Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -904,7 +904,6 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
-	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -5280,7 +5279,6 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
-    update_default( 'BALANCE_PROVIDERS', 'Yes' );
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
     update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
@@ -6288,9 +6286,6 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
-    default_yes_no 'BALANCE_PROVIDERS'          , 'Yes';
-
-    $config{BALANCE_PROVIDERS} = '' unless $config{USE_DEFAULT_RT};
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );

Shorewall/Perl/Shorewall/Providers.pm

@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -616,26 +616,8 @@ sub process_a_provider( $ ) {
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
 	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
 	$mark = $globals{TPROXY_MARK};
-    } elsif ( ! $pseudo && ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) ) {
-	if ( $config{USE_DEFAULT_RT} ) {
-	    if ( $rf ) {
-		fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-	    } else {
-		fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-	    }
-	} else {
-	    unless ( $balance ) {
-		if ( $rf ) {
-		    fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
-		} else {
-		    fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
-		}
-	    }
-	}
     }
 
-
-
     my $val = 0;
     my $pref;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -1275,7 +1275,6 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
-		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/Perl/lib.runtime

@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=

Shorewall/Samples/Universal/shorewall.conf

@@ -140,8 +140,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/one-interface/shorewall.conf

@@ -151,8 +151,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -148,8 +148,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -151,8 +151,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/configfiles/shorewall.conf

@@ -140,8 +140,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall/manpages/shorewall-interfaces.xml

@@ -762,13 +762,6 @@ loc     eth2            -</programlisting>
                     </listitem>
                   </itemizedlist>
                 </note>
-
-                <para>Beginning with Shorewall 5.1.1, when
-                <option>routefilter</option> is set to a non-zero value, the
-                <option>logmartians</option> option is also implicitly set. If
-                you actually want route filtering without logging, then you
-                must also specify <option>logmartians=0</option> after
-                <option>routefilter</option>.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -443,23 +443,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
-          determines whether the <option>balance</option> provider option (see
-          <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
-          the default. When BALANCE_PROVIDERS=Yes (the default), then the
-          <option>balance</option> option is assumed unless the
-          <option>fallback</option>, <option>loose</option>,
-          <option>load</option> or <option>tproxy</option> option is
-          specified.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2848,12 +2831,8 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>If running Shorewall 5.1.0 or earlier or if
-              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
-              <emphasis role="bold">balance</emphasis> provider option is
-              assumed unless the <option>fallback</option>,
-              <option>loose</option>, <option>load</option> or
-              <option>tproxy</option> option is specified.</para>
+              <para><emphasis role="bold">balance</emphasis> is assumed unless
+              <emphasis role="bold">loose</emphasis> is specified.</para>
             </listitem>
 
             <listitem>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -133,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -134,8 +134,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -133,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -133,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/configfiles/shorewall6.conf

@@ -133,8 +133,6 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
-BALANCE_PROVIDERS=No
-
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/manpages/shorewall6.conf.xml

@@ -374,23 +374,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
-          determines whether the <option>balance</option> provider option (see
-          <ulink
-          url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
-          the default. When BALANCE_PROVIDERS=Yes (the default), then the
-          <option>balance</option> option is assumed unless the
-          <option>fallback</option>, <option>loose</option>,
-          <option>load</option> or <option>tproxy</option> option is
-          specified.</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2492,12 +2475,8 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>If running Shorewall 5.1.0 or earlier or if
-              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
-              <emphasis role="bold">balance</emphasis> provider option is
-              assumed unless the <option>fallback</option>,
-              <option>loose</option>, <option>load</option> or
-              <option>tproxy</option> option is specified.</para>
+              <para><emphasis role="bold">balance</emphasis> is assumed unless
+              <emphasis role="bold">loose</emphasis> is specified.</para>
             </listitem>
 
             <listitem>

docs/IPSEC-2.6.xml

@@ -106,10 +106,10 @@
     traffic that is to be encrypted according to the contents of the SPD
     requires an appropriate SA to exist. SAs may be created manually using
     <command>setkey</command>(8) but most often, they are created by a
-    cooperative process involving the ISAKMP protocol and a daemon included in
-    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
-    Incoming traffic is verified against the SPD to ensure that no unencrypted
-    traffic is accepted in violation of the administrator's policies.</para>
+    cooperative process involving the ISAKMP protocol and daemons such
+    as<command> racoon</command> or <command>isakmpd</command>. Incoming
+    traffic is verified against the SPD to ensure that no unencrypted traffic
+    is accepted in violation of the administrator's policies.</para>
 
     <para>There are three ways in which IPsec traffic can interact with
     Shorewall policies and rules:</para>
@@ -225,11 +225,18 @@
     of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
     security policies that select which traffic to encrypt/decrypt.</para>
 
-    <important>
-      <para>This article provides guidance regarding configuring Shorewall to
-      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
-      product's documentation.</para>
-    </important>
+    <para>This article assumes the use of ipsec-tools (<ulink
+    url="http://ipsec-tools.sourceforge.net">http://ipsec-tools.sourceforge.net</ulink>).
+    As of this writing, I recommend that you run at least version 0.5.2.
+    Debian users, please note that there are separate Debian packages for
+    ipsec-tools and racoon although the ipsec-tools project releases them as a
+    single package.</para>
+
+    <para>For more information on IPsec, Kernel 2.6 and Shorewall see <ulink
+    url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
+    2005</ulink>. Be warned though that the presentation is based on Shorewall
+    2.2 and there are some differences in the details of how IPsec is
+    configured.</para>
   </section>
 
   <section id="GwFw">
@@ -353,25 +360,155 @@ $FW              vpn             ACCEPT</programlisting>
 ACCEPT     vpn:134.28.54.2  $FW</programlisting>
     </blockquote>
 
-    <warning>
-      <para>If you have hosts that access the Internet through an IPsec
-      tunnel, then it is a good idea to set the MSS value for traffic from
-      those hosts explicitly in the <filename>/etc/shorewall/zones</filename>
-      file. For example, if hosts in the <emphasis role="bold">vpn</emphasis>
-      zone access the Internet through an ESP tunnel then the following entry
-      would be appropriate:</para>
+    <para>Note that your Security Policies must also be set up to send traffic
+    between 134.28.54.2 and 206.162.148.9 through the tunnel (see
+    below).</para>
 
-      <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+    <para>Once you have these entries in place, restart Shorewall (type
+    shorewall restart); you are now ready to configure IPsec.</para>
+
+    <para>For full encrypted connectivity in this configuration (between the
+    subnets, between each subnet and the opposite gateway, and between the
+    gateways), you will need eight policies in
+    <filename>/etc/racoon/setkey.conf</filename>. For example, on gateway
+    A:</para>
+
+    <blockquote>
+      <programlisting># First of all flush the SPD and SAD databases
+spdflush;
+flush;
+
+# Add some SPD rules
+
+spdadd 192.168.1.0/24   10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 192.168.1.0/24   134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 206.162.148.9/32 134.28.54.2/32   any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 206.162.148.9/32 10.0.0.0/8       any -P out ipsec esp/tunnel/206.162.148.9-134.28.54.2/require;
+spdadd 10.0.0.0/8       192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 10.0.0.0/8       206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 134.28.54.2/32   192.168.1.0/24   any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;
+spdadd 134.28.54.2/32   206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2-206.162.148.9/require;</programlisting>
+    </blockquote>
+
+    <para>The <filename>setkey.conf</filename> file on gateway B would be
+    similar.</para>
+
+    <para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
+    X.509 certificates might look like:</para>
+
+    <blockquote>
+      <programlisting>path certificates "/etc/certs" ;
+
+listen 
+{
+        isakmp 206.162.148.9;
+}
+
+remote 134.28.54.2
+{
+        exchange_mode main ;
+        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+        verify_cert on;
+        my_identifier asn1dn ;
+        peers_identifier asn1dn ;
+        verify_identifier on ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish;
+                hash_algorithm sha1;
+                authentication_method rsasig ;
+                dh_group 2 ;
+        }
+}
+
+sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+
+sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}</programlisting>
+
+      <warning>
+        <para>If you have hosts that access the Internet through an IPsec
+        tunnel, then it is a good idea to set the MSS value for traffic from
+        those hosts explicitly in the
+        <filename>/etc/shorewall/zones</filename> file. For example, if hosts
+        in the <emphasis role="bold">vpn</emphasis> zone access the Internet
+        through an ESP tunnel then the following entry would be
+        appropriate:</para>
+
+        <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
-      <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
-      both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
+        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
+        that both the SYN and SYN,ACK packets have their MSS field
+        adjusted.</para>
 
-      <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
-      isn't effective with the 2.6 native IPsec implementation because there
-      is no separate IPsec device with a lower mtu as there was under the 2.4
-      and earlier kernels.</para>
-    </warning>
+        <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
+        isn't effective with the 2.6 native IPsec implementation because there
+        is no separate IPsec device with a lower mtu as there was under the
+        2.4 and earlier kernels.</para>
+      </warning>
+    </blockquote>
+  </section>
+
+  <section>
+    <title>IPCOMP and IPSEC</title>
+
+    <para>IPSEC can be configured to perform data compression. This is
+    accomplished by compressing the original IP packet, then encapsulating it
+    in an ipcomp (protocol 108) packet. That packet is then encrypted and
+    encapsulated within an ESP packet. Because of the extra protocol header
+    required for compression, short IP packets (such as default ping packets)
+    are not compressed. The Linux IP stack handles these uncompressed packets
+    by creating an IPIP (protocol 4) SA. As a consequence, IPIP packets from
+    the remote gateway must be handled in Shorewall. The easiest way to
+    accomplish this is to add an ACCEPT rule for protocol 4 from the IPSEC vpn
+    zone to the $FW zone:</para>
+
+    <blockquote>
+      <programlisting>#ACTION         SOURCE         DEST       PROTO       DPORT ...
+ACCEPT          vpn            $FW        4</programlisting>
+    </blockquote>
+
+    <para>Note that the source IP address is these IPIP packets is that of the
+    remote peer, so the definition of the ipsec zone in <ulink
+    url="manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5) must
+    include the peer.</para>
+
+    <para>Finally, when IPCOMP is used, it is recommended that the OPTIONS
+    column of the ipsec zone's entry in <ulink
+    url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) be left
+    empty.</para>
   </section>
 
   <section id="RoadWarrior">
@@ -449,7 +586,116 @@ ipsec         net         206.162.148.9       vpn</programlisting>
         <programlisting>#ZONE             HOSTS                  OPTIONS
 vpn               eth0:0.0.0.0/0</programlisting>
       </blockquote>
+
+      <para>On system A, here are the IPsec files:</para>
+
+      <blockquote>
+        <para><filename>/etc/racoon/racoon.conf</filename> - System A:</para>
+
+        <programlisting>path certificate "/etc/certs" ;
+ 
+listen
+{
+        isakmp 206.162.148.9;
+}
+ 
+remote <emphasis role="bold">anonymous</emphasis>
+{
+        exchange_mode main ;
+        <emphasis role="bold">generate_policy on</emphasis> ;
+        <emphasis role="bold">passive on</emphasis> ;
+        certificate_type x509 "GatewayA.pem" "GatewayA_key.pem" ;
+        verify_cert on;
+        my_identifier asn1dn ;
+        peers_identifier asn1dn ;
+        verify_identifier on ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish ;
+                hash_algorithm sha1;
+                authentication_method rsasig ;
+                dh_group 2 ;
+        }
+}
+ 
+sainfo <emphasis role="bold">anonymous</emphasis>
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}</programlisting>
+
+        <para><filename>/etc/racoon/setkey.conf</filename> - System A:</para>
+
+        <programlisting>flush;
+spdflush;</programlisting>
+      </blockquote>
+
+      <para>If system A is running kernel 2.6.10 or later then it must also be
+      running ipsec-tools (racoon) 0.5rc1 or later.</para>
+
+      <para>On the mobile system (system B), it is not possible to create a
+      static IPsec configuration because the IP address of the laptop's
+      Internet connection isn't static. I have created an 'ipsecvpn' script
+      and included in the tarball and in the RPM's documentation directory;
+      this script can be used to start and stop the connection.</para>
+
+      <para>The ipsecvpn script has some variable assignments at the top -- in
+      the above case, these would be as follows:</para>
+
+      <blockquote>
+        <programlisting>#
+# External Interface
+#
+INTERFACE=eth0
+#
+# Remote IPsec Gateway
+#
+GATEWAY=206.162.148.9
+#
+# Networks behind the remote gateway
+#
+NETWORKS="192.168.1.0/24"
+#
+# Directory where X.509 certificates are stored.
+#
+CERTS=/etc/certs
+#
+# Certificate to be used for this connection. The cert
+# directory must contain:
+#
+#     ${CERT}.pem     - the certificate
+#     ${CERT}_key.pem - the certificates's key
+#
+CERT=roadwarrior
+#
+#     The setkey binary
+#
+SETKEY=/usr/sbin/setkey
+#
+#     The racoon binary
+#
+RACOON=/usr/sbin/racoon</programlisting>
+      </blockquote>
+
+      <para>The ipsecvpn script can be installed in /etc/init.d/ but it is
+      probably best installed in /usr/local/sbin and run manually:</para>
+
+      <blockquote>
+        <para><command>ipsecvpn start </command># Starts the tunnel</para>
+
+        <para><command>ipsecvpn stop</command> # Stops the tunnel</para>
+      </blockquote>
     </example>
+
+    <warning>
+      <para>Although the ipsecvpn script allows you to specify multiple remote
+      NETWORKS as a space-separated list, SAs are created on the gateway only
+      during ISAKMP negotiation. So in practice, only the first remote network
+      accessed will be accessible from the roadwarrior.</para>
+    </warning>
   </section>
 
   <section id="RW-L2TP">
@@ -607,7 +853,62 @@ HTTPS(ACCEPT)   l2tp    $FW</programlisting>
     hosts in that network. In that case, IPsec transport mode is an
     appropriate solution.</para>
 
-    <para><graphic fileref="images/TransportMode.png"/></para>
+    <para><graphic fileref="images/TransportMode.png"/>Here's an example using
+    the ipsec-tools package. The files shown are from host 192.168.20.10; the
+    configuration of the other nodes is similar.</para>
+
+    <blockquote>
+      <para><filename>/etc/racoon/racoon.conf</filename>:</para>
+
+      <programlisting>path pre_shared_key "/etc/racoon/psk.txt" ;
+
+remote anonymous
+{
+        exchange_mode main ;
+        my_identifier address ;
+        lifetime time 24 hour ;
+        proposal {
+                encryption_algorithm blowfish ;
+                hash_algorithm sha1;
+                authentication_method pre_shared_key ;
+                dh_group 2 ;
+        }
+}
+
+sainfo anonymous
+{
+        pfs_group 2;
+        lifetime time 12 hour ;
+        encryption_algorithm blowfish ;
+        authentication_algorithm hmac_sha1, hmac_md5 ;
+        compression_algorithm deflate ;
+}
+</programlisting>
+
+      <para><filename>/etc/racoon/setkey.conf</filename>:</para>
+
+      <programlisting># First of all flush the SPD database
+spdflush;
+
+# Add some SPD rules
+
+spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require;
+spdadd 192.168.20.20/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.20-192.168.20.10/require;
+spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require;
+spdadd 192.168.20.30/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.30-192.168.20.10/require;
+spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require;
+spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.20.40-192.168.20.10/require;
+</programlisting>
+
+      <para><filename>/etc/racoon/psk.txt</filename>:</para>
+
+      <programlisting>192.168.20.20             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.20&gt;
+192.168.20.30             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.30&gt;
+192.168.20.40             &lt;key for 192.168.20.10&lt;-&gt;192.168.20.40&gt;</programlisting>
+
+      <para>Note that the <emphasis role="bold">same key</emphasis>must be
+      used in both directions.</para>
+    </blockquote>
 
     <para>Shorewall configuration goes as follows:</para>
 
@@ -672,13 +973,75 @@ all             all             REJECT          info</programlisting>
 ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
     above assumes that the name of your IPsec vpn zone is
     <emphasis>vpn</emphasis>.</para>
+  </section>
 
-    <important>
-      <para>Note that this protocol 4 (IPIP) traffic appears to originate in
-      the vpn zone, but it's source IP address is that of the remote gateway.
-      As a consequence, that address must be included in the definition of the
-      remote zone. If you haven't done that, the traffic will be dropped in
-      the INPUT chain.</para>
-    </important>
+  <section id="XP">
+    <title>IPsec and <trademark>Windows</trademark> XP</title>
+
+    <para>I have successfully configured my work laptop to use IPsec with
+    X.509 certificates for wireless IP communication when it is undocked at
+    home. I looked at dozens of sites and the one I found most helpful was
+    <ulink
+    url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
+    The instructions on that site are directed to students at UCLA but they
+    worked fine for me (once I followed them very carefully).</para>
+
+    <warning>
+      <para>The instructions found on the UCLA site are complex and do not
+      include any information on the generation of X.509 certificates. There
+      are lots of sites however that can tell you how to generate
+      certificates, including <ulink
+      url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
+
+      <para>One piece of information that may not be so easy to find is "How
+      do I generate a PKCS#12 certificate to import into Windows?". Here's the
+      openssl command that I used:</para>
+
+      <programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPsec Cert for Home Wireless"</command> </programlisting>
+
+      <para>I was prompted for a password to associate with the certificate.
+      This password is entered on the Windows system during import.</para>
+
+      <para>In the above command:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><filename>eastepnc6000.pem</filename> was the laptop's
+          certificate in PEM format.</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>eastepnc6000_key.pem</filename> was the laptop's
+          private key (actually, it's the original signing request which
+          includes the private key).</para>
+        </listitem>
+
+        <listitem>
+          <para><filename>eastepnc6000.pfx</filename> is the PKCS#12 output
+          file.</para>
+        </listitem>
+
+        <listitem>
+          <para>"IPsec Cert for Home Wireless" is the friendly name for the
+          certificate.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>I started to write an article about how to do this, complete with
+      graphics captured from my laptop. I gave up. I had captured 12 images
+      and hadn't really started yet. The Windows interface for configuring
+      IPsec is the worst GUI that I have ever used. What can be displayed on
+      one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
+      different dialog boxes on Windows XP!!!</para>
+    </warning>
+  </section>
+
+  <section id="More">
+    <title>Source of Additional Samples</title>
+
+    <para>Be sure to check out the <filename
+    class="directory">src/racoon/samples</filename> subdirectory in the
+    ipsec-tools source tree. It has a wide variety of sample racoon
+    configuration files.</para>
   </section>
 </article>

docs/MultiISP.xml

@@ -484,18 +484,6 @@ fi</programlisting>
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
-
-                  <para>Prior to Shorewall 5.1.1, <emphasis
-                  role="bold">balance=1</emphasis> is the default when
-                  USE_DEFAULT_RT=Yes and neither the
-                  <option>fallback</option>, <option>loose</option>,
-                  <option>load</option> or <option>tproxy</option> option is
-                  specified. Beginning with Shorewall 5.1.1, <emphasis
-                  role="bold">balance=1</emphasis> is the default when both
-                  USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
-                  <option>fallback</option>, <option>loose</option>,
-                  <option>load</option> nor <option>tproxy</option> option is
-                  specified.</para>
                 </listitem>
               </varlistentry>