<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="GenericTunnels">
  <!--$Id$-->

  <articleinfo>
    <title>Generic Tunnels</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2003-08-09</pubdate>

    <copyright>
      <year>2001</year>

      <year>2002</year>

      <year>2003</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>Shorewall includes built-in support for a wide range of VPN solutions.
  If you have need for a tunnel type that does not have explicit support, you
  can generally describe the tunneling software using <quote>generic tunnels</quote>.</para>

  <section>
    <title>Bridging two Masqueraded Networks</title>

    <para>Suppose that we have the following situation:</para>

    <graphic fileref="images/TwoNets1.png" />

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
    accomplished through use of the /etc/shorewall/tunnels file, the
    /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
    included with Shorewall.</para>

    <para>Suppose that you have tunneling software that uses two different
    protocols:</para>

    <orderedlist numeration="loweralpha">
      <listitem>
        <para>TCP port 1071</para>
      </listitem>

      <listitem>
        <para>GRE (Protocol 47)</para>
      </listitem>

      <listitem>
        <para>The tunnel interface on system A is <quote>tun0</quote> and the
        tunnel interface on system B is also <quote>tun0</quote>.</para>
      </listitem>
    </orderedlist>

    <para>On each firewall, you will need to declare a zone to represent the
    remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
    and declare it in /etc/shorewall/zones on both systems as follows.</para>

    <informaltable>
      <tgroup cols="3">
        <thead>
          <row>
            <entry align="center">ZONE</entry>

            <entry align="center">DISPLAY</entry>

            <entry align="center">COMMENTS</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>vpn</entry>

            <entry>VPN</entry>

            <entry>Remote Subnet</entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
    zone. In /etc/shorewall/interfaces:</para>

    <informaltable>
      <tgroup cols="4">
        <thead>
          <row>
            <entry align="center">ZONE</entry>

            <entry align="center">INTERFACE</entry>

            <entry align="center">BROADCAST</entry>

            <entry align="center">OPTIONS</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>vpn</entry>

            <entry>tun0</entry>

            <entry>10.255.255.255</entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>In /etc/shorewall/tunnels on system A, we need the following:</para>

    <informaltable>
      <tgroup cols="4">
        <thead>
          <row>
            <entry align="center">TYPE</entry>

            <entry align="center">ZONE</entry>

            <entry align="center">GATEWAY</entry>

            <entry align="center">GATEWAY ZONE</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>generic:tcp:1071</entry>

            <entry>net</entry>

            <entry>134.28.54.2</entry>

            <entry></entry>
          </row>

          <row>
            <entry>generic:47</entry>

            <entry>net</entry>

            <entry>134.28.54.2</entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>These entries in /etc/shorewall/tunnels, opens the firewall so that
    TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
    be accepted to/from the remote gateway.</para>

    <informaltable>
      <tgroup cols="4">
        <thead>
          <row>
            <entry align="center">ZONE</entry>

            <entry align="center">INTERFACE</entry>

            <entry align="center">BROADCAST</entry>

            <entry align="center">OPTIONS</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>vpn</entry>

            <entry>tun0</entry>

            <entry>192.168.1.255</entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>In /etc/shorewall/tunnels on system B, we have:</para>

    <informaltable>
      <tgroup cols="4">
        <thead>
          <row>
            <entry align="center">TYPE</entry>

            <entry align="center">ZONE</entry>

            <entry align="center">GATEWAY</entry>

            <entry align="center">GATEWAY ZONE</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>generic:tcp:1071</entry>

            <entry>net</entry>

            <entry>206.191.148.9</entry>

            <entry></entry>
          </row>

          <row>
            <entry>generic:47</entry>

            <entry>net</entry>

            <entry>134.28.54.2</entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>You will need to allow traffic between the <quote>vpn</quote> zone
    and the <quote>loc</quote> zone on both systems -- if you simply want to
    admit all traffic in both directions, you can use the policy file:</para>

    <informaltable>
      <tgroup cols="4">
        <thead>
          <row>
            <entry align="center">SOURCE</entry>

            <entry align="center">DEST</entry>

            <entry align="center">POLICY</entry>

            <entry align="center">LOG LEVEL</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>loc</entry>

            <entry>vpn</entry>

            <entry>ACCEPT</entry>

            <entry></entry>
          </row>

          <row>
            <entry>vpn</entry>

            <entry>loc</entry>

            <entry>ACCEPT</entry>

            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>

    <para>On both systems, restart Shorewall and start your VPN software on
    each system. The systems in the two masqueraded subnetworks can now talk
    to each other</para>
  </section>
</article>