forked from extern/shorewall_code
478b108bc0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@243 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
82 lines
3.3 KiB
HTML
Executable File
<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>VPN</title>
</head>

<body>

<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">VPN</font></h1>
</td>
</tr>
</table>
<p>It is often the case that a system behind the firewall needs to be able to
access a remote network through Virtual Private Networking (VPN). The two most
common means for doing this are IPSEC and PPTP. The basic setup is shown in the
following diagram:</p>

<p align="center"><img border="0" src="images/VPN.png" width="568" height="796"></p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements beyond
the default loc-&gt;net ACCEPT policy. There is one restriction, however: only one
local system at a time can be connected to a single remote gateway unless you
patch your kernel with the 'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>.</p>
<p align="left">If IPSEC is being used then there are firewall configuration
requirements as follows:</p>

<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" height="98">
<tr>
<td height="38"><u><b>ACTION</b></u></td>
<td height="38"><u><b>SOURCE</b></u></td>
<td height="38"><u><b>DESTINATION</b></u></td>
<td height="38"><u><b>PROTOCOL</b></u></td>
<td height="38"><u><b>PORT</b></u></td>
<td height="38"><u><b>CLIENT<br>PORT</b></u></td>
<td height="38"><u><b>ORIGINAL<br>DEST</b></u></td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</table>
</blockquote>
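<p>The two table rows above, written as lines of the Shorewall rules file (the same columns, whitespace separated, with <code>-</code> for an empty column), together with a small checker that parses that layout and reports which of the two IPSEC entries is missing. This is an added example and not Shorewall's own code: the sample rules text is constructed for this page, the column layout follows the table, and the function names (<code>parse_rules</code>, <code>missing_ipsec_rules</code>) are hypothetical. Protocol 50 is ESP and UDP port 500 is IKE; the checker also accepts the name <code>esp</code> for protocol 50.</p>

```python
"""Checker for the IPSEC client rules listed on this page.

Added example, not Shorewall's own code. SAMPLE_RULES is a constructed
fragment in the layout of the page's table (the rules-file columns
ACTION SOURCE DEST PROTO PORT CLIENT-PORT ORIGINAL-DEST, whitespace
separated, '-' for an empty column, '#' starting a comment); the
function names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two required entries plus an unrelated rule.
SAMPLE_RULES = """\
#ACTION  SOURCE           DEST              PROTO  PORT  CLIENT  ORIGINAL
#                                                        PORT    DEST
# IPSEC from the remote gateway to the local client: ESP, then IKE
DNAT     net:192.0.2.224  loc:192.168.1.12  50     -     -       -
DNAT     net:192.0.2.224  loc:192.168.1.12  udp    500   -       -
# unrelated rule, ignored by the checker
ACCEPT   net              fw                tcp    22
"""

# ESP may be written by name; it is IP protocol number 50.
PROTO_NUMBERS = {"esp": "50"}


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: Optional[str]
    port: Optional[str]
    client_port: Optional[str]
    original_dest: Optional[str]


def _col(value: str) -> Optional[str]:
    """A '-' column is empty."""
    return None if value == "-" else value


def parse_rules(text: str) -> List[Rule]:
    """Parse rules-file text into Rule records; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need at least ACTION, SOURCE and DEST")
        cols += ["-"] * (7 - len(cols))  # missing trailing columns are empty
        action, source, dest, proto, port, cport, odest = cols[:7]
        proto_n = _col(proto)
        if proto_n is not None:
            proto_n = proto_n.lower()
            proto_n = PROTO_NUMBERS.get(proto_n, proto_n)
        rules.append(Rule(action.upper(), source, dest, proto_n,
                          _col(port), _col(cport), _col(odest)))
    return rules


def ipsec_dnat_rules(remote_gw: str, local_host: str) -> List[Rule]:
    """The two DNAT entries the page requires: ESP (protocol 50) and IKE (UDP 500)."""
    src, dst = f"net:{remote_gw}", f"loc:{local_host}"
    return [Rule("DNAT", src, dst, "50", None, None, None),
            Rule("DNAT", src, dst, "udp", "500", None, None)]


def missing_ipsec_rules(rules: List[Rule], remote_gw: str, local_host: str) -> List[Rule]:
    """Return the required entries that do not appear in `rules`."""
    present = set(rules)
    return [r for r in ipsec_dnat_rules(remote_gw, local_host) if r not in present]


if __name__ == "__main__":
    missing = missing_ipsec_rules(parse_rules(SAMPLE_RULES), "192.0.2.224", "192.168.1.12")
    for r in missing:
        print("missing:", r)
    print("ok" if not missing else f"{len(missing)} rule(s) missing")
```

<p>Matching is exact on the SOURCE and DESTINATION columns, so a rule that names a different gateway address or a whole zone instead of the host is reported as missing; that is deliberate, since the page's requirement is a host-to-host DNAT for the one remote gateway.</p>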

<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall. As
starting points, see
<a href="http://www.shorewall.net/Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or
<a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 8/27/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> &copy; <font size="2">2002 Thomas M. Eastep.</font></a></font></p>

</body>

</html>