From 273b02c6da5949070271d48ee968e8ec926a6aba Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 17 Dec 2016 12:31:17 -0800 Subject: [PATCH] Add IPCOMP information to the IPSEC article Signed-off-by: Tom Eastep --- docs/IPSEC-2.6.xml | 54 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 9e1371bb7..87ce669dc 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -30,7 +30,11 @@ 2006 - 2009 Thomas M. Eastep + 2009 + + 2016 + + Thomas M. Eastep @@ -71,8 +75,8 @@ While this article shows configuration of IPsec using ipsec-tools, Shorewall - configuration is exactly the same when using OpenSwan or - FreeSwan. + configuration is exactly the same when using OpenSwan or any of the other Swan derivatives. @@ -158,7 +162,7 @@ from MASQUERADE/SNAT using existing entries. If you want to MASQUERADE/SNAT outgoing traffic that will later be encrypted, you must include the appropriate indication in the IPSEC column in that - file. + file. @@ -321,6 +325,14 @@ vpn eth0:10.0.0.0/8,134.28.54.2 ips vpn eth0:192.168.1.0/24,206.162.148.9 ipsec + If you want to keep things simple, you can simply not restrict the + set of addresses in the ipsec zones: + +
+ #ZONE HOSTS OPTIONS +vpn eth0:0.0.0.0/o ipsec +
+ Assuming that you want to give each local network free access to the remote network and vice versa, you would need the following /etc/shorewall/policy entries on each system: @@ -450,12 +462,12 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any tunnel, then it is a good idea to set the MSS value for traffic from those hosts explicitly in the /etc/shorewall/zones file. For example, if hosts - in the sec zone access the Internet + in the vpn zone access the Internet through an ESP tunnel then the following entry would be appropriate: #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS -sec ipsec mode=tunnel mss=1400 +vpn ipsec mode=tunnel mss=1400 You should also set FASTACCEPT=No in shorewall.conf to ensure that both the SYN and SYN,ACK packets have their MSS field @@ -469,6 +481,36 @@ sec ipsec mode=tunnel mss=1400 +
+ IPCOMP and IPSEC + + IPSEC can be configured to perform data compression. This is + accomplished by compressing the original IP packet, then encapsulating it + in an ipcomp (protocol 108) packet. That packet is then encrypted and + encapsulated within an ESP packet. Because of the extra protocol header + required for compression, short IP packets (such as default ping packets) + are not compressed. The Linux IP stack handles these uncompressed packets + by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from + the remote gateway must be handled in Shorewall. The easiest way to + accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn + zone to the $FW zone: + +
+ #ACTION SOURCE DEST PROTO DPORT ... +ACCEPT vpn $FW 4 +
+ + Note that the source IP address is these IPIP packets is that of the + remote peer, so the definition of the ipsec zone in shorewall-hosts(5) must + include the peer. + + Finally, when IPCOMP is used, it is recommended that the OPTIONS + column of the ipsec zone's entry in shorewall-zones(5) be left + empty. +
+
Mobile System (Road Warrior)
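Review bot: "any of the other Swan derivatives" in the hunk at @@ -71,8 leaves the reader guessing which daemons are meant; name the ones in current use (Libreswan and strongSwan) and state the reason the Shorewall side is "exactly the same", namely that the zone definitions only depend on the kernel's IPsec policies and not on which IKE daemon installed them. As written the sentence sounds like an untested generalisation.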
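Review bot: the example programlisting in the hunk at @@ -321,6 has a typo that will bite anyone who copies it: `vpn eth0:0.0.0.0/o ipsec` uses the letter "o" where the prefix length should be the digit "0", so it is not a valid network address. It should read `vpn eth0:0.0.0.0/0 ipsec`. The sentence introducing it ("If you want to keep things simple") should also say what the simplification costs: with 0.0.0.0/0 every packet that matches an IPsec policy on eth0 lands in the vpn zone no matter which peer sent it, whereas the two entries just above it (10.0.0.0/8 with 134.28.54.2 and 192.168.1.0/24 with 206.162.148.9) are the form to keep when different peers or networks should get different policies.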
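Review bot: the rule added in the hunk at @@ -469,6, `ACCEPT vpn $FW 4`, accepts protocol 4 from every host in the vpn zone, yet the paragraph right after it says the source address of these IPIP packets is always the remote peer; restrict the rule to that address (for example `ACCEPT vpn:206.162.148.9 $FW 4` on the system whose peer is 206.162.148.9, reusing the addresses from the hosts example earlier in the article) instead of admitting IPIP from any host that matched an ipsec policy, which with the 0.0.0.0/0 hosts entry this same patch introduces is any IPsec peer at all. Three documentation points in the same section: (1) the closing paragraph recommends leaving the vpn zone's OPTIONS column empty but gives no reason, and it contradicts the `vpn ipsec mode=tunnel mss=1400` entry recommended a few paragraphs earlier in the hunk at @@ -450,12; say why the options have to go when IPCOMP is used and what then takes over the MSS clamping. (2) "short IP packets (such as default ping packets) are not compressed" understates the case: RFC 3173 requires a packet to be sent in its original form whenever compression does not make it smaller, so payloads that are already compressed or encrypted (TLS, SSH) also arrive as IPIP, and the ACCEPT rule is needed for ordinary traffic, not only for ping. (3) "the source IP address is these IPIP packets" should read "in these IPIP packets", and the new prose spells it "IPSEC" while the rest of the article (see the hunk at @@ -71,8) uses "IPsec".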