Section 36.1.4, Section 36.1.3.4 – Westermo RedFox Series User Manual
Page 842

Westermo OS Management Guide
Version 4.17.0-0
36.1.3.4 Managing traffic between VPN clients (hosts or gateways)
Traffic between VPN clients (Bob and Dave in and ) will go via the VPN Server (Alice), and will by default be handled by the WeOS firewall at Alice.
To allow client-client communication, there are two alternatives:
• Add "allow" rule in firewall (for layer-3 tunnels): The VPN Server Gateway can add an appropriate filter allow rule for the given SSL interface. An example is given below. Note that ssl0 is used both as incoming and outgoing interface.
Example
alice:/config/#> ip
alice:/config/ip/#> firewall
alice:/config/ip/firewall/#> filter allow in ssl0 out ssl0
alice:/config/ip/firewall/#> leave
alice:/#>
• Enable client-to-client communication without involving the firewall (for layer-2 or layer-3 tunnels): With this setting, the VPN gateway (Alice) will forward packets between clients without involving her firewall.
Example
alice:/config/#> tunnel
alice:/config/tunnel/#> ssl 0
alice:/config/tunnel/ssl-0/#> client-to-client
alice:/config/tunnel/ssl-0/#> leave
alice:/#>
Note
When using a NET-NET setup (layer-2 VPN) with multiple VPN client gateways (Bob and Dave in ), then the "client-to-client" setting must be enabled at the VPN server (Alice) to enable traffic between the local office networks (networks behind Bob and Dave). As of WeOS v4.17.0 the alternative to enable the traffic via the firewall at Alice does not work for layer-2 VPNs.
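The following is an added illustration, not WeOS code and not part of the manual: a small Python model of the forwarding decision at the VPN server (Alice) for a packet that arrives from one VPN client and is destined for another over the same SSL interface. It replays the two alternatives above and the layer-2 caveat from the Note. All names (FilterRule, SslTunnel, VpnServer, walk_through, the interface name vlan1) are hypothetical, and it assumes that forwarded traffic matching no filter rule is dropped, which is how "handled by the WeOS firewall" reads; the real WeOS rule semantics are not reproduced beyond that.

```python
# Added illustration (not WeOS code): a toy model of the forwarding decision
# at the VPN server (Alice) for packets travelling from one VPN client to
# another over the same SSL interface. All class and function names are
# hypothetical. Assumption: forwarded traffic that matches no filter rule is
# dropped, which is how the manual's "handled by the WeOS firewall" reads.
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class FilterRule:
    action: str   # "allow" or "deny"
    in_if: str    # incoming interface name, e.g. "ssl0"
    out_if: str   # outgoing interface name


@dataclass
class SslTunnel:
    name: str                       # interface name, e.g. "ssl0"
    layer: int                      # 2 for NET-NET (bridged), 3 for routed
    client_to_client: bool = False  # the "client-to-client" tunnel setting


@dataclass
class VpnServer:
    tunnel: SslTunnel
    rules: List[FilterRule] = field(default_factory=list)  # ordered, first match wins
    default_action: str = "deny"  # assumption, see header comment

    def firewall_verdict(self, in_if: str, out_if: str) -> str:
        """First matching filter rule decides; otherwise the default applies."""
        for rule in self.rules:
            if rule.in_if == in_if and rule.out_if == out_if:
                return rule.action
        return self.default_action

    def forwards_between_clients(self) -> bool:
        """Does a packet from one client reach another client through Alice?"""
        t = self.tunnel
        # Alternative 2: client-to-client bypasses the firewall on both
        # layer-2 and layer-3 tunnels.
        if t.client_to_client:
            return True
        # Per the manual, the firewall route does not work for layer-2 VPNs
        # as of WeOS v4.17.0, so only client-to-client helps there.
        if t.layer == 2:
            return False
        # Alternative 1: layer-3 tunnel, the packet enters and leaves on the
        # same SSL interface, so the rule must name ssl0 as both in and out.
        return self.firewall_verdict(t.name, t.name) == "allow"


def walk_through() -> dict:
    """Replay the manual's two alternatives and return each outcome."""
    out = {}
    alice = VpnServer(SslTunnel("ssl0", layer=3))
    out["l3_default"] = alice.forwards_between_clients()        # blocked
    # A rule that names the wrong outgoing interface does not help
    # (vlan1 is a constructed interface name).
    alice.rules.append(FilterRule("allow", "ssl0", "vlan1"))
    out["l3_wrong_out_if"] = alice.forwards_between_clients()   # still blocked
    # 'filter allow in ssl0 out ssl0' from the manual's example.
    alice.rules.append(FilterRule("allow", "ssl0", "ssl0"))
    out["l3_allow_rule"] = alice.forwards_between_clients()     # forwarded

    # NET-NET (layer-2) server with the same allow rule: not enough.
    alice_l2 = VpnServer(SslTunnel("ssl0", layer=2),
                         rules=[FilterRule("allow", "ssl0", "ssl0")])
    out["l2_allow_rule"] = alice_l2.forwards_between_clients()  # blocked
    alice_l2.tunnel.client_to_client = True
    out["l2_client_to_client"] = alice_l2.forwards_between_clients()  # forwarded
    return out


if __name__ == "__main__":
    for case, forwarded in walk_through().items():
        print(f"{case:22s} -> {'forwarded' if forwarded else 'blocked'}")
```

The point the model makes visible is that a filter rule only helps when it names the SSL interface on both the incoming and the outgoing side, and that on a layer-2 (NET-NET) tunnel only the client-to-client setting opens the path, with the firewall then no longer inspecting that traffic.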
36.1.4 SSL Security Settings
SSL security settings include authentication settings for tunnel establishment, and cipher suite settings (encryption and per packet authentication algorithms)
© 2015 Westermo Teleindustri AB