diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 00463b71f..a1991fd77 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -13,6 +13,12 @@
Eastep
+
+
+ Roberto
+
+ Sanchez
+
@@ -27,6 +33,12 @@
Thomas M. Eastep
+
+ 2007
+
+ Roberto C. Sanchez
+
+
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
@@ -648,6 +660,150 @@ RACOON=/usr/sbin/racoon
+
+ Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP)
+
+ This section is based on the previous section. Please make sure that
+ you read it thoroughly and understand it. The setup described in this
+ section is more complex because you are including an additional layer of
+ tunneling. Again, make sure that you have read the previous section and
+ it is highly recommended to have the IPSEC-only configuration working
+ first.
+
+ Additionally, this section assumes that you are running IPSEC, xl2tpd
+ and pppd on the same system that is running shorewall. However,
+ configuration of these additional services is beyond the scope of this
+ document.
+
+ Getting layer 2 tunneling to work is an endeavour unto itself.
+ However, if you succeed it can be very convenient. Reasons why you might
+ want configure layer 2 tunneling protocol (L2TP):
+
+
+
+ You want to give your road warrior an address that is in the same
+ segment as the other hosts on your network.
+
+
+
+ Your road warriors are using a legacy operating system (such as MS
+ Windows or Mac OS X) and you do not want them to have to install third
+ party software in order to connect to the VPN (both MS Windows and Mac OS
+ X include VPN clients which natively support L2TP over IPSEC, but not
+ plain IPSEC).
+
+
+
+ You like a challenge.
+
+
+
+ Since the target for a VPN including L2TP will (almost) never be a
+ road warrior running Linux, I will not include the client side of the
+ configuration.
+
+ The first thing that needs to be done is to create a new zone called
+ l2tp
to represent the tunneled layer 2 traffic.
+
+ /etc/shorewall/zones — System A
+
+ #ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+vpn ipsec
+l2tp ipv4
+net ipv4
+loc ipv4
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ Since the L2TP will require the use of pppd, you will end up with one
+ or more ppp interfaces (each representing an individual road warrior
+ connection) for which you will need to account. This can be done by
+ modifying the inerfaces file. (Modify with additional options as needed.)
+
+
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect routefilter
+loc eth1 192.168.1.255
+l2tp ppp+ -
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+ The next thing that must be done is to adjust the policy so that the
+ traffic can go where it needs to go.
+
+ First, you need to decide if you want for hosts in your local zone to
+ be able to connect to your road warriors. You may or may not want to allow
+ this. For example, one reason you might want to allow this is so that your
+ support personnel can use ssh, VNC or remote desktop to fix a problem on
+ the road warrior's laptop.
+
+ Second, you need to decide if you want the road warrior to have
+ access to hosts on the local network. You generally want to allow this.
+ For example, if you have DNS servers on your local network that you want
+ the road warrior to use. Or perhaps the road warrior needs to mount NFS
+ shares or needs to access intranet sites which are not visible from the
+ public Internet.
+
+ Finally, you need to decide if you want the road warriors to be able
+ to access the public Internet. You probably want to do this, unless you
+ are trying to create a situation where when the road warrior connects to
+ the VPN, it is no longer possible to send traffic from the road warrior's
+ machine to the public Internet. Please note that this not really a strong
+ security measure. The road warrior could trivially modify the routing
+ table on the remote machine to have only traffic destined for systems on
+ the VPN local network go through the secure channel. The rest of the
+ traffic would simply travel over an Ethernet or wireless interface directly
+ to the public Internet. In fact, this latter situation is dangerous, as a
+ simple mistake could easily create a situation where the road warrior's
+ machine is acting as a router between your local network and the public
+ Internet, which you certainly do not want to happen. In short, it is best
+ to allow the road warrior to connect to the public Internet by
+ default.
+
+
+ /etc/shorewall/policy:
+
+ #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+$FW all ACCEPT
+loc net ACCEPT
+loc l2tp ACCEPT # Allows local machines to connect to road warriors
+l2tp loc ACCEPT # Allows road warriors to connect to local machines
+l2tp net ACCEPT # Allows road warriors to connect to the Internet
+net all DROP info
+# The FOLLOWING POLICY MUST BE LAST
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ The final step is to modify your rules file. There are two important
+ components. First, you must allow the l2tp traffic to reach the xl2tpd
+ process running on the firewall machine. Second, you must add rules to
+ open up ports on the firewall to the road warrior for services which are
+ running on the firewall. For example, if you are running a webserver on
+ the firewall that must be accessible to road warriors. The reason for the
+ second step is that the policy does not by default allow unrestricted
+ access to the firewall itself.
+
+
+ /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE
+# PORT(S) PORT(S)
+# l2tp over the IPsec VPN
+ACCEPT vpn $FW udp 1701
+# webserver that can only be accessed internally
+HTTP/ACCEPT loc $FW
+HTTP/ACCEPT l2tp $FW
+HTTPS/ACCEPT loc $FW
+HTTPS/ACCEPT l2tp $FW
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
Transport Mode
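Review bot: the interfaces entry `l2tp ppp+ -` puts every ppp interface on the firewall into the l2tp zone, and the surrounding text does not say so; a reader whose firewall already has a ppp interface for another purpose (for example a PPPoE uplink in the net zone) would end up with that uplink classified as l2tp and subject to the `l2tp loc ACCEPT` and `l2tp net ACCEPT` policies added in this hunk. Suggest a sentence in the paragraph above the interfaces listing noting that `ppp+` must not overlap with existing ppp interfaces, and that the wildcard should be narrowed (or explicit ppp unit numbers listed) in that case. Same hunk, wording: "modifying the inerfaces file" should read "interfaces"; "why you might want configure layer 2 tunneling protocol" is missing "to"; "Please note that this not really a strong security measure" is missing "is"; and "For example, if you are running a webserver on the firewall that must be accessible to road warriors." is a sentence fragment that should be joined to the preceding sentence.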
@@ -833,4 +989,4 @@ all all REJECT info
ipsec-tools source tree. It has a wide variety of sample racoon
configuration files.
-
\ No newline at end of file
+