Add a section on L2TP over IPSEC.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/IPSEC-2.6.xml

@@ -13,6 +13,12 @@
 
         <surname>Eastep</surname>
       </author>
+
+      <author>
+        <firstname>Roberto</firstname>
+
+        <surname>Sanchez</surname>
+      </author>
     </authorgroup>
 
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@@ -27,6 +33,12 @@
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
+    <copyright>
+      <year>2007</year>
+
+      <holder>Roberto C. Sanchez</holder>
+    </copyright>
+
     <legalnotice>
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
@@ -648,6 +660,150 @@ RACOON=/usr/sbin/racoon</programlisting>
     </warning>
   </section>
 
+  <section id="RW-L2TP">
+    <title>Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP)</title>
+
+    <para>This section is based on the previous section.  Please make sure that
+    you read it thoroughly and understand it.  The setup described in this
+    section is more complex because you are including an additional layer of
+    tunneling.  Again, make sure that you have read the previous section and
+    it is highly recommended to have the IPSEC-only configuration working
+    first.</para>
+  
+    <para>Additionally, this section assumes that you are running IPSEC, xl2tpd
+    and pppd on the same system that is running shorewall.  However,
+    configuration of these additional services is beyond the scope of this
+    document.</para>
+
+    <para>Getting layer 2 tunneling to work is an endeavour unto itself.
+    However, if you succeed it can be very convenient.  Reasons why you might
+    want configure layer 2 tunneling protocol (L2TP): </para>
+
+    <orderedlist>
+      <listitem>
+        <para>You want to give your road warrior an address that is in the same
+        segment as the other hosts on your network.</para>
+      </listitem>
+  
+      <listitem>
+        <para>Your road warriors are using a legacy operating system (such as MS
+        Windows or Mac OS X) and you do not want them to have to install third
+        party software in order to connect to the VPN (both MS Windows and Mac OS
+        X include VPN clients which natively support L2TP over IPSEC, but not
+        plain IPSEC).</para>
+      </listitem>
+  
+      <listitem>
+        <para>You like a challenge.</para>
+      </listitem>
+    </orderedlist>
+  
+    <para>Since the target for a VPN including L2TP will (almost) never be a
+    road warrior running Linux, I will not include the client side of the
+    configuration.</para>
+
+    <para>The first thing that needs to be done is to create a new zone called
+    <quote>l2tp</quote> to represent the tunneled layer 2 traffic.</para>
+    <blockquote>
+      <para><filename>/etc/shorewall/zones</filename> — System A</para>
+
+      <programlisting>#ZONE          TYPE             OPTIONS             IN           OUT
+#                                                   OPTIONS      OPTIONS
+vpn            ipsec
+l2tp           ipv4
+net            ipv4
+loc            ipv4
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+    </blockquote>
+
+    <para>Since the L2TP will require the use of pppd, you will end up with one
+    or more ppp interfaces (each representing an individual road warrior
+    connection) for which you will need to account.  This can be done by
+    modifying the inerfaces file.  (Modify with additional options as needed.)
+    </para>
+
+    <blockquote>
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+net     eth0            detect          routefilter
+loc     eth1            192.168.1.255
+l2tp    ppp+            -
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+    </blockquote>
+
+    <para>The next thing that must be done is to adjust the policy so that the
+    traffic can go where it needs to go.</para>
+
+    <para>First, you need to decide if you want for hosts in your local zone to
+    be able to connect to your road warriors.  You may or may not want to allow
+    this.  For example, one reason you might want to allow this is so that your
+    support personnel can use ssh, VNC or remote desktop to fix a problem on
+    the road warrior's laptop.</para>
+
+    <para>Second, you need to decide if you want the road warrior to have
+    access to hosts on the local network.  You generally want to allow this.
+    For example, if you have DNS servers on your local network that you want
+    the road warrior to use.  Or perhaps the road warrior needs to mount NFS
+    shares or needs to access intranet sites which are not visible from the
+    public Internet.</para>
+
+    <para>Finally, you need to decide if you want the road warriors to be able
+    to access the public Internet.  You probably want to do this, unless you
+    are trying to create a situation where when the road warrior connects to
+    the VPN, it is no longer possible to send traffic from the road warrior's
+    machine to the public Internet.  Please note that this not really a strong
+    security measure.  The road warrior could trivially modify the routing
+    table on the remote machine to have only traffic destined for systems on
+    the VPN local network go through the secure channel.  The rest of the
+    traffic would simply travel over an Ethernet or wireless interface directly
+    to the public Internet.  In fact, this latter situation is dangerous, as a
+    simple mistake could easily create a situation where the road warrior's
+    machine is acting as a router between your local network and the public
+    Internet, which you certainly do not want to happen.  In short, it is best
+    to allow the road warrior to connect to the public Internet by
+    default.</para>
+
+    <blockquote>
+      <para><filename>/etc/shorewall/policy</filename>:</para>
+
+      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+$FW             all             ACCEPT
+loc             net             ACCEPT
+loc             l2tp            ACCEPT # Allows local machines to connect to road warriors
+l2tp            loc             ACCEPT # Allows road warriors to connect to local machines
+l2tp            net             ACCEPT # Allows road warriors to connect to the Internet
+net             all             DROP            info
+# The FOLLOWING POLICY MUST BE LAST
+all             all             REJECT          info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+    </blockquote>
+
+    <para>The final step is to modify your rules file.  There are two important
+    components.  First, you must allow the l2tp traffic to reach the xl2tpd
+    process running on the firewall machine.  Second, you must add rules to
+    open up ports on the firewall to the road warrior for services which are
+    running on the firewall.  For example, if you are running a webserver on
+    the firewall that must be accessible to road warriors.  The reason for the
+    second step is that the policy does not by default allow unrestricted
+    access to the firewall itself.</para>
+
+    <blockquote>
+      <para><filename>/etc/shorewall/rules</filename>:</para>
+
+      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
+#                                       PORT(S) PORT(S)
+# l2tp over the IPsec VPN
+ACCEPT          vpn     $FW     udp     1701
+# webserver that can only be accessed internally
+HTTP/ACCEPT     loc     $FW
+HTTP/ACCEPT     l2tp    $FW
+HTTPS/ACCEPT    loc     $FW
+HTTPS/ACCEPT    l2tp    $FW
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
+    </blockquote>
+  </section>
+
   <section id="Transport">
     <title>Transport Mode</title>