Chapter 5
Setup and Configuration
RUGGEDCOM ROX II
User Guide
374 Configuring the Firewall for a VPN in a DMZ
NOTE
The VPN host must be specified before the network host so the more specific VPN zone subnet
can be inspected first.
Table: Example
Host   Interface   Subnet           IPsec Zone
vpn    W1ppp       192.168.1.0/24   Yes
net    W1ppp       0.0.0.0/0        No
10. Configure rules with the following parameter settings for the UDP, Authentication Header (AH) and
Encapsulating Security Payload (ESP) protocols:
NOTE
The IPsec protocol operates on UDP port 500 and uses the Authentication Header (AH) and
Encapsulating Security Payload (ESP) protocols. The firewall must be configured to accept this
traffic in order to allow IPsec.
Table: Example
Action   Source-Zone   Destination-Zone   Protocol   Dest-Port
Accept   net           fw                 ah         —
Accept   net           fw                 esp        —
Accept   net           fw                 udp        500
For more information about configuring rules, refer to Section 5.17.14, “Managing Rules”.
11. Configure the following rule to allow traffic from openswan, the IPsec daemon, to enter the firewall:
NOTE
IPsec traffic arriving at the firewall is directed to openswan, the IPsec daemon. Openswan
decrypts the traffic and then forwards it back to the firewall on the same interface that originally
received it. A rule is required to allow traffic to enter the firewall from this interface.
Table: Example
Action   Source-Zone   Destination-Zone   Protocol   Dest-Port
Accept   vpn           loc                —          —
For more information about configuring rules, refer to Section 5.17.14, “Managing Rules”.
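The following is an added example, not part of the ROX II guide, that models the host ordering and the rules from steps 10 and 11 above as a small first-match evaluator. It assumes first-match semantics for both host lookup and rules, and an implicit Drop when no rule matches; the interface name W1ppp and the addresses are taken from the tables, the 203.0.113.7 peer address is constructed.

```python
import ipaddress

# Host entries in configured order (from the table on this page):
# (zone, interface, subnet). The first matching subnet wins.
HOSTS = [
    ("vpn", "W1ppp", "192.168.1.0/24"),
    ("net", "W1ppp", "0.0.0.0/0"),
]

# Rules from steps 10 and 11: (action, src_zone, dst_zone, protocol, dst_port).
# None stands for the "—" cells, i.e. "any".
RULES = [
    ("Accept", "net", "fw", "ah", None),
    ("Accept", "net", "fw", "esp", None),
    ("Accept", "net", "fw", "udp", 500),
    ("Accept", "vpn", "loc", None, None),
]

def zone_of(src_ip, interface, hosts=HOSTS):
    """Zone of a packet arriving on `interface` from `src_ip`. Host entries are
    scanned in configured order, which is why the /24 must precede 0.0.0.0/0."""
    addr = ipaddress.ip_address(src_ip)
    for zone, iface, subnet in hosts:
        if iface == interface and addr in ipaddress.ip_network(subnet):
            return zone
    return None

def decide(src_zone, dst_zone, protocol, dst_port=None, rules=RULES):
    """First matching rule decides; no match falls through to Drop
    (an assumption of this model, not a statement from the guide)."""
    for action, s, d, proto, port in rules:
        if s == src_zone and d == dst_zone and proto in (None, protocol) \
                and port in (None, dst_port):
            return action
    return "Drop"

def check(src_ip, dst_zone, protocol, dst_port=None, hosts=HOSTS):
    """Classify the source on W1ppp and evaluate the rules in one step."""
    return decide(zone_of(src_ip, "W1ppp", hosts), dst_zone, protocol, dst_port)

if __name__ == "__main__":
    # Encrypted IKE/ESP from the Internet peer may reach the firewall itself...
    print(check("203.0.113.7", "fw", "udp", 500))   # Accept
    print(check("203.0.113.7", "fw", "esp"))        # Accept
    # ...but the same peer cannot reach the LAN directly.
    print(check("203.0.113.7", "loc", "tcp", 22))   # Drop
    # Decrypted traffic re-entering from the VPN subnet is allowed into loc.
    print(check("192.168.1.10", "loc", "tcp", 22))  # Accept
    # With the hosts reversed, the VPN subnet is classified as net and dropped.
    print(check("192.168.1.10", "loc", "tcp", 22, hosts=HOSTS[::-1]))  # Drop
```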
Section 5.17.7
Configuring the Firewall for a VPN in a DMZ
When the firewall needs to pass VPN traffic through to another device, such as a VPN device in a Demilitarized
Zone (DMZ), then a DMZ zone and special rules are required.
To configure the firewall for a VPN in a DMZ, do the following:
1. Click Tools on the toolbar followed by CLI. The CLI terminal window appears.