diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 9e1371bb7..87ce669dc 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -30,7 +30,11 @@
2006
- 2009 Thomas M. Eastep
+ 2009
+
+ 2016
+
+ Thomas M. Eastep
@@ -71,8 +75,8 @@
While this article shows configuration of
IPsec using ipsec-tools, Shorewall
- configuration is exactly the same when using OpenSwan or
- FreeSwan.
+ configuration is exactly the same when using OpenSwan or any of the other Swan derivatives.
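Review bot: The rewritten sentence on the `+` line runs well past the wrap width the surrounding paragraph keeps to; re-flow it like the lines around it. Since "any of the other Swan derivatives" is vague, naming the current ones (Libreswan, strongSwan) would tell the reader which stacks this note actually applies to, and "Openswan" is the project's own spelling.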
@@ -158,7 +162,7 @@
from MASQUERADE/SNAT using existing entries. If you want to
MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
must include the appropriate indication in the IPSEC column in that
- file.
+ file.
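Review bot: This hunk only changes whitespace on the "file." line (the `-`/`+` pair is textually identical apart from trailing or leading blanks). Either drop it from this commit or note in the commit message that whitespace cleanup is intentional, so reviewers do not hunt for a content change that is not there.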
@@ -321,6 +325,14 @@ vpn eth0:10.0.0.0/8,134.28.54.2 ips
vpn eth0:192.168.1.0/24,206.162.148.9 ipsec
+ If you want to keep things simple, you can simply not restrict the
+ set of addresses in the ipsec zones:
+
+
+ #ZONE HOSTS OPTIONS
+vpn eth0:0.0.0.0/o ipsec
+
+
Assuming that you want to give each local network free access to the
remote network and vice versa, you would need the following
/etc/shorewall/policy entries on each system:
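Review bot: Typo in the new example: `vpn eth0:0.0.0.0/o ipsec` has a letter "o" where the prefix length should be the digit 0, i.e. `vpn eth0:0.0.0.0/0 ipsec`; as written it will not parse as a network. It would also help to add one sentence saying why this is safe to recommend: the zone is still an `ipsec` zone, so traffic is matched by IPsec policy, not by address alone, and 0.0.0.0/0 therefore does not let unencrypted traffic from eth0 into the vpn zone.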
@@ -450,12 +462,12 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
tunnel, then it is a good idea to set the MSS value for traffic from
those hosts explicitly in the
/etc/shorewall/zones file. For example, if hosts
- in the sec zone access the Internet
+ in the vpn zone access the Internet
through an ESP tunnel then the following entry would be
appropriate:
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
-sec ipsec mode=tunnel mss=1400
+vpn ipsec mode=tunnel mss=1400
You should also set FASTACCEPT=No in shorewall.conf to ensure
that both the SYN and SYN,ACK packets have their MSS field
@@ -469,6 +481,36 @@ sec ipsec mode=tunnel mss=1400
+
+ IPCOMP and IPSEC
+
+ IPSEC can be configured to perform data compression. This is
+ accomplished by compressing the original IP packet, then encapsulating it
+ in an ipcomp (protocol 108) packet. That packet is then encrypted and
+ encapsulated within an ESP packet. Because of the extra protocol header
+ required for compression, short IP packets (such as default ping packets)
+ are not compressed. The Linux IP stack handles these uncompressed packets
+ by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
+ the remote gateway must be handled in Shorewall. The easiest way to
+ accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
+ zone to the $FW zone:
+
+
+ #ACTION SOURCE DEST PROTO DPORT ...
+ACCEPT vpn $FW 4
+
+
+ Note that the source IP address is these IPIP packets is that of the
+ remote peer, so the definition of the ipsec zone in shorewall-hosts(5) must
+ include the peer.
+
+ Finally, when IPCOMP is used, it is recommended that the OPTIONS
+ column of the ipsec zone's entry in shorewall-zones(5) be left
+ empty.
+
+
Mobile System (Road Warrior)
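Review bot: Typo in the new section: "the source IP address is these IPIP packets is that of the remote peer" should read "in these IPIP packets". Two points need stating rather than leaving the reader to infer them: (1) the final paragraph recommends leaving the ipsec zone's OPTIONS column empty, but the preceding section just told the reader to put `mode=tunnel mss=1400` there; say explicitly that the two are incompatible when IPCOMP is in use and what to do about MSS clamping in that case, and give the reason the OPTIONS must be empty (which option fails to match the IPIP fallback packets). (2) The `ACCEPT vpn $FW 4` rule covers IPIP packets arriving at the gateway itself; if the document's earlier examples have the gateway forwarding tunnel traffic to local networks, state whether a corresponding rule for the other direction or for forwarded traffic is also required, or that only the gateway-to-gateway fallback SA exists so $FW is sufficient.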