Chapter 11 – Configuring The Firewall

IPsec traffic arriving at the firewall is directed to Openswan, the IPsec daemon. Openswan decrypts the traffic and hands it back to Shorewall on the assigned ipsecX interface, so you will also need a rule that allows traffic to enter from this interface. For example, if Openswan creates interface ipsec0 when its connections are established, and ipsec0 is in the zone vpn, you would need the following rule.

ACCEPT    vpn    loc

Note that if the firewall itself must communicate with the VPN, you will also need rules such as the following.

ACCEPT    vpn    fw    tcp    ssh

Policy Based Virtual Private Networking

Begin configuration by creating local, network and vpn zones. Identify the network interface that carries the encrypted IPsec traffic and make this interface part of zone “ANY” in the interfaces menu, since it will carry traffic for both zones.

Visit the Zone Hosts menu and, for the network interface that carries the encrypted IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone option checked. If you plan to have VPN tunnels to multiple remote sites, ensure that a zone host entry exists for each (or collapse them into a single subnet). Create another zone host for the same interface with the network zone, using a wider subnet mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net zone, because the more specific vpn zone subnet must be inspected first.

Host Zone    Interface    Subnet            IPsec Zone?
vpn          w1ppp        192.168.1.0/24    Yes
net          w1ppp        0.0.0.0/0         No
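The ordering rule above, as an added example that is not part of the manual: a simplified first-match model of the zone-host lookup (not Shorewall's own code) that shows why the vpn entry must precede the 0.0.0.0/0 net entry, and a check that flags entries shadowed by a wider entry declared before them. The table contents are constructed from the example in the text; the `decrypted` flag models whether the IPsec stack has decrypted the packet.

```python
import ipaddress

# Constructed zone-host table from the manual's example, in the recommended
# order: the specific vpn subnet before the catch-all net entry.
# Each entry is (zone, interface, subnet, ipsec_zone).
ZONE_HOSTS = [
    ("vpn", "w1ppp", "192.168.1.0/24", True),
    ("net", "w1ppp", "0.0.0.0/0", False),
]

def classify(zone_hosts, interface, src_ip, decrypted):
    """Simplified first-match lookup (a model, not Shorewall's implementation).

    An entry matches when interface and subnet match and, for an entry marked
    as an IPsec zone, the packet was actually decrypted by the IPsec stack.
    Entries are tried in table order; the first match wins.
    """
    addr = ipaddress.ip_address(src_ip)
    for zone, ifname, subnet, ipsec_zone in zone_hosts:
        if ifname != interface:
            continue
        if ipsec_zone and not decrypted:
            continue  # clear-text packet cannot belong to an IPsec-only zone
        if addr in ipaddress.ip_network(subnet):
            return zone
    return None

def shadowed_entries(zone_hosts):
    """Return zones that can never match because an earlier entry on the same
    interface covers a superset of their subnet (and of the packet classes
    they accept). An empty list means the ordering is sound."""
    shadowed = []
    for i, (zone, ifname, subnet, ipsec_zone) in enumerate(zone_hosts):
        net = ipaddress.ip_network(subnet)
        for _, prev_if, prev_subnet, prev_ipsec in zone_hosts[:i]:
            covers_same_packets = (not prev_ipsec) or ipsec_zone
            if (prev_if == ifname and covers_same_packets
                    and net.subnet_of(ipaddress.ip_network(prev_subnet))):
                shadowed.append(zone)
                break
    return shadowed

if __name__ == "__main__":
    # Decrypted tunnel traffic lands in vpn; the same address in clear text is net.
    print(classify(ZONE_HOSTS, "w1ppp", "192.168.1.10", decrypted=True))
    print(classify(ZONE_HOSTS, "w1ppp", "192.168.1.10", decrypted=False))
    # Declaring net first shadows the vpn entry and misclassifies VPN traffic.
    reversed_table = list(reversed(ZONE_HOSTS))
    print(classify(reversed_table, "w1ppp", "192.168.1.10", decrypted=True))
    print(shadowed_entries(reversed_table))
```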

IPsec uses UDP port 500 together with the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols. The firewall must accept this traffic in order to allow IPsec.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    net            fw                  ah
ACCEPT    net            fw                  esp
ACCEPT    net            fw                  udp         500

IPsec traffic arriving at the firewall is directed to Openswan, the IPsec daemon. Openswan decrypts the traffic and hands it back to Shorewall on the same interface that originally received it, so you will also need a rule that allows traffic to enter from this interface.

ACCEPT    vpn    loc

Virtual Private Networking To A DMZ

If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device in a DMZ), establish a DMZ zone and install the following rules.

Action    Source-Zone    Destination-Zone    Protocol    Dest-Port
ACCEPT    net            dmz                 ah
ACCEPT    net            dmz                 esp
ACCEPT    net            dmz                 udp         500
ACCEPT    dmz            net                 ah
ACCEPT    dmz            net                 esp
ACCEPT    dmz            net                 udp         500

RuggedCom RX1100, RX1000 manual Policy Based Virtual Private Networking, Virtual Private Networking To a DMZ