extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 06:10:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add a section on L2TP over IPSEC.

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
el_cubano 2007-08-04 22:02:40 +00:00
parent 5eec31cd75
commit cd771b971e
1 changed files with 157 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
docs/IPSEC-2.6.xml
View File

@ -13,6 +13,12 @@
<surname>Eastep</surname>
</author>
<author>
<firstname>Roberto</firstname>
<surname>Sanchez</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@ -27,6 +33,12 @@
<holder>Thomas M. Eastep</holder>
</copyright>
<copyright>
<year>2007</year>
<holder>Roberto C. Sanchez</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
@ -648,6 +660,150 @@ RACOON=/usr/sbin/racoon</programlisting>
</warning>
</section>
<section id="RW-L2TP">
<title>Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP)</title>
<para>This section is based on the previous section. Please make sure that
you read it thoroughly and understand it. The setup described in this
section is more complex because you are including an additional layer of
tunneling. Again, make sure that you have read the previous section and
it is highly recommended to have the IPSEC-only configuration working
first.</para>
<para>Additionally, this section assumes that you are running IPSEC, xl2tpd
and pppd on the same system that is running shorewall. However,
configuration of these additional services is beyond the scope of this
document.</para>
<para>Getting layer 2 tunneling to work is an endeavour unto itself.
However, if you succeed it can be very convenient. Reasons why you might
want configure layer 2 tunneling protocol (L2TP): </para>
<orderedlist>
<listitem>
<para>You want to give your road warrior an address that is in the same
segment as the other hosts on your network.</para>
</listitem>
<listitem>
<para>Your road warriors are using a legacy operating system (such as MS
Windows or Mac OS X) and you do not want them to have to install third
party software in order to connect to the VPN (both MS Windows and Mac OS
X include VPN clients which natively support L2TP over IPSEC, but not
plain IPSEC).</para>
</listitem>
<listitem>
<para>You like a challenge.</para>
</listitem>
</orderedlist>
<para>Since the target for a VPN including L2TP will (almost) never be a
road warrior running Linux, I will not include the client side of the
configuration.</para>
<para>The first thing that needs to be done is to create a new zone called
<quote>l2tp</quote> to represent the tunneled layer 2 traffic.</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn ipsec
l2tp ipv4
net ipv4
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with one
or more ppp interfaces (each representing an individual road warrior
connection) for which you will need to account. This can be done by
modifying the inerfaces file. (Modify with additional options as needed.)
</para>
<blockquote>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 192.168.1.255
l2tp ppp+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>The next thing that must be done is to adjust the policy so that the
traffic can go where it needs to go.</para>
<para>First, you need to decide if you want for hosts in your local zone to
be able to connect to your road warriors. You may or may not want to allow
this. For example, one reason you might want to allow this is so that your
support personnel can use ssh, VNC or remote desktop to fix a problem on
the road warrior's laptop.</para>
<para>Second, you need to decide if you want the road warrior to have
access to hosts on the local network. You generally want to allow this.
For example, if you have DNS servers on your local network that you want
the road warrior to use. Or perhaps the road warrior needs to mount NFS
shares or needs to access intranet sites which are not visible from the
public Internet.</para>
<para>Finally, you need to decide if you want the road warriors to be able
to access the public Internet. You probably want to do this, unless you
are trying to create a situation where when the road warrior connects to
the VPN, it is no longer possible to send traffic from the road warrior's
machine to the public Internet. Please note that this not really a strong
security measure. The road warrior could trivially modify the routing
table on the remote machine to have only traffic destined for systems on
the VPN local network go through the secure channel. The rest of the
traffic would simply travel over an Ethernet or wireless interface directly
to the public Internet. In fact, this latter situation is dangerous, as a
simple mistake could easily create a situation where the road warrior's
machine is acting as a router between your local network and the public
Internet, which you certainly do not want to happen. In short, it is best
to allow the road warrior to connect to the public Internet by
default.</para>
<blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW all ACCEPT
loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors
l2tp loc ACCEPT # Allows road warriors to connect to local machines
l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>The final step is to modify your rules file. There are two important
components. First, you must allow the l2tp traffic to reach the xl2tpd
process running on the firewall machine. Second, you must add rules to
open up ports on the firewall to the road warrior for services which are
running on the firewall. For example, if you are running a webserver on
the firewall that must be accessible to road warriors. The reason for the
second step is that the policy does not by default allow unrestricted
access to the firewall itself.</para>
<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
# l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally
HTTP/ACCEPT loc $FW
HTTP/ACCEPT l2tp $FW
HTTPS/ACCEPT loc $FW
HTTPS/ACCEPT l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section id="Transport">
<title>Transport Mode</title>
@ -833,4 +989,4 @@ all all REJECT info
ipsec-tools source tree. It has a wide variety of sample racoon
configuration files.</para>
</section>
</article>
</article>