mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Add a section on L2TP over IPSEC.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5eec31cd75
commit
cd771b971e
@ -13,6 +13,12 @@
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<author>
|
||||
<firstname>Roberto</firstname>
|
||||
|
||||
<surname>Sanchez</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
@ -27,6 +33,12 @@
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<copyright>
|
||||
<year>2007</year>
|
||||
|
||||
<holder>Roberto C. Sanchez</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
@ -648,6 +660,150 @@ RACOON=/usr/sbin/racoon</programlisting>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section id="RW-L2TP">
|
||||
<title>Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP)</title>
|
||||
|
||||
<para>This section is based on the previous section. Please make sure that
|
||||
you read it thoroughly and understand it. The setup described in this
|
||||
section is more complex because you are including an additional layer of
|
||||
tunneling. Again, make sure that you have read the previous section and
|
||||
it is highly recommended to have the IPSEC-only configuration working
|
||||
first.</para>
|
||||
|
||||
<para>Additionally, this section assumes that you are running IPSEC, xl2tpd
|
||||
and pppd on the same system that is running shorewall. However,
|
||||
configuration of these additional services is beyond the scope of this
|
||||
document.</para>
|
||||
|
||||
<para>Getting layer 2 tunneling to work is an endeavour unto itself.
|
||||
However, if you succeed it can be very convenient. Reasons why you might
|
||||
want configure layer 2 tunneling protocol (L2TP): </para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>You want to give your road warrior an address that is in the same
|
||||
segment as the other hosts on your network.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Your road warriors are using a legacy operating system (such as MS
|
||||
Windows or Mac OS X) and you do not want them to have to install third
|
||||
party software in order to connect to the VPN (both MS Windows and Mac OS
|
||||
X include VPN clients which natively support L2TP over IPSEC, but not
|
||||
plain IPSEC).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You like a challenge.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Since the target for a VPN including L2TP will (almost) never be a
|
||||
road warrior running Linux, I will not include the client side of the
|
||||
configuration.</para>
|
||||
|
||||
<para>The first thing that needs to be done is to create a new zone called
|
||||
<quote>l2tp</quote> to represent the tunneled layer 2 traffic.</para>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn ipsec
|
||||
l2tp ipv4
|
||||
net ipv4
|
||||
loc ipv4
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Since the L2TP will require the use of pppd, you will end up with one
|
||||
or more ppp interfaces (each representing an individual road warrior
|
||||
connection) for which you will need to account. This can be done by
|
||||
modifying the inerfaces file. (Modify with additional options as needed.)
|
||||
</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 192.168.1.255
|
||||
l2tp ppp+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>The next thing that must be done is to adjust the policy so that the
|
||||
traffic can go where it needs to go.</para>
|
||||
|
||||
<para>First, you need to decide if you want for hosts in your local zone to
|
||||
be able to connect to your road warriors. You may or may not want to allow
|
||||
this. For example, one reason you might want to allow this is so that your
|
||||
support personnel can use ssh, VNC or remote desktop to fix a problem on
|
||||
the road warrior's laptop.</para>
|
||||
|
||||
<para>Second, you need to decide if you want the road warrior to have
|
||||
access to hosts on the local network. You generally want to allow this.
|
||||
For example, if you have DNS servers on your local network that you want
|
||||
the road warrior to use. Or perhaps the road warrior needs to mount NFS
|
||||
shares or needs to access intranet sites which are not visible from the
|
||||
public Internet.</para>
|
||||
|
||||
<para>Finally, you need to decide if you want the road warriors to be able
|
||||
to access the public Internet. You probably want to do this, unless you
|
||||
are trying to create a situation where when the road warrior connects to
|
||||
the VPN, it is no longer possible to send traffic from the road warrior's
|
||||
machine to the public Internet. Please note that this not really a strong
|
||||
security measure. The road warrior could trivially modify the routing
|
||||
table on the remote machine to have only traffic destined for systems on
|
||||
the VPN local network go through the secure channel. The rest of the
|
||||
traffic would simply travel over an Ethernet or wireless interface directly
|
||||
to the public Internet. In fact, this latter situation is dangerous, as a
|
||||
simple mistake could easily create a situation where the road warrior's
|
||||
machine is acting as a router between your local network and the public
|
||||
Internet, which you certainly do not want to happen. In short, it is best
|
||||
to allow the road warrior to connect to the public Internet by
|
||||
default.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW all ACCEPT
|
||||
loc net ACCEPT
|
||||
loc l2tp ACCEPT # Allows local machines to connect to road warriors
|
||||
l2tp loc ACCEPT # Allows road warriors to connect to local machines
|
||||
l2tp net ACCEPT # Allows road warriors to connect to the Internet
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>The final step is to modify your rules file. There are two important
|
||||
components. First, you must allow the l2tp traffic to reach the xl2tpd
|
||||
process running on the firewall machine. Second, you must add rules to
|
||||
open up ports on the firewall to the road warrior for services which are
|
||||
running on the firewall. For example, if you are running a webserver on
|
||||
the firewall that must be accessible to road warriors. The reason for the
|
||||
second step is that the policy does not by default allow unrestricted
|
||||
access to the firewall itself.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
# l2tp over the IPsec VPN
|
||||
ACCEPT vpn $FW udp 1701
|
||||
# webserver that can only be accessed internally
|
||||
HTTP/ACCEPT loc $FW
|
||||
HTTP/ACCEPT l2tp $FW
|
||||
HTTPS/ACCEPT loc $FW
|
||||
HTTPS/ACCEPT l2tp $FW
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section id="Transport">
|
||||
<title>Transport Mode</title>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user