Configuring Main Mode VPN between a 1st generation and 2nd generation NetVanta 2000 series unit using IKE and Pre-shared Keys

Version 1

    TECHNICAL SUPPORT NOTE

    In this Tech Note, NetVanta 2XXX refers to the entire NetVanta 2000 series product line running the Enhanced ADTRAN OS. Information pertaining to a particular product is discussed using the product name (e.g., NetVanta 2050).




    Introduction

    This Technical Support Note explains configuring a 1st Generation NetVanta 2XXX and a 2nd Generation NetVanta 2XXX (running the Enhanced ADTRAN OS) for VPN operation. The following information is included in this document:

    - Step-by-step instructions for configuring VPN (in AOS) on a 2nd Generation NetVanta 2XXX.

    - Full sample configuration for the NetVanta 2100 2nd generation with firewall and VPN.

    - Step-by-step instructions (with screen shots) for configuring VPN on a 1st Generation NetVanta 2XXX.

    Before You Begin

    Please note that these examples are given for your study and consideration only. They are to help you reach a better understanding of the fundamental concepts before configuring your own application. It will be necessary for you to modify these examples to match your own network’s configuration.

    This Technical Support Note assumes both NetVanta 2XXX systems are already installed and have connectivity to the Internet.

    Contact your ISP and verify that they allow ESP traffic through their network (IP protocol 50). ESP is the protocol that carries the encrypted VPN data across the Internet. Some ISPs require a corporate or business class of service before allowing ESP traffic.

    Network Diagram

    Figure 1. Sample Network Diagram

    Site A
    The 1st Generation NetVanta 2XXX located at Site A is configured with the following parameters:

    Public Network Parameters:
    WAN IP = 172.21.0.2 (with a 30-bit mask of 255.255.255.252)
    Network Address Translation (NAT) is configured for basic internet access
    Firewall is enabled

    Private (LAN) Network Parameters:
    LAN IP = 192.168.21.1 (with a 24-bit mask of 255.255.255.0)

    Site B
    The 2nd Generation NetVanta 2XXX located at Site B is configured with the following parameters:

    Public Network Parameters:
    WAN IP = 172.32.0.2 (with a 30-bit mask of 255.255.255.252)
    NAT is configured for basic internet access
    Firewall is enabled

    Private (LAN) Network Parameters:
    LAN IP = 192.168.32.1 (with a 24-bit mask of 255.255.255.0)

    VPN Parameters
    Main Mode Internet Key Exchange (IKE) negotiation
    SHA1 hash algorithm for protecting the authentication traffic between sites
    Pre-shared key of 123456789012 for authentication
    Diffie-Hellman Group 1 for protecting the keys between the sites
    3DES encryption for protecting the traffic between the sites


    Configuring the 2nd Generation NetVanta 2XXX

    Step 1: Activate VPN

    VPN can only be activated from within the enable command security menus. Follow the steps below to enter the enable mode and activate VPN. A list of all commands entered during this process is provided in Figure 2.

    1. Enter the enable security mode.
       router> enable

       NOTE: If an enable password has been set, you will be prompted to enter it.

    2. Enter the global configuration command set.
       router# config t

    3. Activate the AOS VPN functionality.
       router(config)# ip crypto

    router> enable
    router# config t
    router(config)# ip crypto

    Figure 2.    Activate VPN

    Step 2: Create and Configure the IKE policy

    Internet Key Exchange (IKE) is implemented in the ADTRAN OS by using user-created IKE policies. Each IKE policy is given a priority number (unique number specified by the user) and maintained in a master list. As IKE traffic is received, the ADTRAN OS polls the IKE policy list (starting with the policy having the lowest priority) until a match is found for the received data (using the peer IP address).

    IKE policies are created and configured in three parts: 1) Create the policy and assign a priority number (used for placement in the master list), 2) Enter the attribute commands for the policy and configure the IKE parameters, and 3) Specify the parameters of the remote identification information for a peer connecting to the system.

    Follow the steps below to configure an IKE policy with the following parameters:

    Policy Priority = 10
    Peer Address = 172.21.0.2 (Site A NetVanta 2XXX WAN IP)
    Mode = initiate and respond to Main Mode
    Key = Pre-shared key of 123456789012 using Diffie-Hellman Group 1
    Key Lifetime = 1800 seconds
    Hash = SHA1
    Encryption = 3DES

    A list of all commands entered during this process is provided in Figure 3.

    Create the IKE Policy and Define the Remote Parameters

    1. Create the IKE policy with a priority of 10. Valid priority range includes 1 to 65535. Priority values must be unique; two IKE policies cannot have the same assigned priority value.
       router(config)# crypto ike policy 10

    2. Enter the IP address of the peer device. (This address will correspond to the public network address of the remote device.)
       router(config-ike)# peer 172.21.0.2

    3. Specify to initiate negotiations using main mode.
       router(config-ike)# initiate main

    4. Configure the IKE policy to respond to IKE negotiations initiated by peers using main mode.
       router(config-ike)# respond main

    Enter the Attribute Commands and Configure IKE

    Multiple attributes can be created for a single IKE policy. The attribute’s priority number specifies the order in which the resulting VPN proposals are processed. Using multiple attributes allows a user the flexibility to configure a preferred method of connection and a backup method (in the event that the peer device is unable to negotiate using the preferred method). When creating multiple attributes, ensure that the “preferred” attribute has the lowest priority number associated with it.

    1. Enter the IKE Policy Attribute command mode, assigning this attribute a priority of 10.
       router(config-ike)# attribute 10

    2. Choose the 3DES encryption algorithm for this IKE policy to use when transmitting data over the IKE-generated connection (security association – SA).
       router(config-ike-attribute)# encryption 3des

    3. Specify the SHA1 hash algorithm used to protect the authentication information when transmitted between host and peer devices.
       router(config-ike-attribute)# hash sha

    4. Configure this IKE policy to use pre-shared secrets during IKE negotiation for peer validation.
       router(config-ike-attribute)# authentication pre-share

    5. Specify Diffie-Hellman Group 1 to be used by this IKE policy to generate the private keys (using a randomly generated number and the pre-shared secret).
       router(config-ike-attribute)# group 1

    6. Specify the lifetime of the IKE generated connection (SA) in seconds. The shorter the lifetime, the more processing required for re-negotiation of the IKE SA.
       router(config-ike-attribute)# lifetime 1800

    7. Exit the IKE attribute configuration.
       router(config-ike-attribute)# exit

    Specify the Identification Parameters for the Remote Peer

    The crypto ike remote-id command is used to specify the Remote-ID information for a peer connecting to the system. This command is also used to specify the pre-shared key associated with the specific Remote-ID. ADTRAN recommends using at least 12 characters for the pre-shared key.

    1. Specify the remote ID (as the peer IP address) and associate it with a pre-shared key (123456789012).
       router(config)# crypto ike remote-id address 172.21.0.2 preshared-key 123456789012

    router(config)# crypto ike policy 10
    router(config-ike)# peer 172.21.0.2
    router(config-ike)# initiate main
    router(config-ike)# respond main
    router(config-ike)# attribute 10
    router(config-ike-attribute)# encryption 3des
    router(config-ike-attribute)# hash sha
    router(config-ike-attribute)# authentication pre-share
    router(config-ike-attribute)# group 1
    router(config-ike-attribute)# lifetime 1800
    router(config-ike-attribute)# exit
    router(config)# crypto ike remote-id address 172.21.0.2 preshared-key 123456789012

    Figure 3.    Create and Configure the IKE Policy

    Step 3: Configure the IPSec Transform

    A transform set defines the encryption and authentication algorithms used to secure the data transmitted over the VPN tunnel. In this example, a transform set named “SECURE” is created to use ESP with Authentication (3DES encryption and SHA1 authentication).

    A list of all commands entered during this process can be found in Figure 4.

    1. Create a transform set (SECURE) consisting of two security algorithms (up to three algorithms may be defined).
       router(config)# crypto ipsec transform-set SECURE esp-3des esp-sha-hmac

    2. Place this transform set in tunnel mode.
       router(cfg-crypto-trans)# mode tunnel

    router(config)# crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
    router(cfg-crypto-trans)# mode tunnel

    Figure 4.    Configure the IPSec Transform

    Step 4: Configure the Access Control List (ACL)

    An extended Access Control List (ACL) defines the traffic sent securely over the VPN tunnel. The entries in the ACL are defined with respect to the traffic present on the local system. Assign a name to each created ACL to use when assigning the ACL to an interface. For this example, create an ACL called OUTBOUND_VPN_TRAFFIC that sends all traffic from the private LAN (192.168.32.0 network) through the secure VPN tunnel to the private LAN (192.168.21.0 network) on the remote side.

    A list of all commands entered during this process is provided in Figure 5.

    1. Create an empty access list called OUTBOUND_VPN_TRAFFIC.
       router(config)# ip access-list extended OUTBOUND_VPN_TRAFFIC

    2. Specify the traffic sent from the local private LAN to the remote private LAN over the encrypted VPN tunnel.
       router(config-ext-nacl)# permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255

    router(config)# ip access-list extended OUTBOUND_VPN_TRAFFIC
    router(config-ext-nacl)# permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255

    Figure 5.    Configure the ACL

    Step 5: Create and Apply the Crypto Map

    A crypto map defines a set of encryption schemes used on a specified interface. Each configured crypto map must have a user-defined name and map index number. The map index number allows the ADTRAN OS device to rank the crypto maps when multiple maps are defined. The map index number determines the order in which the maps are considered (lowest numbers are evaluated first). The example crypto map (labeled CORPORATE_VPN with an index number of 10) encrypts traffic matching the OUTBOUND_VPN_TRAFFIC ACL using the defined IPSec transform (labeled SECURE), sets the IPSec lifetime seconds to 1800, and disables perfect forward secrecy (PFS) for this security association.

    A list of all commands entered during this process is provided in Figure 6.

    1. Create the crypto map (CORPORATE_VPN with an index of 10) to define the tunnel.
       router(config)# crypto map CORPORATE_VPN 10 ipsec-ike

    2. Assign the access list (labeled OUTBOUND_VPN_TRAFFIC) to this crypto map.
       router(config-crypto-map)# match address OUTBOUND_VPN_TRAFFIC

    3. Assign the IPSec transform (labeled SECURE) to this crypto map.
       router(config-crypto-map)# set transform-set SECURE

    4. Specify the lifetime (in seconds) for the IPSec SAs created by this map.
       router(config-crypto-map)# set security-association lifetime seconds 1800

    5. Configure the map not to use PFS when creating new IPSec SAs.
       router(config-crypto-map)# no set pfs

    6. Enter the interface command set for the interface to use this map.
       router(config-crypto-map)# interface eth 0/1

    7. Apply the defined crypto map (CORPORATE_VPN) to the interface.
       router(config-eth 0/1)# crypto map CORPORATE_VPN

    router(config)# crypto map CORPORATE_VPN 10 ipsec-ike
    router(config-crypto-map)# match address OUTBOUND_VPN_TRAFFIC
    router(config-crypto-map)# set transform-set SECURE
    router(config-crypto-map)# set security-association lifetime seconds 1800
    router(config-crypto-map)# no set pfs
    router(config-crypto-map)# interface eth 0/1
    router(config-eth 0/1)# crypto map CORPORATE_VPN

    Figure 6.    Create and Apply the Crypto Map

    Step 6: Configure the Firewall

    If the firewall feature is enabled on the 2nd Generation NetVanta 2XXX system, then Extended ACLs must be added to the configuration to permit incoming traffic from the remote device.

    The IP extended access-list “INBOUND_VPN_TRAFFIC” permits traffic from the 1st Generation NetVanta 2XXX LAN to the NetVanta 2100 2nd generation LAN and allows received IKE traffic.

    A list of all commands entered during this process is provided in Figure 7.

    1. Create an empty access list called INBOUND_VPN_TRAFFIC.
       router(config)# ip access-list extended INBOUND_VPN_TRAFFIC

    2. Specify the traffic received from the remote private LAN.
       router(config-ext-nacl)# permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255

    3. Specify all IKE traffic received.
       router(config-ext-nacl)# permit udp any host 172.32.0.2 eq isakmp

    router(config)# ip access-list extended INBOUND_VPN_TRAFFIC
    router(config-ext-nacl)# permit ip 192.168.21.0 0.0.0.255 192.168.32.0 0.0.0.255
    router(config-ext-nacl)# permit udp any host 172.32.0.2 eq isakmp

    Figure 7.    Configure the Firewall

    Modify the Access Policy Class PUBLIC

    ADTRAN OS access control policies (ACPs) are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data will be processed or discarded.

    The Extended ACL (INBOUND_VPN_TRAFFIC) created in Step 6 must be added to the appropriate policy-class before it is applied to data flowing through the system. Policy-class names are case sensitive.

    The policy-class names used in this example reflect the current policy-class nomenclature and may need to be changed for your application. Use the show ip policy-class command to list all configured policies. If a discard list MATCHALL statement is in the policy class, remove it using the no form of the command.

    The PUBLIC policy class is used for traffic coming from the Internet and applies to interface eth 0/1. Complete the following steps to modify the policy-class.

    A list of all commands entered during this process is provided in Figure 8.

    1. Enter the configuration commands for the IP policy-class labeled PUBLIC.
       router(config)# ip policy-class PUBLIC

    2. Remove the discard list MATCHALL statement from the PUBLIC ACP.
       router(config-policy-class)# no discard list MATCHALL

    3. Add the ACL (labeled INBOUND_VPN_TRAFFIC) to the PUBLIC ACP.
       router(config-policy-class)# allow list INBOUND_VPN_TRAFFIC

    router(config)# ip policy-class PUBLIC
    router(config-policy-class)# no discard list MATCHALL
    router(config-policy-class)# allow list INBOUND_VPN_TRAFFIC

    Figure 8.    Modify the PUBLIC ACP

    Modify the Access Policy Class PRIVATE

    The Extended ACL (OUTBOUND_VPN_TRAFFIC) created in Step 4 must be added to the appropriate policy-class before it is applied to data flowing through the system. Policy-class names are case sensitive.

    The policy-class names used in this example reflect the current policy-class nomenclature and may need to be changed for your application. Use the show ip policy-class command to list all configured policies. If a nat source list MATCHALL statement is in the policy class, remove it using the no form of the command. This statement must be re-entered AFTER the allow entries created in this example, because ACP entries are evaluated in order: if the NAT statement comes first, traffic bound for the remote LAN is translated before it can match the VPN entry.

    The PRIVATE policy class is used for traffic coming in on the private network (LAN) and applies to interface eth 0/2. Complete the following steps to modify the policy-class.

    A list of all commands entered during this process is provided in Figure 9.

    1. Enter the configuration commands for the IP policy-class labeled PRIVATE.
       router(config)# ip policy-class PRIVATE

    2. Remove the nat source list MATCHALL statement from the PRIVATE ACP.
       router(config-policy-class)# no nat source list MATCHALL interface eth 0/1 overload

    3. Add the ACL (labeled OUTBOUND_VPN_TRAFFIC) to the PRIVATE ACP.
       router(config-policy-class)# allow list OUTBOUND_VPN_TRAFFIC

    4. Re-enter the nat source list MATCHALL statement at the end of the ACL list.
       router(config-policy-class)# nat source list MATCHALL interface eth 0/1 overload

    router(config)# ip policy-class PRIVATE
    router(config-policy-class)# no nat source list MATCHALL interface eth 0/1 overload
    router(config-policy-class)# allow list OUTBOUND_VPN_TRAFFIC
    router(config-policy-class)# nat source list MATCHALL interface eth 0/1 overload

    Figure 9.    Modify the PRIVATE ACP

    The entire NetVanta 2100 2nd generation config used in the sample network is listed below.

    hostname "security"
    enable password password
    !
    ip routing
    !
    !
    username "admin" password password
    !
    ip firewall
    !
    ip crypto
    !
    crypto ike policy 10
      initiate main
      respond main
      peer 172.21.0.2
      attribute 10
        encryption 3des
        hash sha
        authentication pre-share
        group 1
        lifetime 1800
    !
    crypto ike remote-id address 172.21.0.2 preshared-key 123456789012
    !
    crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
      mode tunnel
    !
    crypto map CORPORATE_VPN 10 ipsec-ike
      match address OUTBOUND_VPN_TRAFFIC
      set peer 172.21.0.2
      set transform-set SECURE
      set security-association lifetime seconds 1800
    !
    !
    interface eth 0/1
      ip address  172.32.0.2  255.255.255.252
      access-policy PUBLIC
      crypto map CORPORATE_VPN
      no shutdown
    !
    interface eth 0/2
      ip address  192.168.32.1  255.255.255.0
      access-policy PRIVATE
      no shutdown
    !
    !
    ip access-list standard MATCHALL
      permit any
    !
    !
    ip access-list extended INBOUND_VPN_TRAFFIC
      permit ip 192.168.21.0 0.0.0.255  192.168.32.0 0.0.0.255
      permit udp any  host 172.32.0.2 eq isakmp
    !
    ip access-list extended OUTBOUND_VPN_TRAFFIC
      permit ip 192.168.32.0 0.0.0.255  192.168.21.0 0.0.0.255
    !
    ip policy-class PRIVATE
      allow list OUTBOUND_VPN_TRAFFIC
      nat source list MATCHALL interface eth 0/1 overload
    !
    ip policy-class PUBLIC
      allow list INBOUND_VPN_TRAFFIC
    !
    !
    ip route 0.0.0.0 0.0.0.0 172.32.0.1
    !
    no ip http server
    no ip snmp agent
    no ip ftp agent
    !
    !
    line con 0
      no login
    !
    line telnet 0 4
      login
      password "password"
    !
    end
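As an added example (not from the Tech Note or from ADTRAN), the Python script below parses the AOS commands of a Site B configuration, embedded as a constructed input, and checks them against the values entered on the Site A 1st Generation IKE and IPSec policy pages: the IKE attribute (encryption, hash, DH group, lifetime) and pre-shared key for the peer, the IPSec SA lifetime, that the crypto ACL is the mirror image of Site A's source/destination selector, and that in policy-class PRIVATE the allow list entry comes before nat source list MATCHALL. The parser and the SITE_A dictionary are assumptions made for this example and cover only the commands used in this document; the constructed input plants an IPSec lifetime of 28800 seconds and a mis-ordered PRIVATE policy class so both checks fire.

```python
import ipaddress
# Constructed Site B (AOS) input: the Tech Note's commands with two planted mistakes, an IPSec
# lifetime of 28800 seconds and the PRIVATE nat statement placed before the VPN allow statement.
SITE_B_CONFIG = """\
crypto ike policy 10
  peer 172.21.0.2
  attribute 10
    encryption 3des
    hash sha
    authentication pre-share
    group 1
    lifetime 1800
crypto ike remote-id address 172.21.0.2 preshared-key 123456789012
crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
  mode tunnel
crypto map CORPORATE_VPN 10 ipsec-ike
  match address OUTBOUND_VPN_TRAFFIC
  set peer 172.21.0.2
  set transform-set SECURE
  set security-association lifetime seconds 28800
ip access-list extended OUTBOUND_VPN_TRAFFIC
  permit ip 192.168.32.0 0.0.0.255 192.168.21.0 0.0.0.255
ip policy-class PRIVATE
  nat source list MATCHALL interface eth 0/1 overload
  allow list OUTBOUND_VPN_TRAFFIC
"""
# Site A values as entered on the 1st Generation IKE and IPSec policy pages (assumed layout).
SITE_A = {"wan_ip": "172.21.0.2", "encryption": "3des", "hash": "sha", "group": 1, "lifetime": 1800,
          "psk": "123456789012", "ipsec_lifetime": 1800, "source": "192.168.21.0/24", "destination": "192.168.32.0/24"}

def parse_aos(text):
    """Minimal parser for the AOS commands used in the Tech Note (a '!' line ends a block)."""
    cfg = {"ike": {}, "psk": {}, "map": {}, "acl": {}, "acp": {}}
    section = attr = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            section = None
        elif w[:3] == ["crypto", "ike", "policy"]:
            section = cfg["ike"][w[3]] = {"attr": {}}
        elif w[:3] == ["crypto", "ike", "remote-id"]:       # ... address <peer> preshared-key <key>
            cfg["psk"][w[4]] = w[6]
        elif w[:2] == ["crypto", "ipsec"]:                  # transform-set algorithms are not checked here
            section = None
        elif w[:2] == ["crypto", "map"]:
            section = cfg["map"][w[2]] = {}
        elif w[:2] in (["ip", "access-list"], ["ip", "policy-class"]):
            section = cfg["acl" if w[1] == "access-list" else "acp"][w[-1]] = []
        elif isinstance(section, list):                     # ACL entries and ACP statements, kept in order
            section.append(w)
        elif section is None:
            continue
        elif w[0] == "attribute":
            attr = section["attr"][w[1]] = {}
        elif w[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            attr[w[0]] = w[1]
        elif w[:2] == ["set", "security-association"]:      # set security-association lifetime seconds N
            section["lifetime"] = int(w[4])
        elif w[0] in ("peer", "set"):                       # peer A (IKE policy); set peer A / set transform-set T (map)
            section[w[-2]] = w[-1]
        elif w[:2] == ["match", "address"]:
            section["acl"] = w[2]
    return cfg

def wildcard_to_net(addr, wildcard):
    """ACL address/wildcard pair (192.168.32.0 0.0.0.255) -> 192.168.32.0/24; the wildcard must be contiguous."""
    bits = int(ipaddress.IPv4Address(wildcard))
    assert bits & (bits + 1) == 0, "non-contiguous wildcard " + wildcard
    return ipaddress.IPv4Network(f"{addr}/{32 - bits.bit_length()}")

def check_site_b(cfg, a):
    """Return the mismatches between the Site B config and the Site A policy values."""
    peer, findings = a["wan_ip"], []
    pols = sorted((int(n), p) for n, p in cfg["ike"].items() if p.get("peer") == peer)  # lowest priority wins
    maps = [(n, m) for n, m in cfg["map"].items() if m.get("peer") == peer]
    if not pols or not maps:
        return [f"no IKE policy and crypto map for peer {peer}"]
    num, pol = pols[0]
    attr = pol["attr"][min(pol["attr"], key=int)]           # preferred attribute = lowest number
    for key in ("encryption", "hash", "group", "lifetime"):
        if attr.get(key) != str(a[key]):
            findings.append(f"ike policy {num}: {key} {attr.get(key)} != Site A {a[key]}")
    if cfg["psk"].get(peer) != a["psk"]:
        findings.append(f"pre-shared key for {peer} differs from Site A")
    name, cmap = maps[0]
    if cmap.get("lifetime") != a["ipsec_lifetime"]:
        findings.append(f"crypto map {name}: IPSec lifetime {cmap.get('lifetime')} != Site A {a['ipsec_lifetime']}")
    # The crypto ACL must be the mirror image of Site A's IPSec source/destination selector.
    acl, mirror = cmap.get("acl"), (ipaddress.IPv4Network(a["destination"]), ipaddress.IPv4Network(a["source"]))
    if not any(e[:2] == ["permit", "ip"] and (wildcard_to_net(*e[2:4]), wildcard_to_net(*e[4:6])) == mirror
               for e in cfg["acl"].get(acl, [])):
        findings.append(f"ACL {acl}: no permit ip entry for {mirror[0]} -> {mirror[1]}")
    # allow list must precede nat source list MATCHALL, or LAN traffic is NATed before it can match the crypto ACL.
    acp = [" ".join(s[:4]) for s in cfg["acp"].get("PRIVATE", [])]
    pos = lambda stmt: acp.index(stmt) if stmt in acp else len(acp)   # a missing statement sorts last
    if pos(f"allow list {acl}") >= pos("nat source list MATCHALL"):
        findings.append(f"policy-class PRIVATE: allow list {acl} is missing or comes after nat source list MATCHALL")
    return findings
```

Running check_site_b(parse_aos(SITE_B_CONFIG), SITE_A) on the constructed input reports exactly the two planted problems; paste a real show running-config in place of SITE_B_CONFIG to check a live unit.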


    Configuring the 1st Generation NetVanta 2XXX

    Step 1: Create and Configure the IKE Policy

    Internet Key Exchange (IKE) is implemented in 1st Generation NetVanta 2XXX systems through user-created IKE policies. Each IKE policy is maintained in a master IKE list. As IKE traffic is received, the NetVanta 2XXX checks the IKE policy list (starting with the first policy listed) until a match is found for the received data (using the peer IP address).

    IKE policies are created and configured through the IKE Policy Configuration page. A screen shot with labeled step numbers is provided after the step definitions.

    Follow the steps below to configure an IKE policy with the following parameters:

    Policy Name = To2100
    Direction = Both Directions
    Exchange Type = Main Mode
    Local ID Type = IP Address
    Local ID Data & Local IP Address = 172.21.0.2
    Remote ID Type = IP Address
    Remote ID Data & Remote IP Address = 172.32.0.2 (Site B WAN IP Address)
    Encryption = 3DES
    Authentication Algorithm = SHA1
    Authentication Mode = Pre-shared key of 123456789012
    Key Lifetime = 1800 seconds
    DH (Diffie Hellman) Group = Group 1

    Create the New IKE Policy

    A picture with callouts for each step is provided in Figure 10.

    1. Click the Policies listing (located in the header bar at the top of the screen).
    2. Click VPN on the left-hand menu list.
    3. Click IKE (under VPN).
    4. Click the Add button to create a new IKE policy.

    Figure 10.    Create the New IKE Policy

    Configure the IKE Policy

    A picture with callouts for each step is provided in Figure 11 and Figure 12.

    1. Enter To2100 in the Policy Name field.
    2. Select Both Directions from the Direction drop down menu.
    3. Select MainMode from the Exchange Type drop down menu.
    4. Select IP Address from the Local ID Type drop down menu.
    5. Enter 172.21.0.2 in the Local ID Data field. (This is the WAN IP of the local NetVanta 2XXX.)
    6. Select IP Address from the Remote ID Type drop down menu for the first peer.
    7. Enter 172.32.0.2 in the Remote ID Data field. (This is the WAN IP of the remote NetVanta 2XXX.)
    8. Enter 172.21.0.2 in the Local IP Address field. (This is the WAN IP of the local NetVanta 2XXX.)
    9. Enter 172.32.0.2 in the Remote IP Address field. (This is the WAN IP of the remote NetVanta 2XXX.)
    10. Select 3DES from the Encrypt Algo (Encryption Algorithm) drop down menu.
    11. Select SHA (SHA1) from the Auth Algo (Authentication Algorithm) drop down menu.
    12. Select Pre-Shared Key from the Auth Mode (Authentication Mode) drop down menu.
    13. Enter 123456789012 in the If Auth mode is Pre-Share Key enter the key field.
    14. Enter 1800 in the Life time of key field.
    15. Select Group1 from the DH Group (Diffie-Hellman Group) drop down menu.
    16. Click the Submit button to accept the configuration.
    17. Verify that the To2100 policy is listed in the IKE Policy list.

    Figure 11.    Configure the IKE Policy

    Figure 12.    IKE Policy List

    Step 2: Configure the Automatic IPSec Tunnel

    IPSec tunnels are implemented in 1st Generation NetVanta 2XXX systems through user-created IPSec policies. Each IPSec policy is maintained in a master policy list. As IPSec tunnels are initiated, the NetVanta 2XXX checks the IPSec policy list (starting with the first policy listed) until a match is found for the received data (using the peer IP address).

    IPSec policies are created and configured through the IPSec Policy Configuration page. A screen shot with labeled step numbers is provided after the step definitions.

    Follow the steps below to configure an IPSec policy with the following parameters:

    Policy Name = To2100
    Source IP Address = 192.168.21.0/24
    Destination IP Address = 192.168.32.0/24 (Site B LAN IP Address)
    Source and Destination Ports = ALL
    Protocol = ALL
    Peer Security Gateway = 172.32.0.2 (Site B WAN IP Address)
    Perfect Forward Secrecy = No
    Security Protocol = ESP with Authentication
    Authentication Algorithm = SHA1
    ESP Algorithm = 3DES
    Key Lifetime = 1800 seconds

    Create the New IPSec Policy

    A picture with callouts for each step is provided in Figure 13.

    1. Click the Policies listing (located in the header bar at the top of the screen).
    2. Click VPN on the left-hand menu list.
    3. Click Tunnels (under VPN).
    4. Click the Auto button to create a new IPSec policy.

    Figure 13.    Create the New IPSec Policy

    Configure the IPSec Policy

    A picture with callouts for each step is provided in Figure 14 and Figure 15.

    1. Enter To2100 in the Policy Name field.
    2. Select Enable from the Status drop down menu.
    3. Select Other from the Source Address drop down menu.
    4. Enter 192.168.21.0 in the Source IP Address field and 24 as the Mask. (This is the private network address and subnet mask of this NetVanta 2XXX.)
    5. Select Other from the Dest Address (Destination Address) drop down menu.
    6. Enter 192.168.32.0 in the Dest IP Address (Destination IP Address) field and 24 as the Mask. (This is the private network address and subnet mask of the remote NetVanta 2XXX system.)
    7. Select Any from the Source Port drop down menu.
    8. Select Any from the Destination Port drop down menu.
    9. Select All from the Protocol drop down menu.
    10. Enter 172.32.0.2 in the Peer Security Gateway field. (This is the WAN IP of the remote NetVanta 2XXX.)
    11. Select No from the Perfect Forward Secrecy drop down menu.
    12. Select ESP with Auth from the Security Protocol drop down menu.
    13. Select SHA1 from the AUTH Algorithm (Authentication Algorithm) drop down menu.
    14. Select 3DES from the ESP Algorithm drop down menu.
    15. Enter 1800 in the Life Time Secs field. It is good practice for this lifetime to be 1/3 of the Life time of key field in the configured IKE Policy.
    16. Select Last Transform from both of the remaining Security Protocol drop down menus.
    17. Click the Add button to accept the configuration parameters.
    18. Verify that the To2100 IPSec policy is listed in the IPSec Policies table.

    Figure 14.    Configure the IPSec Policy

    Figure 15.    IPSec Policy List

    Step 3: Configure the Firewall (Using Access Policies)

    The default access policies must be modified to permit inbound and outbound traffic to and from the Private LAN behind the remote NetVanta 2XXX. In 1st Generation NetVanta 2XXX systems, access policies are divided into two categories: 1) To LAN and 2) From LAN. Each policy list displays the configured policies in order from top to bottom. When data traffic is ready for flow through the unit (either incoming or outgoing data), the NetVanta 2XXX searches through the policy lists (starting with the first policy listed) until a match for the data is found. Therefore, the placement of policies in the policy lists is crucial for proper operation. For this example, the To LAN access policy list must be modified to allow incoming traffic from the remote LAN to pass to the local LAN and the From LAN access policy list must be modified to allow outgoing traffic from the local LAN to pass to the remote LAN (all over the established VPN).

    Complete the following steps to modify the access policies.

    Add a Policy to the To LAN Access Policy List

    A picture with callouts for each step is provided in Figure 16.

    1. Click the Policies listing (located in the header bar at the top of the screen).
    2. Click Access Policies: To LAN from the left-hand menu list.
    3. Select Beginning from the Add drop down menu.
    4. Click the Submit button to create the new policy.

    Figure 16.    Create a New To LAN Access Policy

    Configure the New To LAN Access Policy

    A picture with callouts for each step is provided in Figure 17 and Figure 18.

    1. Select Other from the Source IP drop down menu.
    2. Enter 192.168.32.0 in the If Source IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the remote NetVanta 2XXX system.)
    3. Select Other from the Destination IP drop down menu.
    4. Enter 192.168.21.0 in the If Dest IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the local NetVanta 2XXX system.)
    5. Select Any from the Destination Port drop down menu.
    6. Select All from the Protocol Type drop down menu.
    7. Select Permit from the Action Type drop down menu.
    8. Select the Yes radio button for the Enable Log parameter.
    9. Select the No radio button for the Enable NAT parameter.
    10. Select the Yes radio button for the Check for System VPN Policy field.
    11. Click the Submit button to accept the configuration parameters.
    12. Verify the new Policy is listed in the To LAN access policy list.

    Figure 17.    Configure the New To LAN Policy

    Figure 18.    To LAN Access Policy List

    Add a Policy to the From LAN Access Policy List

    A picture with callouts for each step is provided in Figure 19.

    1. Click the Policies listing (located in the header bar at the top of the screen).
    2. Click Access Policies: From LAN from the left-hand menu list.
    3. Select Beginning from the Add drop down menu.
    4. Click the Submit button to create the new policy.

    Figure 19.    Create a New From LAN Access Policy

    Configure the New From LAN Access Policy

    A picture with callouts for each step is provided in Figure 20 and Figure 21.

    1. Select Other from the Source IP drop down menu.
    2. Enter 192.168.21.0 in the If Source IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the local NetVanta 2XXX system.)
    3. Select Other from the Destination IP drop down menu.
    4. Enter 192.168.32.0 in the If Dest IP is Other field and 24 in the corresponding Mask field. (This is the private LAN of the remote NetVanta 2XXX system.)
    5. Select Any from the Destination Port drop down menu.
    6. Select All from the Protocol Type drop down menu.
    7. Select Permit from the Action Type drop down menu.
    8. Select the No radio button for the Enable Log parameter.
    9. Select the No radio button for the Enable NAT parameter.
    10. Select the Yes radio button for the Check for System VPN Policy field.
    11. Click the Submit button to accept the configuration parameters.
    12. Verify the new Policy is listed in the From LAN access policy list.

    Figure 20.    Configure the New From LAN Access Policy

    Figure 21.    From LAN Access Policy List

    Step 4: Save the Configuration Changes

    The 1st Generation NetVanta 2XXX requires a manual save of all configuration changes before the changes are permanent. If the system loses power before the settings are saved, all configuration changes are lost.

    Follow the steps below to save the configuration changes. A picture with callouts for each step is provided in Figure 22.

    1. Click the Admin listing (located in the header bar at the top of the screen).
    2. Click Save Settings from the left-hand menu list.
    3. Click the Yes button to save the changes.

    Figure 22.    Save the Configuration Changes

    Initiating the VPN Tunnel

    After configuring both NetVanta 2XXX systems, initiate the VPN tunnel to test for connectivity between the two sites. The easiest way to accomplish this is to send a ping from a station on the local private LAN to a station on the remote private LAN.

    Use the 2nd Generation NetVanta 2XXX CLI to send a ping to the 1st Generation NetVanta 2XXX LAN IP and initiate the VPN tunnel. Enter the command as follows: ping 192.168.21.1 source 192.168.32.1.

    If you experience any problems using your ADTRAN product, please contact ADTRAN Technical Support.

    DISCLAIMER


    ADTRAN provides the foregoing application description solely for the reader's consideration and study, and without any representation or suggestion that the foregoing application is or may be free from claims of third parties for infringement of intellectual property rights, including but not limited to, direct and contributory infringement as well as for active inducement to infringe. In addition, the reader's attention is drawn to the following disclaimer with regard to the reader's use of the foregoing material in products and/or systems. That is:


    ADTRAN SPECIFICALLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ADTRAN BE LIABLE FOR ANY LOSS OR DAMAGE, AND FOR PERSONAL INJURY, INCLUDING BUT NOT LIMITED TO, COMPENSATORY, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER D