shorewall_code/Shorewall-docs/IPSEC.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
     
  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
  <title>Shorewall IPSec Tunneling</title>
         
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
     
  <meta name="ProgId" content="FrontPage.Editor.Document">
         
   
  </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
   <tr>
     <td width="100%">
     <h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
     </td>
   </tr>
 </table>
 <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
 http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan.<2E><p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
 and FreeS/Wan on the same system unless you are prepared to suffer the
 consequences. If you start or restart Shorewall with an IPSEC tunnel active,
 the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
 (ipsecX) rather than to the interface that you specify in the INTERFACE column
 of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
 can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
 <p>You <b>might</b> be able to work around this problem using the following (I
 haven't tried it):</p>
 <p>In /etc/shorewall/init, include:</p>
 <p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
 <p>In /etc/shorewall/start, include:</p>
 <p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
 <h2>

<font color="#660066">IPSec Gateway
on the Firewall System
  </font></h2>
          
 <p>Suppose that we have the following sutuation:</p>
          
<font color="#660066">
          
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.png" width="745" height="427">
       </font></p>
          
  </font>
          
<p align="Left">We want systems
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
          
<p align="Left">To make this work, we need to do two things:</p>
          
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established 
(allow the ESP and AH protocols and UDP Port 500). </p>
          
<p align="Left">b) Allow traffic through the tunnel.</p>
          
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by 
adding an entry to the /etc/shorewall/tunnels file.</p>
          
<p align="Left">In /etc/shorewall/tunnels 
on system A, we need the following<6E></p>
          
<blockquote> 
  <table border="2" cellpadding="2" style="border-collapse: collapse">
          <tbody>
             <tr>
              <td><strong>
 TYPE</strong></td>
              <td><strong>
 ZONE</strong></td>
              <td><strong>
 GATEWAY</strong></td>
              <td><strong>
 GATEWAY ZONE</strong></td>
          </tr>
          <tr>
              <td>ipsec</td>
              <td>net</td>
              <td>134.28.54.2</td>
              <td>&nbsp;</td>
          </tr>
                 
    </tbody>         
  </table></blockquote>
            
  <p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
            
  <blockquote> 
    <table border="2" cellpadding="2" style="border-collapse: collapse">
          <tbody>
               <tr>
              <td><strong>
 TYPE</strong></td>
              <td><strong>
 ZONE</strong></td>
              <td><strong>
 GATEWAY</strong></td>
              <td><strong>
 GATEWAY ZONE</strong></td>
          </tr>
          <tr>
              <td>ipsec</td>
              <td>net</td>
              <td>206.161.148.9</td>
          <td>&nbsp;</td>
          </tr>
                   
      </tbody>           
    </table></blockquote>
             
    <p align="Left">You need to define a zone for the remote subnet or include 
    it in your local zone. In this example, we'll assume that you have created a 
    zone called &quot;vpn&quot; to represent the remote subnet.</p>
              
    <blockquote>
    <table border="2" cellpadding="2" style="border-collapse: collapse">
               <tr>
              <td><strong>ZONE</strong></td>
              <td><strong>DISPLAY</strong></td>
              <td><strong>COMMENTS</strong></td>
          </tr>
          <tr>
              <td>vpn</td>
              <td>VPN</td>
              <td>Remote Subnet</td>
          </tr>
                   
    </table>
 </blockquote>
             
    <p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
              
    <blockquote> 
      <table border="2" cellpadding="2" style="border-collapse: collapse">
          <tbody>
                 <tr>
              <td><strong>
 ZONE</strong></td>
              <td><strong>
 INTERFACE</strong></td>
              <td><strong>
 BROADCAST</strong></td>
              <td><strong>
 OPTIONS</strong></td>
          </tr>
          <tr>
              <td>vpn</td>
              <td>ipsec0</td>
              <td>&nbsp;</td>
              <td>&nbsp;</td>
          </tr>
                     
        </tbody>             
      </table></blockquote>
                
      <p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and 
      the &quot;loc&quot; zone -- if you simply want to admit all traffic in both 
      directions, you can use the policy file:</p>
                
      
      <blockquote>
        <table border="2" cellpadding="2" style="border-collapse: collapse">
               <tr>
              <td><strong>SOURCE</strong></td>
              <td><strong>DEST</strong></td>
              <td><strong>POLICY</strong></td>
              <td><strong>LOG LEVEL</strong></td>
          </tr>
          <tr>
              <td>loc</td>
              <td>vpn</td>
              <td>ACCEPT</td>
          <td>&nbsp;</td>
          </tr>
                   
          <tr>
              <td>vpn</td>
              <td>loc</td>
              <td>ACCEPT</td>
          <td>&nbsp;</td>
          </tr>
                   
    </table>
 </blockquote>
                
      <p align="Left"> Once
you have these entries in place, restart Shorewall (type shorewall restart); 
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
 FreeS/WAN</a>
 .</p>
                
      
      <h2><font color="#660066"><a name="RoadWarrior"></a>
 Mobile System (Road Warrior)</font></h2>
                
      <p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
                
      <p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
      <img src="images/Mobile.png" width="677" height="426">
             </font></strong></p>
                
    <p align="Left">You need to define a zone for the laptop or include it in 
    your local zone. In this example, we'll assume that you have created a zone 
    called &quot;vpn&quot; to represent the remote host.</p>
              
    <blockquote>
    <table border="2" cellpadding="2" style="border-collapse: collapse">
               <tr>
              <td><strong>ZONE</strong></td>
              <td><strong>DISPLAY</strong></td>
              <td><strong>COMMENTS</strong></td>
          </tr>
          <tr>
              <td>vpn</td>
              <td>VPN</td>
              <td>Remote Subnet</td>
          </tr>
                   
    </table>
 </blockquote>
                
      <p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
                
      <blockquote> 
        <table border="2" cellpadding="2" style="border-collapse: collapse">
          <tbody>
                   <tr>
              <td><strong>
 TYPE</strong></td>
              <td><strong>
 ZONE</strong></td>
              <td><strong>
 GATEWAY</strong></td>
              <td><strong>
 GATEWAY ZONE</strong></td>
          </tr>
          <tr>
              <td>ipsec</td>
              <td>net</td>
              <td>0.0.0.0/0</td>
              <td>vpn</td>
          </tr>
                       
          </tbody>               
        </table></blockquote>
                  
        <p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
                 
        
        <p>You will need to configure /etc/shorewall/interfaces and establish 
        your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
                 
        
        <p><font size="2"> Last
updated 8/20/2002 - </font><font size="2">
        <a href="support.htm">Tom Eastep</a></font>
 </p>
                 
        
        <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
        Copyright</font> <20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
  
</body>
        </html>