It is often the case that a system behind the firewall needs to be -able to access a remote network through Virtual Private Networking -(VPN). The two most common means for doing this are IPSEC and PPTP. The -basic setup is shown in the following diagram:
-
A system with an RFC 1918 address needs to access a -remote network through a remote gateway. For this example, we will -assume that the local system has IP address 192.168.1.12 and that the -remote gateway has -IP address 192.0.2.224.
-If PPTP is being used, there are no firewall -requirements beyond the default loc->net ACCEPT policy. There is one -restriction however: Only one local system at a time can be connected -to a single remote gateway unless you patch your kernel from the -'Patch-o-matic' patches available at -http://www.netfilter.org.
-If IPSEC is being used then only one system may connect -to the remote gateway and there are firewall configuration requirements -as follows:
---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -CLIENT -
-PORTORIGINAL -
-DEST- -DNAT -net:192.0.2.224 -loc:192.168.1.12 -50 -- - - - - -DNAT -net:192.0.2.224 -loc:192.168.1.12 -udp -500 -- -
If you want to be able to give access to all of your local systems -to the remote network, you should consider running a VPN client on your -firewall. As starting points, see -http://www.shorewall.net/Documentation.htm#Tunnels or http://www.shorewall.net/PPTP.htm.
-Last modified 12/21/2002 - Tom -Eastep
-Copyright -© 2002 Thomas M. Eastep.
--