mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-27 16:49:05 +01:00
3ebaa3daa5
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1987 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
146 lines
4.6 KiB
XML
146 lines
4.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="VPN">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>VPN</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2005-03-08</pubdate>
|
|
|
|
<copyright>
|
|
<year>2002</year>
|
|
|
|
<year>2004</year>
|
|
|
|
<year>2005</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Virtual Private Networking (VPN)</title>
|
|
|
|
<para>It is often the case that a system behind the firewall needs to be
|
|
able to access a remote network through Virtual Private Networking (VPN).
|
|
The two most common means for doing this are IPSEC and PPTP. The basic
|
|
setup is shown in the following diagram:</para>
|
|
|
|
<graphic fileref="images/VPN.png" />
|
|
|
|
<para>A system with an RFC 1918 address needs to access a remote network
|
|
through a remote gateway. For this example, we will assume that the local
|
|
system has IP address 192.168.1.12 and that the remote gateway has IP
|
|
address 192.0.2.224.</para>
|
|
|
|
<para>If PPTP is being used, there are no firewall requirements beyond the
|
|
default loc->net ACCEPT policy. There is one restriction however: Only
|
|
one local system at a time can be connected to a single remote gateway
|
|
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
|
available at <ulink
|
|
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
|
|
|
<para>If IPSEC is being used, you should configure IPSEC to use
|
|
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
|
|
packets (protocol 50 or 51) are encapsulated in UDP packets with
|
|
destination port 4500. Additionally, <firstterm>keep-alive
|
|
messages</firstterm> are sent frequently so that NATing gateways between
|
|
the end-points will retain their connection-tracking entries. This is the
|
|
way that I connect to the HP Intranet and it works flawlessly without
|
|
anything in Shorewall other than my ACCEPT loc->net policy. NAT
|
|
traversal is available as a patch for Windows 2K and is a standard feature
|
|
of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
|
|
pulldown.</para>
|
|
|
|
<para>Alternatively, if IPSEC is being used then you can try the
|
|
following: only one system may connect to the remote gateway and there are
|
|
firewall configuration requirements as follows:</para>
|
|
|
|
<table>
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
<tgroup cols="7">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">ACTION</entry>
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
<entry align="center">CLIENT PORT</entry>
|
|
|
|
<entry align="center">ORIGINAL DEST</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>DNAT</entry>
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
<entry>50</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>DNAT</entry>
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
<entry>udp</entry>
|
|
|
|
<entry>500</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>The above may or may not work — your milage may vary. NAT Traversal
|
|
is definitely a better solution.</para>
|
|
|
|
<para>If you want to be able to give access to all of your local systems
|
|
to the remote network, you should consider running a VPN client on your
|
|
firewall. As starting points, see <ulink
|
|
url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
|
|
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
|
|
</section>
|
|
</article> |