<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    
  <meta http-equiv="Content-Language" content="en-us">
    
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    
  <meta name="ProgId" content="FrontPage.Editor.Document">
    
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>VPN</title>
</head>
  <body>
  
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
      <h1 align="center"><font color="#ffffff">VPN</font></h1>
      </td>
    </tr>
    
  </tbody> 
</table>
  
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means of doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
  
<p align="center"><img border="0" src="images/VPN.png" width="568"
 height="796">
 </p>
  
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has
IP address 192.0.2.224.</p>
  
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction, however:
only one local system at a time can be connected to a single remote gateway
unless you patch your kernel with the 'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>.</p>
  
<p align="left">If IPSEC is being used, then only one system may connect to
the remote gateway, and the firewall must be configured as follows:</p>
  
<blockquote>   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 bordercolor="#111111" id="AutoNumber2" height="98">
      <tbody>
       <tr>
        <td height="38"><u><b>ACTION</b></u></td>
        <td height="38"><u><b>SOURCE</b></u></td>
        <td height="38"><u><b>DESTINATION</b></u></td>
        <td height="38"><u><b>PROTOCOL</b></u></td>
        <td height="38"><u><b>PORT</b></u></td>
        <td height="38"><u><b>CLIENT<br>
        PORT</b></u></td>
        <td height="38"><u><b>ORIGINAL<br>
        DEST</b></u></td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
        <td height="19">net:192.0.2.224</td>
        <td height="19">loc:192.168.1.12</td>
        <td height="19">50</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
        <td height="19">net:192.0.2.224</td>
        <td height="19">loc:192.168.1.12</td>
        <td height="19">udp</td>
        <td height="19">500</td>
        <td height="19">&nbsp;</td>
        <td height="19">&nbsp;</td>
      </tr>
      
    </tbody>   
  </table>
  </blockquote>
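<p>The two table rows above written out as the equivalent netfilter commands, as an added example that is neither part of this page nor Shorewall's own generated rule set (Shorewall uses its own chain layout). The interface names eth0/eth1 are assumptions, and the script prints the rules rather than running them so they can be reviewed first. Protocol 50 is ESP, which carries no port numbers (hence the blank PORT cell), and UDP 500 is IKE.</p>

```shell
#!/bin/sh
# Added example, not Shorewall's generated rules: the netfilter equivalent of
# the two DNAT table rows above, for a single IPSEC client behind the firewall.
# Addresses come from the page; interface names are assumptions.
NET_IF=${NET_IF:-eth0}   # assumed: interface on the net zone
LOC_IF=${LOC_IF:-eth1}   # assumed: interface on the loc zone

# ipsec_dnat_rules GATEWAY CLIENT
# Prints the rules instead of applying them, so they can be reviewed first.
ipsec_dnat_rules() {
    gw=$1      # remote VPN gateway (net zone)
    client=$2  # local IPSEC client (loc zone)

    # ESP is IP protocol 50 and carries no ports, hence the blank PORT cell:
    # match on protocol only and translate the destination to the client.
    echo "iptables -t nat -A PREROUTING -i $NET_IF -s $gw -p 50 -j DNAT --to-destination $client"
    # FORWARD sees the post-DNAT address, so the client is the destination here.
    echo "iptables -A FORWARD -i $NET_IF -o $LOC_IF -s $gw -d $client -p 50 -j ACCEPT"

    # IKE negotiates the security associations over UDP 500; same treatment,
    # with a port match added.
    echo "iptables -t nat -A PREROUTING -i $NET_IF -s $gw -p udp --dport 500 -j DNAT --to-destination $client"
    echo "iptables -A FORWARD -i $NET_IF -o $LOC_IF -s $gw -d $client -p udp --dport 500 -j ACCEPT"
}

# A static DNAT can send the gateway's inbound ESP to only one internal
# address, which is why the page says a single local system at a time can
# use a given gateway. Review the output, then apply with APPLY=1 as root.
if [ "${APPLY:-0}" = "1" ]; then
    ipsec_dnat_rules 192.0.2.224 192.168.1.12 | sh
else
    ipsec_dnat_rules 192.0.2.224 192.168.1.12
fi
```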
  
<p>If you want to give all of your local systems access to the
remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
 href="http://www.shorewall.net/Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
  
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
 
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
&copy; <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
 
</body>
</html>