DocBook XML conversion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@949 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/VPN.xml

@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<article id="VPN">
+  <articleinfo>
+    <title>VPN</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate>2002-12-21</pubdate>
+
+    <copyright>
+      <year>2002</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Virtual Private Networking (VPN)</title>
+
+    <para>It is often the case that a system behind the firewall needs to be
+    able to access a remote network through Virtual Private Networking (VPN).
+    The two most common means for doing this are IPSEC and PPTP. The basic
+    setup is shown in the following diagram:</para>
+
+    <graphic fileref="images/VPN.png" />
+
+    <para>A system with an RFC 1918 address needs to access a remote network
+    through a remote gateway. For this example, we will assume that the local
+    system has IP address 192.168.1.12 and that the remote gateway has IP
+    address 192.0.2.224.</para>
+
+    <para>If PPTP is being used, there are no firewall requirements beyond the
+    default loc-&#62;net ACCEPT policy. There is one restriction however: Only
+    one local system at a time can be connected to a single remote gateway
+    unless you patch your kernel from the &#39;Patch-o-matic&#39; patches
+    available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
+
+    <para>If IPSEC is being used then only one system may connect to the
+    remote gateway and there are firewall configuration requirements as
+    follows:</para>
+
+    <table>
+      <title>/etc/shorewall/rules</title>
+
+      <tgroup cols="7">
+        <thead>
+          <row>
+            <entry align="center">ACTION</entry>
+
+            <entry align="center">SOURCE</entry>
+
+            <entry align="center">DESTINATION</entry>
+
+            <entry align="center">PROTOCOL</entry>
+
+            <entry align="center">PORT</entry>
+
+            <entry align="center">CLIENT PORT</entry>
+
+            <entry align="center">ORIGINAL DEST</entry>
+          </row>
+        </thead>
+
+        <tbody>
+          <row>
+            <entry>DNAT</entry>
+
+            <entry>net:192.0.2.224</entry>
+
+            <entry>loc:192.168.1.12</entry>
+
+            <entry>50</entry>
+
+            <entry></entry>
+
+            <entry></entry>
+
+            <entry></entry>
+          </row>
+
+          <row>
+            <entry>DNAT</entry>
+
+            <entry>net:192.0.2.224</entry>
+
+            <entry>loc:192.168.1.12</entry>
+
+            <entry>udp</entry>
+
+            <entry>500</entry>
+
+            <entry></entry>
+
+            <entry></entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>If you want to be able to give access to all of your local systems
+    to the remote network, you should consider running a VPN client on your
+    firewall. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
+    or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
+  </section>
+</article>