<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="GenericTunnels">
  <!--$Id$-->

  <articleinfo>
    <title>Generic Tunnels</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001</year>

      <year>2002</year>

      <year>2003</year>

      <year>2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>Shorewall includes built-in support for a wide range of VPN solutions.
  If you have need for a tunnel type that does not have explicit support, you
  can generally describe the tunneling software using <quote>generic
  tunnels</quote>.</para>

  <section id="Bridged">
    <title>Bridging two Masqueraded Networks</title>

    <para>Suppose that we have the following situation:</para>

    <graphic fileref="images/TwoNets1.png" />

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
    accomplished through use of the /etc/shorewall/tunnels file, the
    /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
    included with Shorewall.</para>

    <para>Suppose that you have tunneling software that uses two different
    protocols:</para>

    <orderedlist numeration="loweralpha">
      <listitem>
        <para>TCP port 1071</para>
      </listitem>

      <listitem>
        <para>GRE (Protocol 47)</para>
      </listitem>

      <listitem>
        <para>The tunnel interface on system A is <quote>tun0</quote> and the
        tunnel interface on system B is also <quote>tun0</quote>.</para>
      </listitem>
    </orderedlist>

    <para>On each firewall, you will need to declare a zone to represent the
    remote subnet. We'll assume that this zone is called <quote>vpn</quote>
    and declare it in /etc/shorewall/zones on both systems as follows.</para>

    <programlisting>#ZONE        TYPE          OPTIONS
vpn          ipv4</programlisting>

    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
    role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>

    <programlisting>#ZONE      INTERFACE       BROADCAST        OPTIONS
vpn        tun0            10.255.255.255</programlisting>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
generic:tcp:1071 net            134.28.54.2
generic:47       net            134.28.54.2</programlisting>

    <para>These entries in /etc/shorewall/tunnels, opens the firewall so that
    TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
    be accepted to/from the remote gateway.</para>

    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
vpn          tun0             192.168.1.255</programlisting>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

    <programlisting>#TYPE            ZONE           GATEWAY         GATEWAY ZONE
generic:tcp:1071 net            206.191.148.9
generic:47       net            206.191.148.9</programlisting>

    <para>You will need to allow traffic between the <quote>vpn</quote> zone
    and the <quote>loc</quote> zone on both systems -- if you simply want to
    admit all traffic in both directions, you can use the policy file:</para>

    <programlisting>#SOURCE      DEST        POLICY        LOG LEVEL
loc          vpn         ACCEPT
vpn          loc         ACCEPT</programlisting>

    <para>On both systems, restart Shorewall and start your VPN software on
    each system. The systems in the two masqueraded subnetworks can now talk
    to each other</para>
  </section>
</article>