RuggedRouter® User Guide
Parameters Value Comments
At IPsec Startup Add connection We wish to add the connection when the client
starts it.
Authenticate by rsasig X.509 certificates provide RSA
Connection Type Tunnel
Encryption Protocols As desired
Compress Data As desired
Perfect Forwarding Secrecy As desired Recommend “yes”
NAT Traversal No Required when the router acts as a client and
is behind a NAT firewall.
Left System Settings Router's side
Public IP Address Address or hostname ..
(IP of public gateway)
System Identifier Default
Private subnet behind system 10.0.0.0/8
System's public key Certificate File
(router.pem)
Next hop to other system Default
Right System Settings Laptop1 side
Public IP Address Automatic
System Identifier Default
Private subnet behind system 10.0.1.0/24 Assign IP based on client from within this
subnet
System's public key Entered below (%cert) Derive identity from incoming certificate
Next hop to other system Default
Apply the configuration to restart the server and create an ipsec0 interface.
Firewall IPSec Configuration
Create firewall Zones “vpn” and net. Ensure that the WAN interface (here w1ppp)
and ipsec0 interface are present in the Shorewall Network Interfaces. The WAN
interfaces should be in zone “net” while ipsec0 should be in zone “vpn”.
Add the following firewall rules:
Action Source-Zone Destination-Zone Protocol Dest-Port
ACCEPT all fw ah
ACCEPT all fw esp
ACCEPT all fw udp 500
ACCEPT vpn loc
Restart the firewall to install the rules.
Ethernet Port Configuration
Because the remote client will be assigned a local IP address but is reachable only
through the IPSec connection, proxy ARP must be employed. Activate proxy ARP on
the Ethernet interface that hosts the local network (here eth1) via the Networking
Menu, Ethernet sub-menu boot time entry Proxy ARP setting. When a host on
eth1 arps for the remote client address, the router will answer on behalf of the client.
150 RuggedCom