shorewall_code/Shorewall-docs/VPN.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>VPN</title>
</head>
<body>
<h1 style="text-align: center;">VPN<br>
</h1>
<p>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking
(VPN). The two most common means for doing this are IPSEC and PPTP. The
basic setup is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
 height="796"> </p>
<p align="left">A system with an RFC 1918 address needs to access a
remote network through a remote gateway. For this example, we will
assume that the local system has IP address 192.168.1.12 and that the
remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall
requirements beyond the default loc-&gt;net ACCEPT policy. There is one
restriction however: Only one local system at a time can be connected
to a single remote gateway unless you patch your kernel from the
'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect
to the remote gateway and there are firewall configuration requirements
as follows:</p>
<blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 bordercolor="#111111" id="AutoNumber2" height="98">
    <tbody>
      <tr>
        <td height="38"><u><b>ACTION</b></u></td>
        <td height="38"><u><b>SOURCE</b></u></td>
        <td height="38"><u><b>DESTINATION</b></u></td>
        <td height="38"><u><b>PROTOCOL</b></u></td>
        <td height="38"><u><b>PORT</b></u></td>
        <td height="38"><u><b>CLIENT<br>
PORT</b></u></td>
        <td height="38"><u><b>ORIGINAL<br>
DEST</b></u></td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
        <td height="19">net:192.0.2.224</td>
        <td height="19">loc:192.168.1.12</td>
        <td height="19">50</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
        <td height="19">net:192.0.2.224</td>
        <td height="19">loc:192.168.1.12</td>
        <td height="19">udp</td>
        <td height="19">500</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
      </tr>
    </tbody>
  </table>
</blockquote>
<p>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <a
 href="Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
 href="PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
<EFBFBD> <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p>&nbsp;</p>
<br>
<br>
</body>
</html>