diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 915368f2d..983a9b73b 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-10-05
+ 2004-10-06
2001-2004
@@ -341,6 +341,11 @@
IPSEC
+
+ IPSEC using Kernel 2.6 and Shorewall
+ 2.1 or Later.
+
+
Kazaa
Filtering
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index 02d345ab9..b0dad877f 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2004-10-01
+ 2004-10-08
2004
@@ -35,13 +35,20 @@
- To use this support, your kernel and iptables must include the
- Netfilter+ipsec patches and policy match support and you must be running
- Shorewall 2.1.5 or later. The Netfilter patches are available from
- Netfilter Patch-O-Matic-NG and are also included in some commercial
- distributions (most notably SuSE 9.1).
+ To use the features described in this article, your kernel and
+ iptables must include the Netfilter+ipsec patches and policy match support
+ and you must be running Shorewall 2.1.5 or later. The Netfilter patches
+ are available from Netfilter Patch-O-Matic-NG and are also included in
+ some commercial distributions (most notably SuSE
+ 9.1).
+
+ You must have BOTH the
+ Netfilter+ipsec patches and the policy match patch. One without the other will not work.
+
+
As of this writing, the Netfilter+ipsec and policy match support are
broken when used with a bridge device. The problem has been reported to
@@ -112,7 +119,7 @@
must be matched against policies in the SPD and/or the appropriate
SA.
- Shorewall provides support for policy matching in two ways:
+ Shorewall provides support for policy matching in three ways:
@@ -129,6 +136,13 @@
file allows you to associate zones with traffic that will be encrypted
or that has been decrypted.
+
+
+ A new option (ipsec) has been
+ provided for entries in /etc/shorewall/hosts.
+ When an entry has this option specified, traffic to/from the hosts
+ described in the entry is assumed to be encrypted.
+
In summary, Shorewall 2.1.5 and later versions provide the
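Review bot: The new paragraph on the hosts-file `ipsec` option says traffic to/from the listed hosts "is assumed to be encrypted" but does not say what happens to cleartext packets arriving from those same addresses, which is the question a reader defining a vpn zone will have. If the option causes Shorewall to add a policy match so that unencrypted traffic from those hosts does not fall into the zone, a sentence saying so belongs here; if it merely trusts the source address, that should be stated instead, since the zone's security depends on the difference. I cannot tell which is meant from the paragraph as written.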
@@ -231,28 +245,37 @@ ipsec net 206.161.148.9
B:
#ZONE DISPLAY COMMENTS
-net Internet The big bad internet
vpn VPN Virtual Private Network
+net Internet The big bad internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ Note that the vpn
zone is defined before the
+ net
zone. This is necessary if you are using a Shorewall
+ version earlier than 2.1.11.
+
+
Remember the assumption that both systems A and B have eth0 as their
internet interface.
You must define the vpn zone using the
- /etc/shorewall/hosts file.
+ /etc/shorewall/hosts file. The hosts file entries
+ below assume that you want the remote gateway to be part of the vpn zone —
+ If you don't wish the remote gateway included, simply omit it's IP address
+ from the HOSTS column.
/etc/shorewall/hosts — System A
- #ZONE HOSTS OPTIONS
-vpn eth0:10.0.0.0/8 ipsec
+ #ZONE HOSTS OPTIONS
+vpn eth0:10.0.0.0/8,134.28.54.2 ipsec
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/hosts — System B
- #ZONE HOSTS OPTIONS
-vpn eth0:192.168.1.0/24 ipsec
+ #ZONE HOSTS OPTIONS
+vpn eth0:192.168.1.0/24,206.161.148.9 ipsec
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
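Review bot: `it's` in the added sentence `simply omit it's IP address from the HOSTS column` should be `its`. The surrounding text is consistent with the new hosts entries, which append the remote gateway address (`134.28.54.2` on System A, `206.161.148.9` on System B) to the HOSTS column.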
@@ -271,47 +294,86 @@ vpn loc ACCEPT
For full encrypted connectivity in this configuration (between the
subnets, between each subnet and the opposite gateway, and between the
- gateways), you will need six policies in
+ gateways), you will need eight policies in
/etc/racoon/setkey.conf. For example, on gateway
A:
- # First of all flush the SPD database
+ # First of all flush the SPD and SAD databases
spdflush;
+flush;
# Add some SPD rules
spdadd 192.168.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
spdadd 192.168.1.0/24 134.28.54.2/32 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
spdadd 206.161.148.9/32 134.28.54.2/32 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
+spdadd 206.161.148.9/32 10.0.0.0/8 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
spdadd 10.0.0.0/8 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
spdadd 10.0.0.0/8 206.161.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
-spdadd 134.28.54.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
+spdadd 134.28.54.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
+spdadd 134.28.54.2/32 206.161.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
The setkey.conf file on gateway B would be
similar.
A sample /etc/racoon/racoon.conf file using
- pre-shared keys might look like:
+ X.509 certificates might look like:
- path pre_shared_key "/etc/racoon/psk.txt" ;
+ path certificates "/etc/certs" ;
-remote anonymous
+listen
+{
+ isakmp 206.161.148.9;
+}
+
+remote 134.28.54.2
{
exchange_mode main ;
- my_identifier address ;
+ certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+ verify_cert on;
+ my_identifier asn1dn ;
+ peers_identifier asn1dn ;
+ verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
- authentication_method pre_shared_key ;
+ authentication_method rsasig ;
dh_group 2 ;
}
}
-sainfo anonymous
+sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 206.161.148.9/32 any address 10.0.0.0/8 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 206.161.148.9/32 any address 134.28.54.2/32 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
{
pfs_group 2;
lifetime time 12 hour ;
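Review bot: Each of the new sainfo blocks offers `des` in `encryption_algorithm 3des, blowfish, des, rijndael ;`, so a peer can negotiate single DES (56-bit) for the phase-2 SAs even though the gateway also proposes stronger ciphers, and `hmac_md5` in the authentication list has the same effect; since readers copy these examples, drop the weak entries: `encryption_algorithm 3des, blowfish, rijndael ;` and `authentication_algorithm hmac_sha1 ;`. The four sainfo blocks differ only in their address selectors, so a sentence before the listing saying that would spare the reader comparing them line by line. Because `GatewayA_key.pem` under `path certificates "/etc/certs"` is the gateway's private key, a reminder to keep that file readable only by root would fit next to the `certificate_type x509` line. The last sainfo block (`sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any`) continues past the end of the hunk.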
@@ -327,6 +389,9 @@ sainfo anonymous
134.28.54.2 <the key>
+
+ Note that the same key must be used
+ in both directions.
@@ -349,10 +414,16 @@ sainfo anonymous
/etc/shorewall/zones — System A
#ZONE DISPLAY COMMENTS
-net Internet The big bad internet
vpn VPN Road Warriors
+net Internet The big bad internet
loc local Local Network (192.168.1.0/24)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ Note that the vpn
zone is defined before the
+ net
zone. This is necessary if you are using a
+ Shorewall version earlier than 2.1.11.
+
In this instance, the mobile system (B) has IP address 134.28.54.2
@@ -459,6 +530,12 @@ net Net Internet
loc Local Local Network
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ Note that the vpn
zone is defined before the
+ net
zone. This is advised if you are using a Shorewall
+ version earlier than 2.1.11.
+
+
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
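Review bot: This third zone-ordering note says defining vpn before net `is advised` for Shorewall versions earlier than 2.1.11, while the two otherwise identical notes added earlier in the file (the gateway-to-gateway and road-warrior zones listings) say it `is necessary`. A reader will take the different wording to mean this configuration behaves differently; if it does not, use `This is necessary if you are using a Shorewall version earlier than 2.1.11.` here as well.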
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index c7732c6b9..92d717d30 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-10-02
+ 2004-10-09
2001-2004
@@ -351,7 +351,7 @@ all all REJECT $LOG
Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
- does our laptop (192.168.3.8) and visitors with laptops.
+ does our laptop (192.168.1.8) and visitors with laptops.
The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
@@ -536,7 +536,6 @@ ACCEPT net dmz tcp
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
-ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
AllowPing net dmz
###############################################################################################################################################################################
#
@@ -596,8 +595,6 @@ ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
#
REJECT net fw tcp www,ftp,https
ACCEPT net dmz udp 33434:33435
-ACCEPT net:$OMAK fw udp ntp
-ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
###############################################################################################################################################################################
# Firewall to Internet
#
@@ -859,4 +856,4 @@ default via 192.168.1.254 dev br0
-
+
\ No newline at end of file