<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Language" content="en-us"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>VPN</title> </head> <body> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#3366ff" height="90"> <tbody> <tr> <td width="100%"> <h1 align="center"><font color="#ffffff">VPN</font></h1> </td> </tr> </tbody> </table> <p>It is often the case that a system behind the firewall needs to be able to access a remote network through Virtual Private Networking (VPN). The two most common means for doing this are IPSEC and PPTP. The basic setup is shown in the following diagram:</p> <p align="center"><img border="0" src="images/VPN.png" width="568" height="796"> </p> <p align="left">A system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224.</p> <p align="left">If PPTP is being used, there are no firewall requirements beyond the default loc->net ACCEPT policy. There is one restriction, however: only one local system at a time can be connected to a single remote gateway unless you patch your kernel with the 'Patch-o-matic' patches available at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. 
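</p> <p align="left">The two IPSEC pass-through entries in the table below, rendered as the equivalent iptables commands. This is an added example, not Shorewall's own generated rule set; it assumes eth0 faces the net zone and eth1 faces the loc zone, and the function names are hypothetical.</p>

```bash
#!/bin/sh
# Added example (not Shorewall's own generated rules): print the iptables
# commands equivalent to the two Shorewall DNAT entries for IPSEC
# pass-through, so they can be reviewed before being applied.
# Assumptions: eth0 faces the "net" zone and eth1 faces the "loc" zone.
NET_IF="${NET_IF:-eth0}"
LOC_IF="${LOC_IF:-eth1}"

# vpn_passthrough_rules <remote_gateway> <local_host>
# Emits one DNAT rule and one FORWARD rule each for ESP (IP protocol 50)
# and IKE (udp port 500), both restricted to the single remote gateway.
vpn_passthrough_rules() {
    gw="$1"
    host="$2"
    [ -n "$gw" ] && [ -n "$host" ] || {
        echo "usage: vpn_passthrough_rules GATEWAY HOST" >&2
        return 1
    }
    # ESP has no port numbers, which is why only one local host can be the
    # DNAT target for a given remote gateway.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p 50 -j DNAT --to-destination %s\n' \
        "$NET_IF" "$gw" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p 50 -j ACCEPT\n' \
        "$NET_IF" "$LOC_IF" "$gw" "$host"
    # IKE negotiation arrives on udp/500 from the same gateway.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p udp --dport 500 -j DNAT --to-destination %s\n' \
        "$NET_IF" "$gw" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p udp --dport 500 -j ACCEPT\n' \
        "$NET_IF" "$LOC_IF" "$gw" "$host"
}

# dnat_rule_count <remote_gateway> <local_host>
# Prints the number of DNAT rules that would be installed; anything other
# than 2 means the generator above was changed and should be re-read.
dnat_rule_count() {
    vpn_passthrough_rules "$1" "$2" | grep -c -- '-j DNAT'
}

# Dry run for the example addresses from the text; pipe into "sh" to apply.
vpn_passthrough_rules 192.0.2.224 192.168.1.12
```
<p>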
</p> <p align="left">If IPSEC is being used, then only one local system may connect to the remote gateway, and the firewall configuration requirements are as follows:</p> <blockquote> <table border="1" cellpadding="2" style="border-collapse: collapse;" bordercolor="#111111" id="AutoNumber2" height="98"> <tbody> <tr> <td height="38"><u><b>ACTION</b></u></td> <td height="38"><u><b>SOURCE</b></u></td> <td height="38"><u><b>DESTINATION</b></u></td> <td height="38"><u><b>PROTOCOL</b></u></td> <td height="38"><u><b>PORT</b></u></td> <td height="38"><u><b>CLIENT<br> PORT</b></u></td> <td height="38"><u><b>ORIGINAL<br> DEST</b></u></td> </tr> <tr> <td height="19">DNAT</td> <td height="19">net:192.0.2.224</td> <td height="19">loc:192.168.1.12</td> <td height="19">50</td> <td height="19">&nbsp;</td> <td height="19">&nbsp;</td> <td height="19">&nbsp;</td> </tr> <tr> <td height="19">DNAT</td> <td height="19">net:192.0.2.224</td> <td height="19">loc:192.168.1.12</td> <td height="19">udp</td> <td height="19">500</td> <td height="19">&nbsp;</td> <td height="19">&nbsp;</td> </tr> </tbody> </table> </blockquote> <p>If you want to give all of your local systems access to the remote network, you should consider running a VPN client on your firewall. As starting points, see <a href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p> <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> &copy; <font size="2">2002 Thomas M. Eastep.</font></a></font></p> </body> </html>