<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article id="VPN"> <!--$Id$--> <articleinfo> <title>VPN</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate>2004-10-27</pubdate> <copyright> <year>2002</year> <year>2004</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <section> <title>Virtual Private Networking (VPN)</title> <para>It is often the case that a system behind the firewall needs to access a remote network through Virtual Private Networking (VPN). The two most common means of doing this are IPSEC and PPTP. The basic setup is shown in the following diagram:</para> <graphic fileref="images/VPN.png" /> <para>A system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224.</para> <para>If PPTP is being used, there are no firewall requirements beyond the default loc->net ACCEPT policy: the client opens both the control connection (TCP port 1723) and the GRE tunnel (IP protocol 47) outbound to the gateway, and the reply traffic is admitted by connection tracking. 
There is one restriction, however: only one local system at a time can be connected to a given remote gateway. GRE carries no port numbers, so the kernel's generic connection tracking cannot tell two local clients of the same gateway apart. Lifting that limit requires the PPTP connection-tracking and NAT helper (ip_conntrack_pptp and ip_nat_pptp) from the <quote>Patch-o-matic</quote> patches available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para> <para>If IPSEC is being used, the same one-client limit applies for the same reason: ESP (IP protocol 50) carries no port numbers, so packets arriving from the remote gateway can only be DNATed to a single local system, and the IKE negotiation (UDP port 500) must be steered to that same host. The required rules are as follows:</para> <table> <title>/etc/shorewall/rules</title> <tgroup cols="7"> <thead> <row> <entry align="center">ACTION</entry> <entry align="center">SOURCE</entry> <entry align="center">DEST</entry> <entry align="center">PROTO</entry> <entry align="center">DEST PORT(S)</entry> <entry align="center">SOURCE PORT(S)</entry> <entry align="center">ORIGINAL DEST</entry> </row> </thead> <tbody> <row> <entry>DNAT</entry> <entry>net:192.0.2.224</entry> <entry>loc:192.168.1.12</entry> <entry>50</entry> <entry></entry> <entry></entry> <entry></entry> </row> <row> <entry>DNAT</entry> <entry>net:192.0.2.224</entry> <entry>loc:192.168.1.12</entry> <entry>udp</entry> <entry>500</entry> <entry></entry> <entry></entry> </row> </tbody> </tgroup> </table> <para>If you want all of your local systems to have access to the remote network, consider running the VPN client on the firewall itself instead. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink> or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para> <para>Alternatively, configure IPSEC to use <firstterm>NAT Traversal</firstterm> (NAT-T). Under NAT traversal the ESP packets (protocol 50) are encapsulated in UDP packets with destination port 4500, and IKE, which starts on UDP port 500, moves to port 4500 as well once the peers detect a NAT between them. AH (protocol 51) cannot be used through a NAT at all, because it authenticates the very IP header that the NAT rewrites. Since every flow is now UDP and is initiated from the inside, each local client gets its own port mapping on the firewall, so several local systems can use the same remote gateway at once and no DNAT rules are needed. Additionally, <firstterm>keep-alive messages</firstterm> (a one-byte UDP datagram) are sent frequently so that NATing gateways between the end-points will retain their connection-tracking entries. 
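The DNAT rules from the /etc/shorewall/rules table above, expressed as the raw iptables commands they correspond to, together with a check for the one-client-per-gateway restriction described there. This is an added example, not Shorewall code or Shorewall output: Shorewall generates per-zone chains, whereas the flat PREROUTING/FORWARD rules, the hypothetical helper names and the constructed rules text below are assumptions of this example.

```python
"""Translate the two-line IPSEC passthrough rule set into iptables commands
and check the restriction the text describes: DNAT of a portless protocol
such as ESP can only be pointed at one inside host per remote gateway.
Added illustration, not Shorewall code; the flat rule layout is an
assumption for this example."""

# Constructed rules in the column order of the table above:
# ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
RULES = """
DNAT net:192.0.2.224 loc:192.168.1.12 50
DNAT net:192.0.2.224 loc:192.168.1.12 udp 500
"""

# Protocols that carry no port numbers, so conntrack/NAT can only match on
# addresses and protocol: IP protocol 50 is ESP, 51 is AH, 47 is GRE (PPTP).
PORTLESS = {"50", "esp", "51", "ah", "47", "gre"}

def parse_rules(text):
    """Return a list of dicts, one per non-empty, non-comment rule line."""
    parsed = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        fields = fields + [""] * (7 - len(fields))   # pad optional columns
        action, src, dst, proto, dport, sport, odest = fields[:7]
        parsed.append({"action": action, "src": src, "dst": dst,
                       "proto": proto.lower(), "dport": dport,
                       "sport": sport, "odest": odest})
    return parsed

def strip_zone(spec):
    """'net:192.0.2.224' becomes '192.0.2.224'; a bare zone means any address."""
    if ":" in spec:
        return spec.split(":", 1)[1]
    return ""

def to_iptables(rule):
    """Raw netfilter equivalent of one DNAT rule: the nat-table rewrite plus
    the filter-table ACCEPT that Shorewall adds implicitly for DNAT."""
    src = strip_zone(rule["src"])
    dst = strip_zone(rule["dst"])
    match = "-s %s -p %s" % (src, rule["proto"])
    if rule["dport"]:
        match += " --dport %s" % rule["dport"]
    if rule["sport"]:
        match += " --sport %s" % rule["sport"]
    nat = "iptables -t nat -A PREROUTING %s -j DNAT --to-destination %s" % (match, dst)
    fwd = "iptables -A FORWARD %s -d %s -j ACCEPT" % (match, dst)
    return [nat, fwd]

def find_conflicts(rules):
    """(source, proto) pairs that DNAT a portless protocol to more than one
    inside host. The second client cannot be distinguished from the first,
    which is why the text allows only one local IPSEC client per gateway."""
    targets = {}
    for r in rules:
        if r["action"] != "DNAT" or r["proto"] not in PORTLESS:
            continue
        key = (r["src"], r["proto"])
        targets.setdefault(key, set()).add(strip_zone(r["dst"]))
    return {k: sorted(v) for k, v in targets.items() if len(v) != 1}

if __name__ == "__main__":
    for r in parse_rules(RULES):
        print("\n".join(to_iptables(r)))
    print("conflicts:", find_conflicts(parse_rules(RULES)))
```

Adding a third line that DNATs protocol 50 from the same gateway to 192.168.1.13 makes find_conflicts report the pair; a udp rule for a second client on a different destination port would not, because UDP flows are distinguishable by port.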
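The UDP port 4500 framing that NAT traversal uses, as an added example that is not part of the original page: a small classifier that tells the one-byte keep-alive, IKE behind the Non-ESP marker, and UDP-encapsulated ESP apart, following RFC 3948, run over packets constructed inline for this example (the SPI, exchange type and payload bytes are made up).

```python
"""Classify datagrams arriving on UDP port 4500 the way a NAT-T aware peer
or firewall helper does (RFC 3948 framing). Added illustration with
constructed packets; it is not part of the original page."""
import struct

KEEPALIVE = b"\xff"            # RFC 3948 2.3: a single 0xFF byte
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948 2.2: four zero bytes precede IKE

def classify(payload):
    """Describe one UDP/4500 payload as a dict.

    A zero SPI is reserved and never used by ESP, so four leading zero bytes
    can only be the Non-ESP marker; anything else of at least 8 bytes is
    treated as ESP-in-UDP (SPI followed by sequence number).
    """
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) >= 28:
            # IKE header: I-SPI, R-SPI, next payload, version, exchange,
            # flags, message ID, total length
            i_spi, r_spi, next_p, ver, exch, flags, msg_id, length = \
                struct.unpack("!QQBBBBII", ike[:28])
            return {"kind": "ike", "initiator_spi": i_spi,
                    "version": (ver // 16, ver % 16), "exchange": exch,
                    "message_id": msg_id, "length_ok": len(ike) == length}
        return {"kind": "ike", "error": "short IKE header"}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}

def ike_sa_init(i_spi=0x1122334455667788, msg_id=0):
    """Constructed header-only IKEv2 IKE_SA_INIT as seen on port 4500:
    Non-ESP marker, version 2.0, exchange type 34, Initiator flag set."""
    hdr = struct.pack("!QQBBBBII", i_spi, 0, 33, 0x20, 34, 0x08, msg_id, 28)
    return NON_ESP_MARKER + hdr

def esp_in_udp(spi, seq, body=b""):
    """Constructed UDP-encapsulated ESP: the ESP header sits directly after
    the UDP header, with no marker in front of it."""
    return struct.pack("!II", spi, seq) + body

SAMPLES = {
    "keepalive": KEEPALIVE,
    "ike": ike_sa_init(),
    "esp": esp_in_udp(0xC0FFEE01, 7, b"\x11" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Note that the marker exists only on port 4500; on port 500 an IKE message starts directly with the IKE header, which is why a peer that moves to 4500 must keep the two ports apart. The keep-alive is what keeps a NAT's UDP mapping alive between data packets, so a firewall that drops one-byte datagrams as malformed will see tunnels stall.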
NAT traversal is how I connect to the HP Intranet, and it works flawlessly without anything in Shorewall other than my ACCEPT loc->net policy. NAT traversal is available as a patch for Windows 2K and is a standard feature of Windows XP: simply select <quote>L2TP IPSec VPN</quote> from the <quote>Type of VPN</quote> pulldown.</para> </section> </article>