shorewall_code/docs/VPN.xml

203 lines
5.9 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="VPN">
<!--$Id$-->
<articleinfo>
<title>VPN</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section id="vpn">
<title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png" />
<para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local
system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</para>
<para>If PPTP is being used, there are no firewall requirements beyond the
default loc-&gt;net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
available at <ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
<para>If IPSEC is being used, you should configure IPSEC to use
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
packets (protocol 50 or 51) are encapsulated in UDP packets with
destination port 4500. Additionally, <firstterm>keep-alive
messages</firstterm> are sent frequently so that NATing gateways between
the end-points will retain their connection-tracking entries. This is the
way that I connect to the HP Intranet and it works flawlessly without
anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
traversal is available as a patch for Windows 2K and is a standard feature
of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
pulldown.</para>
<para>Alternatively, if IPSEC is being used then you can try the
following: only one system may connect to the remote gateway and there are
firewall configuration requirements as follows:</para>
<table id="Table1">
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>50</entry>
<entry></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>udp</entry>
<entry>500</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>The above may or may not work — your milage may vary. NAT Traversal
is definitely a better solution. To use NAT traversal:<table id="Table2">
<title>/etc/shorewall/rules with NAT Traversal</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>udp</entry>
<entry>4500</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>udp</entry>
<entry>500</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <ulink
url="manpages/shorewall-tunnels.html">The /etc/shorewall/tunnels manpage</ulink>
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
</section>
</article>