diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 3e7ccc889..178e250bb 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -107,7 +107,7 @@
requires an appropriate SA to exist. SAs may be created manually using
setkey(8) but most often, they are created by a
cooperative process involving the ISAKMP protocol and a daemon included in
- your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+ your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
Incoming traffic is verified against the SPD to ensure that no unencrypted
traffic is accepted in violation of the administrator's policies.
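Review bot: the rewritten line still ends with a stray space before the period ("etc.) ."), carried over from the old text. Since this line is already being changed, close it up to "etc.)." in the same edit.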
@@ -227,7 +227,7 @@
This article provides guidance regarding configuring Shorewall to
- use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+ use with IPsec. For configuring IPsec itself, consult your IPsec
product's documentation.
@@ -683,9 +683,9 @@ ipip vpn 0.0.0.0/0
- Using SNAT to Force Traffic over an IPSEC Tunnel
+ Using SNAT to Force Traffic over an IPsec Tunnel
- Cases can arise where you need to use an IPSEC tunnel to access a
+ Cases can arise where you need to use an IPsec tunnel to access a
remote network, but you have no control over the associated security
polices. In such cases, the resulting tunnel is accessible from your
firewall but not from your local networks.
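Review bot: the context line just below the changed sentence reads "security polices", which should be "security policies". The paragraph is being touched for the IPsec spelling anyway, so the typo can be fixed in this patch.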
@@ -716,6 +716,11 @@ ipip vpn 0.0.0.0/0
You want to access 172.22.4.0/24 from 192.168.219.0/24
+
+
+ The IPsec tunnel is configured between 172.22.4.0/24 and
+ 192.0.2.199
+ You need to configure as follows.
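Review bot: the added item names 192.0.2.199 as one end of the tunnel without saying which host that address belongs to, while the surrounding items only mention the two networks. State what 192.0.2.199 is, so the reader can map the tunnel onto their own setup. "You need to configure as follows." also lacks an object; something like "Configure Shorewall as follows." reads better.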
@@ -727,6 +732,11 @@ ipip vpn 0.0.0.0/0cannot be declared as type ipsec
...
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE OPTIONS
+net eth0 nets=(!172.22.4.0/24),... # You must exclude the remote network from the net zone
+
/etc/shorewall/hosts:#ZONE HOSTS OPTIONS
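Review bot: the requirement to exclude 172.22.4.0/24 from the net zone is documented only as a trailing comment on the new eth0 line, and it says what to do but not why. Put a sentence of prose ahead of the /etc/shorewall/interfaces listing that explains the reason for the nets=(!172.22.4.0/24) exclusion, and keep the sample line itself free of commentary so it lines up under the #ZONE INTERFACE OPTIONS header.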
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 4ea33dd56..49155a766 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1233,7 +1233,7 @@ gateway:~ #
those clients. See Example 2
below.
- If you have an IPSEC gateway on your firewall, be sure to
+ If you have an IPsec gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that
you have configured your keying daemon to use.
diff --git a/docs/SharedConfig.xml b/docs/SharedConfig.xml
index 2637188b2..597322687 100644
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -1021,7 +1021,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
tunnels
- Both address families define IPSEC tunnels:
+ Both address families define IPsec tunnels:#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
diff --git a/docs/VPN.xml b/docs/VPN.xml
index 5c87c9088..68f690e40 100644
--- a/docs/VPN.xml
+++ b/docs/VPN.xml
@@ -43,7 +43,7 @@
It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
- The two most common means for doing this are IPSEC and PPTP. The basic
+ The two most common means for doing this are IPsec and PPTP. The basic
setup is shown in the following diagram:
@@ -60,8 +60,8 @@
modules file, Shorewall (Lite) will attempt to load these modules when
Shorewall (Lite) is started.
- If IPSEC is being used, you should configure IPSEC to use
- NAT Traversal -- Under NAT traversal the IPSEC
+ If IPsec is being used, you should configure IPsec to use
+ NAT Traversal -- Under NAT traversal the IPsec
packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
destination port 4500). Additionally, keep-alive
messages are sent frequently so that NATing gateways between
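Review bot: the sentence being respelled still says that packets of "protocol 50 or 51" are encapsulated in UDP under NAT traversal, which is not accurate for protocol 51. The UDP encapsulation used for NAT traversal (RFC 3948) carries ESP, protocol 50; AH, protocol 51, is not encapsulated this way and does not survive address translation. Since these lines are being rewritten, change the parenthetical to "(protocol 50)" or say "ESP packets".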
@@ -69,10 +69,10 @@
way that I connect to the HP Intranet and it works flawlessly without
anything in Shorewall other than my ACCEPT loc->net policy. NAT
traversal is available as a patch for Windows 2K and is a standard feature
- of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
+ of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN"
pulldown.
- Alternatively, if you have an IPSEC gateway behind your firewall
+ Alternatively, if you have an IPsec gateway behind your firewall
then you can try the following: only one system may connect to the remote
gateway and there are firewall configuration requirements as
follows:
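Review bot: the change from "L2TP IPSec VPN" to "L2TP IPsec VPN" edits a string that the text quotes as the literal entry in the Windows "Type of VPN" pulldown. A quoted UI label should match what the dialog displays rather than the project's preferred spelling, so check the on-screen text and leave this occurrence out of the rename if it is "IPSec" there.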
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml
index ab465783d..69ab7aa66 100644
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -508,7 +508,7 @@ rc-update add bridge boot
packet arrived on and/or the bridge port that a packet will be sent over.
The latter has proved to be problematic because it requires that the
evaluation of rules be deferred until the destination bridge port is
- known. This deferral has the unfortunate side effect that it makes IPSEC
+ known. This deferral has the unfortunate side effect that it makes IPsec
Netfilter filtration incompatible with bridges. To work around this
problem, in kernel version 2.6.20 the Netfilter developers decided to
remove the deferred processing in two cases:
diff --git a/docs/ports.xml b/docs/ports.xml
index 03890e9d7..0bf817eb7 100644
--- a/docs/ports.xml
+++ b/docs/ports.xml
@@ -242,7 +242,7 @@ IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.
- IPSEC
+ IPsec#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <source> <destination> 50
@@ -252,8 +252,8 @@ ACCEPT <destination><source><destination><source> 51
ACCEPT <destination><source> udp 500
- Lots more information here and here.
+ Lots more information here and
+ here.
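Review bot: this hunk only re-wraps "here and here." onto two lines and contains no IPSEC to IPsec change, so it is unrelated to the purpose of the patch. Drop it, or move it to a separate whitespace-only commit, so the rename stays easy to review.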
diff --git a/docs/shorewall_features.xml b/docs/shorewall_features.xml
index fa038b632..98c110721 100644
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -176,7 +176,7 @@
- IPSEC, GRE,
+ IPsec, GRE,
IPIP and OpenVPN Tunnels.
diff --git a/docs/support.xml b/docs/support.xml
index 4192c4379..4bacb3dba 100644
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -277,7 +277,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)
- If your problem has anything to do with IPSEC, be sure that
+ If your problem has anything to do with IPsec, be sure that
the ipsec-tools package is installed.