TECHNICAL SUPPORT NOTE
Configuring Main Mode VPN between a 1st generation and 2nd generation NetVanta 2000 series unit using IKE and Pre-shared Keys
In this Tech Note, NetVanta 2XXX refers to the entire NetVanta 2000 series product line running the Enhanced ADTRAN OS. Information pertaining to a particular product is discussed using the product name (e.g., NetVanta 2050).
Introduction
This Technical Support Note explains configuring a 1st Generation NetVanta 2XXX and a 2nd Generation NetVanta 2XXX (running the Enhanced ADTRAN OS) for VPN operation. The following information is included in this document:
- Step-by-step instructions for configuring VPN (in AOS) on a 2nd Generation NetVanta 2XXX.
- Full sample configuration for the NetVanta 2100 2nd generation with firewall and VPN.
- Step-by-step instructions (with screen shots) for configuring VPN on a 1st Generation Netvanta 2XXX.
Please note that these examples are given for your study and consideration only. They are to help you reach a better understanding of the fundamental concepts before configuring your own application. It will be necessary for you to modify these examples to match your own network's configuration.
This Technical Support Note assumes both NetVanta 2XXX systems are already installed and have connectivity to the Internet.
Contact your ISP and verify that they allow ESP traffic through their network (IP protocol 50). ESP is the protocol that carries the encrypted VPN data across the Internet. Some ISPs require a corporate or business class of service before allowing ESP traffic.
Figure 1. Sample Network Diagram
Site A
The 1st Generation NetVanta 2XXX located at Site A is configured with the following parameters:
Public Network Parameters:
WAN IP = 172.21.0.2 (with a 30-bit mask of 255.255.255.252)
Network Address Translation (NAT) is configured for basic internet access
Firewall is enabled
Private (LAN) Network Parameters:
LAN IP = 192.168.21.1 (with a 24-bit mask of 255.255.255.0)
Site B
The 2nd Generation NetVanta 2XXX located at Site B is configured with the following parameters:
Public Network Parameters:
WAN IP = 172.32.0.2 (with a 30-bit mask of 255.255.255.252)
NAT is configured for basic internet access
Firewall is enabled
Private (LAN) Network Parameters:
LAN IP = 192.168.32.1 (with a 24-bit mask of 255.255.255.0)
VPN Parameters
Main Mode Internet Key Exchange (IKE) negotiation
SHA1 hash algorithm for protecting the authentication traffic between sites
Pre-shared key of 123456789012 for authentication
Diffie-Hellman Group 1 for protecting the keys between the sites
3DES encryption for protecting the traffic between the sites
Configuring the 2nd Generation NetVanta 2XXX
Step 1: Activate VPN
VPN can only be activated from within the enable command security menus. Follow the steps below to enter the enable mode and activate VPN. A list of all commands entered during this process is provided later in the document.
1 | Enter the enable security mode. | router> enable |
NOTE: If an enable password has been set, you will be prompted to enter it.
2 | Enter the global configuration command set. | router# config t |
3 | Activate the AOS VPN functionality. | router(config)# ip crypto |
router> enable
router# config t
router(config)# ip crypto
Figure 2. Activate VPN
Step 2: Create and Configure the IKE policy
Internet Key Exchange (IKE) is implemented in the ADTRAN OS by using user-created IKE policies. Each IKE policy is given a priority number (unique number specified by the user) and maintained in a master list. As IKE traffic is received, the ADTRAN OS polls the IKE policy list (starting with the policy having the lowest priority) until a match is found for the received data (using the peer IP address).
IKE policies are created and configured in three parts: 1) Create the policy and assign a priority number (used for placement in the master list), 2) Enter the attribute commands for the policy and configure the IKE parameters, and 3) Specify the parameters of the remote identification information for a peer connecting to the system.
Follow the steps below to configure an IKE policy with the following parameters:
Policy Priority = 10
Peer Address = 172.21.0.2 (Site A NetVanta 2XXX WAN IP)
Mode = initiate and respond to Main Mode
Key = Pre-shared key of 123456789012 using Diffie-Hellman Group 1
Key Lifetime = 1800 seconds
Hash = SHA1
Encryption = 3DES
A list of all commands entered during this process is provided in Figure 3.
Create the IKE Policy and Define the Remote Parameters
Step | Action | Command |
1 | Create the IKE policy with a priority of 10. Valid priority range includes 1 to 65535. Priority values must be unique; two IKE policies cannot have the same assigned priority value. | router(config)# crypto ike policy 10 |
2 | Enter the IP address of the peer device. (This address will correspond to the public network address of the remote device.) | router(config-ike)# peer 172.21.0.2 |
3 | Specify to initiate negotiations using main mode. | router(config-ike)# initiate main |
4 | Configure the IKE policy to respond to IKE negotiations initiated by peers using main mode. | router(config-ike)# respond main |
Enter the Attribute Commands and Configure IKE
Multiple attributes can be created for a single IKE policy. The attribute's priority number specifies the order in which the resulting VPN proposals are processed. Using multiple attributes allows a user the flexibility to configure a preferred method of connection and a backup method (in the event that the peer device is unable to negotiate using the preferred method). When creating multiple attributes, ensure that the "preferred" attribute has the lowest priority number associated with it.
1 | Enter the IKE Policy Attribute command mode, assigning this attribute a priority of 10. | router(config-ike)# attribute 10 |
2 | Choose the 3DES encryption algorithm for this IKE policy to use when transmitting data over the IKE-generated connection (security association – SA). | router(config-ike-attribute)# encryption 3des |
3 | Specify the hash SHA1 algorithm used to protect the authentication information when transmitted between host and peer devices. | router(config-ike-attribute)# hash sha |
4 | Configure this IKE policy to use pre-shared secrets during IKE negotiation for peer validation. | router(config-ike-attribute)#authentication pre-share |
5 | Specify the Diffie-Hellman Group 1 to be used by this IKE policy to generate the private keys (using a randomly generated number and the pre-shared secret). | router(config-ike-attribute)# group 1 |
6 | Specify the lifetime of the IKE generated connection (SA) in seconds. The shorter the lifetime, the more processing required for re-negotiation of the IKE SA. | router(config-ike-attribute)# lifetime 1800 |
7 | Exit the IKE attribute configuration. | router(config-ike-attribute)# exit |
Specify the Identification Parameters for the Remote Peer
The crypto ike remote-id command is used to specify the Remote-ID information for a peer connecting to the system. This command is also used to specify the pre-shared key associated with the specific Remote-ID. ADTRAN recommends using at least 12 characters for the pre-shared key.
1 | Specify the remote ID (as the peer IP address) and associate it with a pre-shared key (123456789012). | router(config)# crypto ike remote-id address 172.21.0.2 preshared-key 123456789012 |
router(config)#crypto ike policy 10
router(config-ike)#peer 172.21.0.2
router(config-ike)#initiate main
router(config-ike)#respond main
router(config-ike)#attribute 10
router(config-ike-attribute)#encryption 3des
router(config-ike-attribute)#hash sha
router(config-ike-attribute)#authentication pre-share
router(config-ike-attribute)#group 1
router(config-ike-attribute)#lifetime 1800
router(config-ike-attribute)#exit
router(config)#crypto ike remote-id address 172.21.0.2 preshared-key 123456789012
Figure 3. Create and Configure the IKE Policy
Step 3: Configure the IPSec Transform
A transform set defines the encryption and authentication algorithms used to secure the data transmitted over the VPN tunnel. In this example, a transform set named “SECURE” is created to use ESP with Authentication (3DES encryption and SHA1 authentication).
A list of all commands entered during this process can be found in Figure 4.
1 | Create a transform set (SECURE) consisting of two security algorithms (up to three algorithms may be defined). | router(config)# crypto ipsec transform set SECURE esp-3des esp-sha-hmac |
2 | Place this transform set in tunnel mode. | router(cfg-crypto-trans)# mode tunnel |
router(config)# crypto ipsec transform set SECURE esp-3des esp-sha-hmac
router(cfg-crypto-trans)# mode tunnel
Figure 4. Configure the IPSec Transform
Step 4: Configure the Access Control List (ACL)
An extended Access Control List (ACL) defines the traffic sent securely over the VPN tunnel. The entries in the ACL are defined with respect to the traffic present on the local system. Assign a name to each created ACL to use when assigning the ACL to an interface. For this example, create an ACL called OUTBOUND_VPN_TRAFFIC that sends all traffic from the private LAN (192.168.32.0 network) through the secure VPN tunnel to the private LAN (192.168.21.0 network) on the remote side.
A list of all commands entered during this process is provided in Figure 5.
1 | Create an empty access list called OUTBOUND_VPN_TRAFFIC. | router(config)# ip access-list extended OUTBOUND_VPN_TRAFFIC |
2 | Specify the traffic sent from one private LAN to the remote private LAN over the encrypted VPN tunnel. | router(config-ext-nacl)# permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255 |
router(config)#ip access-list extended OUTBOUND_VPN_TRAFFIC
router(config-ext-nacl)#permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255
Figure 5. Configure the ACL
Step 5: Create and Apply the Crypto Map
A crypto map defines a set of encryption schemes used on a specified interface. Each configured crypto map must have a user-defined name and map index number. The map index number allows the ADTRAN OS device to rank the crypto maps when multiple maps are defined. The map index number determines the order in which the maps are considered (lowest numbers are evaluated first). The example crypto map (labeled CORPORATE_VPN with an index number of 10) encrypts traffic matching the OUTBOUND_VPN_TRAFFIC ACL using the defined IPSec transform (labeled SECURE), sets the IPSec lifetime seconds to 1800, and disables perfect forward secrecy (PFS) for this security association. The full sample configuration at the end of this document also sets the peer address on this map (set peer 172.21.0.2).
A list of all commands entered during this process is provided in Figure 6.
1 | Create the crypto map (CORPORATE_VPN with an index of 10) to define the tunnel. | router(config)#crypto map CORPORATE_VPN 10 ipsec-ike |
2 | Assign the access list (labeled OUTBOUND_VPN_TRAFFIC) to this crypto map. | router(config-crypto-map)#match address OUTBOUND_VPN_TRAFFIC |
3 | Assign the IPSec transform (labeled SECURE) to this crypto map. | router(config-crypto-map)#set transform-set SECURE |
4 | Specify the lifetime (in seconds) for the IPSec SAs created by this map. | router(config-crypto-map)#set security-association lifetime seconds 1800 |
5 | Configure the map not to use PFS when creating new IPSec SAs. | router(config-crypto-map)#no set pfs |
6 | Enter the interface command set for the interface to use this map. | router(config-crypto-map)#interface eth 0/1 |
7 | Apply the defined crypto map (CORPORATE_VPN) to the interface. | router(config-eth0/1)#crypto map CORPORATE_VPN |
router(config)#crypto map CORPORATE_VPN 10 ipsec-ike
router(config-crypto-map)#match address OUTBOUND_VPN_TRAFFIC
router(config-crypto-map)#set transform-set SECURE
router(config-crypto-map)#set security-association lifetime seconds 1800
router(config-crypto-map)#no set pfs
router(config-crypto-map)#interface eth 0/1
router(config-eth 0/1)#crypto map CORPORATE_VPN
Figure 6. Create and Apply the Crypto Map
Step 6: Configure the Firewall
If the firewall feature is enabled on the 2nd Generation NetVanta 2XXX system, then Extended ACLs must be added to the configuration to permit incoming traffic from the remote device.
The IP extended access-list “INBOUND_VPN_TRAFFIC” permits traffic from the 1st Generation NetVanta 2XXX LAN to the NetVanta 2100 2nd generation LAN and allows received IKE traffic.
A list of all commands entered during this process is provided in Figure 7.
1 | Create an empty access list called INBOUND_VPN_TRAFFIC. | router(config)#ip access-list extended INBOUND_VPN_TRAFFIC |
2 | Specify the traffic received from the remote private LAN. | router(config-ext-nacl)#permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255 |
3 | Specify all IKE traffic received. | router(config-ext-nacl)#permit udp any host 172.32.0.2 eq isakmp |
router(config)#ip access-list extended INBOUND_VPN_TRAFFIC
router(config-ext-nacl)#permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255
router(config-ext-nacl)#permit udp any host 172.32.0.2 eq isakmp
Figure 7. Configure the Firewall
ADTRAN OS access control policies (ACPs) are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data will be processed or discarded.
Modify the Access Policy Class PUBLIC
The Extended ACL (INBOUND_VPN_TRAFFIC) created in Step 6 must be added to the appropriate policy-class before it is applied to data flowing through the system. Policy-class names are case sensitive.
The policy-class names used in this example reflect the current policy-class nomenclature and may need to be changed for your application. Use the show ip policy-class command to list all configured policies. If a discard list MATCHALL statement is in the policy class, remove it using the no form of the command.
The PUBLIC policy class is used for traffic coming from the Internet and applies to interface eth 0/1. Complete the following steps to modify the policy-class.
A list of all commands entered during this process is provided in Figure 8.
1 | Enter the configuration commands for the IP policy-class labeled PUBLIC. | router(config)#ip policy-class PUBLIC |
2 | Remove the discard list MATCHALL statement from the PUBLIC ACP. | router(config-policy-class)#no discard list MATCHALL |
3 | Add the ACL (labeled INBOUND_VPN_TRAFFIC) to the PUBLIC ACP. | router(config-policy-class)#allow list INBOUND_VPN_TRAFFIC |
Figure 8. Modify the PUBLIC ACP
Modify the Access Policy Class PRIVATE
The Extended ACL (OUTBOUND_VPN_TRAFFIC) created in Step 4 must be added to the appropriate policy-class before it is applied to data flowing through the system. Policy-class names are case sensitive.
The policy-class names used in this example reflect the current policy-class nomenclature and may need to be changed for your application. Use the show ip policy-class command to list all configured policies. If a nat source list MATCHALL statement is in the policy class, remove it using the no form of the command. This statement should be defined in the ACL list AFTER the other created ACLs in this example.
The PRIVATE policy class is used for traffic coming on the private network (LAN) and applies to interface eth 0/2. Complete the following steps to modify the policy-class.
A list of all commands entered during this process is provided in Figure 9.
1 | Enter the configuration commands for the IP policy-class labeled PRIVATE. | router(config)#ip policy-class PRIVATE |
2 | Remove the nat source list MATCHALL statement from the PRIVATE ACP. | router(config-policy-class)#no nat source list MATCHALL interface eth 0/1 overload |
3 | Add the ACL (labeled OUTBOUND_VPN_TRAFFIC) to the PRIVATE ACP. | router(config-policy-class)#allow list OUTBOUND_VPN_TRAFFIC |
4 | Re-enter the nat source list MATCHALL statement at the end of the ACL list. | router(config-policy-class)#nat source list MATCHALL interface eth 0/1 overload |
router(config)#ip policy-class PRIVATE
router(config-policy-class)#no nat source list MATCHALL interface eth 0/1 overload
router(config-policy-class)#allow list OUTBOUND_VPN_TRAFFIC
router(config-policy-class)#nat source list MATCHALL interface eth 0/1 overload
Figure 9. Modify the PRIVATE ACP
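The ordering rules above (the VPN allow entry must precede the nat source list MATCHALL entry, and the first matching entry wins) are easy to get wrong and leave VPN traffic NATed instead of tunnelled. The Python below is an added example, not ADTRAN code: it parses the ACL and policy-class lines from this note's sample configuration and replays the first-match evaluation so the effect of entry order can be checked offline; the deny-ACE semantics modelled (deny means the entry does not apply) are an assumption.

```python
"""AOS firewall model for this note: parse extended ACLs and policy-classes,
evaluate a policy-class first-match (the first entry whose ACL permits the
packet decides: allow, nat or discard) and check that the two VPN ACLs mirror
each other. Added example, not ADTRAN code."""
import ipaddress

# Copied from the sample configuration in this note.
CONFIG = """\
ip access-list standard MATCHALL
  permit any
ip access-list extended INBOUND_VPN_TRAFFIC
  permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255
  permit udp any host 172.32.0.2 eq isakmp
ip access-list extended OUTBOUND_VPN_TRAFFIC
  permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255
ip policy-class PRIVATE
  allow list OUTBOUND_VPN_TRAFFIC
  nat source list MATCHALL interface eth 0/1 overload
ip policy-class PUBLIC
  allow list INBOUND_VPN_TRAFFIC
"""
PROTOCOLS = ("ip", "tcp", "udp", "icmp", "esp", "ahp", "gre")
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Contiguous wildcard mask (0.0.0.255) -> network (192.168.32.0/24)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(tokens):
    """permit|deny [proto] SRC [DST] [eq PORT]; a standard ACL has SRC only."""
    proto, i = ("ip", 1) if tokens[1] not in PROTOCOLS else (tokens[1], 2)
    src, i = _take_addr(tokens, i)
    dst, dport = ANY, None
    if i < len(tokens):
        dst, i = _take_addr(tokens, i)
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dport = tokens[i + 1]
    return {"action": tokens[0], "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, {policy_name: [entry, ...]})."""
    acls, policies, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:
            current = acls.setdefault(tokens[3], [])
        elif tokens[:2] == ["ip", "policy-class"]:
            current = policies.setdefault(tokens[2], [])
        elif tokens[0] in ("permit", "deny"):
            current.append(parse_ace(tokens))
        elif "list" in tokens:  # allow | discard | nat ... list NAME ...
            current.append({"action": tokens[0], "list": tokens[tokens.index("list") + 1]})
    return acls, policies


def ace_matches(ace, proto, src_ip, dst_ip, dport=None):
    """Protocol ip matches every protocol; an ACE without a port matches any port."""
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dport))


def policy_action(policies, acls, name, proto, src_ip, dst_ip, dport=None):
    """First match wins; a class with no matching entry discards the packet."""
    for entry in policies[name]:
        for ace in acls[entry["list"]]:
            if ace_matches(ace, proto, src_ip, dst_ip, dport):
                if ace["action"] == "permit":
                    return entry["action"]
                break  # assumed: a deny in the selector means this entry does not apply
    return "discard"


def is_mirror(acl_out, acl_in):
    """Every permit ip ACE in acl_out must appear with src/dst swapped in acl_in."""
    swapped = {(a["dst"], a["src"]) for a in acl_in if a["proto"] == "ip"}
    return all((a["src"], a["dst"]) in swapped for a in acl_out if a["proto"] == "ip")
```

Reversing the two PRIVATE entries makes the same LAN-to-LAN packet hit nat source list MATCHALL first, which is exactly the misorder the note warns about.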
The entire NetVanta 2100 2nd generation config used in the sample network is listed below.
hostname "security"
enable password password
!
ip routing
!
!
username "admin" password password
!
ip firewall
!
ip crypto
!
crypto ike policy 10
initiate main
respond main
peer 172.21.0.2
attribute 10
encryption 3des
hash sha
lifetime 1800
!
crypto ike remote-id address 172.21.0.2 preshared-key 123456789012
!
crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
mode tunnel
!
crypto map CORPORATE_VPN 10 ipsec-ike
match address OUTBOUND_VPN_TRAFFIC
set peer 172.21.0.2
set transform-set SECURE
set security-association lifetime seconds 28800
!
!
interface eth 0/1
ip address 172.32.0.2 255.255.255.252
access-policy PUBLIC
crypto map CORPORATE_VPN
no shutdown
!
interface eth 0/2
ip address 192.168.32.1 255.255.255.0
access-policy PRIVATE
no shutdown
!
!
ip access-list standard MATCHALL
permit any
!
!
ip access-list extended INBOUND_VPN_TRAFFIC
permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255
permit udp any host 172.32.0.2 eq isakmp
!
ip access-list extended OUTBOUND_VPN_TRAFFIC
permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255
!
ip policy-class PRIVATE
allow list OUTBOUND_VPN_TRAFFIC
nat source list MATCHALL interface eth 0/1 overload
!
ip policy-class PUBLIC
allow list INBOUND_VPN_TRAFFIC
!
!
ip route 0.0.0.0 0.0.0.0 172.32.0.1
!
no ip http server
no ip snmp agent
no ip ftp agent
!
!
line con 0
no login
!
line telnet 0 4
login
password "password"
!
end
Configuring the 1st Generation NetVanta 2XXX
Step 1: Create and Configure the IKE Policy
Internet Key Exchange (IKE) is implemented in 1st Generation NetVanta 2XXX systems through user-created IKE policies. Each IKE policy is maintained in a master IKE list. As IKE traffic is received, the NetVanta 2XXX checks the IKE policy list (starting with the first policy listed) until a match is found for the received data (using the peer IP address).
IKE policies are created and configured through the IKE Policy Configuration page. A screen shot with labeled step numbers is provided after the step definitions.
Follow the steps below to configure an IKE policy with the following parameters:
Policy Name = To2100
Direction = Both Directions
Exchange Type = Main Mode
Local ID Type = IP Address
Local ID Data & Local IP Address = 172.21.0.2
Remote ID Type = IP Address
Remote ID Data & Remote IP Address = 172.32.0.2 (Site B WAN IP Address)
Encryption = 3DES
Authentication Algorithm = SHA1
Authentication Mode = Pre-shared key of 123456789012
Key Lifetime = 1800 seconds
DH (Diffie Hellman) Group = Group 1
Create the New IKE Policy
A picture with callouts for each step is provided in Figure 10.
1 | Click the Policies listing (located in the header bar at the top of the screen). |
2 | Click VPN on the left-hand menu list. |
3 | Click IKE (under VPN). |
4 | Click the Add button to create a new IKE policy. |
Figure 10. Create the New IKE Policy
A picture with callouts for each step is provided in Figure 11 and Figure 12.
1 | Enter To2100 in the Policy Name field. |
2 | Select Both Directions from the Direction drop down menu. |
3 | Select MainMode from the Exchange Type drop down menu. |
4 | Select IP Address from the Local ID Type drop down menu. |
5 | Enter 172.21.0.2 in the Local ID Data field. (This is the WAN IP of the local NetVanta 2XXX.) |
6 | Select IP Address from the Remote ID Type drop down menu for the first peer. |
7 | Enter 172.32.0.2 in the Remote ID Data field. (This is the WAN IP of the remote NetVanta 2XXX.) |
8 | Enter 172.21.0.2 in the Local IP Address field. (This is the WAN IP of the local NetVanta 2XXX.) |
9 | Enter 172.32.0.2 in the Remote IP Address field. (This is the WAN IP of the remote NetVanta 2XXX.) |
10 | Select 3DES from the Encrypt Algo (Encryption Algorithm) drop down menu. |
11 | Select SHA (SHA1) from the Auth Algo (Authentication Algorithm) drop down menu. |
12 | Select Pre-Shared Key from the Auth Mode (Authentication Mode) drop down menu. |
13 | Enter 123456789012 in the If Auth mode is Pre-Share Key enter the key field. |
14 | Enter 1800 in the Life time of key field. |
15 | Select Group1 from the DH Group (Diffie-Hellman Group) drop down menu. |
16 | Click the Submit button to accept the configuration. |
17 | Verify that the To2100 policy is listed in the IKE Policy list. |
Figure 11. Configure the IKE Policy
Figure 12. IKE Policy List
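Both sites' Phase 1 settings are now defined (Site B in Step 2 of the 2nd Generation section, Site A above). As an added example that is not part of this note or of ADTRAN's software, the Python below models the behaviour described there: the AOS side polls its IKE policy list lowest priority first for the peer address, the first attribute the peer's proposal agrees with is used, and the pre-shared key is looked up by the peer's Remote-ID. Web-UI spellings (3DES, SHA1, Group1, Pre-Shared Key) are normalised to the AOS keywords so the two sides can be compared; the backup attribute 20 is constructed and is not in the note.

```python
"""IKE Phase 1 selection and proposal matching as this note describes it.
Added example, not ADTRAN code. Site B values come from the note; the backup
attribute 20 is constructed for illustration. Lifetime is deliberately not a
match criterion in this model (the shorter lifetime is assumed to be accepted)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IkeAttribute:
    priority: int
    encryption: str          # AOS keyword, e.g. des or 3des
    hash: str                # sha or md5
    group: int               # Diffie-Hellman group
    lifetime: int            # seconds
    authentication: str = "pre-share"


@dataclass
class IkePolicy:
    priority: int
    peer: str                # peer WAN address, or "any"
    attributes: List[IkeAttribute]


def normalize(value: str) -> str:
    """Map 1st Generation web-UI spellings onto the AOS CLI keywords."""
    v = value.strip().lower().replace(" ", "").replace("-", "")
    return {"sha1": "sha", "group1": "1", "group2": "2",
            "presharedkey": "pre-share"}.get(v, v)


def site_a_proposal() -> dict:
    """Phase 1 proposal the 1st Generation unit sends (its IKE policy To2100)."""
    return {"encryption": normalize("3DES"), "hash": normalize("SHA1"),
            "group": int(normalize("Group1")),
            "authentication": normalize("Pre-Shared Key"),
            "lifetime": 1800, "local_id": "172.21.0.2"}


def site_b_policies() -> List[IkePolicy]:
    """crypto ike policy 10 from this note plus a constructed backup attribute."""
    return [IkePolicy(10, "172.21.0.2", [
        IkeAttribute(10, "3des", "sha", 1, 1800),
        IkeAttribute(20, "des", "md5", 1, 1800),   # constructed backup, not in the note
    ])]


# crypto ike remote-id address 172.21.0.2 preshared-key 123456789012
SITE_B_REMOTE_IDS = {"172.21.0.2": "123456789012"}


def select_policy(policies: List[IkePolicy], peer_ip: str) -> Optional[IkePolicy]:
    """Poll the master list lowest priority first until the peer address matches."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.peer in (peer_ip, "any"):
            return pol
    return None


def negotiate(policy: IkePolicy, proposal: dict) -> Optional[IkeAttribute]:
    """Return the lowest-priority attribute whose algorithms equal the proposal."""
    keys = ("encryption", "hash", "group", "authentication")
    for attr in sorted(policy.attributes, key=lambda a: a.priority):
        if all(getattr(attr, k) == proposal[k] for k in keys):
            return attr
    return None


def phase1(peer_ip: str, proposal: dict, peer_psk: str) -> Optional[int]:
    """Responder-side check on Site B; returns the accepted attribute priority or None.
    The key is looked up by the peer's Remote-ID (its IP address here), so a Site A
    Local ID that is not its WAN address fails even when the algorithms agree."""
    policy = select_policy(site_b_policies(), peer_ip)
    if policy is None:
        return None
    attr = negotiate(policy, proposal)
    if attr is None:
        return None
    if SITE_B_REMOTE_IDS.get(proposal["local_id"]) != peer_psk:
        return None
    return attr.priority
```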
Step 2: Configure the Automatic IPSec Tunnel
IPSec tunnels are implemented in 1st Generation NetVanta 2XXX systems through user-created IPSec policies. Each IPSec policy is maintained in a master policy list. As IPSec tunnels are initiated, the NetVanta 2XXX checks the IPSec policy list (starting with the first policy listed) until a match is found for the received data (using the peer IP address).
IPSec policies are created and configured through the IPSec Policy Configuration page. A screen shot with labeled step numbers is provided after the step definitions.
Follow the steps below to configure an IPSec policy with the following parameters:
Policy Name = To2100
Source IP Address = 192.168.21.0/24
Destination IP Address = 192.168.32.0/24 (Site B LAN IP Address)
Source and Destination Ports = ALL
Protocol = ALL
Peer Security Gateway = 172.32.0.2 (Site B WAN IP Address)
Perfect Forward Secrecy = No
Security Protocol = ESP with Authentication
Authentication Algorithm = SHA1
ESP Algorithm = 3DES
Key Lifetime = 1800 seconds
Create the New IPSec Policy
A picture with callouts for each step is provided in Figure 13.
1 | Click the Policies listing (located in the header bar at the top of the screen). |
2 | Click VPN on the left-hand menu list. |
3 | Click Tunnels (under VPN). |
4 | Click the Auto button to create a new IPSec policy. |
Figure 13. Create the New IPSec Policy
A picture with callouts for each step is provided in Figure 14 and Figure 15.
1 | Enter To2100 in the Policy Name field. |
2 | Select Enable from the Status drop down menu. |
3 | Select Other from the Source Address drop down menu. |
4 | Enter 192.168.21.0 in the Source IP Address field and 24 as the Mask. (This is the private network address and subnet mask of this NetVanta 2XXX.) |
5 | Select Other from the Dest Address (Destination Address) drop down menu. |
6 | Enter 192.168.32.0 in the Dest IP Address (Destination IP Address) field and 24 as the Mask. (This is the private network address and subnet mask of the remote NetVanta 2XXX system.) |
7 | Select Any from the Source Port drop down menu. |
8 | Select Any from the Destination Port drop down menu. |
9 | Select All from the Protocol drop down menu. |
10 | Enter 172.32.0.2 in the Peer Security Gateway field. (This is the WAN IP of the remote NetVanta 2XXX.) |
11 | Select No from the Perfect Forward Secrecy drop down menu. |
12 | Select ESP with Auth from the Security Protocol drop down menu. |
13 | Select SHA1 from the AUTH Algorithm (Authentication Algorithm) drop down menu. |
14 | Select 3DES from the ESP Algorithm drop down menu. |
15 | Enter 1800 in the Life Time Secs field. It is good practice for this lifetime to be 1/3 of the Life time of key field in the configured IKE Policy. |
16 | Select Last Transform from both of the remaining Security Protocol drop down menus. |
17 | Click the Add button to accept the configuration parameters. |
18 | Verify that the To2100 IPSec policy is listed in the IPSec Policies table. |
Figure 14. Configure the IPSec Policy
Figure 15. IPSec Policy List
Step 3: Modify the Access Policies
The default access policies must be modified to permit inbound and outbound traffic to and from the Private LAN behind the remote NetVanta 2XXX. In 1st Generation NetVanta 2XXX systems, access policies are divided into two categories: 1) To LAN and 2) From LAN. Each policy list displays the configured policies in order from top to bottom. When data traffic is ready to flow through the unit (either incoming or outgoing data), the NetVanta 2XXX searches through the policy lists (starting with the first policy listed) until a match for the data is found. Therefore, the placement of policies in the policy lists is crucial for proper operation.
For this example, the To LAN access policy list must be modified to allow incoming traffic from the remote LAN to pass to the local LAN, and the From LAN access policy list must be modified to allow outgoing traffic from the local LAN to pass to the remote LAN (all over the established VPN).
Complete the following steps to modify the access policies.
A picture with callouts for each step is provided in Figure 16.
1 | Click the Policies listing (located in the header bar at the top of the screen). |
2 | Click Access Policies: To LAN from the left-hand menu list. |
3 | Select Beginning from the Add drop down menu. |
4 | Click the Submit button to create the new policy. |
Figure 16. Create a New To LAN Access Policy
A picture with callouts for each step is provided in Figure 17 and Figure 18.
1 | Select Other from the Source IP drop down menu. |
2 | Enter 192.168.32.0 in the If Source IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the remote NetVanta 2XXX system.) |
3 | Select Other from the Destination IP drop down menu. |
4 | Enter 192.168.21.0 in the If Dest IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the local NetVanta 2XXX system.) |
5 | Select Any from the Destination Port drop down menu. |
6 | Select All from the Protocol Type drop down menu. |
7 | Select Permit from the Action Type drop down menu. |
8 | Select the Yes radio button for the Enable Log parameter. |
9 | Select the No radio button for the Enable NAT parameter. |
10 | Select the Yes radio button for the Check for System VPN Policy field. |
11 | Click the Submit button to accept the configuration parameters. |
12 | Verify the new Policy is listed in the To LAN access policy list. |
Figure 17. Configure the New To LAN Policy
Figure 18. To LAN Access Policy List
A picture with callouts for each step is provided in Figure 19.
1 | Click the Policies listing (located in the header bar at the top of the screen). |
2 | Click Access Policies: From LAN from the left-hand menu list. |
3 | Select Beginning from the Add drop down menu. |
4 | Click the Submit button to create the new policy. |
Figure 19. Create a New From LAN Access Policy
A picture with callouts for each step is provided in Figure 20 and Figure 21.
1 | Select Other from the Source IP drop down menu. |
2 | Enter 192.168.21.0 in the If Source IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the local NetVanta 2XXX system.) |
3 | Select Other from the Destination IP drop down menu. |
4 | Enter 192.168.32.0 in the If Dest IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the remote NetVanta 2XXX system.) |
5 | Select Any from the Destination Port drop down menu. |
6 | Select All from the Protocol Type drop down menu. |
7 | Select Permit from the Action Type drop down menu. |
8 | Select the No radio button for the Enable Log parameter. |
9 | Select the No radio button for the Enable NAT parameter. |
10 | Select the Yes radio button for the Check for System VPN Policy field. |
11 | Click the Submit button to accept the configuration parameters. |
12 | Verify the new Policy is listed in the From LAN access policy list. |
Figure 20. Configure the New From LAN Access Policy
Figure 21. From LAN Access Policy List
Step 4: Save the Configuration Changes
The 1st Generation NetVanta 2XXX requires a manual save of all configuration changes before the changes are permanent. If the system loses power before the settings are saved, all configuration changes are lost.
Follow the steps below to save the configuration changes. A picture with callouts for each step is provided in Figure 22.
1 | Click the Admin listing (located in the header bar at the top of the screen). |
2 | Click Save Settings from the left-hand menu list. |
3 | Click the Yes button to save the changes. |
Figure 22. Save the Configuration Changes
Testing the VPN Connection
After configuring both NetVanta 2XXX systems, initiate the VPN tunnel to test for connectivity between the two sites. The easiest way to accomplish this is to send a ping from a station on the local private LAN to a station on the remote private LAN.
Use the 2nd Generation NetVanta 2XXX CLI to send a ping to the 1st Generation NetVanta 2XXX LAN IP and initiate the VPN tunnel. Enter the command as follows: ping 192.168.21.1 source 192.168.32.1.
If you experience any problems using your ADTRAN product, please contact ADTRAN Technical Support.
DISCLAIMER
ADTRAN SPECIFICALLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ADTRAN BE LIABLE FOR ANY LOSS OR DAMAGE, AND FOR PERSONAL INJURY, INCLUDING BUT NOT LIMITED TO, COMPENSATORY, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER D