forked from extern/shorewall_code
584f57cfb0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1710 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
140 lines
4.4 KiB
XML
140 lines
4.4 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="VPN">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>VPN</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2004-10-21</pubdate>
|
|
|
|
<copyright>
|
|
<year>2002</year>
|
|
|
|
<year>2004</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Virtual Private Networking (VPN)</title>
|
|
|
|
<para>It is often the case that a system behind the firewall needs to be
|
|
able to access a remote network through Virtual Private Networking (VPN).
|
|
The two most common means for doing this are IPSEC and PPTP. The basic
|
|
setup is shown in the following diagram:</para>
|
|
|
|
<graphic fileref="images/VPN.png" />
|
|
|
|
<para>A system with an RFC 1918 address needs to access a remote network
|
|
through a remote gateway. For this example, we will assume that the local
|
|
system has IP address 192.168.1.12 and that the remote gateway has IP
|
|
address 192.0.2.224.</para>
|
|
|
|
<para>If PPTP is being used, there are no firewall requirements beyond the
|
|
default loc->net ACCEPT policy. There is one restriction however: Only
|
|
one local system at a time can be connected to a single remote gateway
|
|
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
|
available at <ulink
|
|
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
|
|
|
<para>If IPSEC is being used then only one system may connect to the
|
|
remote gateway and there are firewall configuration requirements as
|
|
follows:</para>
|
|
|
|
<table>
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
<tgroup cols="7">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">ACTION</entry>
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
<entry align="center">CLIENT PORT</entry>
|
|
|
|
<entry align="center">ORIGINAL DEST</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>DNAT</entry>
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
<entry>50</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>DNAT</entry>
|
|
|
|
<entry>net:192.0.2.224</entry>
|
|
|
|
<entry>loc:192.168.1.12</entry>
|
|
|
|
<entry>udp</entry>
|
|
|
|
<entry>500</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>If you want to be able to give access to all of your local systems
|
|
to the remote network, you should consider running a VPN client on your
|
|
firewall. As starting points, see <ulink
|
|
url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
|
|
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
|
|
|
|
<para>Alternatively, you should configure IPSEC to use <firstterm>NAT
|
|
Traversal</firstterm> -- Under NAT traversal the IPSEC packets (protocol
|
|
50 or 51) are encapsulated in UDP packets with destination port 4500.
|
|
Additionally, <firstterm>keep-alive messages</firstterm> are sent
|
|
frequently so that NATing gateways between the end-points will retain
|
|
their connection-tracking entries. This is the way that I connect to the
|
|
HP Intranet and it works flawlessly without anything in Shorewall other
|
|
than my ACCEPT loc->net policy. NAT traversal is available as a patch
|
|
for Windows 2K and is a standard feature of Windows XP -- simply select
|
|
"</para>
|
|
</section>
|
|
</article> |