Generic Tunnels Tom Eastep 2001 2002 2003 Thomas M. Eastep 2003-08-09 Shorewall includes built-in support for a wide range of VPN solutions. If you have need for a tunnel type that does not have explicit support, you can generally describe the tunneling software using "generic tunnels"
Bridging two Masqueraded Networks Suppose that we have the following situation: We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall. Suppose that you have tunneling software that uses two different protocols: TCP port 1071 GRE (Protocol 47) The tunnel interface on system A is "tun0" and the tunnel interface on system B is also "tun0". On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called 'vpn' and declare it in /etc/shorewall/zones on both systems as follows. ZONE DISPLAY COMMENTS vpn VPN Remote Subnet On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces: ZONE INTERFACE BROADCAST OPTIONS vpn tun0 10.255.255.255 In /etc/shorewall/tunnels on system A, we need the following: TYPE ZONE GATEWAY GATEWAY ZONE generic:tcp:1071 net 134.28.54.2 generic:47 net 134.28.54.2 These entries in /etc/shorewall/tunnels, opens the firewall so that TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will be accepted to/from the remote gateway. ZONE INTERFACE BROADCAST OPTIONS vpn tun0 192.168.1.255 In /etc/shorewall/tunnels on system B, we have: TYPE ZONE GATEWAY GATEWAY ZONE generic:tcp:1071 net 206.191.148.9 generic:47 net 134.28.54.2 You will need to allow traffic between the "vpn" zone and the "loc" zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file: SOURCE DEST POLICY LOG LEVEL loc vpn ACCEPT vpn loc ACCEPT On both systems, restart Shorewall and start your VPN software on each system. The systems in the two masqueraded subnetworks can now talk to each other