beautypg.com

Internet – Westermo RedFox Series User Manual

Page 791

background image

Westermo OS Management Guide

Version 4.17.0-0

lowed to pass through the established tunnel. Each peer will define the local
and remote subnet, and all traffic between these subnets is sent securely
through the tunnel. To secure all traffic between networks ”A” and ”B”,
Alice would define 192.168.10.0/24 as local subnet, and 192.168.11.0/24
as remote subnet in the tunnel configuration. Bob would do the opposite,
i.e., define 192.168.11.0/24 as local subnet, and 192.168.10.0/24 as remote
subnet.

More advanced settings for the local and remote subnet parameters are
possible, e.g., it is possible to configure the tunnel so that all traffic from
Network B is sent through the tunnel (i.e., not only the traffic heading for
Network A).

Outbound interface: The outbound interface denotes the interface, and im-

plicitly the IP address, a VPN gateway uses to tunnel the traffic through, and
to communicate with its peer. In

fig. 35.2

Alice outbound interface would be

her interface towards the Internet (and the same goes for Bob).

By default, the outbound interface is set to the interface leading to the de-
fault gateway (see

section 19.3

).

(192.168.10.0/24)

NetworkA

Alice

VPN
GW1

Bob

Secure tunnel

Responder

PC

client

VPN

Initiator

(192.168.12.49/32)

VPN Client IP address

Internet

Figure 35.3: IPsec VPNs can be used to provide secure connections between
individual hosts and a network behind a VPN gateway, a HOST-NETWORK VPN.

Another common use case is shown in fig.

35.3

. In this case Bob is an individ-

ual host, i.e., a PC with VPN client software installed. A WeOS switch is able
to act as VPN gateway in HOST-NETWORK scenarios. The host (Bob) should be
assigned a VPN client IP address (192.168.12.49 in fig.

35.3

), which is used to

communicate with the hosts in Network-A. For Alice the configuration is very sim-
ilar to the NETWORK-NETWORK example above, with the main difference being
that her remote-subnet defines an individual IP address (192.168.12.49/32, i.e.,
netmask 255.255.255.255) instead of a network. As in the NETWORK-NETWORK
use case, Bob’s PC can be configured as a road warrior connecting from different
IP addresses, and with NAT-T enabled he can connect from behind a NAT gateway.

➞ 2015 Westermo Teleindustri AB

791

This manual is related to the following products:
See also other documents in the category Westermo Equipment: