RuggedCom RX1000, RX1100

Chapter 11 – Configuring The Firewall

IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon.

Openswan then decrypts the traffic and forwards it back to shorewall on the assigned

ipsecX interface. You will also need a rule to allow traffic to enter from this

interface. For example, if openswan creates interface ipsec0 when its connections are

established, and ipsec0 is in the zone vpn, you would need the following rule.

ACCEPT vpn loc

Note that if your firewall itself is required to communicate with the VPN you will

need rules such as the following.

ACCEPT vp n fw tcp ssh

Policy B ased Virtu al Private Networking

Begin configuration by creating local, network and vpn zones. Identify the network

interface that carries the encrypted IPsec traffic and make this interface part of zone

“ANY” in the interfaces menu as it will be carrying both traffic for both zones.

Visit the Zone Hosts menu and, for the network interface that carries the encrypted

IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone

option checked. If you plan to have VPN tunnels to multiple remote sites ensure that

a zone host entry exists for each (or collapse them into a single subnet). Create

another zone host for the same interface with a network zone, using a wider subnet

mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net

zone since the more specific vpn zone subnet must be inspected first.

Host Zone Interface Subnet IPsec Zone?

vpn w1ppp 192.168.1.0/24 Yes

net w1ppp 0.0.0.0/0 No

The IPsec protocol operates on UDP port 500 and using protocols ah (Authentication

Header) and Encapsulating Security Payload (ESP) protocols. The firewall must

accept this traffic in order to allow IPsec.

Action Source-Zone Destination-Zone Protocol Dest-Port

ACCEPT net fw ah

ACCEPT net fw esp

ACCEPT net fw udp 500

IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon.

Openswan then decrypts the traffic and forwards it back to shorewall on the same

interface that originally received it. You will also need a rule to allow traffic to enter

from this interface.

ACCEPT vpn loc

Virtual Private Ne tworking To A DMZ

If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device

in a DMZ) then establish a DMZ zone and install the following rules.

ACCEPT net dmz ah

ACCEPT net dmz esp

ACCEPT net dmz udp 500

ACCEPT dmz net ah

ACCEPT dmz net esp

ACCEPT dmz net udp 500

RuggedCom 111