C613-16004-00 REV D
www.alliedtelesis.com
AlliedWare™ OS How To Note
Introduction
This document describes how to provide secure remote access through IP security (IPSec)
Virtual Private Networks (VPN).
This VPN solution is suitable for any business deployment and provides your office with
secure internet access and firewall protection, plus remote encrypted VPN access for staff
who work from home.
You should use the companion Note "How To Create A VPN Between An Allied Telesis Router And
A Microsoft Windows 2000 Client, Over NAT-T" instead, if:
- the Allied Telesis router is connected to the Internet through a NAT gateway device, such
as an ADSL modem, and/or
- you want to let travelling staff connect to your office from such places as hotel rooms.
This companion How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.
Consider the following typical scenario:
You are the manager of a small business and you have purchased an AR415S for your small
office premises. You have five PCs networked together with a server in your office. You
intend to use your AR415S as your Internet gateway and for it to provide firewall protection.
You also have people who sometimes work from home. You would like these staff members
to have secure (encrypted) remote access through the Internet to the servers in your office,
to allow them to access files, the private Intranet, and business email.
Each staff member has a laptop or PC with Windows 2000 installed.
How To | Create a VPN between an Allied Telesis Router and a Microsoft Windows 2000¹ Client, Without Using NAT-T
1. Internet Explorer and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
This document describes how to configure the Windows system to use IPSec VPN to connect
to your office through the AR415S router.
When your staff want to connect to the office they simply use the VPN icon on their desktop to
initiate the IPSec VPN connection.
Which products and releases does it apply to?
The following Allied Telesis routers are most suitable as VPN gateways because they have fast
hardware encryption support and high performance:
- AR415S, AR44xS series, and AR450S
- AR750S and AR770S
The AR415S achieves up to 90 Mbps throughput with 3DES or AES encryption.
You can also use older routers as VPN gateways, but they will not have as high performance. The
older routers depend on either the Encryption Mini Accelerator Card (EMAC) or the
Encryption PCI Accelerator Card (EPAC) to perform encryption. They include:
- AR725, AR745, AR720 and AR740 routers
- AR410 series routers
- AR300 series routers
Finally, you can also use the Rapier 24 and Rapier 24i switches as VPN gateways, but this is
usually not a recommended practice. Doing so means you will lose wire-speed switching of data,
because all traffic needs to be inspected by the firewall and IPSec at CPU processing speed.
Encryption algorithms such as 3DES and AES require a feature licence. This is included on some
models. See your Allied Telesis representative for more information.
The configuration is supported on all AlliedWare versions since 2.3.1 and was tested using a PC
running Microsoft Windows 2000 Professional, Service Pack 4.
Related How To Notes
Allied Telesis offers How To Notes with a wide range of VPN solutions, from quick and simple
solutions for connecting home and remote offices, to advanced multi-feature setups. Notes also
describe how to create a VPN between an Allied Telesis router and equipment from a number of
other vendors.
For a complete list of VPN How To Notes, see the Overview of VPN Solutions in How To Notes in
the How To Library at www.alliedtelesis.com/resources/literature/howto.aspx.
The collection includes Notes that describe how to interoperate with Windows 2000, XP and
Vista clients.