C613-16035-00 REV E
www.alliedtelesis.com
AlliedWare™ OS How To Note
Introduction
This document describes how to provide secure remote access through IP Security (IPsec)
Virtual Private Networks (VPNs).
This VPN solution is suitable for any business deployment and provides your office with
secure internet access and firewall protection, plus remote encrypted VPN access for
travelling staff.
The solution uses IPsec NAT Traversal (NAT-T), which lets VPN clients communicate
through Network Address Translation (NAT) gateways over the Internet. For example,
business travellers (road warriors) commonly use IPsec on their laptops to gain remote VPN
access to the central office. When working off-site, these users often have to reach the
Internet through a NAT gateway, such as a hotel's. NAT gateways are also frequently part of a
company's firewall, letting its Local Area Network (LAN) appear as a single IP address to the
outside world.
For more information about NAT gateways, see RFC 1631, The IP Network Address Translator
(NAT), and the Network Address Translation section in the Firewall chapter of your device's
Software Reference.
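As an added illustration of why NAT-T is needed (this is example code written for this note, not code from the How To Note, Allied Telesis or Microsoft): a NAT rewrites the outer IP header, so the IKE peers first have to discover that a NAT sits between them, and then carry both IKE and ESP inside UDP so the NAT has ports to translate. The NAT detection below follows the NAT-D payload construction in RFC 3947 (a hash over the IKE cookies plus the address and port each side believes it is using), and the UDP port 4500 demultiplexing follows RFC 3948. SHA-1 as the negotiated IKE hash, the cookies, and the addresses and ports of the laptop, hotel NAT and office router are all constructed sample values.

```python
# Added worked example (not from the How To Note or any Allied Telesis /
# Microsoft code): how IKE detects a NAT on the path (RFC 3947 NAT-D payloads)
# and how the peers then demultiplex IKE, ESP and keepalives on UDP port 4500
# (RFC 3948). Cookies, addresses and ports below are constructed sample values.
import hashlib
import socket
import struct

NAT_T_PORT = 4500                     # UDP port used once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages on port 4500
KEEPALIVE = b"\xff"                   # 1-byte NAT keepalive datagram


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    SHA-1 is assumed as the negotiated IKE hash; IP and port are in network order."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def analyze_nat_d(cky_i, cky_r, peer_dst_hash, peer_src_hashes,
                  my_ip, my_port, observed_ip, observed_port):
    """Receiver's view of the peer's NAT-D payloads.

    The peer sends one hash over the address it thinks *we* have (peer_dst_hash)
    and one per address it thinks *it* has (peer_src_hashes). A NAT on the path
    rewrites the outer IP header, so a hash that no longer matches what we
    actually see tells us which side sits behind a NAT."""
    local_behind_nat = peer_dst_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_ip,
                                 observed_port) not in peer_src_hashes
    return {"local_behind_nat": local_behind_nat, "peer_behind_nat": peer_behind_nat}


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 carries a 4-byte zero marker so it cannot be mistaken
    for ESP, whose first 4 bytes are a non-zero SPI."""
    return NON_ESP_MARKER + ike_message


def udp_encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP is carried unchanged: SPI (4) + sequence number (4) + ciphertext.
    The UDP header around it is what gives the NAT something to translate."""
    return esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a datagram received on UDP/4500 as the receiving peer would."""
    if payload == KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:           # at least SPI + sequence number
        return "esp"
    return "invalid"


def road_warrior_scenario():
    """Constructed: laptop 10.0.0.5 behind a hotel NAT that rewrites its packets
    to 203.0.113.7:40123; office router 198.51.100.1 on a public address."""
    cky_i = bytes.fromhex("0123456789abcdef")   # initiator cookie (sample)
    cky_r = bytes.fromhex("fedcba9876543210")   # responder cookie (sample)
    laptop_ip, router_ip = "10.0.0.5", "198.51.100.1"

    # Laptop builds its NAT-D payloads from the addresses it believes are in use.
    nat_d_dst = nat_d_hash(cky_i, cky_r, router_ip, 500)
    nat_d_src = [nat_d_hash(cky_i, cky_r, laptop_ip, 500)]

    # Router sees the packet arrive from the hotel NAT's public address/port.
    return analyze_nat_d(cky_i, cky_r, nat_d_dst, nat_d_src,
                         my_ip=router_ip, my_port=500,
                         observed_ip="203.0.113.7", observed_port=40123)


if __name__ == "__main__":
    print(road_warrior_scenario())
    # -> {'local_behind_nat': False, 'peer_behind_nat': True}
```

Swapping the router's address for a private one behind an ADSL modem makes `local_behind_nat` come out true as well, which is the "office behind a NAT gateway" case in the figure; in either case both peers move to UDP port 4500 and keep the NAT mapping alive with the 1-byte keepalive.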
If you do not want to enable NAT-T support, use the companion Note How To Create A VPN
Between An Allied Telesis Router And A Microsoft Windows 2000 Client, Without Using NAT-T
instead. This companion How To Note is available from www.alliedtelesis.com/resources/
literature/howto.aspx.
Create a VPN between an Allied Telesis Router and a Microsoft Windows 2000 (1) Client,
over NAT-T

1. Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
Consider the following typical scenario:
You are the manager of a small business and you have purchased an AR415S for your small
office premises. You have five PCs networked together with a server in your office. You
intend to use your AR415S as your Internet gateway and for it to provide firewall protection.
You also have a team of five sales people who travel widely around the globe. You would like
these staff members to have secure (encrypted) remote access through the Internet to the
servers in your office, to allow them to access files, the private Intranet, and business email.
The travelling staff members get secure remote access from any hotel or other location with
Internet access through an IPsec VPN. Each staff member has a laptop or other portable
device with Windows 2000 installed.
This document describes how to configure the Windows system to use an IPsec VPN to
connect to your office through the AR415S router. The solution uses NAT-T, so your IPsec
VPN still works even if the remote location uses a NAT gateway or firewall for Internet
access. It also works if your office router sits behind a separate NAT gateway, such as an
ADSL modem.
When your staff want to connect to the office, they simply use the VPN icon on their desktop
to initiate the IPsec VPN connection.
Example Network
The following figure shows three possible scenarios that need NAT-T: travelling workers
behind a NAT gateway, a remote office behind a NAT gateway, and the main office behind a
NAT gateway.
[Figure: example network (network.eps). Office: VPN router with the office's public IP address, office PCs and servers. Internet in the middle. Hotel: travelling client behind a NAT gateway. Remote office: remote workers behind a NAT gateway. A NAT gateway may also sit in front of the office's VPN router.]