Introduction. Quick Configuration Guide (QCG) Configuring a VPN for Multiple Subnets in AOS



Similar documents
Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Configuring RADIUS Authentication for Device Administration

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Figure 1 - T1/E1 Internet Access

VPN SECURITY POLICIES

Lab Configure a PIX Firewall VPN

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm

Configuring IP Load Sharing in AOS Quick Configuration Guide

First, we must set the Local Dialing Type to 7 or 10 digits. To do this, begin by clicking on Dial Plan under Voice.

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

IPsec VPN Application Guide REV:

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

VPN. VPN For BIPAC 741/743GE

VPNC Interoperability Profile

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Creating a VPN with overlapping subnets

Chapter 4 Virtual Private Networking

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Configuring a FortiGate unit as an L2TP/IPsec server

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Interconnection between the Windows Azure

Planet CS TheGreenBow IPSec VPN Client. Configuration Guide.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Configure ISDN Backup and VPN Connection

GNAT Box VPN and VPN Client

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Connecting Remote Offices by Setting Up VPN Tunnels

Symantec Firewall/VPN 200

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Chapter 8 Virtual Private Networking

Cisco 1841 MyDigitalShield BYOG Integration Guide

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide.

Scenario: Remote-Access VPN Configuration

IPSec Pass through via Gateway to Gateway VPN Connection

How To Industrial Networking

ISG50 Application Note Version 1.0 June, 2011

Firewall Troubleshooting

ZyXEL ZyWALL P1 firmware V3.64

Deploying IPSec VPN in the Enterprise

IP Office Technical Tip

LAN-Cell to Cisco Tunneling

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Cyberoam IPSec VPN Client Configuration Guide Version 4

Using IPsec VPN to provide communication between offices

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Scenario 1: One-pair VPN Trunk

CCNA Security 1.1 Instructional Resource

Juniper NetScreen 5GT

Configuring a VPN for Dynamic IP Address Connections

VPN Wizard Default Settings and General Information

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Packet Tracer Configuring VPNs (Optional)

Quick Note 20. Configuring a GRE tunnel over an IPSec tunnel and using BGP to propagate routing information. (GRE over IPSec with BGP)

Windows XP VPN Client Example

Case Study for Layer 3 Authentication and Encryption

Cisco SA 500 Series Security Appliance

Chapter 6 Basic Virtual Private Networking

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Configure IPSec VPN Tunnels With the Wizard

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Interconnecting Cisco Networking Devices Part 2

Cisco RV 120W Wireless-N VPN Firewall

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Virtual Private Network (VPN)

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and SDM

Ingate Firewall. TheGreenBow IPSec VPN Client Configuration Guide.

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Quick Note 051. Common Passwords/ID errors in IPsec VPN negotiation for TransPort routers. DRAFT July 2015

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Branch Office VPN Tunnels and Mobile VPN

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

Table of Contents. Introduction

Virtual Private Network and Remote Access Setup

Watchguard Firebox X Edge e-series

How To Configure A Network Monitor Probe On A Network Wire On A Microsoft Ipv6 (Networking) Device (Netware) On A Pc Or Ipv4 (Network) On An Ipv2 (Netnet) Or Ip

Most Common DMVPN Troubleshooting Solutions

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

: Interconnecting Cisco Networking Devices Part 2 v1.1

Cisco QuickVPN Installation Tips for Windows Operating Systems

Chapter 5 Virtual Private Networking Using IPsec

This is a guide on how to create an IPsec VPN tunnel from a local client running Shrew Soft VPN Client to an Opengear device.

Using IPSec in Windows 2000 and XP, Part 2

7. Configuring IPSec VPNs

NetVanta Series (with Octal T1/E1 Wide Module)

Transcription:

Quick Configuration Guide (QCG) Configuring a VPN for Multiple Subnets in AOS Introduction After creating a VPN, it is often necessary to have access to a new subnet across the VPN. To add a subnet, there must be additional selectors placed in the VPN-selectors. Below is an example network of two routers that each has a single subnet connected. Above, there is a VPN that is established between 192.168.1.0 /24 and 10.10.20.0 /24. However, as time goes on, there may be a need for an extra subnet at each site to be accessible through the tunnel: In this scenario, there are now two subnets on both sides that need to be able to reach the remote location. At this point, the selectors must be modified to add an additional subnet

across the link. It is important to note here that by adding an additional subnet to both sides, additional security associations are being added. Note: Keep in mind the number of security associations that are available on the router. Adding additional subnets to VPN Selectors causes extra processing and extra resources to be used so keep an eye on the number of security associations that are created. Because the above subnets are discontiguous (10.10.10.0/24 and 10.10.20.0/24), it is necessary to add two statements to allow traffic to pass from Router A to Router B. If these two had been contiguous (s.a. 192.168.0.0/24 and 192.168.1.0/24), it would have been possible to still only use one security association and supernet the two networks (192.168.0.0/23). Hardware/Software Requirements/Limitations Software Requirements The following requirements are needed to be able to establish a multi-network VPN. If the VPN peer is not an AOS device, additional information will be needed: Public IP of Statically Addressed Device Network IP Addresses and Subnet Masks for all private networks o Example: 192.168.1.0 /24 and 10.10.10.0 /24 Hardware Requirements To implement an IPSec VPN tunnel, the following are needed: An Adtran OS Router o Example: Netvanta or Total Access Enhanced Feature Pack for each Adtran OS Device Web Interface Configuration After creating the initial VPN between the two sites, go into the VPN peers to find where additional subnets can be added:

Once this is open, additional subnets (local and remote) can be added to the selectors for the VPN Peer: At this point, the 192.168.2.0 subnet needs to be added to the peer so that it can communicate with the 10.10.10.0 subnet. To do this, add the local network of 192.168.2.0 255.255.255.0 under Step 3 in the VPN peers. After typing in the local network and local network mask, click add. Once this is done, both the 192.168.1.0 and 2.0 networks should have access to the 10.10.10.0 subnet:

Finally, to add access for these two networks to the 10.10.20.0 remote network, simply add this remote network to Step 4: After adding this subnet, all four subnets will have access to one another.

Configuration in CLI Adding additional subnets only requires one line via the command line for each subnet to get to another remote subnet. Going back to the first example, router A has only one subnet attached. Once the VPN has been created, the access-list for Router A s selectors will look similar to below: permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255 The first step to take to get both subnets on A to router B is to add access to the 10.10.10.0 /24 subnet for the 192.168.1.0 /24 subnet: permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 At this point, 192.168.1.0 should be able to reach all private subnets on Router B. From here, it is simply a process of adding the source network of 192.168.2.0 to allow access to the remote networks: permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 permit ip 192.168.2.0 0.0.0.255 10.10.20.0 0.0.0.255 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255 Once done on router A, the settings can be reversed on router B so that both sides have access to the remote subnets:

permit ip 10.10.20.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255 After doing this, security associations should exist allowing access across both local networks to the other remote networks. Supernetting Going back to the example above, lets say that instead of 192.168.1.0 /24 and 192.168.2.0 /24, we have 192.168.0.0 /24 and 192.168.1.0 /24. Now it is possible to add a single selector limiting the number of security associations needed. permit ip 192.168.0.0 0.0.1.255 10.10.10.0 0.0.0.255 permit ip 192.168.0.0 0.0.1.255 10.10.20.0 0.0.0.255 In the same light, if subnets 10.10.0.0 /24 and 10.10.1.0 /24 on Router B s side are used, there is only one IPSEC security association in each direction instead of the 4 in the aforementioned section: permit ip 192.168.0.0 0.0.1.255 10.10.0.0 0.0.1.255 Troubleshooting After setting up the configurations, this can be tested by using the ping utility on the router. Since the tunnel is going to use the same IKE security association for the first tunnel, there shouldn t be any problem with the negotiation. To verify that the VPN selectors match, it still may be necessary to look at the output from debug crypto ike. To test this, ping from Router A to Router B and source an internal interface: ping 10.10.20.1 source 192.168.2.1 If the pings are successful, traffic should pass between the two subnets. If for some reason traffic doesn t pass, use the diagnostic command: show crypto ipsec sa from enable mode to verify that the tunnel is up. Below is a sample output from a single security association. From here, it should be possible to verify that packets are being transmitted through the tunnel. Switch#show crypto ipsec sa Using 2 SAs out of 2000 IPSec Security Associations: Peer IP Address: 10.19.243.13

Remote ID: 10.19.243.24 Crypto Map: VPN 10 Direction: Inbound Encapsulation: ESP SPI: 0x9010AE7D (2417012349) RX Bytes: 512 Selectors: Src:192.168.0.0/255.255.254.0 Port:ANY Proto:ALL IP Dst:10.10.0.0/255.255.254.0 Port:ANY Proto:ALL IP Hard Lifetime: 28800 Soft Lifetime: 0 Out-of-Sequence Errors: 0 Peer IP Address: 10.19.243.24 Remote ID: 10.19.243.24 Crypto Map: VPN 10 Direction: Outbound Encapsulation: ESP SPI: 0xE688CD89 (3867725193) TX Bytes: 512 Selectors: Src:10.10.0.0/255.255.254.0 Port:ANY Proto:ALL IP Dst:192.168.0.0/255.255.254.0 Port:ANY Proto:ALL IP Hard Lifetime: 28800 Soft Lifetime: 28710 DISCLAIMER ADTRAN provides the foregoing application description solely for the reader's consideration and study, and without any representation or suggestion that the foregoing application is or may be free from claims of third parties for infringement of intellectual property rights, including but not limited to, direct and contributory infringement as well as for active inducement to infringe. In addition, the reader's attention is drawn to the following disclaimer with regard to the reader's use of the foregoing material in products and/or systems. That is: ADTRAN SPECIFICALLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ADTRAN BE LIABLE FOR ANY LOSS OR DAMAGE, AND FOR PERSONAL INJURY, INCLUDING BUT NOT LIMITED TO, COMPENSATORY, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information