[Shorewall-users] IPSEC VPN & Shorewall

Tom Eastep teastep@shorewall.net
Tue, 22 Jan 2002 10:36:25 -0800


On Tuesday 22 January 2002 10:25 am, Emmett Hogan wrote:
> Hi Folks,
> I am trying to set up an IPSEC VPN with Gauntlet on one end and an IPTABLES
> based firewall on the other.  Needless to say, I went the smart route and
> am using SHOREWALL on my Linux box.
> I put the following entry into my /etc/shorewall/tunnels files (The ip
> addresses have been changed to protect the innocent):
> # TYPE          ZONE    GATEWAY         GATEWAY ZONE
> ipsec           net
> Where is the GAUNTLET box.
> Now, there are several RFC1918 address blocks behind that router;
> should I create a zone which contains all those blocks and put that in the
> "GATEWAY ZONE" parameter?

You can place those address blocks in a zone of their own or you can place
them in your local zone. It all depends on what kind of firewalling (if any)
you want between the remote subnets and your local one. If you make them part
of your local zone, be sure you have the following in /etc/shorewall/policy:


You usually don't have to put anything in the GATEWAY ZONE unless you start
seeing UDP port 500 packets from the GAUNTLET coming thru the tunnel (that
usually doesn't happen with IPSEC in tunnel mode).

> Also, I read in the IPSEC docs that the "tunnelled" packets should NOT be
> masq'ed.  Is that correct?

That's correct -- this means that the RFC1918 addresses at the other end
can't overlap your local ones.

> The SHOREWALL firewall is protecting another 192.168 address block (that is
> NOT being used on the other side of

Good -- See above.

> Also, how does one handle DNS so that addresses on the other side of the
> tunnel can be resolved?

Add a "forward only" zone at your end for the domain at the other end of the
tunnel and forward DNS lookups for that zone through the tunnel to the name
servers at the other end.

I do that here for compaq -- in /etc/named.conf, I have:

        zone "compaq.com" {
                type forward;
                forward only;
                forwarders { <ns1>; <ns2>; };   # addresses omitted from the archive
        };

Where <ns1> and <ns2> are Compaq-internal name servers.

I use PPTP between my firewall and Compaq but the idea is the same.

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
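A complete set of files for the "zone of their own" approach Tom describes, together with the forward-only DNS zone, as an added example that is not part of Tom's message or of the Shorewall project's documentation. Everything in it is constructed: the zone name vpn, the interfaces eth0/eth1/ipsec0 (ipsec0 assumes a FreeS/WAN-style virtual interface on which decrypted tunnel traffic appears), the addresses (203.0.113.10 for the Gauntlet box, 192.168.10.0/24 and 192.168.20.0/24 behind it, 192.168.1.0/24 locally), the domain remote.example and the name server addresses. The column layouts are the Shorewall 1.x ones for zones, interfaces, hosts, policy, masq and tunnels, and should be checked against the version actually installed.

```conf
# /etc/shorewall/zones  (constructed example)
# A separate zone for the RFC1918 blocks behind the Gauntlet box, so traffic
# between them and the local LAN is firewalled explicitly instead of being
# treated as local traffic.
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local LAN, 192.168.1.0/24 (must not overlap the remote blocks)
vpn     VPN         Subnets behind the Gauntlet box, reached through the IPSEC tunnel

# /etc/shorewall/interfaces  (constructed example)
# Assumption: decrypted tunnel traffic arrives on the virtual interface ipsec0.
# "-" in the ZONE column defers zone membership to /etc/shorewall/hosts.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
-       ipsec0      detect

# /etc/shorewall/hosts  (constructed example)
# Only the named remote blocks are members of vpn; anything else seen on
# ipsec0 belongs to no zone and falls through to the all->all policy below.
#ZONE   HOST(S)                 OPTIONS
vpn     ipsec0:192.168.10.0/24
vpn     ipsec0:192.168.20.0/24

# /etc/shorewall/policy  (constructed example)
# First match wins. The LAN may initiate connections to the remote subnets;
# the remote subnets reach the LAN only through explicit entries in
# /etc/shorewall/rules; the firewall itself (zone fw) may talk to the remote
# name servers so that the forward-only DNS zone below works.
#SOURCE     DEST        POLICY      LOG LEVEL
loc         vpn         ACCEPT
fw          vpn         ACCEPT
vpn         loc         DROP        info
vpn         net         DROP        info
loc         net         ACCEPT
net         all         DROP        info
all         all         REJECT      info

# /etc/shorewall/tunnels  (constructed example)
# GATEWAY is the Gauntlet box's public address. GATEWAY ZONE stays empty
# unless UDP 500 from the Gauntlet box shows up inside the tunnel, as Tom notes.
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     203.0.113.10

# /etc/shorewall/masq  (constructed example)
# Masquerade only LAN traffic leaving on eth0. Packets bound for the remote
# blocks are routed to ipsec0 and keep their real 192.168.1.x source, which
# is what the tunnel expects; verify with: iptables -t nat -L POSTROUTING -n -v
#INTERFACE      SUBNET          ADDRESS
eth0            eth1

# /etc/named.conf  (constructed example)
# Forward-only zone for the remote domain. The forwarders are name servers
# that live in the vpn zone and are reachable only through the tunnel.
zone "remote.example" {
        type forward;
        forward only;
        forwarders { 192.168.10.53; 192.168.20.53; };
};
```

The remote blocks (192.168.10.0/24 and 192.168.20.0/24) are deliberately different from the local 192.168.1.0/24; that is the no-overlap requirement Tom mentions, and it is what allows the tunnelled packets to travel un-masqueraded. Once the fw->vpn policy is in place, a lookup of a host in remote.example from a LAN client should be answered via the forwarders, and the vpn->loc DROP with log level info will show in the firewall log which remote hosts try to initiate connections back into the LAN.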