forked from extern/shorewall_code
72f67478b2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@207 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
284 lines
9.3 KiB
HTML
284 lines
9.3 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
|
||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||
<title>Shorewall IPSec Tunneling</title>
|
||
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
|
||
|
||
</head>
|
||
<body>
|
||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||
<tr>
|
||
<td width="100%">
|
||
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
|
||
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
|
||
http://jixen.tripod.com</a>
|
||
. I highly recommend that you consult that site for information about confuring
|
||
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
|
||
and FreeS/Wan on the same system unless you are prepared to suffer the
|
||
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
|
||
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
|
||
(ipsecX) rather than to the interface that you specify in the INTERFACE column
|
||
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
|
||
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
|
||
<p>You <b>might</b> be able to work around this problem using the following (I
|
||
haven't tried it):</p>
|
||
<p>In /etc/shorewall/init, include:</p>
|
||
<p> qt service ipsec stop</p>
|
||
<p>In /etc/shorewall/start, include:</p>
|
||
<p> qt service ipsec start</p>
|
||
<h2>
|
||
|
||
<font color="#660066">IPSec Gateway
|
||
on the Firewall System
|
||
</font></h2>
|
||
|
||
<p>Suppose that we have the following sutuation:</p>
|
||
|
||
<font color="#660066">
|
||
|
||
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
|
||
<img src="images/TwoNets1.png" width="745" height="427">
|
||
</font></p>
|
||
|
||
</font>
|
||
|
||
<p align="Left">We want systems
|
||
in the 192.168.1.0/24 sub-network to be able to communicate with systems
|
||
in the 10.0.0.0/8 network.</p>
|
||
|
||
<p align="Left">To make this work, we need to do two things:</p>
|
||
|
||
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established
|
||
(allow the ESP and AH protocols and UDP Port 500). </p>
|
||
|
||
<p align="Left">b) Allow traffic through the tunnel.</p>
|
||
|
||
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by
|
||
adding an entry to the /etc/shorewall/tunnels file.</p>
|
||
|
||
<p align="Left">In /etc/shorewall/tunnels
|
||
on system A, we need the following </p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>
|
||
TYPE</strong></td>
|
||
<td><strong>
|
||
ZONE</strong></td>
|
||
<td><strong>
|
||
GATEWAY</strong></td>
|
||
<td><strong>
|
||
GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ipsec</td>
|
||
<td>net</td>
|
||
<td>134.28.54.2</td>
|
||
<td> </td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table></blockquote>
|
||
|
||
<p align="Left">In /etc/shorewall/tunnels
|
||
on system B, we would have:</p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>
|
||
TYPE</strong></td>
|
||
<td><strong>
|
||
ZONE</strong></td>
|
||
<td><strong>
|
||
GATEWAY</strong></td>
|
||
<td><strong>
|
||
GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ipsec</td>
|
||
<td>net</td>
|
||
<td>206.161.148.9</td>
|
||
<td> </td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table></blockquote>
|
||
|
||
<p align="Left">You need to define a zone for the remote subnet or include
|
||
it in your local zone. In this example, we'll assume that you have created a
|
||
zone called "vpn" to represent the remote subnet.</p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tr>
|
||
<td><strong>ZONE</strong></td>
|
||
<td><strong>DISPLAY</strong></td>
|
||
<td><strong>COMMENTS</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>vpn</td>
|
||
<td>VPN</td>
|
||
<td>Remote Subnet</td>
|
||
</tr>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p align="Left">At both
|
||
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
|
||
interface:</p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>
|
||
ZONE</strong></td>
|
||
<td><strong>
|
||
INTERFACE</strong></td>
|
||
<td><strong>
|
||
BROADCAST</strong></td>
|
||
<td><strong>
|
||
OPTIONS</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>vpn</td>
|
||
<td>ipsec0</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table></blockquote>
|
||
|
||
<p align="Left"> You will need to allow traffic between the "vpn" zone and
|
||
the "loc" zone -- if you simply want to admit all traffic in both
|
||
directions, you can use the policy file:</p>
|
||
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tr>
|
||
<td><strong>SOURCE</strong></td>
|
||
<td><strong>DEST</strong></td>
|
||
<td><strong>POLICY</strong></td>
|
||
<td><strong>LOG LEVEL</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>vpn</td>
|
||
<td>ACCEPT</td>
|
||
<td> </td>
|
||
</tr>
|
||
|
||
<tr>
|
||
<td>vpn</td>
|
||
<td>loc</td>
|
||
<td>ACCEPT</td>
|
||
<td> </td>
|
||
</tr>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p align="Left"> Once
|
||
you have these entries in place, restart Shorewall (type shorewall restart);
|
||
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
|
||
FreeS/WAN</a>
|
||
.</p>
|
||
|
||
|
||
<h2><font color="#660066"><a name="RoadWarrior"></a>
|
||
Mobile System (Road Warrior)</font></h2>
|
||
|
||
<p>Suppose that you have
|
||
a laptop system (B) that you take with you when you travel and you want to
|
||
be able to establish a secure connection back to your local network.</p>
|
||
|
||
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
|
||
<img src="images/Mobile.png" width="677" height="426">
|
||
</font></strong></p>
|
||
|
||
<p align="Left">You need to define a zone for the laptop or include it in
|
||
your local zone. In this example, we'll assume that you have created a zone
|
||
called "vpn" to represent the remote host.</p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tr>
|
||
<td><strong>ZONE</strong></td>
|
||
<td><strong>DISPLAY</strong></td>
|
||
<td><strong>COMMENTS</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>vpn</td>
|
||
<td>VPN</td>
|
||
<td>Remote Subnet</td>
|
||
</tr>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p align="Left"> In this
|
||
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
|
||
be determined in advance. In the /etc/shorewall/tunnels file on system A,
|
||
the following entry should be made:</p>
|
||
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>
|
||
TYPE</strong></td>
|
||
<td><strong>
|
||
ZONE</strong></td>
|
||
<td><strong>
|
||
GATEWAY</strong></td>
|
||
<td><strong>
|
||
GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ipsec</td>
|
||
<td>net</td>
|
||
<td>0.0.0.0/0</td>
|
||
<td>vpn</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table></blockquote>
|
||
|
||
<p>Note that the GATEWAY
|
||
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
|
||
gateway system itself comprises the peer subnetwork; in other words, the
|
||
remote gateway is a standalone system.</p>
|
||
|
||
|
||
<p>You will need to configure /etc/shorewall/interfaces and establish
|
||
your "through the tunnel" policy as shown under the first example above.</p>
|
||
|
||
|
||
<p><font size="2"> Last
|
||
updated 8/20/2002 - </font><font size="2">
|
||
<a href="support.htm">Tom Eastep</a></font>
|
||
</p>
|
||
|
||
|
||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
|
||
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||
|
||
</body>
|
||
</html> |