RuggedCom RX1100 ユーザーズマニュアル
RuggedRouter
User Guide
Parameters
Value
Comments
At IPsec Startup
Add connection
We wish to add the connection when the
client starts it.
client starts it.
Authenticate by
rsasig
X.509 certificates provide RSA
Connection Type
Tunnel
Encryption Protocols
As desired
Compress Data
As desired
Perfect Forwarding Secrecy
As desired
Recommend “yes”
NAT Traversal
No
Required when the router acts as a client and
is behind a NAT firewall.
Left System Settings
Router's side
Public IP Address
Address or hostname ..
(IP of public gateway)
System Identifier
Default
Private subnet behind system 10.0.0.0/8
System's public key
System's public key
Certificate File
(router.pem)
Next hop to other system
Default
Right System Settings
Laptop1 side
Public IP Address
Automatic
System Identifier
Default
Private subnet behind system 10.0.1.0/24
Assign IP based on client from within this
subnet
subnet
System's public key
Entered below (%cert)
Derive identity from incoming certificate
Next hop to other system
Default
Apply the configuration to restart the server and create an ipsec0 interface.
Firewall IPSec Configuration
Create firewall Zones “vpn” and net. Ensure that the WAN interface (here w1ppp)
and ipsec0 interface are present in the Shorewall Network Interfaces. The WAN
interfaces should be in zone “net” while ipsec0 should be in zone “vpn”.
Add the following firewall rules:
and ipsec0 interface are present in the Shorewall Network Interfaces. The WAN
interfaces should be in zone “net” while ipsec0 should be in zone “vpn”.
Add the following firewall rules:
Action
Source-Zone Destination-Zone Protocol Dest-Port
ACCEPT
all
fw
ah
ACCEPT
all
fw
esp
ACCEPT
all
fw
udp
500
ACCEPT
vpn
loc
Restart the firewall to install the rules.
Ethernet Port Configuration
Because the remote client will be assigned a local IP address but is reachable only
through the IPSec connection, proxy ARP must be employed. Activate proxy ARP
on the Ethernet interface that hosts the local network (here eth1) via the Networking
Menu, Ethernet sub-menu boot time entry Proxy ARP setting. When a host on
eth1 arps for the remote client address, the router will answer on behalf of the client.
through the IPSec connection, proxy ARP must be employed. Activate proxy ARP
on the Ethernet interface that hosts the local network (here eth1) via the Networking
Menu, Ethernet sub-menu boot time entry Proxy ARP setting. When a host on
eth1 arps for the remote client address, the router will answer on behalf of the client.
136 RuggedCom