EasyManuals Logo

Siemens RUGGEDCOM ROX II User Manual

Siemens RUGGEDCOM ROX II
798 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #235 background imageLoading...
Page #235 background image
RUGGEDCOM ROX II
CLI User Guide
Chapter 6
Security
Configuring the Firewall for a VPN in a DMZ 189
5. Configure a host for the interface that carries the unencrypted IPsec traffic. Make sure the VPN zone is
associated with the interface. If VPN tunnels to multiple remote sites are required, make sure host entry
exists for each or collapse them into a single subnet. For more information about configuring hosts, refer to
Section6.9.11, “Managing Hosts”.
6. Configure a second host for the interface that carries the encrypted IPsec traffic. Make sure the interface is
associated with the network zone and specify a wider subnet mask, such as 0.0.0.0/0. For more information
about configuring hosts, refer to Section6.9.11, “Managing Hosts”.
NOTE
The VPN host must be specified before the network host so the more specific VPN zone subnet can
be inspected first.
The following are examples of possible host configurations:
Host Interface Subnet IPsec Zone
vpn W1ppp 192.168.1.0/24 Yes
net W1ppp 0.0.0.0/0 No
7. Configure rules with the following parameter settings for the UDP, Authentication Header (AH) and
Encapsulation Security Payload (ESP) protocols:
NOTE
The IPsec protocol operates on UDP port 500, using protocols Authentication Header (AH) and
Encapsulation Security Payload (ESP) protocols. The firewall must be configured to accept this
traffic in order to allow the IPsec protocol.
Action Source-Zone Destination-Zone Protocol Dest-Port
Accept net fw ah
Accept net fw esp
Accept net fw udp 500
For more information about configuring rules, refer to Section6.9.15, “Managing Rules”.
8. Configure the following rule to allow traffic from Libreswan, the IPsec daemon, to enter the firewall:
NOTE
IPsec traffic arriving at the firewall is directed to Libreswan, the IPsec daemon. Libreswan decrypts
the traffic and then forwards it back to the firewall on the same interface that originally received
it. A rule is required to allow traffic to enter the firewall from this interface.
Action Source-Zone Destination-Zone Protocol Dest-Port
Accept vpn loc
For more information about configuring rules, refer to Section6.9.15, “Managing Rules”.
Section6.9.7
Configuring the Firewall for a VPN in a DMZ
When the firewall needs to pass VPN traffic through to another device, such as a VPN device in a Demilitarized
Zone (DMZ), then a DMZ zone and special rules are required.

Table of Contents

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Siemens RUGGEDCOM ROX II and is the answer not in the manual?

Siemens RUGGEDCOM ROX II Specifications

General IconGeneral
BrandSiemens
ModelRUGGEDCOM ROX II
CategoryNetwork Hardware
LanguageEnglish

Related product manuals