<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="VPN">
  <!--$Id$-->

  <articleinfo>
    <title>VPN</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-10-27</pubdate>

    <copyright>
      <year>2002</year>

      <year>2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Virtual Private Networking (VPN)</title>

    <para>It is often the case that a system behind the firewall needs to be
    able to access a remote network through Virtual Private Networking (VPN).
    The two most common means for doing this are IPSEC and PPTP. The basic
    setup is shown in the following diagram:</para>

    <graphic fileref="images/VPN.png" />

    <para>A system with an RFC 1918 address needs to access a remote network
    through a remote gateway. For this example, we will assume that the local
    system has IP address 192.168.1.12 and that the remote gateway has IP
    address 192.0.2.224.</para>

    <para>If PPTP is being used, there are no firewall requirements beyond the
    default loc-&gt;net ACCEPT policy: the client opens a TCP connection to
    port 1723 on the remote gateway, and the tunnel traffic itself is carried
    in GRE (IP protocol 47). There is one restriction however. GRE has no port
    numbers, so a NATing firewall cannot tell apart the GRE traffic of two
    local clients that are talking to the same remote gateway; only one local
    system at a time can be connected to a single remote gateway unless you
    patch your kernel with the PPTP connection-tracking and NAT helper from
    the <quote>Patch-o-matic</quote> patches available at <ulink
    url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>

    <para>If IPSEC is being used then, again, only one system may connect to
    the remote gateway: the tunnel traffic is ESP (IP protocol 50), which has
    no port numbers, so inbound ESP from the remote gateway can only be
    forwarded to a single local system, and the IKE key exchange (UDP port
    500) from the remote gateway must reach that same system. Note that AH
    (IP protocol 51) cannot be used through a NATing firewall at all, since
    it authenticates the IP header that the firewall rewrites; the tunnel must
    use ESP. The firewall configuration requirements are as follows:</para>

    <table>
      <title>/etc/shorewall/rules</title>

      <tgroup cols="7">
        <thead>
          <row>
            <entry align="center">ACTION</entry>

            <entry align="center">SOURCE</entry>

            <entry align="center">DESTINATION</entry>

            <entry align="center">PROTOCOL</entry>

            <entry align="center">PORT</entry>

            <entry align="center">CLIENT PORT</entry>

            <entry align="center">ORIGINAL DEST</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>DNAT</entry>

            <entry>net:192.0.2.224</entry>

            <entry>loc:192.168.1.12</entry>

            <entry>50</entry>

            <entry></entry>

            <entry></entry>

            <entry></entry>
          </row>

          <row>
            <entry>DNAT</entry>

            <entry>net:192.0.2.224</entry>

            <entry>loc:192.168.1.12</entry>

            <entry>udp</entry>

            <entry>500</entry>

            <entry></entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </table>
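    <para>Both restrictions have the same cause: the firewall's NAT keeps one
    connection-tracking entry per (protocol, addresses, ports) tuple, and
    neither GRE (PPTP) nor ESP (IPSEC) has port numbers, so two local clients
    talking to the same remote gateway produce identical reply tuples. The
    Python below is an added illustration, not Shorewall code or anything from
    the netfilter project; it models a masquerading firewall with an assumed
    external address of 203.0.113.1 and an assumed second local client
    192.168.1.13, and shows that a port-carrying protocol such as UDP (which
    NAT Traversal, discussed below, uses) has no such limit.</para>

```python
# Added example (not from the Shorewall documentation): a minimal model of
# the connection-tracking NAT a firewall performs, showing why GRE (PPTP)
# and ESP (IPsec) allow only one client per remote gateway while
# UDP-encapsulated traffic does not.  203.0.113.1 and 192.168.1.13 are
# assumed addresses; 192.168.1.12 and 192.0.2.224 come from the article.
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_GRE = 47   # PPTP tunnel traffic
IPPROTO_ESP = 50   # IPsec tunnel traffic

REMOTE_GATEWAY = "192.0.2.224"        # from the article
FIREWALL_EXTERNAL = "203.0.113.1"     # assumed public address of the firewall
CLIENT_A = "192.168.1.12"             # from the article
CLIENT_B = "192.168.1.13"             # assumed second local client


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports
    dport: Optional[int] = None


class NatGateway:
    """Masquerading firewall.  Outbound packets are rewritten to come from
    the external address; replies are matched by their full tuple and
    forwarded to the internal host that owns that tuple."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.reply_map: dict = {}   # reply tuple -> internal host

    def outbound(self, pkt: Packet) -> tuple:
        """Create a NAT mapping and return the reply tuple the gateway will
        later see, or raise if another host already owns that tuple."""
        if pkt.sport is None:
            # GRE and ESP carry no ports: every client talking to the same
            # remote gateway produces the identical reply tuple.
            reply = (pkt.proto, pkt.dst, self.external_ip, None, None)
            if reply in self.reply_map and self.reply_map[reply] != pkt.src:
                raise ValueError(
                    f"proto {pkt.proto} replies from {pkt.dst} already "
                    f"belong to {self.reply_map[reply]}")
        else:
            # Ports exist: keep the client's source port if it is free,
            # otherwise allocate another, so reply tuples stay distinct.
            ext_port = pkt.sport
            reply = (pkt.proto, pkt.dst, self.external_ip, pkt.dport, ext_port)
            while reply in self.reply_map and self.reply_map[reply] != pkt.src:
                ext_port += 1
                reply = (pkt.proto, pkt.dst, self.external_ip, pkt.dport, ext_port)
        self.reply_map[reply] = pkt.src
        return reply

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Internal host a packet arriving from the Internet is forwarded
        to, or None if no mapping exists."""
        return self.reply_map.get(
            (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))


def clients_supported(proto: int, sport: Optional[int] = None,
                      dport: Optional[int] = None) -> int:
    """How many of the two local clients can reach REMOTE_GATEWAY at once."""
    nat = NatGateway(FIREWALL_EXTERNAL)
    count = 0
    for client in (CLIENT_A, CLIENT_B):
        try:
            nat.outbound(Packet(proto, client, REMOTE_GATEWAY, sport, dport))
            count += 1
        except ValueError:
            break
    return count


def esp_reply_destination() -> Optional[str]:
    """After CLIENT_A starts an ESP tunnel, where do the gateway's ESP
    replies go?  The static DNAT rule in the table makes this forwarding
    explicit on the real firewall."""
    nat = NatGateway(FIREWALL_EXTERNAL)
    nat.outbound(Packet(IPPROTO_ESP, CLIENT_A, REMOTE_GATEWAY))
    return nat.inbound(Packet(IPPROTO_ESP, REMOTE_GATEWAY, FIREWALL_EXTERNAL))


if __name__ == "__main__":
    print("PPTP (GRE) clients:", clients_supported(IPPROTO_GRE))
    print("IPsec (ESP) clients:", clients_supported(IPPROTO_ESP))
    print("NAT-T (UDP 4500) clients:", clients_supported(IPPROTO_UDP, 4500, 4500))
    print("ESP replies forwarded to:", esp_reply_destination())
```

    <para>The PPTP helper mentioned above works around this for GRE by
    tracking the call ID carried in each GRE packet instead of relying on
    ports; ESP has no equivalent field in the clear, which is why the IPSEC
    case needs either a single client or NAT Traversal.</para>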

    <para>If you want to give all of your local systems access to the remote
    network, you should consider running a VPN client on your firewall. As
    starting points, see <ulink
    url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
    or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>

    <para>Alternatively, you can configure IPSEC to use <firstterm>NAT
    Traversal</firstterm> (NAT-T). Under NAT traversal the ESP packets
    (protocol 50) are encapsulated in UDP packets with destination port 4500,
    and the IKE exchange moves from UDP port 500 to UDP port 4500 as well, so
    everything the firewall sees is ordinary UDP traffic that it can NAT for
    any number of local systems. Additionally, <firstterm>keep-alive
    messages</firstterm> are sent periodically so that NATing gateways between
    the end-points will retain their connection-tracking entries. This is the
    way that I connect to the HP Intranet and it works flawlessly without
    anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
    traversal is available as a patch for Windows 2K and is a standard feature
    of Windows XP: simply select "L2TP IPSec VPN" from the "Type of VPN"
    pulldown.</para>
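    <para>The UDP port 4500 stream carries three kinds of datagram that share
    one port: NAT-keepalives, IKE messages and UDP-encapsulated ESP. The
    Python below, added here as an example and not part of the Shorewall
    documentation or of any IPSEC implementation, classifies and parses such
    datagrams using the encapsulation rules of RFC 3948. The sample datagrams
    are constructed inline and their SPI and cookie values are made up.</para>

```python
# Added example (not from the Shorewall documentation): classify and parse
# the datagrams that IPsec NAT Traversal sends to UDP port 4500, following
# RFC 3948.  Sample datagrams are constructed below; SPI and cookie values
# are invented.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"    # precedes an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                  # one-octet NAT-keepalive payload
ESP_HEADER = struct.Struct("!II")        # SPI, sequence number
IKE_HEADER = struct.Struct("!QQBBBBII")  # 28-byte ISAKMP/IKE header


def classify_nat_t_payload(payload: bytes) -> str:
    """Return 'keepalive', 'ike', 'esp' or 'invalid' for a UDP/4500 payload.

    A single 0xFF octet is a NAT-keepalive.  Otherwise the first four octets
    decide: an ESP SPI of zero is reserved, so four zero octets can only be
    the Non-ESP marker that precedes IKE, and anything else is ESP."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        # The marker must be followed by at least a full IKE header.
        return "ike" if len(payload) >= 4 + IKE_HEADER.size else "invalid"
    # ESP needs SPI and sequence number before any ciphertext.
    return "esp" if len(payload) >= ESP_HEADER.size else "invalid"


def parse_nat_t_payload(payload: bytes) -> dict:
    """Classify and pull out the fields a firewall or IDS would log."""
    kind = classify_nat_t_payload(payload)
    if kind == "esp":
        spi, seq = ESP_HEADER.unpack_from(payload)
        return {"kind": kind, "spi": spi, "seq": seq,
                "ciphertext_len": len(payload) - ESP_HEADER.size}
    if kind == "ike":
        (ispi, rspi, next_payload, version, exchange_type,
         flags, message_id, length) = IKE_HEADER.unpack_from(payload, 4)
        if length != len(payload) - len(NON_ESP_MARKER):
            # The IKE length field must cover exactly the message after the
            # marker; a mismatch means a truncated or forged datagram.
            return {"kind": "invalid", "reason": "IKE length mismatch"}
        return {"kind": kind, "initiator_spi": ispi, "responder_spi": rspi,
                "version": version, "exchange_type": exchange_type,
                "flags": flags, "message_id": message_id, "length": length}
    return {"kind": kind}


def build_udp_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """UDP-encapsulated ESP: the ESP packet follows the UDP header directly."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would look like the Non-ESP marker")
    return ESP_HEADER.pack(spi, seq) + ciphertext


def build_udp_ike(ispi: int, rspi: int, exchange_type: int, body: bytes,
                  version: int = 0x10) -> bytes:
    """IKE on UDP/4500: Non-ESP marker, then the IKE message.  Version 0x10
    is IKEv1, which the Windows L2TP/IPsec client speaks."""
    header = IKE_HEADER.pack(ispi, rspi, 1, version, exchange_type, 0, 0,
                             IKE_HEADER.size + len(body))
    return NON_ESP_MARKER + header + body


# Constructed sample datagrams, as a capture on UDP/4500 would show them.
SAMPLES = {
    "keepalive": NAT_KEEPALIVE,
    "esp": build_udp_esp(0x0c2a7f11, 5, b"\x9a" * 32),
    "ike_main_mode": build_udp_ike(0x1122334455667788, 0, 2, b"\x00" * 20),
    "truncated": b"\x00\x00\x00",
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(f"{name:14s} {parse_nat_t_payload(datagram)}")
```

    <para>The zero-SPI rule is what lets a single UDP port carry both IKE
    and ESP without any extra framing; a firewall that inspects port 4500
    traffic should apply the same four-octet test rather than assuming
    everything on that port is ESP.</para>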
  </section>
</article>