Allied Telesis Support Portal

Configuring a VPN with the Wizard on NGFW

How can I set a VPN with two Allied Telesis Firewalls?


A VPN (Virtual Private Network) is the connection between two devices using IPsec to protect data.

IPsec is a protocol suite for securing IP networks by authenticating and encrypting IP packets. IPsec protects one or more paths between a pair of hosts, a pair of security gateways, or a security gateway and a host.


What does IPsec do?

IPsec provides the following security services for traffic at network Layer 3 (IP):

  • Data origin authentication—Identifying who sent the data.

  • Confidentiality (encryption)—Ensuring that the data has not been read en route.

  • Connectionless integrity (authentication)—Ensuring the data has not been changed en route.

  • Replay protection—Detecting packets received more than once to help protect against denial of service attacks.

The operation of IPsec is based upon negotiated connections between peer devices. These connections are called Security Associations.

Starting the Wizard

When the Router is turned on for the first time, you can connect a network cable to port 1, this will make the Router configure the IP in Vlan 1, allowing access to the Graphical Interface of the unit. The Wizard uses Vlan 1 as part of the configuration, if you dont want to use the default IP address but still want to configure the VPN using the Wizard, assign the IP address of your choice to Vlan 1.

Log into the Router using the GUI and select the Wizard option from the left side menu.

User-added imageg

You need to configure the IP address that the Router will use to connect to the Internet in one of the ETHs port.
Select Setup >> Start Wizard >> Select Item; a drop down menu will appear, then select the proper method that the Router will use to get IP address, for this example "Fixed" is selected.

User-added image

Fill in the required information and select the interface (ETH1) you want to use.

User-added image

When the confirmation screen appears select "Apply".

Now the Router has an IP address that it uses to communicate over the Internet.

To Configure the VPN, select VPN >> Start Wizard, fill in the required information and select Next.

User-added image

Tunnel IP: Specify an IPv4 source address for packets being encapsulated in the IPsec tunnel.
Tunnel Source: Specify the interface name for packets being encapsulated in the IPsec tunnel.
Tunnel Destination: Specify a destination IPv4 address for the remote end of the tunnel (This should be the public IP that the other side of the VPN is using to reach out the Internet).
Tunnel Local Name: Specify an IPSec tunnel hostname to send to the peer for authentication when you apply tunnel protection IPsec to encrypt the packets and configure an ISAKMP key.
Tunnel Remote Name: Specify a tunnel remote name to authenticate the tunnel’s remote peer device when you apply tunnel protection IPsec to encrypt the packets and configure an ISAKMP key.
Crypto Preshared Key: Configure an ISAKMP authentication key.

When the confirmation screen appears select "Apply".

The Wizard will create the necessary firewall rules in order to stablish the VPN.

Remember to save the configuration by clicking the "Save" button in the upper right corner.


Configuration example in Command Line

Here is an example of the configuration that is created by the Wizard.
Router public IP address

interface eth1
 ip address

Firewall Zones and Entities

zone private
 network lan
  ip subnet interface vlan1
  ip subnet

zone public
 network wan
  ip subnet interface eth1
  host eth1
   ip address

Firewall and NAT rules

 rule 10 permit isakmp from public.wan.eth1 to public.wan
 rule 20 permit isakmp from public.wan to public.wan.eth1
 rule 30 permit esp from public.wan.eth1 to public.wan
 rule 40 permit esp from public.wan to public.wan.eth1
 rule 50 permit any from private to private
 rule 60 permit any from private to public
 rule 70 permit dns from public.wan.eth1 to public.wan

 rule 10 masq any from private to public

Applications needed for the VPN

application esp
 protocol 50

application isakmp
 protocol udp
 sport 500
 dport 500

Tunnel configuration

interface tunnel1
 tunnel source eth1
 tunnel destination
 tunnel local name TUNNEL10
 tunnel remote name TUNNEL10
 tunnel protection ipsec
 tunnel mode ipsec ipv4
 ip address

Default Gateway

ip route


Some Show commands

show ipsec peer
Use this command to show IPSec information on a per peer basis.

awplus#show ipsec peer
  Selectors (local:remote)
    Address: :
    Protocol: any:any
    Port:     any:any
    Mark:     16395:16395
  Profile: default
    SPI (In:Out): c5b7af17:ce882b06
      Proto:      ESP
      Mode:       tunnel
      Encryption: AES256
      Integrity:  SHA256
      Expires:    28606s

  LocalID:  TUNNEL10
  RemoteID: TUNNEL10
    Cookies (Initiator:Responder) 2e85e974129e5a50:34765833120d46d4
      Ver:            2             Lifetime: 82495s    State: Established
      Authentication: PSK           Group:    14
      Encryption:     AES256        NATT:     no
      Integrity:      SHA256        DPD:      yes

show ipsec sa
Use the command show ipsec sa to show the state of the IPsec security association formed between two IPsec peers.

awplus##show ipsec sa
Peer                  SPI (in:out)          Mode          Proto  Expires
                      Encryption            Integrity     PFS
TUNNEL10              c5b7af17:ce882b06     tunnel        ESP    28659s
      (  AES256                SHA256        -
show ipsec policy

Use the command show IPSec policies.

awplus#show ipsec policy
IPsec policy information
Name:           tunnel10
Local Address: (TUNNEL10)
Remote Address: (TUNNEL10)
Selectors (local:remote)
  Address: :
  Protocol: any:any
  Port:     any:any
  Mark:     16395:16395
Mode:     tunnel
Profile:  default

show isakmp key
Use the command show isakmp key to show the ISAKMP pre-shared key.

awplus#show isakmp key
Hostname/Address/Policy         PSK                   EAP
TUNNEL10                        <samplekey1>          -

For more information about IPSec and VPN, refer to the Internet Protocol Security (IPsec) Feature Overview and Configuration Guide