Update Jixen link in IPSEC.xml

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-13 19:06:55 +00:00
parent 44e61634d2
commit f12381f393


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-01</pubdate>
<pubdate>2004-08-13</pubdate>
<copyright>
<year>2001-2004</year>
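Review bot: Replacing the pubdate in place (2004-07-01 to 2004-08-13) drops the earlier date; if the document is meant to record its revisions, a DocBook `<revhistory>` entry would keep both, but for a link-only update the in-place bump is acceptable.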
@ -29,13 +29,14 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>This documentation is incomplete regarding using IPSEC and the 2.6
Kernel. Netfilter currently lacks full support for the 2.6 kernel&#39;s
Kernel. Netfilter currently lacks full support for the 2.6 kernel's
implementation of IPSEC. Until that implementation is complete, only a
simple network-network tunnel is described for 2.6.</para>
</warning>
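Review bot: The re-wrapping of the GNU Free Documentation License ulink and the replacement of `&#39;` with a literal apostrophe in the warning are content-neutral (both forms are equivalent in XML), but mixing whitespace reflow into a commit described as "Update Jixen link" makes the real change harder to spot in review; consider keeping reformatting in a separate commit. The warning text about Netfilter's incomplete support for the 2.6 kernel's IPSEC implementation is unchanged.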
@ -44,14 +45,15 @@
<title>Configuring FreeS/Wan</title>
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
url="http://www.geocities.com/jixen66/">http://www.geocities.com/jixen66/</ulink>.
I highly recommend that you consult that site for information about
configuring FreeS/Wan.</para>
url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly
recommend that you consult that site for information about configuring
FreeS/Wan.</para>
<warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
2.0.0 available from the <ulink url="errata.htm">Errata
Page</ulink>.</para>
</warning>
<important>
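Review bot: The `url` attribute and the visible link text are both updated to http://jixen.tripod.com/, so the two stay consistent; good. Since this external reference has already moved once (from geocities.com to tripod.com) and the paragraph calls it the recommended source for configuring FreeS/Wan, consider stating in the paragraph when the link was last verified, or summarising the essential steps locally so the document stays useful if the site moves again. The Shorewall 2.0.1 Beta 3 / Errata Page warning is reflowed only.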
@ -182,34 +184,92 @@ conn packetdefault
</note>
<para>You need to define a zone for the remote subnet or include it in
your local zone. In this example, we&#39;ll assume that you have created a
your local zone. In this example, we'll assume that you have created a
zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para>
<para><table><title>/etc/shorewall/zones - Systems A and B</title><tgroup
cols="3"><thead><row><entry align="center">ZONE</entry><entry
align="center">DISPLAY</entry><entry align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row><row><entry>net</entry><entry>Internet</entry><entry>The
big bad internet</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/zones - Systems A and B</title>
<para><emphasis role="bold">If you are running kernel 2.4:</emphasis><blockquote><para>At
both systems, ipsec0 would be included in /etc/shorewall/interfaces as a
<quote>vpn</quote> interface:</para><para><table><title>/etc/shorewall/interfaces
- Systems A and B</title><tgroup cols="4"><thead><row><entry
align="center">ZONE</entry><entry align="center">INTERFACE</entry><entry
align="center">BROADCAST</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry></row></tbody></tgroup></table></para></blockquote></para>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<para><emphasis role="bold">If you are running kernel 2.6:</emphasis></para>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The big bad internet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><emphasis role="bold">If you are running kernel
2.4:</emphasis><blockquote>
<para>At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
<para><table>
<title>/etc/shorewall/interfaces - Systems A and B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
</blockquote></para>
<para><emphasis role="bold">If you are running kernel
2.6:</emphasis></para>
<blockquote>
<para><emphasis role="bold">It is essential that the
<emphasis>vpn</emphasis> zone be declared before the
<emphasis>net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</emphasis></para>
<emphasis>net</emphasis> zone in
<filename>/etc/shorewall/zones</filename>.</emphasis></para>
<para>Remember the assumption that both systems A and B have eth0 as
their internet interface.</para>
<para>You must define the vpn zone using the /etc/shorewall/hosts file.</para>
<para>You must define the vpn zone using the /etc/shorewall/hosts
file.</para>
<table>
<title>/etc/shorewall/hosts - System A</title>
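Review bot: In the reflowed /etc/shorewall/interfaces table for Systems A and B, `<tgroup cols="4">` declares four columns (ZONE, INTERFACE, BROADCAST, OPTIONS) but the body row carries only three entries (`vpn`, `ipsec0` and one empty `<entry></entry>`), a mismatch carried over from the original single-line markup; add a fourth `<entry></entry>` so the row lines up with the OPTIONS header. The rest of the hunk is whitespace reflow of the zones table and the kernel 2.4/2.6 paragraphs, and the zones table does list vpn before net, matching the "essential" ordering requirement stated for kernel 2.6.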
@ -265,8 +325,9 @@ conn packetdefault
<para>In addition, <emphasis role="bold">if you are using Masquerading
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
network from Masquerade/SNAT. These entries <emphasis role="bold">replace</emphasis>
your current masquerade/SNAT entries for the local networks.</para>
network from Masquerade/SNAT. These entries <emphasis
role="bold">replace</emphasis> your current masquerade/SNAT entries for
the local networks.</para>
<table>
<title>/etc/shorewall/masq - System A</title>
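Review bot: "elmiinate" in the Masquerade/SNAT paragraph is a typo for "eliminate" and appears in both the old and the new lines; since the paragraph is being rewrapped anyway, fix it here. Keeping "replace" in bold is right, because these masq entries supersede the existing ones rather than add to them.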
@ -325,10 +386,45 @@ conn packetdefault
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para>
<para><table><title>/etc/shorewall/policy - Systems A and B</title><tgroup
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
align="center">DEST</entry><entry align="center">POLICY</entry><entry
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/policy - Systems A and B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
@ -416,7 +512,7 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table>
<title>/etc/shorewall/tunnels system B &#38; C</title>
<title>/etc/shorewall/tunnels system B &amp; C</title>
<tgroup cols="4">
<thead>
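Review bot: `&#38;` and `&amp;` are both valid XML escapes for the ampersand, so this change to the "/etc/shorewall/tunnels system B & C" title is a no-op for rendered output; the same replacement is repeated for the zones, interfaces and policy titles below, so consistency across the titles is the only gain. Fine as-is.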
@ -493,7 +589,7 @@ conn packetdefault
<para>On systems B and C:</para>
<table>
<title>/etc/shorewall/zones system B &#38; C</title>
<title>/etc/shorewall/zones system B &amp; C</title>
<tgroup cols="3">
<thead>
@ -551,7 +647,8 @@ conn packetdefault
</tgroup>
</table>
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
<para>The /etc/shorewall/hosts file on system A defines the two VPN
zones:</para>
<table>
<title>/etc/shorewall/hosts system A</title>
@ -591,7 +688,7 @@ conn packetdefault
following in /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B &#38; C</title>
<title>/etc/shorewall/interfaces system B &amp; C</title>
<tgroup cols="4">
<thead>
@ -692,7 +789,7 @@ conn packetdefault
policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system B &#38; C</title>
<title>/etc/shorewall/policy system B &amp; C</title>
<tgroup cols="4">
<thead>
@ -733,7 +830,8 @@ conn packetdefault
<para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
tunnels in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
<note>
<para>to allow traffic between the networks attached to systems B and C,
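Review bot: The product name is spelled "FreeS/WAN" in this link text but "FreeS/Wan" in the "Configuring FreeS/Wan" section title and paragraph earlier in the diff; pick one spelling for the whole document. The reflow of the ulink is otherwise content-neutral.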
@ -801,27 +899,75 @@ conn packetdefault
<title>Road Warrior VPN</title>
<para>You need to define a zone for the laptop or include it in your
local zone. In this example, we&#39;ll assume that you have created a
zone called <quote>vpn</quote> to represent the remote host.</para>
local zone. In this example, we'll assume that you have created a zone
called <quote>vpn</quote> to represent the remote host.</para>
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/zones local</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para>
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
cols="4"><thead><row><entry align="center">TYPE</entry><entry
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/tunnels system A</title>
<para><note><para>the GATEWAY ZONE column contains the name of the zone
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the remote
gateway is a standalone system.</para></note></para>
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
</note></para>
<para>You will need to configure /etc/shorewall/interfaces and establish
your <quote>through the tunnel</quote> policy as shown under the first
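Review bot: The zones table titled "/etc/shorewall/zones local" describes the vpn zone as "Remote Subnet", but the preceding paragraph says the zone represents the remote host (the laptop) and the note under the tunnels table says the remote gateway is a standalone system; "Remote Host" would be consistent. In the tunnels table, GATEWAY `0.0.0.0/0` means the entry accepts the IPSEC peer from any address, which is what a road warrior whose address (134.28.54.2 here) cannot be known in advance requires; the note explains the GATEWAY ZONE column but could say this about the GATEWAY column explicitly.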
@ -922,7 +1068,8 @@ conn packetdefault
a different updown script that adds the remote station to the appropriate
zone when the connection comes up and that deletes the remote station when
the connection comes down. For example, when 134.28.54.2 connects for the
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
vpn2 zone the <quote>up</quote> part of the script will issue the
command:</para>
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
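Review bot: The paragraph says the updown script adds the remote station when the connection comes up and deletes it when the connection comes down, but the programlisting shows only the "up" command; add the matching "down" command (the corresponding `/sbin/shorewall delete ipsec0:134.28.54.2 vpn2`) so the reader sees both halves, otherwise a disconnected road warrior's address would be left in the vpn2 zone.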
@ -939,11 +1086,45 @@ conn packetdefault
<example>
<title>dyn=dynamic zone</title>
<para><informaltable><tgroup cols="7"><thead><row><entry
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
<para><informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para>
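Review bot: The example title "dyn=dynamic zone" explains only the dyn part of the SOURCE entry `z!dyn`; the zone `z` is never introduced, and the reader needs to know that `z!dyn` means zone z excluding the hosts of dyn to follow the closing statement that dynamic changes to dyn have no effect on the rule. Suggest a sentence before the informaltable stating this, or a fuller title along the lines of "z is a zone, dyn is a dynamic zone". The table itself is consistent: seven declared columns and seven entries in the row.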