From 3cbe0e7a1c84f553cff6dad1a68fb53addc68a2c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 8 Feb 2018 14:33:54 -0800
Subject: [PATCH] Describe IPSEC via SNAT
Signed-off-by: Tom Eastep
---
 docs/IPSEC-2.6.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 9f028f889..3e7ccc889 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -681,4 +681,65 @@ ipip vpn 0.0.0.0/0 + +
+ Using SNAT to Force Traffic over an IPSEC Tunnel + + Cases can arise where you need to use an IPSEC tunnel to access a + remote network, but you have no control over the associated security + polices. In such cases, the resulting tunnel is accessible from your + firewall but not from your local networks. + + Let's take an example: + + + + Remote gateway 192.0.2.26 + + + + Remote subnet 172.22.4.0/24 + + + + Your public IP address is 192.0.2.199 + + + + Your Internet-facing interface is eth0 + + + + Your local network is 192.168.219.0/24 + + + + You want to access 172.22.4.0/24 from 192.168.219.0/24 + + + + You need to configure as follows. + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS +... +vpn ip # Note that the zone cannot be declared as type ipsec +... + + /etc/shorewall/hosts: + + #ZONE HOSTS OPTIONS +vpn eth0:172.22.4.0/24 mss=1380,destonly +vpn eth0:0.0.0.0/0 mss=1380,ipsec + + /etc/shorewall/snat: + + SNAT(192.0.2.199) 192.168.219.0/24 eth0:172.22.4.0/24 + + /etc/shorewall/tunnels: + + #TYPE ZONE GATEWAY GATEWAY_ZONE +ipsec net 192.0.2.26 vpn +