From 4032f0bf70bc245396e5a86326014f59b91b07e0 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 9 Oct 2004 15:08:06 +0000
Subject: [PATCH] Doc updates from vacation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/Documentation_Index.xml | 7 +-
 Shorewall-docs2/IPSEC-2.6.xml | 123 +++++++++++++++++++-----
 Shorewall-docs2/myfiles.xml | 9 +-
 3 files changed, 109 insertions(+), 30 deletions(-)
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 915368f2d..983a9b73b 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-10-05
+ 2004-10-06
 2001-2004
@@ -341,6 +341,11 @@ IPSEC
+
+ IPSEC using Kernel 2.6 and Shorewall
+ 2.1 or Later.
+
+
 Kazaa Filtering
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index 02d345ab9..b0dad877f 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2004-10-01
+ 2004-10-08
 2004
@@ -35,13 +35,20 @@
- To use this support, your kernel and iptables must include the
- Netfilter+ipsec patches and policy match support and you must be running
- Shorewall 2.1.5 or later. The Netfilter patches are available from
- Netfilter Patch-O-Matic-NG and are also included in some commercial
- distributions (most notably SuSE 9.1).
+ To use the features described in this article, your kernel and
+ iptables must include the Netfilter+ipsec patches and policy match support
+ and you must be running Shorewall 2.1.5 or later. The Netfilter patches
+ are available from Netfilter Patch-O-Matic-NG and are also included in
+ some commercial distributions (most notably SuSE
+ 9.1).
+
+ You must have BOTH the
+ Netfilter+ipsec patches and the policy match patch. One without the other will not work.
+
+
 As of this writing, the Netfilter+ipsec and policy match support are broken when used with a bridge device. The problem has been reported to
@@ -112,7 +119,7 @@ must be matched against policies in the SPD and/or the appropriate SA.
- Shorewall provides support for policy matching in two ways:
+ Shorewall provides support for policy matching in three ways:
@@ -129,6 +136,13 @@ file allows you to associate zones with traffic that will be encrypted or that has been decrypted.
+
+
+ A new option (ipsec) has been
+ provided for entries in /etc/shorewall/hosts.
+ When an entry has this option specified, traffic to/from the hosts
+ described in the entry is assumed to be encrypted.
+
 In summary, Shorewall 2.1.5 and later versions provide the
@@ -231,28 +245,37 @@ ipsec net 206.161.148.9 B: #ZONE DISPLAY COMMENTS
-net Internet The big bad internet
 vpn VPN Virtual Private Network
+net Internet The big bad internet
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ Note that the vpn zone is defined before the
+ net zone. This is necessary if you are using a Shorewall
+ version earlier than 2.1.11.
+
+
 Remember the assumption that both systems A and B have eth0 as their internet interface. You must define the vpn zone using the
- /etc/shorewall/hosts file.
+ /etc/shorewall/hosts file. The hosts file entries
+ below assume that you want the remote gateway to be part of the vpn zone —
+ If you don't wish the remote gateway included, simply omit it's IP address
+ from the HOSTS column.
 /etc/shorewall/hosts — System A
- #ZONE HOSTS OPTIONS
-vpn eth0:10.0.0.0/8 ipsec
+ #ZONE HOSTS OPTIONS
+vpn eth0:10.0.0.0/8,134.28.54.2 ipsec
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 /etc/shorewall/hosts — System B
- #ZONE HOSTS OPTIONS
-vpn eth0:192.168.1.0/24 ipsec
+ #ZONE HOSTS OPTIONS
+vpn eth0:192.168.1.0/24,206.161.148.9 ipsec
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
@@ -271,47 +294,86 @@ vpn loc ACCEPT For full encrypted connectivity in this configuration (between the subnets, between each subnet and the opposite gateway, and between the
- gateways), you will need six policies in
+ gateways), you will need eight policies in
 /etc/racoon/setkey.conf. For example, on gateway A:
- # First of all flush the SPD database
+ # First of all flush the SPD and SAD databases
 spdflush;
+flush;
 # Add some SPD rules
 spdadd 192.168.1.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
 spdadd 192.168.1.0/24 134.28.54.2/32 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
 spdadd 206.161.148.9/32 134.28.54.2/32 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
+spdadd 206.161.148.9/32 10.0.0.0/8 any -P out ipsec esp/tunnel/206.161.148.9-134.28.54.2/require;
 spdadd 10.0.0.0/8 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
 spdadd 10.0.0.0/8 206.161.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
-spdadd 134.28.54.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
+spdadd 134.28.54.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
+spdadd 134.28.54.2/32 206.161.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2-206.161.148.9/require;
 The setkey.conf file on gateway B would be similar. A sample /etc/racoon/racoon.conf file using
- pre-shared keys might look like:
+ X.509 certificates might look like:
- path pre_shared_key "/etc/racoon/psk.txt" ;
+ path certificates "/etc/certs" ;
-remote anonymous
+listen
+{
+ isakmp 206.161.148.9;
+}
+
+remote 134.28.54.2
 {
 exchange_mode main ;
- my_identifier address ;
+ certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+ verify_cert on;
+ my_identifier asn1dn ;
+ peers_identifier asn1dn ;
+ verify_identifier on ;
 lifetime time 24 hour ;
 proposal {
 encryption_algorithm 3des;
 hash_algorithm sha1;
- authentication_method pre_shared_key ;
+ authentication_method rsasig ;
 dh_group 2 ;
 }
 }
-sainfo anonymous
+sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 206.161.148.9/32 any address 10.0.0.0/8 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 206.161.148.9/32 any address 134.28.54.2/32 any
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, blowfish, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
+sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
 {
 pfs_group 2;
 lifetime time 12 hour ;
@@ -327,6 +389,9 @@ sainfo anonymous
134.28.54.2 <the key>
+
+ Note that the same key must be used
+ in both directions.
@@ -349,10 +414,16 @@ sainfo anonymous /etc/shorewall/zones — System A #ZONE DISPLAY COMMENTS
-net Internet The big bad internet
 vpn VPN Road Warriors
+net Internet The big bad internet
 loc local Local Network (192.168.1.0/24)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ Note that the vpn zone is defined before the
+ net zone. This is necessary if you are using a
+ Shorewall version earlier than 2.1.11.
+
 In this instance, the mobile system (B) has IP address 134.28.54.2
@@ -459,6 +530,12 @@ net Net Internet loc Local Local Network
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ Note that the vpn zone is defined before the
+ net zone. This is advised if you are using a Shorewall
+ version earlier than 2.1.11.
+
+
 /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index c7732c6b9..92d717d30 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-10-02
+ 2004-10-09
 2001-2004
@@ -351,7 +351,7 @@ all all REJECT $LOG
 Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
- does our laptop (192.168.3.8) and visitors with laptops.
+ does our laptop (192.168.1.8) and visitors with laptops.
 The first entry allows access to the DSL modem and uses features introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
@@ -536,7 +536,6 @@ ACCEPT net dmz tcp ACCEPT net dmz udp domain ACCEPT net dmz udp 33434:33436 Mirrors net dmz tcp rsync
-ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
 AllowPing net dmz
 ###############################################################################################################################################################################
 #
@@ -596,8 +595,6 @@ ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp # REJECT net fw tcp www,ftp,https ACCEPT net dmz udp 33434:33435
-ACCEPT net:$OMAK fw udp ntp
-ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
 ###############################################################################################################################################################################
 # Firewall to Internet
 #
@@ -859,4 +856,4 @@ default via 192.168.1.254 dev br0
-
+
\ No newline at end of file