Improved guide to Firewalls, IPSec, OSPF and L2TP on the RuggedCom RX1500

It's been a while since I last played with the RX1500, and since then I've learned a few things. This post is an improved and updated version of the previous post on the topic.

The setup for this example is most easily demonstrated by the diagram below: [image: rx1500-l2tp1]

We are going to set up our RX1500 so that it routes the 172.15.1.0/24 network out to the WAN (using OSPF), but if you want to connect to the 172.16.1.0/24 network you must do so via an IPSec/L2TP VPN (a 'road warrior' setup with a PSK), which will assign you an address in the same subnet. So essentially we have a public network and a private network.

There are a couple of basic things that need to be set up first:

  • All devices should have the same time
  • Configure the internal VLAN range

The VLANs I used in this example are 1 for the private network, and 501 for the public network.  Note that the VLANs don't really matter, as all our traffic ends up being routed beyond our default gateway where VLANs don't mean anything.  I'll skip over the VLAN and interface configuration as this is straightforward, except to say that the switch.0001 interface has IP address 172.16.1.254/24 and switch.0501 has address 172.15.1.254/24.

First we set up the OSPF routing.  We will assume OSPF area 0 for our configuration, which makes things nice and easy.

routing ospf
 enabled
 no auto-cost-reference-bandwidth
 no compatible-rfc1583
 no default-information-originate
 no default-metric
 no distance
 no distance-ospf external
 no distance-ospf inter-area
 no distance-ospf intra-area
 no opaque-lsa
 passive-default
 no refresh-timer
 router-id       172.15.1.254
 area 0.0.0.0 172.15.1.0/24
 !
 interface fe-cm-1
  no authentication
  no dead-interval
  no dead-interval minimal-hello-multiplier
  no hello-interval
  passive
  no transmit-delay
 !
 interface ppp-l2tp-0
  no authentication
  no dead-interval
  no dead-interval minimal-hello-multiplier
  no hello-interval
  passive
  no transmit-delay
 !
 interface ppp-l2tp-1
  no authentication
  no dead-interval
  no dead-interval minimal-hello-multiplier
  no hello-interval
  passive
  no transmit-delay
 !
 interface switch.0001
  no authentication
  no dead-interval
  no dead-interval minimal-hello-multiplier
  no hello-interval
  passive
  no transmit-delay
 !
 interface switch.0501
  no authentication
  no dead-interval
  no dead-interval minimal-hello-multiplier
  no hello-interval
  no passive
  no transmit-delay
 !
!

Now we need to create our tunnel/l2tp configuration.  The important concepts for a road warrior l2tp configuration are noted as comments.

tunnel
 l2tp
  enabled
  local-ip       172.16.1.200				#we need to be sure that this address
  first-ip       172.16.1.201				#and these addresses will not be used elsewhere on the private network!
  max-connection 2
  ppp auth-local					
 !
 ipsec
  enabled
  no nat-traversal
  no keep-alive
  preshared-key any any					#use the same PSK no matter what IP the client connects from
   key [your password here]
  !
  connection vpnconnection
   startup           add				#'add' is important!
   authenticate      secret
   connection-type   transport				#This must be transport for L2TP, at least if you want to use the native Windows Client
   pfs               no					#This doesn't seem to work when PFS is enabled. Not sure why?
   l2tp
   monitor-interface switch.0501			#Probably not necessary to have this here in our example, but it doesn't hurt
   ike algorithm aes128 sha1 modp1024			#Make sure you use this combination for Windows
   !
   esp algorithm aes128 sha1				#Make sure you use this combination for Windows
   !
   left
    public-ip type address
    public-ip value 172.15.1.254			#Our public facing IP address
   !
   right
    public-ip type any					#Our client address.  We will allow any address for this connection
   !
  !
 !
 no l2tunneld enabled
!

Next we create a ppp dial-in profile, as we specified local authentication in the tunnel configuration above.

!
global
 ppp radius
  primary
   no address
   no password
  !
  secondary
   no address
   no password
  !
 !
 ppp profiles
  dial-in Username
   password Password
  !
 !
!

At this stage we should be able to create an IPsec tunnel to the switch. If we run tunnel ipsec status in config mode at the command line, we should see several lines beginning with

000 "ipsec1/1x0"
000 "ipsec1/2x0"

If you only see

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}

something isn't right (check that all the interfaces are up and that your IPsec config is committed and OK).
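The two outcomes above (connection lines present, or only the db_ops stats line) are easy to tell apart by script once you have captured the output of tunnel ipsec status. The following is an added example, not part of the original post and not RX1500 code; the sample output it parses is constructed to match the line shapes quoted above, and the detail after each connection name is an assumption.

```python
import re

# Constructed sample output, modelled on the lines quoted in the post.
# Everything after the quoted connection name is assumed, not taken from a real RX1500.
HEALTHY = """\
000 "ipsec1/1x0": 172.15.1.254...%any; erouted; eroute owner: #2
000 "ipsec1/2x0": 172.15.1.254...%any; unrouted; eroute owner: #0
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
"""

# The "nothing loaded" case from the post: only the stats line is present.
EMPTY = """\
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
"""

# A loaded connection is reported as: 000 "<name>" ...
CONN_RE = re.compile(r'^000 "([^"]+)"')


def loaded_connections(output: str) -> list:
    """Names of the IPsec connections present in the status output, in order of first appearance."""
    names = []
    for line in output.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def check_ipsec_status(output: str) -> str:
    """One-line verdict in the spirit of the post's troubleshooting note."""
    names = loaded_connections(output)
    if not names:
        return "no connections loaded: check the interfaces are up and the IPsec config is committed"
    return f"{len(names)} connection(s) loaded: {', '.join(names)}"


if __name__ == "__main__":
    print(check_ipsec_status(HEALTHY))
    print(check_ipsec_status(EMPTY))
```

Feeding the captured CLI output into check_ipsec_status gives a quick pass/fail you can run after every commit, rather than eyeballing the status screen.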

Now we need to configure our Windows client:

Set up a new L2TP VPN connection with the pre-shared key configured above, and enable only the MS-CHAPv2 authentication protocol. We will enable split tunnelling by deselecting the 'Use default gateway on remote network' option in the advanced IPv4 network settings. This means that only the traffic for the private network will go via the VPN, not all traffic. Unfortunately the route that Windows adds is based on the old classful system; because we are using a 172.x network, Windows assumes a Class B network and adds a 172.16.0.0/16 route via 172.16.1.200. This may be acceptable in many cases; in others you may want to disable the automatic route addition and add your own more specific route manually.
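To see exactly how far the classful route overshoots the private network, here is an added example (not from the original post) that derives the route Windows would add from the address the tunnel assigns and compares it with the 172.16.1.0/24 network actually behind the VPN. The class boundaries are the standard ones (first octet below 128 is Class A, below 192 Class B, below 224 Class C); the addresses are the ones used in the post.

```python
from ipaddress import IPv4Address, IPv4Network

# Values from the post: the private network behind the VPN and the l2tp local-ip
PRIVATE_NET = IPv4Network("172.16.1.0/24")
TUNNEL_GATEWAY = IPv4Address("172.16.1.200")


def classful_prefix(addr: IPv4Address) -> int:
    """Prefix length the old class system implies from the first octet."""
    first = int(addr) >> 24
    if first < 128:
        return 8      # Class A
    if first < 192:
        return 16     # Class B
    if first < 224:
        return 24     # Class C
    raise ValueError(f"{addr} is not a classful unicast address")


def windows_auto_route(assigned: IPv4Address) -> IPv4Network:
    """The route a split-tunnel client adds: the classful network of its assigned address."""
    return IPv4Network((assigned, classful_prefix(assigned)), strict=False)


def extra_destinations(assigned: IPv4Address, wanted: IPv4Network):
    """Return (automatic route, number of addresses it sends via the VPN beyond the wanted network)."""
    auto = windows_auto_route(assigned)
    if not wanted.subnet_of(auto):
        return auto, auto.num_addresses
    return auto, auto.num_addresses - wanted.num_addresses


def manual_route(wanted: IPv4Network, gateway: IPv4Address) -> str:
    """Destination, mask and gateway for the more specific route the post suggests adding by hand."""
    return f"{wanted.network_address} mask {wanted.netmask} {gateway}"


if __name__ == "__main__":
    # A client given the first address of the pool (first-ip 172.16.1.201 in the post)
    client = IPv4Address("172.16.1.201")
    auto, extra = extra_destinations(client, PRIVATE_NET)
    print(f"Windows adds {auto} via {TUNNEL_GATEWAY}; {extra} addresses outside {PRIVATE_NET} also go via the VPN")
    print("more specific route:", manual_route(PRIVATE_NET, TUNNEL_GATEWAY))
```

For the post's addressing the automatic route is 172.16.0.0/16, which drags 65,280 addresses that are not on the private network into the tunnel; the manual_route output is the destination/mask/gateway triple you would use instead.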

Now that we have a successful VPN, we can go about turning on the firewall...

Create a firewall configuration and add the following zones:

zone	type
wan	ipv4		#traffic to/from the outside networks
vpn	ipsec		#traffic to/from vpn clients
l2tp	ipv4		#traffic to/from the l2tp tunnels (inside the vpn zone if you like)
lan	ipv4		#traffic to/from the private network ie 172.16.1.0/24 in our case
fw	firewall	#traffic to/from interfaces that reside on the RX1500

Next, add the interfaces to the zones:

interface	zone
switch.0001	lan
switch.0501	wan
ppp+		l2tp	#the l2tp interfaces (the + means include ppp-l2tp-0, ppp-l2tp-1, ppp-l2tp-2 etc.)

And we also need to add a host which defines the vpn:

name	ipsec	zone	interface	ip address list
vpn	yes	vpn	switch.0501	0.0.0.0/0

This means that IPv4 traffic on interface switch.0501 will by default belong to the wan zone, unless it is IPsec-encrypted, in which case it is put into the vpn zone. Once the L2TP tunnel is up, any traffic over the tunnel arrives on a ppp+ interface and therefore belongs to the l2tp zone.

Next, create the policies - these define the general rules for new connections:

name		src-zone	dest-zone	policy
fw2allaccept	fw		all		accept	#allow fw outbound traffic
l2tp2lanaccept	l2tp		lan		accept	#allow l2tp traffic to the private network
l2tp2fwaccept	l2tp		fw		accept	#allow l2tp traffic to the firewall
denyall		all		all		drop	#default for all other traffic

Next we need to create some rules - exceptions to the policies:

name		policy		src-zone	dest-zone	protocol/port (d = dest, s = src)
vpnl2tp		accept		vpn		fw		udp/1701d	#accept only l2tp traffic over ipsec
netfwping	accept		wan		fw		icmp		#accept pings
allowhttps	accept		wan		fw		tcp/443d	#accept web traffic
allowssh	accept		wan		fw 		tcp/22d		#accept ssh traffic
allowipsec1	accept		wan		fw		udp/500
allowipsec2	accept		wan		fw		ah,esp
allowospf	accept		wan		fw		ospf
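The zone assignment, policies and rules above interact in a specific order, and it is worth checking that the combination really does admit L2TP only inside IPsec and keeps the WAN out of the private network. The following is an added example, not RX1500 code and not from the original post: a small model of the zone firewall as described in the tables, which classifies a packet into source and destination zones (ipsec host entry first, then interface, with '+' as a prefix wildcard) and then evaluates it. It assumes the usual zone-firewall semantics in which rules are checked before policies and policies apply in the order listed, and it uses 198.51.100.7 as a constructed Internet client address.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# --- Configuration transcribed from the tables in the post ----------------

# interface pattern -> zone; a trailing '+' matches any interface with that prefix
INTERFACE_ZONES = {"switch.0001": "lan", "switch.0501": "wan", "ppp+": "l2tp"}

# fwhost entries: (zone, interface, address list, requires ipsec)
HOSTS = [("vpn", "switch.0501", ip_network("0.0.0.0/0"), True)]

# policies, evaluated in order; 'all' is a wildcard zone
POLICIES = [
    ("fw2allaccept", "fw", "all", "accept"),
    ("l2tp2lanaccept", "l2tp", "lan", "accept"),
    ("l2tp2fwaccept", "l2tp", "fw", "accept"),
    ("denyall", "all", "all", "drop"),
]

# rules are exceptions to the policies: (name, action, src zone, dst zone, protocols, dest port)
RULES = [
    ("vpnl2tp", "accept", "vpn", "fw", {"udp"}, 1701),
    ("netfwping", "accept", "wan", "fw", {"icmp"}, None),
    ("allowhttps", "accept", "wan", "fw", {"tcp"}, 443),
    ("allowssh", "accept", "wan", "fw", {"tcp"}, 22),
    ("allowipsec1", "accept", "wan", "fw", {"udp"}, 500),
    ("allowipsec2", "accept", "wan", "fw", {"ah", "esp"}, None),
    ("allowospf", "accept", "wan", "fw", {"ospf"}, None),
]


@dataclass
class Packet:
    in_iface: str               # interface the packet arrived on ('fw' if the router generated it)
    out_iface: str              # interface it would leave on ('fw' if addressed to the router)
    src: str                    # source IPv4 address
    protocol: str               # tcp, udp, icmp, ah, esp, ospf
    dport: Optional[int] = None
    ipsec: bool = False         # True when the packet was just decrypted by IPsec


def _iface_matches(pattern: str, name: str) -> bool:
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name


def zone_of_interface(name: str) -> Optional[str]:
    if name == "fw":
        return "fw"
    for pattern, zone in INTERFACE_ZONES.items():
        if _iface_matches(pattern, name):
            return zone
    return None


def source_zone(pkt: Packet) -> Optional[str]:
    """An ipsec fwhost takes precedence over the plain interface zone for decrypted traffic."""
    for zone, iface, net, needs_ipsec in HOSTS:
        if needs_ipsec and not pkt.ipsec:
            continue
        if _iface_matches(iface, pkt.in_iface) and ip_address(pkt.src) in net:
            return zone
    return zone_of_interface(pkt.in_iface)


def _zone_match(want: str, have: Optional[str]) -> bool:
    return want == "all" or want == have


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (action, name of the rule or policy that decided it)."""
    src, dst = source_zone(pkt), zone_of_interface(pkt.out_iface)
    for name, action, s, d, protos, dport in RULES:
        if (_zone_match(s, src) and _zone_match(d, dst) and pkt.protocol in protos
                and (dport is None or dport == pkt.dport)):
            return action, name
    for name, s, d, action in POLICIES:
        if _zone_match(s, src) and _zone_match(d, dst):
            return action, name
    return "drop", "implicit"


if __name__ == "__main__":
    samples = [
        ("L2TP inside IPsec", Packet("switch.0501", "fw", "198.51.100.7", "udp", 1701, ipsec=True)),
        ("L2TP in the clear", Packet("switch.0501", "fw", "198.51.100.7", "udp", 1701)),
        ("HTTPS to the router", Packet("switch.0501", "fw", "198.51.100.7", "tcp", 443)),
        ("VPN client to private LAN", Packet("ppp-l2tp-1", "switch.0001", "172.16.1.201", "tcp", 502)),
        ("Internet host to private LAN", Packet("switch.0501", "switch.0001", "198.51.100.7", "tcp", 80)),
        ("Router-originated OSPF", Packet("fw", "switch.0501", "172.15.1.254", "ospf")),
    ]
    for label, pkt in samples:
        print(f"{label:30} -> {evaluate(pkt)}")
```

The second sample is the one that matters for security: the same UDP/1701 packet that is accepted when it arrives decrypted (vpn zone) falls through to denyall when it arrives in the clear (wan zone), because the only L2TP rule has vpn as its source zone. Extending RULES with the snmp, http and ssh entries from the final configuration later in the post changes the answers for those ports accordingly.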

Our final firewall configuration should look like the following - note the routeback option specified on the switch.0501 interface.

!
security
 firewall
  enable
  work-config   fwconfig
  active-config fwconfig
  fwconfig fwconfig
   fwzone wan
    description "External network"
   !
   fwzone lan
    description "Internal network"
   !
   fwzone vpn
    type        ipsec
    description "VPN IPsec zone"
   !
   fwzone fw
    type        firewall
    description "Firewall zone"
   !
   fwzone l2tp
    description "VPN tunnel zone"
   !
   fwhost vpn
    zone      vpn
    interface switch.0501
    ipaddress 0.0.0.0/0
    options
     ipsec
    !
    no description
   !
   fwinterface switch.0501
    zone wan
    broadcast-addr detect
    options
     routeback
    !
    no description
   !
   fwinterface switch.0001
    zone lan
    no description
   !
   fwinterface ppp+
    zone l2tp
    no description
   !
   fwpolicy fw2allaccept
    source-zone fw
    destination-zone all
    policy accept
    no description
   !
   fwpolicy l2tp2lanaccept
    source-zone l2tp
    destination-zone lan
    policy accept
    no description
   !
   fwpolicy l2tp2fwaccept
    source-zone l2tp
    destination-zone fw
    policy accept
    no description
   !
   fwpolicy denyall
    source-zone all
    destination-zone all
    policy      drop
    log-level   info
    description "Default reject all"
   !
   fwrule allowipsec1
    action            accept
    source-zone wan
    destination-zone fw
    protocol          udp
    destination-ports 500
    no description
   !
   fwrule allowipsec2
    action   accept
    source-zone wan
    destination-zone fw
    protocol ah,esp
    no description
   !
   fwrule allowhttps
    action            accept
    source-zone wan
    destination-zone fw
    protocol          tcp
    destination-ports 443
    no description
   !
   fwrule allowping
    action   accept
    source-zone wan
    destination-zone fw
    protocol icmp
    no description
   !
   fwrule allowospf
    action   accept
    source-zone wan
    destination-zone fw
    protocol ospf
    no description
   !
   fwrule allowl2tp
    action            accept
    source-zone vpn
    destination-zone fw
    protocol          udp
    destination-ports 1701
    no description
   !
   fwrule allowsnmp
    action            accept
    source-zone wan
    destination-zone fw
    protocol          udp
    destination-ports 161
    no description
   !
   fwrule allowhttp
    action            accept
    source-zone all
    destination-zone fw
    protocol          tcp
    destination-ports 80
    no description
   !
   fwrule allowssh
    action            accept
    source-zone all
    destination-zone fw
    protocol          tcp
    destination-ports 22
    no description
   !
  !
 !
!

Don't forget to enable the firewall and set the configuration as the active one, and we finally have a complete IPsec/L2TP implementation with a firewall in front of it.

| April 23rd, 2015 | Posted in Networking |

2 Responses to “Improved guide to Firewalls, IPSec, OSPF and L2TP on the RuggedCom RX1500”

  1. Mathavan Says:

    I am working on a project and am using one RX1500. As per the project, I have to configure the firewall for the Modbus 502 port service. We can communicate between two laptops on two different networks. But when I enable that firewall configuration, I couldn't even ping between the two different networks. Kindly help to configure the firewall for only the port 502 service.

    Mathavan.R
    +966533162556

  2. Raggles Says:

    I can't really provide specific help here without seeing the configuration, but it sounds like you probably need to create a rule that allows traffic on port 502 (assume tcp if it is modbus) from your source zone to your destination zone. Also make sure you have assigned the interfaces to the correct zones. Repeat above for ping (icmp protocol) and any other services that you need.

    A handy debugging tool is to turn on logging for your policies and rules, then you can determine at what stage your packets are dropped by looking at the firewall logs.
