<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <article id="GenericTunnels"> <!--$Id$--> <articleinfo> <title>Generic Tunnels</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2001</year> <year>2002</year> <year>2003</year> <year>2005</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <para>Shorewall includes built-in support for a wide range of VPN solutions. If you have need for a tunnel type that does not have explicit support, you can generally describe the tunneling software using <quote>generic tunnels</quote>.</para> <section id="Bridged"> <title>Bridging two Masqueraded Networks</title> <para>Suppose that we have the following situation:</para> <graphic fileref="images/TwoNets1.png" /> <para>We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.</para> <para>Suppose that you have tunneling software that uses two different protocols:</para> <orderedlist numeration="loweralpha"> <listitem> <para>TCP port 1071</para> </listitem> <listitem> <para>GRE (Protocol 47)</para> </listitem> <listitem> <para>The tunnel interface on system A is <quote>tun0</quote> and the tunnel interface on system B is also <quote>tun0</quote>.</para> </listitem> </orderedlist> <para>On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called <quote>vpn</quote> and declare it in /etc/shorewall/zones on both systems as follows.</para> <programlisting>#ZONE TYPE OPTIONS vpn ipv4</programlisting> <para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS vpn tun0 10.255.255.255</programlisting> <para>In /etc/shorewall/tunnels on system A, we need the following:</para> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE generic:tcp:1071 net 134.28.54.2 generic:47 net 134.28.54.2</programlisting> <para>These entries in /etc/shorewall/tunnels, opens the firewall so that TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will be accepted to/from the remote gateway.</para> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS vpn tun0 192.168.1.255</programlisting> <para>In /etc/shorewall/tunnels on system B, we have:</para> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE generic:tcp:1071 net 206.191.148.9 generic:47 net 206.191.148.9</programlisting> <para>You will need to allow traffic between the <quote>vpn</quote> zone and the <quote>loc</quote> zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:</para> <programlisting>#SOURCE DEST POLICY LOG LEVEL loc vpn ACCEPT vpn loc ACCEPT</programlisting> <para>On both systems, restart Shorewall and start your VPN software on each system. The systems in the two masqueraded subnetworks can now talk to each other</para> </section> </article>