Firewall IPSec Configuration | RuggedCom RX1000, RX1100 specs

RuggedRouter™ User Guide

Parameters	Value	Comments
At IPsec Startup	Add connection	We wish to add the connection when the
		client starts it.
Authenticate by	rsasig	X.509 certificates provide RSA
Connection Type	Tunnel
Encryption Protocols	As desired
Compress Data	As desired
Perfect Forwarding Secrecy	As desired	Recommend “yes”
NAT Traversal	No	Required when the router acts as a client and
		is behind a NAT firewall.

Left System Settings	Router's side
Public IP Address	Address or hostname ..
	(IP of public gateway)
System Identifier	Default
Private subnet behind system	10.0.0.0/8
System's public key	Certificate File
	(router.pem)
Next hop to other system	Default

Right System Settings		Laptop1 side
Public IP Address	Automatic
System Identifier	Default
Private subnet behind system	10.0.1.0/24	Assign IP based on client from within this
		subnet
System's public key	Entered below (%cert)	Derive identity from incoming certificate
Next hop to other system	Default

Apply the configuration to restart the server and create an ipsec0 interface.

Firewall IPSec Configuration

Create firewall Zones “vpn” and net. Ensure that the WAN interface (here w1ppp) and ipsec0 interface are present in the Shorewall Network Interfaces. The WAN interfaces should be in zone “net” while ipsec0 should be in zone “vpn”.

Add the following firewall rules:

Action	Source-Zone	Destination-Zone Protocol		Dest-Port
ACCEPT	all	fw	ah
ACCEPT	all	fw	esp
ACCEPT	all	fw	udp	500
ACCEPT	vpn	loc

Restart the firewall to install the rules.

Ethernet Port Configuration

Because the remote client will be assigned a local IP address but is reachable only through the IPSec connection, proxy ARP must be employed. Activate proxy ARP on the Ethernet interface that hosts the local network (here eth1) via the Networking Menu, Ethernet sub-menu boot time entry Proxy ARP setting. When a host on eth1 arps for the remote client address, the router will answer on behalf of the client.

136

RuggedCom

Image 138

RuggedCom RX1000, RX1100 manual Firewall IPSec Configuration, Ethernet Port Configuration

Contents

RuggedRouter Ruggedrouter User Guide Applicable Firmware Revision How To Use This User GuideAbout this User Guide Who Should Use This User Guide Document Conventions Quick Start Recommendations Basic Web Based Configuration Additional Configuration About this User Guide Table Of Contents Table Of Contents RuggedRouter User Guide 100 114 144 Page Table Of Contents Page 241 Page RuggedRouter Setup Main Menu Table Of Figures Scheduled Commands Displaying a Command T1/E1 Network Interfaces After Interface Creation Adsl Link Statistics Show Public Key Link Backup Status 162 Raw Socket Menu IRIGB/IEEE1588 General Configuration menu 230 255 IAS Window Edit Profile 282 Accounts And Password Management Setting Up And Administering The RouterAccess Methods Default Configuration Configuring Passwords Accessing The RuggedRouter Command PromptRuggedRouter Setup Shell From the Console Port Configuring IP Address Information Setting The HostnameConfiguring Radius Authentication Radius Server Configuration menu Enabling And Disabling The SSH and Web Server Configuring The Date, Time And Timezone Enabling And Disabling The Gauntlet Security Appliance Displaying Hardware Information RuggedRouter Hardware Information Menu Restoring a Configuration Selecting a configuration to reload SSL Certificate Warnings Using a Web Browser to Access the Web InterfaceRuggedRouter Web Interface Structure of the Web Interface RuggedRouter Web Interface Main Menu Window Using The LED Status Panel LED Status Panel Obtaining Chassis Information LED Name Description Webmin Configuration Webmin Configuration MenuIP Access Control Ports And Addresses Change Help Server Webmin Configuration Menu, Logging Logging Authentication Webmin Configuration Menu, Authentication Webmin Events Log Webmin Events Log This page intentionally blank Configuring The System Bootup And Shutdown Change Password Command Scheduled Commands Scheduled Commands Displaying a Command Scheduled Cron Jobs Webmin Scheduled Cron Jobs System Hostname System Time Configuring Networking Network Configuration Core Settings Dummy Interface Default Route Table Configured Static RoutesRouting And Gateways Manually Entered Static Routes Static Multicast Routing Static Multicast Routing End To End Backup DNS ClientHost Addresses Page Configuring End To End Backup Current Routing & Interface Table Vlan Interface Fundamentals Configuring Ethernet InterfacesEthernet Interface Fundamentals LED Designations PPPoE On Native Ethernet Interfaces Fundamentals RuggedRouter Functions Supporting VLANs Ethernet Ethernet Interfaces Editing Currently Active Interfaces Editing a Network Interface Edit Boot Time Interfaces Virtual InterfacesVirtual Lan Interfaces PPPoE On Native Ethernet Interfaces List PPPoE Interfaces Edit PPPoE Interface Editing a PPPoE Interface PPP Logs Current Routes & Interface Table Configuring Frame Relay/PPP And T1/E1 T1/E1 FundamentalsFrame Relay T1/E1 Location Of Interfaces And LabelingIncluded With T1E1 T1/E1 Network Interfaces Strategy For Creating Interfaces Editing a T1/E1 Interface Naming Of Logical Interfaces T1 Settings E1 Settings Editing a Logical Interface Frame Relay Frame Relay Link Parameters Editing a Logical Interface PPP Frame Relay DLCIs T1/E1 Statistics Link Statistics Frame Relay Interface Statistics Frame Relay Statistics PPP Interface Statistics PPP Link Statistics T1/E1 Loopback T1/E1 Loopback Menu Upgrading Software Upgrading Firmware Configuring Frame Relay/PPP And T3 T3 Fundamentals T3 Configuration T3 Network Interfaces Editing a T3 Interface Edit T3 Interface T3 Statistics Upgrading Software Page Configuring Frame Relay/PPP DDS Fundamentals DDS Configuration DDS Network Interfaces Edit Logical Interface Frame Relay, single Dlci DDS Statistics DDS Link Statistics DDS Loopback Frame Relay And PPP Interface StatisticsPage Configuring PPPoE/Bridged Mode On PPPoE/Bridged Mode FundamentalsAdsl Fundamentals Authentication, Addresses and DNS Servers PPPoE MTU IssuesBridged Mode Adsl Configuration Adsl Network InterfacesEditing a Logical Interface PPPoE Editing a Logical Interface Bridged Edit Logical Interface Bridged Adsl Statistics Adsl Link Statistics Current Routes & Interface Table When the Modem Connects Configuring PPP and ModemPPP Mode Fundamentals Modem Fundamentals Modem Configuration Modem Main Menu Blind dial Modem PPP Client Connections Modem PPP Client Modem PPP Server Modem Incoming Call Logs Modem PPP Logs PPP Logs Modem PPP Connection Logs PPP Connection LogsPage Stateless vs Stateful Firewalls Configuring The FirewallFirewall Fundamentals Linux netfilter, iptables And The Shoreline Firewall Network Address Translation Shorewall Quick Setup Port Forwarding ShoreWall Terminology And Concepts ZonesInterfaces Hosts Policy Masquerading And Snat Interface Subnet Address Protocol Ports Rules Reject Configuring The Firewall And VPN Route Based Virtual Private Networking Policy Based Virtual Private Networking Virtual Private Networking To a DMZ Firewall Main Menu Starting Shorewall Firewall Menu Shorewall Firewall Menu Network Zones Network Interfaces Editing a Firewall Network Interfaces Network Zone Hosts Firewall Zone Hosts Default Policies Masquerading Firewall Rules Editing a Masquerading Rule Static NAT Static NAT Actions When Stopped Creating a Static NAT EntryPage Page IPsec Modes Configuring An IPsec VPNVPN Fundamentals Policy Vs Route Based VPNs Supported Encryption Protocols Public Key And Pre-shared Keys Other Configuration Supporting IPSec X509 CertificatesNAT Traversal VPN Main Menu Openswan Configuration ProcessVPN Main Menu Before Key Generation IPsec and Router InterfacesPage Server Configuration IPsec VPN Configuration After Connections Have Been Created Public Key Preshared Keys List Certificates VPN ConnectionsIPsec VPN Connection Details Page Left/Right Systems Settings Export Configuration Showing IPsec Status IPsec Status IPSec X.509 Roaming Client Example Select a Certificate Authority VPN Networking Parameters Client Configuration Router IPSec ConfigurationGenerate X.509 Certificates Firewall IPSec Configuration Ethernet Port ConfigurationPage Configuring Dynamic Routing Quagga, RIP and OspfRIP Fundamentals Link State Advertisements Ospf FundamentalsKey Ospf And RIP Parameters Network Areas Hello Interval and Dead Interval Active/Passive Interface DefaultRouter-ID Redistributing Routes RIP Authentication Configuring Ospf Link CostsOspf Authentication Link Detect Administrative Distances Ospf And Vrrp Example Network Area And SubnetsVrrp Operation Enable Protocols Dynamic Routing Core Core Global ParametersCore Interface Parameters View Core Configuration Ospf Ospf Global ParametersPage Ospf Interfaces Ospf Interfaces View Ospf Configuration Ospf Network AreasOspf Status RIP Global Parameters RIP Global Parameters RIP Interfaces RIP Key Chains RIP Networks RIP Networks View RIP Configuration RIP StatusPage Configuring Link Backup Link Backup FundamentalsPath Failure Discovery Link Backup Main Menu Link Backup ConfigurationUse Of Routing Protocols And The Default Route Edit Link Backup Configuration Link Backup Logs Link Backup StatusTest Link Backup Page Page Vrrp Solution Configuring VrrpProblem With Static Routing Vrrp Fundamentals Vrrp Example Page Vrrp Configuration Vrrp Main Menu Editing a Vrrp Instance Vrrp Instance Viewing Vrrp Instances Status Vrrp Instances Status Priority Queues Configuring Traffic PrioritizationTraffic Prioritization Fundamentals Filters TOS Prioritization Included With Traffic Prioritization Prioritization Example Traffic Prioritization Main Menu Interface Prioritization Menu Prioritization Queues Prioritization FiltersPrioritization Transmit Queue Length Prioritization Statistics Prioritization Statistics Configuring Generic Routing Encapsulation GRE Fundamentals GRE Configuration Menu GRE Main MenuPage Network Utilities Network Utilities Main Menu Ping Menu Traceroute Menu Host Menu Trace MenuTcpdump a Network Interface Frame Relay Link Layer Trace a WAN Interface Serial Trace a Serial Server Port Interface Statistics Menu Interface Statistics Menu Current Routing & Interface Table Current Routing & Interface Table Interface Status Page Configuring Serial Protocols Serial IP Port Features RTU Polling Serial Protocols ApplicationsCharacter Encapsulation Broadcast RTU Polling Use Of Port Redirectors Serial Protocols Concepts And IssuesHost And Remote Roles Message Packetization Use of Turnaround Delays Serial Protocols Main Menu Port Settings Menu Assign Protocols MenuRawSocket Menu Page Protocol Specific Packet Error Statistics Serial Protocols Statistics Menu Serial Protocols Trace Menu Serial Protocols Trace Menu Serial Protocols Sertrace Utility Is providedPage Configuring Goose Tunnels IEC61850 Goose FundamentalsLayer 2 Tunnel Daemon Details Layer 2 Tunnels Main Menu Layer 2 Tunnels Main Menu General Configuration Menu Goose Tunnels Menu Goose Statistics Menu Activity Trace MenuPage Page Dhcp Network Organizations Configuring The Dhcp serverDhcp Fundamentals Dhcp Client OptionsPage Option 82 Support with Disable NAK Single Network With Dynamic IP Assignment Example Dhcp Scenarios And ConfigurationsSingle Network With Option82 Clients On One Switch Single Network With Static IP AssignmentPage Page Dhcp Server Main Menu Dhcp Server Menu Dhcp Shared Network Configuration Dhcp Shared Network Configuration Dhcp Subnet Configuration Dhcp Subnet Configuration Dhcp Group Configuration Dhcp Host Configuration Dhcp Pool Configuration Dhcp Pool Configuration Configuring NTP NTP Fundamentals NTP Sanity Limit NTP And The Precision Time Protocol CardIncluded With NTP NTP Server Main Menu Generic Options Servers Configuration Peers Configuration Viewing The NTP Status Viewing The NTP Log Viewing The GPS Status Viewing The GPS Log Configuring SSH SSH FundamentalsIncluded With SSH SSH Main Menu SSH Server Access Control NetworkingPage PTP Network Roles Configuring Irigb And IEEE1588IEEE1588 Fundamentals PTP Master Election Irigb Fundamentals Synchronizing NTP from IEEE1588Irigb Output Formats GPS Cable compensation Reference ClocksHow The Router Selects a Reference Clock General Configuration IRIGB/IEEE1588 Main Menu Irigb Configuration IEEE1588 Configuration Irigb Status IEEE1588 Status Irigb Log Page Which Interfaces To Monitor Configuring The Snort IDSSnort Fundamentals Snort Rules Global Configuration Snort IDS Main MenuPerformance And Resources Network Settings RulesetsRule Lookup by SID PreProcessors Alerts & Logging Edit Config File Maintaining The Router Alert SystemAlert Menu Alert Configuration Alert Configuration Menu Alert Filter Configuration Alert Definition Configuration Change Alert Definition Page Gauntlet Security What And How Gauntlet ProtectsGauntlet And The Firewall Gauntlet Status Menu Upgrading Gauntlet Backup And Restore System Backup And Restore General Configuration Setup Archive Backup Archive History Archive Restore Archive Difference Tool Archive Differences List Snmp Configuration Show Difference for selected file between two targets Snmp Configuration Main Menu System ConfigurationNetwork Addressing Configuration Access Control page, Snmp V1 and V2c 250 RuggedCom Trap Configuration Trap Configuration page, Trap Options MIB Support RuggedRouter supports the following MIBs Radius Authentication Radius Authentication Configuration Edit Radius Server Parameters Outgoing Mail Chassis Parameters Parameter Description Syslog Factory Defaults System Logs Remote Logging Changing a Syslog entry to remote log Upgrade System RuggedRouter Software Fundamentals When a Software Upgrade Requires a Reboot Automatic Upgrade Upgrade to RX1100 Change Repository Server Automatic Upgrading Upgrading All Packages Installing a New Package Pre-upgrade/Post-upgrade scripts Uploading And Downloading Files Upload/Download menu Security Considerations Security ActionsPage Appendix a Setting Up a Repository Initial Repository SetupRepository Server Requirements Setting Up The Routers Upgrading The RepositoryAn Alternate Approach Upgrading Considerations Appendix B Downgrading Router Software Appendix C Installing Apache Web Server On Windows Apache Default WebPage Appendix D Installing IIS Web Server On Windows Installing IIS Appendix E Radius Server Configuration Windows Internet Authentication ServiceFreeRadius Edit Profile window, Click Add... button 276 RuggedCom RuggedCom 277 Index Dhcp Goose NTP SSH Vrrp