shorewall_code/Shorewall-docs2/VPN.xml
2004-10-23 17:27:42 +00:00

140 lines
4.4 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="VPN">
<!--$Id$-->
<articleinfo>
<title>VPN</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-10-21</pubdate>
<copyright>
<year>2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png" />
<para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local
system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</para>
<para>If PPTP is being used, there are no firewall requirements beyond the
default loc-&gt;net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
available at <ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
<para>If IPSEC is being used then only one system may connect to the
remote gateway and there are firewall configuration requirements as
follows:</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>50</entry>
<entry></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>udp</entry>
<entry>500</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <ulink
url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
<para>Alternatively, you should configure IPSEC to use <firstterm>NAT
Traversal</firstterm> -- Under NAT traversal the IPSEC packets (protocol
50 or 51) are encapsulated in UDP packets with destination port 4500.
Additionally, <firstterm>keep-alive messages</firstterm> are sent
frequently so that NATing gateways between the end-points will retain
their connection-tracking entries. This is the way that I connect to the
HP Intranet and it works flawlessly without anything in Shorewall other
than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch
for Windows 2K and is a standard feature of Windows XP -- simply select
"</para>
</section>
</article>