#
# Shorewall 2.0 - /etc/shorewall/tunnels
#
#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
#	IPIP, GRE and OPENVPN tunnels must be configured on the
#	firewall/gateway itself. IPSEC endpoints may be defined
#	on the firewall/gateway or on an internal system.
#
#	The columns are:
#
#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat", "ipip",
#			"gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
#			"generic"
#
#			If the type is "ipsec" or "ipsecnat", it may be followed
#			by ":noah" to indicate that the Authentication Header
#			protocol (51) is not used by the tunnel.
#
#			If the type is "openvpn", it may optionally be followed
#			by ":" and the port number used by the tunnel. If no
#			":" and port number are included, then the default port
#			of 5000 will be used.
#
#			If the type is "generic", it must be followed by ":" and
#			a protocol name (from /etc/protocols) or a protocol
#			number. If the protocol is "tcp" or "udp" (6 or 17),
#			then it may optionally be followed by ":" and a
#			port number.
#
#	ZONE	    --	The zone of the physical interface through which
#			tunnel traffic passes. This is normally your internet
#			zone.
#
#	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
#			remote gateway has no fixed address (Road Warrior)
#			then specify the gateway as 0.0.0.0/0.
#
#	GATEWAY
#	ZONES --	Optional. If the gateway system specified in the third
#			column is a standalone host then this column should
#			contain a comma-separated list of the names of the
#			zones that the host might be in. This column only
#			applies to IPSEC and generic tunnels.
#
#		Example 1:
#
#			IPSEC tunnel. The remote gateway is 4.33.99.124 and
#			the remote subnet is 192.168.9.0/24. The tunnel does
#			not use the AH protocol.
#
#			ipsec:noah	net	4.33.99.124
#
#		Example 2:
#
#			Road Warrior (laptop that may connect from anywhere)
#			where the "gw" zone is used to represent the remote
#			laptop.
#
#			ipsec	net	0.0.0.0/0	gw
#
#		Example 3:
#
#			Host 4.33.99.124 is a standalone system connected
#			via an IPSEC tunnel to the firewall system. The host
#			is in zone gw.
#
#			ipsec	net	4.33.99.124	gw
#
#		Example 4:
#
#			Road Warriors that may belong to zones vpn1, vpn2 or
#			vpn3. The FreeS/WAN _updown script will add the
#			host to the appropriate zone using the "shorewall add"
#			command on connect and will remove the host from the
#			zone at disconnect time.
#
#			ipsec	net	0.0.0.0/0	vpn1,vpn2,vpn3
#
#		Example 5:
#
#			You run the Linux PPTP client on your firewall and
#			connect to server 192.0.2.221.
#
#			pptpclient	net	192.0.2.221
#
#		Example 6:
#
#			You run a PPTP server on your firewall.
#
#			pptpserver	net
#
#		Example 7:
#
#			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
#			OpenVPN uses port 7777.
#
#			openvpn:7777	net	4.33.99.124
#
#		Example 8:
#
#			You have a tunnel that is not one of the supported types.
#			Your tunnel uses UDP port 4444. The other end of the
#			tunnel is 4.3.99.124.
#
#			generic:udp:4444	net	4.3.99.124
#
# TYPE			ZONE	GATEWAY		GATEWAY
#						ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
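#
# Added example, not part of the Shorewall distribution: a Python check of
# tunnels entries against the column rules documented above, which also flags
# entries whose GATEWAY is 0.0.0.0/0 (any remote address). parse_tunnel, _port
# and the dictionary keys are hypothetical names; protocol names are not looked
# up in /etc/protocols, and reporting a GATEWAY ZONES value on other tunnel
# types as a warning is this example's choice.

```python
import ipaddress

# Tunnel types listed in the TYPE column description above.
TYPES = {"ipsec", "ipsecnat", "ipip", "gre", "6to4", "pptpclient",
         "pptpserver", "openvpn", "generic"}

def _port(text):  # hypothetical helper: valid port number or ValueError
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def parse_tunnel(line):
    """Parse one tunnels entry (hypothetical helper); ValueError on a broken rule."""
    if not line or line[0].isspace():
        raise ValueError("TYPE must start in column 1")
    fields = line.split("#", 1)[0].split()
    if not 2 <= len(fields) <= 4:
        raise ValueError("expected TYPE ZONE [GATEWAY [GATEWAY ZONES]]")
    kind, *opts = fields[0].split(":")
    if kind not in TYPES:
        raise ValueError(f"unknown tunnel type {kind!r}")
    entry = {"type": kind, "zone": fields[1], "ah": None, "proto": None,
             "port": None, "gateway": None, "any_source": False,
             "warnings": []}
    if kind in ("ipsec", "ipsecnat"):
        if opts not in ([], ["noah"]):
            raise ValueError("ipsec types accept only ':noah'")
        entry["ah"] = not opts          # AH (protocol 51) in use unless :noah
    elif kind == "openvpn":
        if len(opts) > 1:
            raise ValueError("openvpn accepts only ':port'")
        entry["port"] = _port(opts[0]) if opts else 5000   # documented default
    elif kind == "generic":
        if not 1 <= len(opts) <= 2 or not opts[0]:
            raise ValueError("generic requires ':protocol'")
        entry["proto"] = opts[0]
        if len(opts) == 2:
            if opts[0] not in ("tcp", "udp", "6", "17"):
                raise ValueError("a port is only valid with tcp or udp")
            entry["port"] = _port(opts[1])
    elif opts:
        raise ValueError(f"{kind} takes no ':' options")
    if len(fields) >= 3:
        net = ipaddress.ip_network(fields[2], strict=False)  # ValueError if malformed
        entry["gateway"] = str(net)
        entry["any_source"] = net.prefixlen == 0   # road warrior: 0.0.0.0/0
    entry["gateway_zones"] = fields[3].split(",") if len(fields) == 4 else []
    if entry["gateway_zones"] and kind not in ("ipsec", "ipsecnat", "generic"):
        entry["warnings"].append("GATEWAY ZONES applies only to ipsec and generic")
    return entry
```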