Policy Based Virtual Private Networking; Ruggedcom; Virtual Private Networking To A Dmz - RuggedCom RuggedRouter RX1000 User Manual

Ruggedcom router user manual

IPsec traffic arriving at the firewall is directed to openswan, the IPsec daemon.
Openswan then decrypts the traffic and forwards it back to shorewall on the assigned
ipsecX interface. You will also need a rule to allow traffic to enter from this
interface. For example, if openswan creates interface ipsec0 when its connections are
established, and ipsec0 is in the zone vpn, you would need the following rule.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    vpn            loc

Note that if your firewall itself is required to communicate with the VPN you will
need rules such as the following.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    vpn            fw                  tcp         ssh

Policy Based Virtual Private Networking

Begin configuration by creating local, network and vpn zones. Identify the network
interface that carries the encrypted IPsec traffic and make this interface part of zone
"ANY" in the interfaces menu, as it will carry traffic for both zones.
Visit the Zone Hosts menu and, for the network interface that carries the encrypted
IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone
option checked. If you plan to have VPN tunnels to multiple remote sites, ensure that
a zone host entry exists for each (or collapse them into a single subnet). Create
another zone host for the same interface with the net zone, using a wider subnet
mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net
zone, since the more specific vpn zone subnet must be inspected first.

Host Zone    Interface    Subnet            IPsec Zone?
vpn          w1ppp        192.168.1.0/24    Yes
net          w1ppp        0.0.0.0/0         No

IPsec uses UDP port 500 together with the AH (Authentication Header) and ESP
(Encapsulating Security Payload) protocols. The firewall must accept this traffic
in order to allow IPsec.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    net            fw                  ah
ACCEPT    net            fw                  esp
ACCEPT    net            fw                  udp         500

IPsec traffic arriving at the firewall is directed to openswan, the IPsec daemon.
Openswan then decrypts the traffic and forwards it back to shorewall on the same
interface that originally received it. You will also need a rule to allow traffic to
enter from this interface.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    vpn            loc

Virtual Private Networking To A DMZ

If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device
in a DMZ), then establish a DMZ zone and install the following rules.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    net            dmz                 ah
ACCEPT    net            dmz                 esp
ACCEPT    net            dmz                 udp         500
ACCEPT    dmz            net                 ah
ACCEPT    dmz            net                 esp
ACCEPT    dmz            net                 udp         500

Chapter 11 – Configuring The Firewall
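The zone-host and rule tables above are evaluated first match wins, which is why the manual insists that the vpn zone host be declared before the net zone host. The following Python model of that lookup is an added example, not RuggedCom or shorewall code: the host and rule tables are transcribed from this chapter, the "ssh" service name is resolved to port 22, a default policy of DROP for zone pairs without a matching rule is assumed, and the helper names (classify_zone, find_shadowed, decide) are this example's own. It shows what happens when the two zone hosts are declared in the wrong order, and that the "IPsec Zone?" option only matches traffic that the IPsec stack has already decrypted.

```python
"""First-match zone classification and rule lookup, modelled on the zone-host
and rule tables in this chapter.  Added example; not RuggedCom/shorewall code."""
import ipaddress

# Zone hosts in declaration order (first match wins), transcribed from the manual.
# Fields: zone, interface, subnet, ipsec (True = "IPsec Zone?" option checked).
HOSTS = [
    ("vpn", "w1ppp", "192.168.1.0/24", True),
    ("net", "w1ppp", "0.0.0.0/0", False),
]

# Rules from the "Policy Based" section plus the two rules that precede it.
# Fields: action, src_zone, dst_zone, proto, port.  None means "any".
RULES = [
    ("ACCEPT", "net", "fw", "ah", None),
    ("ACCEPT", "net", "fw", "esp", None),
    ("ACCEPT", "net", "fw", "udp", 500),
    ("ACCEPT", "vpn", "loc", None, None),
    ("ACCEPT", "vpn", "fw", "tcp", 22),    # "ssh" in the manual's table, resolved to 22
]

# Pass-through rules from the "Virtual Private Networking To A DMZ" section.
DMZ_RULES = [
    ("ACCEPT", "net", "dmz", "ah", None),
    ("ACCEPT", "net", "dmz", "esp", None),
    ("ACCEPT", "net", "dmz", "udp", 500),
    ("ACCEPT", "dmz", "net", "ah", None),
    ("ACCEPT", "dmz", "net", "esp", None),
    ("ACCEPT", "dmz", "net", "udp", 500),
]

DEFAULT_POLICY = "DROP"   # assumed policy for zone pairs with no matching rule


def classify_zone(hosts, iface, src_ip, decrypted):
    """Return the zone of a packet arriving on `iface` from `src_ip`, or None.

    `decrypted` is True when the IPsec stack decapsulated the packet before it
    reached the firewall.  Entries flagged ipsec only match such packets, so
    cleartext from 192.168.1.x arriving on w1ppp still lands in "net".
    """
    addr = ipaddress.ip_address(src_ip)
    for zone, host_iface, subnet, ipsec in hosts:
        if host_iface != iface:
            continue
        if ipsec and not decrypted:
            continue
        if addr in ipaddress.ip_network(subnet):
            return zone
    return None


def find_shadowed(hosts):
    """List (earlier_zone, later_zone) pairs where an earlier entry on the same
    interface covers a later, more specific one, so the later entry can never
    match.  An earlier ipsec-only entry does not shadow a later cleartext entry.
    An empty list means the declaration order is safe."""
    problems = []
    for i, (z1, if1, s1, ipsec1) in enumerate(hosts):
        n1 = ipaddress.ip_network(s1)
        for z2, if2, s2, ipsec2 in hosts[i + 1:]:
            n2 = ipaddress.ip_network(s2)
            if if1 == if2 and n2.subnet_of(n1) and (not ipsec1 or ipsec2):
                problems.append((z1, z2))
    return problems


def decide(rules, src_zone, dst_zone, proto, port=None, policy=DEFAULT_POLICY):
    """First matching rule wins; otherwise fall back to the zone-pair policy."""
    for action, rs, rd, rp, rport in rules:
        if rs != src_zone or rd != dst_zone:
            continue
        if rp is not None and rp != proto:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return policy


if __name__ == "__main__":
    # Correct order: decrypted traffic from the remote LAN is "vpn", cleartext is "net".
    print(classify_zone(HOSTS, "w1ppp", "192.168.1.5", decrypted=True))
    print(classify_zone(HOSTS, "w1ppp", "192.168.1.5", decrypted=False))
    # Wrong order: the 0.0.0.0/0 net entry swallows everything, vpn is unreachable.
    swapped = list(reversed(HOSTS))
    print(classify_zone(swapped, "w1ppp", "192.168.1.5", decrypted=True))
    print(find_shadowed(swapped))
    print(decide(RULES, "net", "fw", "udp", 500), decide(RULES, "net", "loc", "tcp", 80))
```

Running find_shadowed over a proposed zone-host table before committing it catches the ordering mistake the manual warns about. One caveat from the author of this example, not from the manual: peers behind NAT negotiate NAT-Traversal on UDP port 4500 as well, and with the tables above that traffic falls through to the DROP policy, so a NAT'd tunnel would need an additional rule.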
