mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Update Jixen link in IPSEC.xml
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
44e61634d2
commit
f12381f393
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-01</pubdate>
|
||||
<pubdate>2004-08-13</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,13 +29,14 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>This documentation is incomplete regarding using IPSEC and the 2.6
|
||||
Kernel. Netfilter currently lacks full support for the 2.6 kernel's
|
||||
Kernel. Netfilter currently lacks full support for the 2.6 kernel's
|
||||
implementation of IPSEC. Until that implementation is complete, only a
|
||||
simple network-network tunnel is described for 2.6.</para>
|
||||
</warning>
|
||||
@ -44,14 +45,15 @@
|
||||
<title>Configuring FreeS/Wan</title>
|
||||
|
||||
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
|
||||
url="http://www.geocities.com/jixen66/">http://www.geocities.com/jixen66/</ulink>.
|
||||
I highly recommend that you consult that site for information about
|
||||
configuring FreeS/Wan.</para>
|
||||
url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly
|
||||
recommend that you consult that site for information about configuring
|
||||
FreeS/Wan.</para>
|
||||
|
||||
<warning>
|
||||
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
|
||||
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
|
||||
2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
|
||||
2.0.0 available from the <ulink url="errata.htm">Errata
|
||||
Page</ulink>.</para>
|
||||
</warning>
|
||||
|
||||
<important>
|
||||
@ -182,34 +184,92 @@ conn packetdefault
|
||||
</note>
|
||||
|
||||
<para>You need to define a zone for the remote subnet or include it in
|
||||
your local zone. In this example, we'll assume that you have created a
|
||||
your local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote subnet. Note that
|
||||
you should define the vpn zone before the net zone.</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/zones - Systems A and B</title><tgroup
|
||||
cols="3"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">DISPLAY</entry><entry align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row><row><entry>net</entry><entry>Internet</entry><entry>The
|
||||
big bad internet</entry></row></tbody></tgroup></table></para>
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones - Systems A and B</title>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel 2.4:</emphasis><blockquote><para>At
|
||||
both systems, ipsec0 would be included in /etc/shorewall/interfaces as a
|
||||
<quote>vpn</quote> interface:</para><para><table><title>/etc/shorewall/interfaces
|
||||
- Systems A and B</title><tgroup cols="4"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">INTERFACE</entry><entry
|
||||
align="center">BROADCAST</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry></row></tbody></tgroup></table></para></blockquote></para>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel 2.6:</emphasis></para>
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>Internet</entry>
|
||||
|
||||
<entry>The big bad internet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel
|
||||
2.4:</emphasis><blockquote>
|
||||
<para>At both systems, ipsec0 would be included in
|
||||
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/interfaces - Systems A and B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
</blockquote></para>
|
||||
|
||||
<para><emphasis role="bold">If you are running kernel
|
||||
2.6:</emphasis></para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">It is essential that the
|
||||
<emphasis>vpn</emphasis> zone be declared before the
|
||||
<emphasis>net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</emphasis></para>
|
||||
<emphasis>net</emphasis> zone in
|
||||
<filename>/etc/shorewall/zones</filename>.</emphasis></para>
|
||||
|
||||
<para>Remember the assumption that both systems A and B have eth0 as
|
||||
their internet interface.</para>
|
||||
|
||||
<para>You must define the vpn zone using the /etc/shorewall/hosts file.</para>
|
||||
<para>You must define the vpn zone using the /etc/shorewall/hosts
|
||||
file.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts - System A</title>
|
||||
@ -265,8 +325,9 @@ conn packetdefault
|
||||
|
||||
<para>In addition, <emphasis role="bold">if you are using Masquerading
|
||||
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
|
||||
network from Masquerade/SNAT. These entries <emphasis role="bold">replace</emphasis>
|
||||
your current masquerade/SNAT entries for the local networks.</para>
|
||||
network from Masquerade/SNAT. These entries <emphasis
|
||||
role="bold">replace</emphasis> your current masquerade/SNAT entries for
|
||||
the local networks.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq - System A</title>
|
||||
@ -325,10 +386,45 @@ conn packetdefault
|
||||
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/policy - Systems A and B</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
|
||||
align="center">DEST</entry><entry align="center">POLICY</entry><entry
|
||||
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
<para><table>
|
||||
<title>/etc/shorewall/policy - Systems A and B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
|
||||
<para>Once you have these entries in place, restart Shorewall (type
|
||||
shorewall restart); you are now ready to configure the tunnel in <ulink
|
||||
@ -416,7 +512,7 @@ conn packetdefault
|
||||
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -493,7 +589,7 @@ conn packetdefault
|
||||
<para>On systems B and C:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
@ -551,7 +647,8 @@ conn packetdefault
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN
|
||||
zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts system A</title>
|
||||
@ -591,7 +688,7 @@ conn packetdefault
|
||||
following in /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -692,7 +789,7 @@ conn packetdefault
|
||||
policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -733,7 +830,8 @@ conn packetdefault
|
||||
|
||||
<para>Once you have the Shorewall entries added, restart Shorewall on each
|
||||
gateway (type shorewall restart); you are now ready to configure the
|
||||
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
tunnels in <ulink
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
|
||||
<note>
|
||||
<para>to allow traffic between the networks attached to systems B and C,
|
||||
@ -801,27 +899,75 @@ conn packetdefault
|
||||
<title>Road Warrior VPN</title>
|
||||
|
||||
<para>You need to define a zone for the laptop or include it in your
|
||||
local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote host.</para>
|
||||
local zone. In this example, we'll assume that you have created a zone
|
||||
called <quote>vpn</quote> to represent the remote host.</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
|
||||
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row></tbody></tgroup></table></para>
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones local</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
|
||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||
but that cannot be determined in advance. In the /etc/shorewall/tunnels
|
||||
file on system A, the following entry should be made:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">TYPE</entry><entry
|
||||
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
|
||||
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
|
||||
<para><table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<para><note><para>the GATEWAY ZONE column contains the name of the zone
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
|
||||
<para><note>
|
||||
<para>the GATEWAY ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the remote
|
||||
gateway is a standalone system.</para></note></para>
|
||||
system itself comprises the peer subnetwork; in other words, the
|
||||
remote gateway is a standalone system.</para>
|
||||
</note></para>
|
||||
|
||||
<para>You will need to configure /etc/shorewall/interfaces and establish
|
||||
your <quote>through the tunnel</quote> policy as shown under the first
|
||||
@ -922,7 +1068,8 @@ conn packetdefault
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the
|
||||
command:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
|
||||
|
||||
@ -939,11 +1086,45 @@ conn packetdefault
|
||||
<example>
|
||||
<title>dyn=dynamic zone</title>
|
||||
|
||||
<para><informaltable><tgroup cols="7"><thead><row><entry
|
||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
||||
align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
|
||||
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
|
||||
<para><informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DESTINATION</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>z!dyn</entry>
|
||||
|
||||
<entry>loc:192.168.1.3</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>80</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable></para>
|
||||
|
||||
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
|
||||
will have no effect on the above rule.</para>
|
||||
|
Loading…
Reference in New Issue
Block a user