[Shorewall-users] IPSEC VPN & Shorewall

Tom Eastep teastep@shorewall.net
Tue, 22 Jan 2002 10:36:25 -0800


Emmett,

On Tuesday 22 January 2002 10:25 am, Emmett Hogan wrote:
> Hi Folks,
>
> I am trying to set up an IPSEC VPN with Gauntlet on one end and an IPTABLES
> based firewall on the other.  Needless to say, I went the smart route and
> am using SHOREWALL on my Linux box.
>
> I put the following entry into my /etc/shorewall/tunnels files (The ip
> addresses have been changed to protect the innocent):
>
> # TYPE          ZONE    GATEWAY         GATEWAY ZONE
> ipsec           net     1.2.3.4
>
> Where 1.2.3.4 is the GAUNTLET box.
>
> Now, there are several RFC1918 address blocks behind that 1.2.3.4 router,
> should I create a zone which contains all those blocks and put that in the
> "GATEWAY ZONE" parameter?

You can place those address blocks in a zone of their own or you can place
them in your local zone. It all depends on what kind of firewalling (if any)
you want between the remote subnets and your local one. If you make them part
of your local zone, be sure you have the following in /etc/shorewall/policy:

local   local   ACCEPT

You usually don't have to put anything in the GATEWAY ZONE unless you start
seeing UDP port 500 packets from the Gauntlet coming through the tunnel (that
usually doesn't happen with IPSEC in tunnel mode).

>
> Also, I read in the IPSEC docs that the "tunnelled" packets should NOT be
> masq'ed.  Is that correct?

That's correct -- this means that the RFC1918 addresses at the other end
can't overlap your local ones.

>
> The SHOREWALL firewall is protecting another 192.168 address block (that is
> NOT being used on the other side of 1.2.3.4).

Good -- See above.

>
> Also, how does one handle DNS so that addresses on the other side of the
> tunnel can be resolved?

Add a "forward only" zone at your end for the domain at the other end of the
tunnel and forward DNS lookups for that zone through the tunnel to the name
servers at the other end.

I do that here for compaq -- in /etc/named.conf, I have:

        zone "compaq.com" {
                type forward;
                forward only;
                forwarders{
                        1.2.3.4;
                        1.2.8.4;
                };
        };

Where 1.2.3.4 and 1.2.8.4 are Compaq-internal name servers.

I use PPTP between my firewall and Compaq but the idea is the same.

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
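Added example, not part of the original thread or of Shorewall: a small check for the point Tom makes about unmasqueraded tunnel traffic, that the RFC1918 blocks on the far side of the tunnel must not overlap the local ones. It also flags any remote block that is not RFC1918, since the question describes the far side as "several RFC1918 address blocks". All prefixes in it are constructed sample values, not addresses from the thread.

```python
# Added example (not part of the original thread or of Shorewall): sanity-check
# the address plan for an IPsec tunnel whose traffic is NOT masqueraded.
# Every prefix below is a constructed sample value.
import ipaddress

# The three RFC1918 private ranges.
RFC1918 = tuple(
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def parse_blocks(prefixes):
    """Parse prefix strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_rfc1918(net):
    """True if net lies entirely inside one of the RFC1918 ranges."""
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def find_overlaps(local_blocks, remote_blocks):
    """Return every (local, remote) pair that shares at least one address.

    Without NAT on the tunnel such a pair is a routing ambiguity: a packet for
    an address in the shared range could belong either to the local LAN or to
    the far end, and the firewall has no way to tell which.
    """
    local = parse_blocks(local_blocks)
    remote = parse_blocks(remote_blocks)
    return [
        (str(lo), str(re))
        for lo in local
        for re in remote
        if lo.version == re.version and lo.overlaps(re)
    ]


def non_rfc1918(blocks):
    """Blocks that are not private address space (worth a second look in a VPN plan)."""
    return [str(n) for n in parse_blocks(blocks) if not is_rfc1918(n)]


def check_tunnel_plan(local_blocks, remote_blocks):
    """Summarise the plan: ok only when no local block overlaps a remote one."""
    overlaps = find_overlaps(local_blocks, remote_blocks)
    return {
        "ok": not overlaps,
        "overlaps": overlaps,
        "remote_not_rfc1918": non_rfc1918(remote_blocks),
    }


# Constructed sample plan: one local 192.168 block, several remote blocks,
# one of which collides with the local LAN and one of which is not RFC1918.
LOCAL = ["192.168.1.0/24"]
REMOTE = ["10.0.0.0/16", "172.16.5.0/24", "192.168.1.128/25", "198.51.100.0/24"]

if __name__ == "__main__":
    result = check_tunnel_plan(LOCAL, REMOTE)
    for lo, re in result["overlaps"]:
        print(f"OVERLAP: local {lo} and remote {re} -- renumber one side or NAT the tunnel")
    for n in result["remote_not_rfc1918"]:
        print(f"NOTE: remote block {n} is not RFC1918 private space")
    print("plan ok" if result["ok"] else "plan NOT ok")
```

Run it with the local and remote blocks from your own /etc/shorewall files before you leave the tunnel out of /etc/shorewall/masq; if it reports an overlap, renumbering one side is the fix, since the "no masquerading on the tunnel" advice above assumes the two ends are disjoint.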