2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:42:54 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2004-02-14 19:06:39 +01:00
|
|
|
<article id="VPN">
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
2007-10-15 19:13:50 +02:00
|
|
|
<title>VPN Passthrough</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2002</year>
|
|
|
|
|
2004-10-23 19:27:42 +02:00
|
|
|
<year>2004</year>
|
|
|
|
|
2005-03-08 20:31:05 +01:00
|
|
|
<year>2005</year>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
2004-10-23 19:27:42 +02:00
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="vpn">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Virtual Private Networking (VPN)</title>
|
|
|
|
|
|
|
|
<para>It is often the case that a system behind the firewall needs to be
|
|
|
|
able to access a remote network through Virtual Private Networking (VPN).
|
|
|
|
The two most common means for doing this are IPSEC and PPTP. The basic
|
|
|
|
setup is shown in the following diagram:</para>
|
|
|
|
|
|
|
|
<graphic fileref="images/VPN.png" />
|
|
|
|
|
|
|
|
<para>A system with an RFC 1918 address needs to access a remote network
|
|
|
|
through a remote gateway. For this example, we will assume that the local
|
|
|
|
system has IP address 192.168.1.12 and that the remote gateway has IP
|
|
|
|
address 192.0.2.224.</para>
|
|
|
|
|
2007-10-15 19:13:50 +02:00
|
|
|
<para>If PPTP is being used and you need to have two or more local systems
|
|
|
|
connected to the same remote server at the same time, then you should be
|
|
|
|
sure that the PPTP helpers modules are loaded (ip_conntrack_pptp and
|
|
|
|
ip_nat_pptp or nf_conntrack_pptp and nf_nat_pptp). Using the default
|
|
|
|
modules file, Shorewall (Lite) will attempt to load these modules when
|
|
|
|
Shorewall (Lite) is started.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-03-08 20:31:05 +01:00
|
|
|
<para>If IPSEC is being used, you should configure IPSEC to use
|
|
|
|
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
|
2007-10-15 19:13:50 +02:00
|
|
|
packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
|
|
|
|
destination port 4500). Additionally, <firstterm>keep-alive
|
2005-03-08 20:31:05 +01:00
|
|
|
messages</firstterm> are sent frequently so that NATing gateways between
|
|
|
|
the end-points will retain their connection-tracking entries. This is the
|
|
|
|
way that I connect to the HP Intranet and it works flawlessly without
|
|
|
|
anything in Shorewall other than my ACCEPT loc->net policy. NAT
|
|
|
|
traversal is available as a patch for Windows 2K and is a standard feature
|
|
|
|
of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
|
|
|
|
pulldown.</para>
|
|
|
|
|
2007-10-15 19:13:50 +02:00
|
|
|
<para>Alternatively, if you have an IPSEC gateway behind your firewall
|
|
|
|
then you can try the following: only one system may connect to the remote
|
|
|
|
gateway and there are firewall configuration requirements as
|
|
|
|
follows:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<table id="Table1">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
|
|
|
|
<tgroup cols="7">
|
|
|
|
<thead>
|
|
|
|
<row>
|
|
|
|
<entry align="center">ACTION</entry>
|
|
|
|
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
|
|
|
|
<entry align="center">CLIENT PORT</entry>
|
|
|
|
|
|
|
|
<entry align="center">ORIGINAL DEST</entry>
|
|
|
|
</row>
|
|
|
|
</thead>
|
|
|
|
|
|
|
|
<tbody>
|
|
|
|
<row>
|
|
|
|
<entry>DNAT</entry>
|
|
|
|
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
|
|
|
|
<entry>50</entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>DNAT</entry>
|
|
|
|
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
<entry>500</entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
</row>
|
|
|
|
</tbody>
|
|
|
|
</tgroup>
|
|
|
|
</table>
|
|
|
|
|
2008-08-15 07:03:24 +02:00
|
|
|
<para>The above may or may not work — your mileage may vary. NAT Traversal
|
2007-07-03 16:41:22 +02:00
|
|
|
is definitely a better solution. To use NAT traversal:<table id="Table2">
|
|
|
|
<title>/etc/shorewall/rules with NAT Traversal</title>
|
|
|
|
|
|
|
|
<tgroup cols="7">
|
|
|
|
<thead>
|
|
|
|
<row>
|
|
|
|
<entry align="center">ACTION</entry>
|
|
|
|
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
|
|
|
|
<entry align="center">CLIENT PORT</entry>
|
|
|
|
|
|
|
|
<entry align="center">ORIGINAL DEST</entry>
|
|
|
|
</row>
|
|
|
|
</thead>
|
|
|
|
|
|
|
|
<tbody>
|
|
|
|
<row>
|
|
|
|
<entry>DNAT</entry>
|
|
|
|
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
<entry>4500</entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>DNAT</entry>
|
|
|
|
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
<entry>500</entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
</row>
|
|
|
|
</tbody>
|
|
|
|
</tgroup>
|
|
|
|
</table></para>
|
2005-03-08 20:31:05 +01:00
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<para>If you want to be able to give access to all of your local systems
|
|
|
|
to the remote network, you should consider running a VPN client on your
|
2004-10-23 19:27:42 +02:00
|
|
|
firewall. As starting points, see <ulink
|
2007-10-15 19:13:50 +02:00
|
|
|
url="manpages/shorewall-tunnels.html">The /etc/shorewall/tunnels
|
|
|
|
manpage</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
2008-07-07 22:42:54 +02:00
|
|
|
</article>
|