From 49dc1c30e5e69979fde87557c1e70b748185f913 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Tue, 16 Dec 2003 18:22:34 +0000 Subject: [PATCH] Content moved to IPIP.xml git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@865 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/IPIP.htm | 204 ---------------------------------------- 1 file changed, 204 deletions(-) delete mode 100644 Shorewall-docs/IPIP.htm diff --git a/Shorewall-docs/IPIP.htm b/Shorewall-docs/IPIP.htm deleted file mode 100644 index 74069fa5d..000000000 --- a/Shorewall-docs/IPIP.htm +++ /dev/null @@ -1,204 +0,0 @@ - - - - - GRE/IPIP Tunnels - - - - -

GRE and IPIP Tunnels
-

-

Warning: GRE and IPIP Tunnels are -insecure when used over the internet; use them at your own risk

-

GRE and IPIP tunneling with Shorewall can be used to bridge two -masqueraded networks.

-

The simple scripts described in the Linux -Advanced Routing and Shaping HOWTO work fine with Shorewall. -Shorewall also includes a tunnel script for automating tunnel -configuration. If you have installed the RPM, the tunnel script may be -found in the Shorewall documentation directory (usually -/usr/share/doc/shorewall-<version>/).

-

Bridging two Masqueraded Networks

-

Suppose that we have the following situation:

-

-

We want systems in the 192.168.1.0/24 subnetwork to be -able to communicate with the systems in the 10.0.0.0/8 network. This is -accomplished through use of the /etc/shorewall/tunnels file, the -/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is -included with Shorewall.

-

The 'tunnel' script is not installed in /etc/shorewall -by default -- If you install using the tarball, the script is included -in the tarball; if you install using the RPM, the file is in your -Shorewall documentation directory (normally -/usr/share/doc/shorewall-<version>).

-

In the /etc/shorewall/tunnel script, set the -'tunnel_type' parameter to the type of tunnel that you want to create.

-

Example:

-
-

tunnel_type=gre

-
-

On each firewall, you will need to declare a zone to -represent the remote subnet. We'll assume that this zone is called -'vpn' and declare it in /etc/shorewall/zones on both systems as follows.

-
- - - - - - - - - - - - - -
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
-
-

On system A, the 10.0.0.0/8 will comprise the vpn -zone. -In /etc/shorewall/interfaces:

-
- - - - - - - - - - - - - - - -
ZONEINTERFACEBROADCASTOPTIONS
vpntosysb10.255.255.255 
-
-

In /etc/shorewall/tunnels on system A, we need the -following:

-
- - - - - - - - - - - - - - - -
TYPEZONEGATEWAYGATEWAY ZONE
ipipnet134.28.54.2 
-
-

This entry in /etc/shorewall/tunnels, opens the firewall so that the -IP encapsulation protocol (4) will be accepted to/from the remote -gateway.

-

In the tunnel script on system A:

-
-

tunnel=tosysb
-myrealip=206.161.148.9 (for GRE tunnel only)
-myip=192.168.1.1
-hisip=10.0.0.1
-gateway=134.28.54.2
-subnet=10.0.0.0/8

-
-

Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn -zone. In /etc/shorewall/interfaces:

-
- - - - - - - - - - - - - - - -
ZONEINTERFACEBROADCASTOPTIONS
vpntosysa192.168.1.255 
-
-

In /etc/shorewall/tunnels on system B, we have:

-
- - - - - - - - - - - - - - - -
TYPEZONEGATEWAYGATEWAY ZONE
ipipnet206.191.148.9 
-
-

And in the tunnel script on system B:

-
-

tunnel=tosysa
-myrealip=134.28.54.2 (for GRE tunnel only)
-myip=10.0.0.1
-hisip=192.168.1.1
-gateway=206.191.148.9
-subnet=192.168.1.0/24

-
-

You can rename the modified tunnel scripts if you like; be sure that -they are secured so that root can execute them.

-

You will need to allow traffic between the "vpn" zone -and the "loc" zone on both systems -- if you simply want to admit all -traffic in both directions, you can use the policy file:

-
- - - - - - - - - - - - - - - - - - - - - -
SOURCEDESTPOLICYLOG LEVEL
locvpnACCEPT 
vpnlocACCEPT 
-
-

On both systems, restart Shorewall and run the modified tunnel -script with -the "start" argument on each system. The systems in the two masqueraded -subnetworks -can now talk to each other

-

Updated 2/22/2003 - Tom Eastep -

-

Copyright © 2001, 2002, 2003Thomas M. Eastep.

-
-
- -
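Review bot: The diff removes Shorewall-docs/IPIP.htm but does not add or touch IPIP.xml (the header reports "1 file changed, 204 deletions(-)"), so the move the commit message describes is only half visible here; please confirm IPIP.xml is already in the tree and that no other page in Shorewall-docs still links to IPIP.htm, otherwise this hunk leaves dangling links. While the content is being carried over, the deleted text has two inconsistencies that should not be copied into IPIP.xml as-is: system A sets `myrealip=206.161.148.9` while system B's tunnels entry and tunnel script use `206.191.148.9` as the gateway for the same host, and the /etc/shorewall/tunnels tables on both systems declare TYPE `ipip` (which the text itself says admits protocol 4) even though the worked example sets `tunnel_type=gre`, so either the TYPE or the script example needs to change for the two files to describe the same tunnel. Two smaller items worth fixing in the new copy: "Copyright © 2001, 2002, 2003Thomas M. Eastep" is missing a space before the name, and "be sure that they are secured so that root can execute them" should say what is actually meant, that the scripts must be writable and executable only by root since they are run with root privileges. The warning that GRE and IPIP tunnels are insecure over the internet should survive the move unchanged.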