RuggedCom RX1100 ユーザーズマニュアル
Chapter 11 – Configuring The Firewall
IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon.
Openswan then decrypts the traffic and forwards it back to shorewall on the assigned
ipsecX interface. You will also need a rule to allow traffic to enter from this
interface. For example, if openswan creates interface ipsec0 when its connections are
established, and ipsec0 is in the zone vpn, you would need the following rule.
Openswan then decrypts the traffic and forwards it back to shorewall on the assigned
ipsecX interface. You will also need a rule to allow traffic to enter from this
interface. For example, if openswan creates interface ipsec0 when its connections are
established, and ipsec0 is in the zone vpn, you would need the following rule.
ACCEPT
vpn
loc
Note that if your firewall itself is required to communicate with the VPN you will
need rules such as the following.
need rules such as the following.
ACCEPT
vpn
fw
tcp
ssh
Policy Based Virtual Private Networking
Begin configuration by creating local, network and vpn zones. Identify the network
interface that carries the encrypted IPsec traffic and make this interface part of zone
“ANY” in the interfaces menu as it will be carrying both traffic for both zones.
Visit the Zone Hosts menu and, for the network interface that carries the encrypted
IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone
option checked. If you plan to have VPN tunnels to multiple remote sites ensure that
a zone host entry exists for each (or collapse them into a single subnet). Create
another zone host for the same interface with a network zone, using a wider subnet
mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net
zone since the more specific vpn zone subnet must be inspected first.
interface that carries the encrypted IPsec traffic and make this interface part of zone
“ANY” in the interfaces menu as it will be carrying both traffic for both zones.
Visit the Zone Hosts menu and, for the network interface that carries the encrypted
IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone
option checked. If you plan to have VPN tunnels to multiple remote sites ensure that
a zone host entry exists for each (or collapse them into a single subnet). Create
another zone host for the same interface with a network zone, using a wider subnet
mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net
zone since the more specific vpn zone subnet must be inspected first.
Host Zone
Interface
Subnet
IPsec Zone?
vpn
w1ppp
192.168.1.0/24
Yes
net
w1ppp
0.0.0.0/0
No
The IPsec protocol operates on UDP port 500 and using protocols ah (Authentication
Header) and Encapsulating Security Payload (ESP) protocols. The firewall must
accept this traffic in order to allow IPsec.
Header) and Encapsulating Security Payload (ESP) protocols. The firewall must
accept this traffic in order to allow IPsec.
Action
Source-Zone Destination-Zone Protocol Dest-Port
ACCEPT
net
fw
ah
ACCEPT
net
fw
esp
ACCEPT
net
fw
udp
500
IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon.
Openswan then decrypts the traffic and forwards it back to shorewall on the same
interface that originally received it. You will also need a rule to allow traffic to enter
from this interface.
Openswan then decrypts the traffic and forwards it back to shorewall on the same
interface that originally received it. You will also need a rule to allow traffic to enter
from this interface.
ACCEPT
vpn
loc
Virtual Private Networking To A DMZ
If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device
in a DMZ) then establish a DMZ zone and install the following rules.
in a DMZ) then establish a DMZ zone and install the following rules.
ACCEPT
net
dmz
ah
ACCEPT
net
dmz
esp
ACCEPT
net
dmz
udp
500
ACCEPT
dmz
net
ah
ACCEPT
dmz
net
esp
ACCEPT
dmz
net
udp
500
RuggedCom 111