
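# Firewall rule 3 is the L2TP tunnel allow rule. The encap=ipsec qualifier
# means UDP/1701 is accepted only when it arrives inside an IPsec tunnel;
# bare (unencrypted) L2TP from the Internet is still dropped by the firewall.
add firewall policy=main rule=3 interface=eth0 action=allow protocol=udp ip=<office Internet address> port=1701 gblip=<office Internet address> gblport=1701 encap=ipsec
# Manage the gateway over Secure Shell, never Telnet: Telnet carries the
# security-officer password in clear text across the network. The RSA keys
# referenced by serverkey=2 and hostkey=3 must already exist in the ENCO key
# store before this line is run; see the Secure Shell chapter and example in
# your software reference for how to create them.
enable ssh server serverkey=2 hostkey=3 expirytime=12 logintimeout=60
# Restrict SSH logins to a named user connecting from a single trusted source
# address. Replace both placeholders; never leave a default or shared password
# in a deployed configuration.
add ssh user=secoff password=<secoff password> ipaddress=<trusted remote ip address>
# IPsec phase-2 proposals (ESP, transport mode, keyed by ISAKMP/IKE).
# 1 and 2 use 3DES; 3 and 4 use single DES (56-bit key) and exist only for
# clients that cannot negotiate 3DES. MD5 (2 and 4) is weaker than SHA-1.
create ipsec saspecification=1 key=isakmp protocol=esp encalg=3desouter hashalg=sha mode=transport
create ipsec saspecification=2 key=isakmp protocol=esp encalg=3desouter hashalg=md5 mode=transport
create ipsec saspecification=3 key=isakmp protocol=esp encalg=des hashalg=sha mode=transport
create ipsec saspecification=4 key=isakmp protocol=esp encalg=des hashalg=md5 mode=transport
# The ORDER of proposals is important: propose the strongest encryption first.
# Be aware that the gateway will accept ANY proposal listed in the bundle, so a
# client that offers only DES/MD5 still gets a tunnel. Once every client is
# confirmed to support 3DES/SHA, tighten this to string="1" (or "1 or 2").
create ipsec bundlespecification=1 key=isakmp string="1 or 2 or 3 or 4"
# The first two IPsec permit rules let IKE/ISAKMP (UDP 500) and the NAT-T
# "port floated" IKE/UDP-encapsulated ESP traffic (UDP 4500) reach the
# gateway without IPsec processing, so the negotiation itself can take place.
create ipsec policy="isakmp" interface=eth0 action=permit
set ipsec policy="isakmp" lport=500
create ipsec policy="isakmp_float" interface=eth0 action=permit
set ipsec policy="isakmp_float" lport=4500
# Generic roaming-client policy. peer=any lets many remote PC clients share
# this one policy, so peer authentication rests entirely on ISAKMP policy
# "roaming1" (defined elsewhere in the configuration). If that policy uses a
# pre-shared key, every roaming client shares the same secret; prefer
# certificate authentication where the clients support it. The selector below
# limits this policy to L2TP traffic (UDP 1701).
create ipsec policy="all_roaming" interface=eth0 action=ipsec key=isakmp bundlespecification=1 isakmppolicy="roaming1" peer=any
set ipsec policy="all_roaming" transport=udp lport=1701
# Optional catch-all for ordinary Internet browsing through the same interface.
# It has no selector, so everything it matches leaves eth0 in clear text; it is
# created LAST on the assumption that policies are matched in creation order
# (confirm in the IPsec chapter). Do NOT add it on a VPN-only gateway: the
# guide's wording implies traffic matching no policy is dropped once IPsec is
# enabled, which is the behaviour you want there.
create ipsec policy="internet" interface=eth0 action=permit
enable ipsec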