mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-09 23:28:13 +01:00
Update the IPSEC doc for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
0a8905f25b
commit
745e04823d
@ -295,8 +295,7 @@ ipsec net 206.162.148.9
|
|||||||
<para><filename><filename>/etc/shorewall/zones</filename></filename> —
|
<para><filename><filename>/etc/shorewall/zones</filename></filename> —
|
||||||
Systems A and B:</para>
|
Systems A and B:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
net ipv4
|
net ipv4
|
||||||
<emphasis role="bold">vpn ipv4</emphasis>
|
<emphasis role="bold">vpn ipv4</emphasis>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
@ -330,7 +329,7 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
|
|||||||
<filename>/etc/shorewall/policy</filename> entries on each system:</para>
|
<filename>/etc/shorewall/policy</filename> entries on each system:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
|
||||||
loc vpn ACCEPT
|
loc vpn ACCEPT
|
||||||
vpn loc ACCEPT</programlisting>
|
vpn loc ACCEPT</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -339,7 +338,7 @@ vpn loc ACCEPT</programlisting>
|
|||||||
then you could add:</para>
|
then you could add:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
|
||||||
$FW vpn ACCEPT</programlisting>
|
$FW vpn ACCEPT</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
@ -348,7 +347,7 @@ $FW vpn ACCEPT</programlisting>
|
|||||||
from System B, add this rule on system A:</para>
|
from System B, add this rule on system A:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY
|
<programlisting>#ACTION SOURCE DEST PROTO POLICY
|
||||||
ACCEPT vpn:134.28.54.2 $FW</programlisting>
|
ACCEPT vpn:134.28.54.2 $FW</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
@ -458,8 +457,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
|
|||||||
through an ESP tunnel then the following entry would be
|
through an ESP tunnel then the following entry would be
|
||||||
appropriate:</para>
|
appropriate:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
|
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
|
||||||
|
|
||||||
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure
|
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure
|
||||||
@ -493,8 +491,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
net ipv4
|
net ipv4
|
||||||
<emphasis role="bold">vpn ipsec</emphasis>
|
<emphasis role="bold">vpn ipsec</emphasis>
|
||||||
loc ipv4
|
loc ipv4
|
||||||
@ -536,8 +533,7 @@ vpn eth0:0.0.0.0/0
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/zones</filename> - System B:</para>
|
<para><filename>/etc/shorewall/zones</filename> - System B:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
vpn ipsec
|
vpn ipsec
|
||||||
net ipv4
|
net ipv4
|
||||||
loc ipv4
|
loc ipv4
|
||||||
@ -716,9 +712,8 @@ RACOON=/usr/sbin/racoon</programlisting>
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
et ipv4
|
||||||
net ipv4
|
|
||||||
vpn ipsec
|
vpn ipsec
|
||||||
<emphasis role="bold">l2tp ipv4</emphasis>
|
<emphasis role="bold">l2tp ipv4</emphasis>
|
||||||
loc ipv4
|
loc ipv4
|
||||||
@ -802,8 +797,7 @@ all all REJECT info
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||||
# PORT(S) PORT(S)
|
|
||||||
?SECTION ESTABLISHED
|
?SECTION ESTABLISHED
|
||||||
# Prevent IPsec bypass by hosts behind a NAT gateway
|
# Prevent IPsec bypass by hosts behind a NAT gateway
|
||||||
L2TP(REJECT) net $FW
|
L2TP(REJECT) net $FW
|
||||||
@ -890,9 +884,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
net eth0 detect routefilter,dhcp,tcpflags
|
net eth0 routefilter,dhcp,tcpflags</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||||
|
|
||||||
@ -910,8 +903,7 @@ net ipv4</programlisting>
|
|||||||
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
|
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOST(S) OPTIONS
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
loc eth0:192.168.20.0/24
|
loc eth0:192.168.20.0/24</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>It is worth noting that although <emphasis>loc</emphasis> is a
|
<para>It is worth noting that although <emphasis>loc</emphasis> is a
|
||||||
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
|
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
|
||||||
@ -928,8 +920,7 @@ net loc NONE
|
|||||||
loc net NONE
|
loc net NONE
|
||||||
net all DROP info
|
net all DROP info
|
||||||
# The FOLLOWING POLICY MUST BE LAST
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT info
|
all all REJECT info</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>Since there are no cases where net<->loc traffic should
|
<para>Since there are no cases where net<->loc traffic should
|
||||||
occur, NONE policies are used.</para>
|
occur, NONE policies are used.</para>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user