From cd771b971e22e11bdaa07aff81f67e53e2eb23c4 Mon Sep 17 00:00:00 2001 From: el_cubano Date: Sat, 4 Aug 2007 22:02:40 +0000 Subject: [PATCH] Add a section on L2TP over IPSEC. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/IPSEC-2.6.xml | 158 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 157 insertions(+), 1 deletion(-) diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 00463b71f..a1991fd77 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -13,6 +13,12 @@ Eastep + + + Roberto + + Sanchez + @@ -27,6 +33,12 @@ Thomas M. Eastep + + 2007 + + Roberto C. Sanchez + + Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version @@ -648,6 +660,150 @@ RACOON=/usr/sbin/racoon +
+ Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP) + + This section is based on the previous section. Please make sure that + you read it thoroughly and understand it. The setup described in this + section is more complex because you are including an additional layer of + tunneling. Again, make sure that you have read the previous section and + it is highly recommended to have the IPSEC-only configuration working + first. + + Additionally, this section assumes that you are running IPSEC, xl2tpd + and pppd on the same system that is running shorewall. However, + configuration of these additional services is beyond the scope of this + document. + + Getting layer 2 tunneling to work is an endeavour unto itself. + However, if you succeed it can be very convenient. Reasons why you might + want configure layer 2 tunneling protocol (L2TP): + + + + You want to give your road warrior an address that is in the same + segment as the other hosts on your network. + + + + Your road warriors are using a legacy operating system (such as MS + Windows or Mac OS X) and you do not want them to have to install third + party software in order to connect to the VPN (both MS Windows and Mac OS + X include VPN clients which natively support L2TP over IPSEC, but not + plain IPSEC). + + + + You like a challenge. + + + + Since the target for a VPN including L2TP will (almost) never be a + road warrior running Linux, I will not include the client side of the + configuration. + + The first thing that needs to be done is to create a new zone called + l2tp to represent the tunneled layer 2 traffic. +
+ /etc/shorewall/zones — System A + + #ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +vpn ipsec +l2tp ipv4 +net ipv4 +loc ipv4 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + Since the L2TP will require the use of pppd, you will end up with one + or more ppp interfaces (each representing an individual road warrior + connection) for which you will need to account. This can be done by + modifying the inerfaces file. (Modify with additional options as needed.) + + +
+ /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect routefilter +loc eth1 192.168.1.255 +l2tp ppp+ - +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+ + The next thing that must be done is to adjust the policy so that the + traffic can go where it needs to go. + + First, you need to decide if you want for hosts in your local zone to + be able to connect to your road warriors. You may or may not want to allow + this. For example, one reason you might want to allow this is so that your + support personnel can use ssh, VNC or remote desktop to fix a problem on + the road warrior's laptop. + + Second, you need to decide if you want the road warrior to have + access to hosts on the local network. You generally want to allow this. + For example, if you have DNS servers on your local network that you want + the road warrior to use. Or perhaps the road warrior needs to mount NFS + shares or needs to access intranet sites which are not visible from the + public Internet. + + Finally, you need to decide if you want the road warriors to be able + to access the public Internet. You probably want to do this, unless you + are trying to create a situation where when the road warrior connects to + the VPN, it is no longer possible to send traffic from the road warrior's + machine to the public Internet. Please note that this not really a strong + security measure. The road warrior could trivially modify the routing + table on the remote machine to have only traffic destined for systems on + the VPN local network go through the secure channel. The rest of the + traffic would simply travel over an Ethernet or wireless interface directly + to the public Internet. In fact, this latter situation is dangerous, as a + simple mistake could easily create a situation where the road warrior's + machine is acting as a router between your local network and the public + Internet, which you certainly do not want to happen. In short, it is best + to allow the road warrior to connect to the public Internet by + default. + +
+ /etc/shorewall/policy: + + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +$FW all ACCEPT +loc net ACCEPT +loc l2tp ACCEPT # Allows local machines to connect to road warriors +l2tp loc ACCEPT # Allows road warriors to connect to local machines +l2tp net ACCEPT # Allows road warriors to connect to the Internet +net all DROP info +# The FOLLOWING POLICY MUST BE LAST +all all REJECT info +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + The final step is to modify your rules file. There are two important + components. First, you must allow the l2tp traffic to reach the xl2tpd + process running on the firewall machine. Second, you must add rules to + open up ports on the firewall to the road warrior for services which are + running on the firewall. For example, if you are running a webserver on + the firewall that must be accessible to road warriors. The reason for the + second step is that the policy does not by default allow unrestricted + access to the firewall itself. + +
+ /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST SOURCE +# PORT(S) PORT(S) +# l2tp over the IPsec VPN +ACCEPT vpn $FW udp 1701 +# webserver that can only be accessed internally +HTTP/ACCEPT loc $FW +HTTP/ACCEPT l2tp $FW +HTTPS/ACCEPT loc $FW +HTTPS/ACCEPT l2tp $FW +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+
+
Transport Mode @@ -833,4 +989,4 @@ all all REJECT info ipsec-tools source tree. It has a wide variety of sample racoon configuration files.
- \ No newline at end of file +
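Review bot: In the /etc/shorewall/interfaces example of the new L2TP section, the entry `l2tp ppp+ -` assigns every ppp interface on the firewall to the l2tp zone, which then gets `ACCEPT` to both loc and net from the policy example; the prose should say that `ppp+` is only safe when xl2tpd/pppd road-warrior links are the only ppp interfaces on the box, and that any other pppd link (an ISP PPPoE connection, for instance) has to be listed explicitly in its own zone before the wildcard, otherwise it silently inherits the road-warrior policies. In the same hunk, the rules example `ACCEPT vpn $FW udp 1701` deserves one sentence explaining that the source is the ipsec-type vpn zone on purpose: L2TP is only admitted once it has already arrived through the IPsec SA, so UDP 1701 is never opened from net, and readers should not "fix" a non-working setup by adding a `net $FW udp 1701` rule. Minor wording in the added prose: "modifying the inerfaces file" should read "interfaces", "why you might want configure" is missing "to", and "this not really a strong security measure" is missing "is"; the first listing title `/etc/shorewall/zones — System A` also breaks the `file:` title convention used by the other three listings in the section.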