Update for Shorewall 2.2.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1959 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/IPSEC-2.6.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-02-08</pubdate>
+    <pubdate>2005-02-13</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -728,4 +728,63 @@ all             all             REJECT          info
       occur, NONE policies are used.</para>
     </blockquote>
   </section>
+
+  <section>
+    <title>IPSEC and <trademark>Windows</trademark> XP</title>
+
+    <para>I have successfully configured my work laptop to use IPSEC for
+    wireless IP communication when it is undocked at home. I looked at dozens
+    of sites and the one I found most helpful was <ulink
+    url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
+    The instructions on that site are directed to students at UCLA but they
+    worked fine for me (once I followed them very carefully).</para>
+
+    <warning>
+      <para>The instructions found on the UCLA site are complex and do not
+      include any information on the generation of X.509 certificates. There
+      are lots of sites however that can tell you how to generate
+      certificates, including <ulink
+      url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
+
+      <para>One piece of information that may not be so easy to find is "How
+      to I generate a PKCS#12 certificate to import into Windows?". Here's the
+      openssl command I used:</para>
+
+      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
+
+      <para>I was prompted for a password to associate with the certificate.
+      This password is entered on the Windows system during import.</para>
+
+      <para>In the above command:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>eastepnc6000.pem was the laptop's certificate in PEM
+          format.</para>
+        </listitem>
+
+        <listitem>
+          <para>eastepnc6000_key.pem was the laptop's private key (actually,
+          it's the original signing request which includes the private
+          key).</para>
+        </listitem>
+
+        <listitem>
+          <para>eastepnc6000.pfx is the PKCS#12 output file.</para>
+        </listitem>
+
+        <listitem>
+          <para>"IPSEC Cert for Home Wireless" is the friendly name for the
+          certificate.I</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>I started to write an article about how to do this, complete with
+      graphics captured from my laptop. I gave up. I had captured 12 images
+      and hadn't really started yet. The Windows interface for configuring
+      IPSEC is the worst GUI that I have ever used. What can be displayed on
+      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
+      different dialog boxes on Windows XP!!!</para>
+    </warning>
+  </section>
 </article>

Shorewall-docs2/myfiles.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-02-08</pubdate>
+    <pubdate>2005-02-15</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -122,19 +122,19 @@
     through Proxy ARP.</para>
 
     <para>The firewall system itself runs a DHCP server that serves the local
-    network.</para>
+    and wireless networks.</para>
 
     <para>I have one system (Remote, 206.124.146.179) outside the firewall.
     This system, which runs Debian Sarge (testing) is used for roadwarrior VPN
     testing and for checking my firewall "from the outside".</para>
 
     <para>All administration and publishing is done using ssh/scp. I have a
-    desktop environment installed on the firewall but I am not usually logged
-    in to it. X applications tunnel through SSH to Ursa. The server also has a
-    desktop environment installed and that desktop environment is available
-    via XDMCP from the local zone. For the most part though, X tunneled
-    through SSH is used for server administration and the server runs at run
-    level 3 (multi-user console mode on Fedora).</para>
+    desktop environment installed on the firewall but I usually don't start
+    it. X applications tunnel through SSH to Ursa or one of the laptops. The
+    server also has a desktop environment installed but it is seldom started
+    either. For the most part, X tunneled through SSH is used for server
+    administration and the server runs at run level 3 (multi-user console mode
+    on Fedora).</para>
 
     <para>I run an SNMP server on my firewall to serve <ulink
     url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
@@ -150,7 +150,10 @@
     <para>The firewall is configured with OpenVPN for VPN access from our
     second home in <ulink url="http://www.omakchamber.com/">Omak,
     Washington</ulink> or when we are otherwise out of town. Secure remote
-    access via IPSEC is also available.</para>
+    access via IPSEC is also available. We typically use IPSEC for wireless
+    security around the house and OpenVPN for roadwarrior access but the
+    Firewall is set up to access either tunnel type from either
+    location.</para>
 
     <para><graphic align="center" fileref="images/network.png" /></para>
   </section>
@@ -733,41 +736,90 @@ syslogsync 1</programlisting>
       <title>/etc/racoon/racoon.conf</title>
 
       <blockquote>
-        <programlisting>        path certificate "/etc/certs" ;
-
-        listen
-        {
-                isakmp 206.124.146.176;
-                isakmp 192.168.3.254;
+        <programlisting> 
+listen
+{
+        isakmp 206.124.146.176 ;
+        isakmp 192.168.3.254 ;
+        adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
+}
+#
+# Tipper at Home
+#
+remote 192.168.3.8
+{
+        exchange_mode main ;
+        dpd_delay 20 ;
+        certificate_type x509 "gateway.pem" "gateway_key.pem" ;
+        verify_cert on ;
+        my_identifier asn1dn ;
+        peers_identifier asn1dn ;
+        verify_identifier on ;
+        lifetime time 1 hour ;
+        proposal {
+                encryption_algorithm blowfish ;
+                hash_algorithm sha1 ;
+                authentication_method rsasig ;
+                dh_group 2 ;
         }
+}
 
-        remote anonymous
-        {
-                exchange_mode main ;
-                generate_policy on ;
-                passive on ;
-                certificate_type x509 "gateway.pem" "gateway_key.pem";
-                verify_cert on;
-                my_identifier asn1dn ;
-                peers_identifier asn1dn ;
-                verify_identifier on ;
-                lifetime time 24 hour ;
-                proposal {
-                        encryption_algorithm blowfish;
-                        hash_algorithm sha1;
-                        authentication_method rsasig ;
-                        dh_group 2 ;
-                }
+sainfo address 0.0.0.0/0 any address 192.168.3.8 any
+{
+        pfs_group 2 ;
+        lifetime time 1 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+#
+# Work Laptop at Home -- it doesn't like getting proposals from us
+#                        so we let it initiate the tunnel.
+#
+#                        Windows XP doesn't support blowfish or rijndal
+#                        so we're stuck with 3des :-(
+#
+remote 192.168.3.6 inherit 192.168.3.8
+{
+        proposal_check obey ;
+        passive on ;
+        generate_policy on ;
+        proposal {
+                encryption_algorithm 3des ;
+                hash_algorithm sha1 ;
+                authentication_method rsasig ;
+                dh_group 2 ;
         }
+}
 
-        sainfo anonymous
-        {
-                pfs_group 2;
-                lifetime time 12 hour ;
-                encryption_algorithm blowfish, 3des;
-                authentication_algorithm hmac_sha1, hmac_md5 ;
-                compression_algorithm deflate ;
-        }</programlisting>
+sainfo address 0.0.0.0/0 any address 192.168.3.6 any
+{
+        pfs_group 2 ;
+        lifetime time 1 hour ;
+        encryption_algorithm 3des ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+#
+# Both systems on the road -- We use 3des for phase I to accomodate XP.
+#                             Since we don't know the IP address of the
+#                             remote host ahead of time, we must use
+#                             "anonymous".
+#
+remote anonymous inherit 192.168.3.6
+{
+        nat_traversal on ;
+        ike_frag on;
+}
+
+sainfo anonymous
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish, 3des;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}</programlisting>
       </blockquote>
     </section>
 
@@ -780,7 +832,8 @@ syslogsync 1</programlisting>
 flush;
 spdflush;
 
-# Add some SPD rules
+# We only define policies for 'tipper'. The XP box seems to work better when it initiates the
+# negotiation so we essentially run it like a roadwarrior even around the house.
 
 spdadd 0.0.0.0/0          192.168.3.8/32     any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
 spdadd 192.168.3.8/32     0.0.0.0/0          any -P in  ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>

Shorewall2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.2.0
+VERSION=2.2.1
 
 usage() # $1 = exit status
 {

Shorewall2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.2.0
+VERSION=2.2.1
 
 usage() # $1 = exit status
 {

Shorewall2/releasenotes.txt

@@ -27,6 +27,9 @@ Problems corrected in version 2.2.1
 
 3) The comments regarding built-in actions in
    /usr/share/shorewall/actions.std have been corrected.
+
+4) The /etc/shorewall/policy file in the LRP package was missing the
+   'all->all' policy.
  
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.2:

Shorewall2/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.2.0
+%define version 2.2.1
 %define release 1
 %define prefix /usr
 
@@ -138,6 +138,8 @@ fi
 
 %changelog
 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.1-1
+* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.0-1
 * Mon Jan 17 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.0-0RC5

Shorewall2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.2.0
+VERSION=2.2.1
 
 usage() # $1 = exit status
 {