
Westermo OS Management Guide
Version 4.17.0-0
[Figure 36.1 diagram. Labels in the figure: Company Intranet 10.0.0.0/24; Charlie; Backend Authentication Server (RADIUS); Alice (SSL VPN server, alice.example.com; iface vlan1 10.0.0.1/24; iface ssl0, Dynamic (SSL)); Internet; Bob and Dave (SSL VPN clients; iface vlan1/vlan2, Dynamic (DHCP); iface ssl0); 10.0.2.1/24; 10.0.0.5/24.]
Figure 36.1: SSL Host-NET setup. One or more SSL Clients ("roadwarriors" Bob and Dave) can access the company private network via the SSL Server Gateway (Alice).
The VPN server (Alice) may be reachable via a fixed IP address on her upstream interface. But if Alice acquires her IP address dynamically from her ISP, it is recommended that Alice use Dynamic DNS (DDNS) to bind her IP address to a domain name, see
. The VPN client (Bob) would then use Alice's domain name when initiating the SSL tunnel (alice.example.com in
and
Example
bob:/config/#> tunnel
bob:/config/tunnel/#> ssl 0
bob:/config/tunnel/ssl-0/#> no server
bob:/config/tunnel/ssl-0/#> peer alice.example.com
bob:/config/tunnel/ssl-0/#> end
bob:/config/tunnel/#>
36.1.2 Tunnel Transport Settings
The WeOS SSL support assumes that there is an SSL Server unit and an SSL Client unit, where the client (Bob) initiates the VPN connection to the server (Alice). The SSL tunnel can be carried over UDP or TCP. By default UDP transport is used, with UDP port number 1194.
In case Bob is located behind a firewall which blocks outgoing traffic for UDP port 1194, an alternative can be to configure Alice and Bob to use TCP transport with
© 2015 Westermo Teleindustri AB
837