RuggedCom RUGGEDBACKBONE RX5000 User Manual
440 pages

30. Tunnelling
ROX™ v2.2 User Guide 304 RuggedBackbone™ RX5000
the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and
the public key in the certificate is assumed to be the valid public key of the connecting host.
30.1.1.6. NAT Traversal
Historically, IPSec has presented problems when connections must traverse a firewall providing
Network Address Translation (NAT), because the Internet Key Exchange (IKE) used in IPSec is not
NAT-translatable. When IPSec connections must traverse such a firewall, IKE messages and IPSec-protected
packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation allows
the original, untranslated packet to be examined by IPSec.
30.1.1.7. Other Configuration Supporting IPSec
If the router is to support a remote IPSec client and the client will be assigned an address in a subnet of
a local interface, you must activate proxy ARP for that interface. This will cause the router to respond
to ARP requests on behalf of the client and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
  - protocol 51, IPSEC-AH Authentication Header (RFC2402),
  - protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2406),
  - UDP port 500 (IKE).
You must configure the firewall to accept connections on these ports and protocols. See Section 35.4,
“Configuring The Firewall And VPN” in Chapter 35, Firewall for details.
30.1.1.8. The Openswan Configuration Process
Each VPN connection has two ends: the local router and the remote router. The Openswan configuration
record describing a VPN connection can be used without change at either end. One side of the
connection (typically the local side) is designated the “left” side and the other is designated the “right”
side.
A convenient method is to configure both ends simultaneously with two command-line interface sessions
(or two web browsers) open at the same time. The relevant information is the same in both sessions.
30.1.1.9. IPsec and Router Interfaces
If IPsec works on an interface which could disappear, such as a PPP connection, or if the IP address
could change, you need to set the monitor-interface option for the IPsec connection. While this
option is set, IPsec will be restarted when the interface disappears and reappears or when the IP address
is changed.
For information on setting the monitor-interface option, see the Connection form at tunnel/ipsec/
connection/{line module}.
30.1.1.10. L2TPD
L2TP stands for “Layer Two Tunneling Protocol”. The main purpose of this protocol is to tunnel PPP
packets through an IP network, although it is also able to tunnel other layer 2 protocols.
On RuggedBackbone™, L2TPd is used in conjunction with Openswan and PPP to provide support for
establishing a secure, private connection with the router using the Microsoft Windows VPN/L2TP client.
L2TPD listens on UDP port 1701. The firewall will need to be configured to allow connections to
L2TPD via IPSec but to prevent connections to L2TPD directly without using IPsec.
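As an added example (not part of this manual and not the ROX firewall's own configuration syntax), the following Python models the policy described in Section 30.1.1.7 and the L2TPD section above: AH, ESP and IKE are accepted, while UDP 1701 is accepted only when the packet was decapsulated from an IPsec tunnel. The `Packet`, `firewall_decision` and `audit` names and the sample traffic are my own constructions; UDP port 4500 for NAT-traversal encapsulation comes from RFC 3948, not from this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_UDP = 17
PROTO_ESP = 50     # IPSEC-ESP Encapsulating Security Payload (RFC 2406)
PROTO_AH = 51      # IPSEC-AH Authentication Header (RFC 2402)
IKE_PORT = 500     # IKE over UDP, as listed in the manual
NAT_T_PORT = 4500  # UDP-encapsulated IKE/ESP for NAT traversal (RFC 3948, not on this page)
L2TP_PORT = 1701   # L2TPD, UDP


@dataclass(frozen=True)
class Packet:
    """Constructed summary of a packet as seen on the router's external interface."""
    protocol: int
    dst_port: Optional[int] = None
    via_ipsec: bool = False  # True only if the packet was decapsulated from an IPsec SA


def firewall_decision(pkt: Packet) -> str:
    """Apply the policy the manual describes; return 'ACCEPT' or 'DROP'."""
    if pkt.protocol in (PROTO_ESP, PROTO_AH):
        return "ACCEPT"                      # IPsec itself must be reachable
    if pkt.protocol == PROTO_UDP and pkt.dst_port in (IKE_PORT, NAT_T_PORT):
        return "ACCEPT"                      # key exchange, plain or UDP-encapsulated
    if pkt.protocol == PROTO_UDP and pkt.dst_port == L2TP_PORT:
        # L2TPD may only be reached through the IPsec tunnel, never in the clear
        return "ACCEPT" if pkt.via_ipsec else "DROP"
    return "DROP"


def audit(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts and flag cleartext L2TP attempts, which a defender should log."""
    counts = {"ACCEPT": 0, "DROP": 0, "cleartext_l2tp": 0}
    for pkt in packets:
        counts[firewall_decision(pkt)] += 1
        if pkt.protocol == PROTO_UDP and pkt.dst_port == L2TP_PORT and not pkt.via_ipsec:
            counts["cleartext_l2tp"] += 1
    return counts


# Constructed sample traffic: one Windows L2TP/IPsec client session plus one
# attempt to reach L2TPD directly without IPsec.
SAMPLE_PACKETS = [
    Packet(PROTO_UDP, IKE_PORT),                   # IKE negotiation
    Packet(PROTO_ESP),                             # ESP-protected traffic
    Packet(PROTO_UDP, L2TP_PORT, via_ipsec=True),  # L2TP carried inside the tunnel
    Packet(PROTO_UDP, L2TP_PORT),                  # cleartext L2TP: must be dropped
    Packet(6, 22),                                 # unrelated TCP: no rule, dropped
]
```

Running `audit(SAMPLE_PACKETS)` yields three accepts, two drops and one flagged cleartext L2TP attempt.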