure the Allied Telesis router" on page 4
• "How to configure the SonicWALL router" on page 12
• "How to test the tunnel" on page 29
• "How to use the CLI instead of the GUI" on page 30

Related How To Notes

Allied Telesis offers How To Notes with a wide range of VPN solutions, from quick and simple solutions for connecting home and remote offices, to advanced multi-feature setups. Notes also describe how to create a VPN between an Allied Telesis router and equipment from a number of other vendors.
For a complete list of VPN How To Notes, see the Overview of VPN Solutions in How To Notes in the How To Library at www.alliedtelesis.com/resources/literature/howto.aspx.

Which products and software version does it apply to?

The VPN wizard is available on the following Allied Telesis routers, running Software Version 2.9.1 or later:
• AR415S
• AR440S, AR441S, AR442S
You can use the command line to set up an equivalent configuration on AR700 and other AR400 Series routers. See "How to use the CLI instead of the GUI" on page 30 for the necessary commands.
We created this example with a SonicWALL TZ 170, running SonicOS Enhanced 2.5.1.1-65e. SonicOS Standard does not support NAT-T draft 3, so this solution requires SonicOS Enhanced.
The screenshots in this Note are from an Internet Explorer 6.0 browser running on Windows XP.
Page 2 | AlliedWare™ OS How To Note: VPNs with SonicWALL routers

The network

This example illustrates a NAT-T solution, which you need when one or both of the routers are behind a NAT device such as some xDSL and cable modems. In this example, an Allied Telesis AR415S router is behind a NAT device. The following diagram shows the LANs and their interfaces and addresses.
[Diagram at-sonic.eps: The Allied Telesis router (vlan1: 192.168.1.1; eth0: 192.168.254.1/30) connects to the NAT device (192.168.254.2/30 towards the router, 100.100.100.1/30 towards the Internet). Across the Internet (100.100.100.2/30 and 200.200.200.2/30 on the provider side) is the SonicWALL router (WAN: 200.200.200.1/30; VLAN: 192.168.2.1). A workstation at 192.168.1.100 on the Allied Telesis LAN and one at 192.168.2.100 on the SonicWALL LAN receive their addresses by automatic address assignment. The VPN tunnel runs between the Allied Telesis router and the SonicWALL router.]
Note: You can still use this example if you have no NAT device between the Allied Telesis router and the Internet, or if you have a NAT device between the SonicWALL router and the Internet, with slight alterations. See "Appendix: Using this example if you don’t have a NAT device in the same position" on page 31 for details.
Initiating the tunnel from either end
In this example, you can only initiate the tunnel from the Allied Telesis end, not the SonicWALL end. If you want to let the SonicWALL initiate the VPN too, you have to configure your NAT device to allow it. To do this, set up pinholes (allow rules) on the NAT device to allow through UDP traffic on ports 500 and 4500.

How to configure the Allied Telesis router

Before you start
1. Install and configure the NAT device.
2. Access the router via its GUI.
3. Customise the router and set up vlan1 as the LAN interface. The site-to-site VPN wizard always uses vlan1 as the local LAN for the VPN connection, so you must make sure an IP interface is configured on vlan1 before running the wizard.
4. Create a security officer. If you use the Basic Setup wizard to customise the router, this creates one security officer, with a username of “secoff”.
5. Set up the WAN interface. This example uses a fixed IP address on the WAN interface—modify it to use an appropriate interface for your network.
The router setup of steps 2-5 is described in How To Use the Allied Telesis GUI to Customise the Router and Set Up An Internet Connection, which is available from www.alliedtelesis.com/resources/literature/howto.aspx.
In this example, the Allied Telesis router has the following settings:

                              Interface   Address          Mask
Allied Telesis router LAN     vlan1       192.168.1.1      255.255.255.0
Allied Telesis router WAN     eth0        192.168.254.1    255.255.255.252
Remote site’s WAN settings                200.200.200.1
Remote site’s LAN settings                192.168.2.1      255.255.255.0

The NAT device has the following settings:

                                            Interface   Address          Mask
Private interface (towards the router)      eth1        192.168.254.2    255.255.255.252
Public interface (towards the Internet)     eth0        100.100.100.1    255.255.255.252
Create the VPN tunnel
1. Open the Configuration Wizards page
Log in as either the manager or the security officer. If you log in as the manager, the router changes to secure mode when you finish the VPN wizard and at that stage prompts you to log in again as the security officer.
The Site-To-Site VPN wizard is one of the options on the Configuration Wizards page. Make sure your browser’s pop-up blocker is disabled—the wizard needs to open pop-ups. If you access the Internet through a proxy server, make sure your browser bypasses the proxy for this address.
The GUI opens at this page the first time you configure your router. After initial configuration it may open at the System Status page instead. If so, click on the Wizards button in the left-hand menu to open the Configuration Wizards page.
2. Start the Site-to-Site VPN wizard
Click on the Site-to-Site VPN button. The wizard starts by displaying a welcome message.
Click the Next button.
3. Name the VPN connection
Enter an appropriate VPN connection name.
Click the Next button. If you have multiple possible WAN interfaces configured on the router, the wizard next lets you select the appropriate interface. In this example there is only one WAN interface, so the wizard selects it automatically and moves directly to the remote site settings.
4. Enter the remote site’s WAN IP address
Enter the public IP address of the other end of the tunnel. In this example, this is 200.200.200.1, which is the IP address of the SonicWALL WAN interface.
Note that you can use the Tab key to move between fields when entering the address, but should not use the . key (the period).
Click the Next button.
5. Enter the remote site’s LAN IP address
Enter the SonicWALL router’s LAN subnet address and mask. In this example, this is 192.168.2.0 and a mask of 255.255.255.0.
Click the Next button.
6. Enter the shared secret key
Enter the secret key, which is an alphanumeric string between 2 and 64 characters long. Both routers must use the same secret key. On the SonicWALL router, this is the Site-to-Site Policy’s preshared key.
Click the Next button.
7. Check the settings
Check the summary. If necessary, use the wizard’s Back button to return and correct any settings you want to change.
Once you are happy with the settings, click the Advanced Settings button to modify Peer ID settings.
8. Specify Peer IDs
Peer IDs enable the routers to identify each other when they exchange secret key information. By default, the Peer IDs are the router IP addresses. This does not work when one (or both) routers are behind a separate NAT device, because the NAT device changes the IP addresses.
Towards the bottom of the Advanced Settings page, enter a local ID (to identify this router) and a remote ID (to identify the router at the other end of the link). It does not matter what text you use as the IDs, so long as each ID is different.
Then click the OK button.
9. Check the settings again
Check the summary. It now includes the Peer ID settings. If necessary, correct any settings you want to change.
When all the settings are correct, click the Apply button.
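As an added consistency check, not part of the original Note or of the wizard itself, the following Python script validates the values collected in steps 4 to 8 against the rules stated above: the remote LAN must be a proper subnet for its mask, the secret must be 2 to 64 alphanumeric characters, the remote WAN address must be public, and a router whose own WAN address is private (behind NAT, as in this example) must have two distinct explicit Peer IDs. The dictionary layout, the secret and the Peer ID strings are constructed for this example.

```python
import ipaddress
import re

# Values the wizard collects in steps 4 to 8 of this Note. The dictionary
# layout is this example's own; the secret and Peer IDs are constructed samples.
EXAMPLE = {
    "local_wan": "192.168.254.1",     # eth0 on the Allied Telesis router
    "remote_wan": "200.200.200.1",    # SonicWALL WAN interface (step 4)
    "remote_lan": "192.168.2.0",      # SonicWALL LAN subnet (step 5)
    "remote_mask": "255.255.255.0",
    "shared_secret": "Example12345",  # constructed; step 6 rules apply
    "local_id": "allied-telesis",     # constructed Peer IDs (step 8)
    "remote_id": "sonicwall",
}


def check_vpn_settings(s):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    local_wan = ipaddress.ip_address(s["local_wan"])
    remote_wan = ipaddress.ip_address(s["remote_wan"])

    # Step 5: the remote LAN entry must be the network address for its mask,
    # otherwise it does not describe the remote subnet as a whole.
    try:
        ipaddress.ip_network(f"{s['remote_lan']}/{s['remote_mask']}")
    except ValueError:
        problems.append("remote LAN address has host bits set for its mask")

    # Step 6: the pre-shared key is an alphanumeric string of 2 to 64 characters.
    if not re.fullmatch(r"[A-Za-z0-9]{2,64}", s["shared_secret"]):
        problems.append("shared secret must be 2-64 alphanumeric characters")

    # Step 4: the peer is reached by its public address.
    if remote_wan.is_private:
        problems.append("remote WAN address is not a public address")

    # Step 8: a private WAN address means this router sits behind a NAT device,
    # so the default IP-address Peer IDs fail and explicit, distinct IDs are needed.
    if local_wan.is_private:
        if not s["local_id"] or not s["remote_id"]:
            problems.append("behind NAT: set both a local and a remote Peer ID")
        elif s["local_id"] == s["remote_id"]:
            problems.append("Peer IDs must differ")
    return problems


if __name__ == "__main__":
    for p in check_vpn_settings(EXAMPLE) or ["settings are consistent"]:
        print(p)
```

With a public WAN address on the Allied Telesis router (the no-NAT case of the Appendix), the Peer ID checks are skipped because the default IP-address identities work.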
Security officer
10. Finish the wizard
If you are logged in as the security officer, the GUI displays a completion message. Click the Finish button to finish the Wizard and save the VPN settings.