diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 9f028f889..3e7ccc889 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -681,4 +681,65 @@ ipip vpn 0.0.0.0/0 + +
+ Using SNAT to Force Traffic over an IPSEC Tunnel + + Cases can arise where you need to use an IPSEC tunnel to access a + remote network, but you have no control over the associated security + polices. In such cases, the resulting tunnel is accessible from your + firewall but not from your local networks. + + Let's take an example: + + + + Remote gateway 192.0.2.26 + + + + Remote subnet 172.22.4.0/24 + + + + Your public IP address is 192.0.2.199 + + + + Your Internet-facing interface is eth0 + + + + Your local network is 192.168.219.0/24 + + + + You want to access 172.22.4.0/24 from 192.168.219.0/24 + + + + You need to configure as follows. + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS +... +vpn ip # Note that the zone cannot be declared as type ipsec +... + + /etc/shorewall/hosts: + + #ZONE HOSTS OPTIONS +vpn eth0:172.22.4.0/24 mss=1380,destonly +vpn eth0:0.0.0.0/0 mss=1380,ipsec + + /etc/shorewall/snat: + + SNAT(192.0.2.199) 192.168.219.0/24 eth0:172.22.4.0/24 + + /etc/shorewall/tunnels: + + #TYPE ZONE GATEWAY GATEWAY_ZONE +ipsec net 192.0.2.26 vpn +
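Review bot: the new "Using SNAT to Force Traffic over an IPSEC Tunnel" section states the configuration but never explains why it works, so a reader cannot adapt it; the two `/etc/shorewall/hosts` entries (`vpn eth0:172.22.4.0/24 mss=1380,destonly` and `vpn eth0:0.0.0.0/0 mss=1380,ipsec`) and the zones comment "Note that the zone cannot be declared as type ipsec" should each get a sentence saying what they are for, i.e. that the `destonly` entry places the remote subnet in the vpn zone for outbound matching without requiring an IPSEC policy match, which is also the reason the zone must be type `ip` rather than `ipsec`, while the `ipsec` entry covers the hosts actually reached through the tunnel. The same goes for the `/etc/shorewall/snat` line: a short note that SNAT to 192.0.2.199 makes the LAN traffic appear to originate from the firewall's public address, the only source the remote side's policies accept, ties the rule back to the opening paragraph. Also fix the typo "polices" (should be "policies") in that paragraph, and consider "Configure as follows." in place of "You need to configure as follows."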