1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="IPSEC">
<!--$Id$-->
<articleinfo>
<title>IPSEC Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<important>
<para>The information in this article is only applicable if you plan to
have IPSEC end-points on the same system where Shorewall is used.</para>
</important>
<warning>
<para>This documentation is incomplete regarding using IPSEC and the 2.6
Kernel. Netfilter currently lacks full support for the 2.6 kernel's
implementation of IPSEC. Until that implementation is complete, only a
simple network-network tunnel is described for 2.6.</para>
<para>UPDATE: Some distributions such as <trademark>SUSE</trademark> are
now shipping Kernels and iptables with the IPSEC-Netfilter patches and
policy match support. Check <ulink url="IPSEC-2.6.html">this
article</ulink> for information concerning this support and
Shorewall.</para>
</warning>
<section id="Prelim">
<title>Preliminary Reading</title>
<para>I recommend reading the <ulink url="VPNBasics.html">VPN
Basics</ulink> article if you plan to implement any type of VPN.</para>
</section>
<section id="Swans">
<title>Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</title>
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly
recommend that you consult that site for information about configuring
FreeS/Wan.</para>
<important>
<para>The documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
additional entries in ipsec.conf:</para>
<programlisting>conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore</programlisting>
<para>For further information see <ulink
url="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</ulink>.</para>
</important>
</section>
<section id="GwFw">
<title>IPSec Gateway on the Firewall System</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
communicate with systems in the 10.0.0.0/8 network. We assume that on both
systems A and B, eth0 is the Internet interface.</para>
<para>To make this work, we need to do two things:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500).</para>
</listitem>
<listitem>
<para>Allow traffic through the tunnel.</para>
</listitem>
</orderedlist>
<para>Opening the firewall for the IPSEC tunnel is accomplished by adding
an entry to the /etc/shorewall/tunnels file.</para>
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2</programlisting>
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.161.148.9</programlisting>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
tunnels file entry on the <emphasis role="bold">other</emphasis>
endpoint should specify a tunnel type of ipsecnat rather than ipsec and
the GATEWAY address should specify the external address of the NAT
gateway.</para>
</note>
<para>You need to define a zone for the remote subnet or include it in
your local zone. In this example, we'll assume that you have created a
zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para>
<para>/etc/shorewall/zones (both systems):</para>
<programlisting>#ZONE TYPE OPTIONS
vpn ipv4
net ipv4</programlisting>
<para><emphasis role="bold">If you are running kernel
2.4:</emphasis><blockquote>
<para>At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn ipsec0</programlisting>
</blockquote></para>
<para><emphasis role="bold">If you are running kernel
2.6:</emphasis></para>
<blockquote>
<para><emphasis role="bold">It is essential that the
<emphasis>vpn</emphasis> zone be declared before the
<emphasis>net</emphasis> zone in
<filename>/etc/shorewall/zones</filename>.</emphasis></para>
<para>Remember the assumption that both systems A and B have eth0 as
their Internet interface.</para>
<para>You must define the vpn zone using the /etc/shorewall/hosts
file.</para>
<para>/etc/shorewall/hosts - System A</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8</programlisting>
<para>/etc/shorewall/hots - System B</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24</programlisting>
<para>In addition, <emphasis role="bold">if you are using Masquerading
or SNAT</emphasis> on your firewalls, you need to eliminate the remote
network from Masquerade/SNAT. These entries <emphasis
role="bold">replace</emphasis> your current masquerade/SNAT entries for
the local networks.</para>
<para>/etc/shorewall/masq - System A</para>
<programlisting>#INTERFACE SOURCE ADDRESS
eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
<para>/etc/shorewall/masq - System B</para>
<programlisting>#INTERFACE SOURCE ADDRESS
eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
</section>
<section id="Hub">
<title>VPN Hub using Kernel 2.4</title>
<para>Shorewall can be used in a VPN Hub environment where multiple remote
networks are connected to a gateway running Shorewall. This environment is
shown in this diagram.</para>
<graphic fileref="images/ThreeNets.png" />
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks and
we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to
communicate.</para>
<para>To make this work, we need to do several things:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Open the firewall so that two IPSEC tunnels can be established
(allow the ESP and AH protocols and UDP Port 500).</para>
</listitem>
<listitem>
<para>Allow traffic through the tunnels two/from the local zone
(192.168.1.0/24).</para>
</listitem>
<listitem>
<para>Deny traffic through the tunnels between the two remote
networks.</para>
</listitem>
</orderedlist>
<para>Opening the firewall for the IPSEC tunnels is accomplished by adding
two entries to the /etc/shorewall/tunnels file.</para>
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2
ipsec net 130.252.100.14</programlisting>
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.161.148.9</programlisting>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
tunnels file entry on the <emphasis role="bold">other</emphasis>
endpoint should specify a tunnel type of <emphasis>ipsecnat</emphasis>
rather than ipsec and the GATEWAY address should specify the external
address of the NAT gateway.</para>
</note>
<para>On each system, we will create a zone to represent the remote
networks. On System A:</para>
<programlisting>#ZONE TYPE OPTIONS
vpn1 ipv4
vp2 ipv4</programlisting>
<para>On systems B and C:</para>
<programlisting>#ZONE TYPE OPTIONS
vpn ipv4</programlisting>
<para>At system A, ipsec0 represents two zones so we have the following in
/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- ipsec0</programlisting>
<para>The /etc/shorewall/hosts file on system A defines the two VPN
zones:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn1 ipsec0:10.0.0.0/16
vpn2 ipsec0:10.1.0.0/16</programlisting>
<para>At systems B and C, ipsec0 represents a single zone so we have the
following in /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn ipsec0</programlisting>
<para>On systems A, you will need to allow traffic between the
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
between <quote>vpn2</quote> and the <quote>loc</quote> zone -- if you
simply want to admit all traffic in both directions, you can use the
following policy file entries on all three gateways:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn1 ACCEPT
vpn1 loc ACCEPT
loc vpn2 ACCEPT
vpn2 loc ACCEPT</programlisting>
<para>On systems B and C, you will need to allow traffic between the
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
want to admit all traffic in both directions, you can use the following
policy file entries on all three gateways:</para>
<para>/etc/shorewall/policy -- Systems B & C</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the
tunnels in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
<note>
<para>to allow traffic between the networks attached to systems B and C,
it is necessary to simply add two additional entries to the
/etc/shorewall/policy file on system A.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
vpn1 vpn2 ACCEPT
vpn2 vpn1 ACCEPT</programlisting>
</note>
<note>
<para>If you find traffic being rejected/dropped in the OUTPUT chain,
place the names of the remote VPN zones as a comma-separated list in the
GATEWAY ZONE column of the /etc/shorewall/tunnels file entry.</para>
</note>
</section>
<section id="RoadWarrior">
<title>Mobile System (Road Warrior) Using Kernel 2.4</title>
<para>Suppose that you have a laptop system (B) that you take with you
when you travel and you want to be able to establish a secure connection
back to your local network.</para>
<graphic fileref="images/Mobile.png" />
<example id="roadWarrior">
<title>Road Warrior VPN</title>
<para>You need to define a zone for the laptop or include it in your
local zone. In this example, we'll assume that you have created a zone
called <quote>vpn</quote> to represent the remote host.</para>
<para>/etc/shorewall/zones - System A</para>
<programlisting>#ZONE TYPE OPTIONS
vpn ipv4</programlisting>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0</programlisting>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
</note></para>
<para>You will need to configure /etc/shorewall/interfaces and establish
your <quote>through the tunnel</quote> policy as shown under the first
example above.</para>
</example>
</section>
<section id="Dynamic">
<title>Dynamic RoadWarrior Zones</title>
<para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.<important>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
later versions. Use <ulink url="ipsets.html#Dynamic">dynamic zones
defined by ipsets</ulink> instead.</para>
</important></para>
<para>In /etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS
vpn1 ipv4
vpn2 ipv4
vpn3 ipv4</programlisting>
<para>In /etc/shorewall/tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and
Shorewall will issue warnings to that effect. These warnings may be safely
ignored. FreeS/Wan may now be configured to have three different Road
Warrior connections with the choice of connection being based on X-509
certificates or some other means. Each of these connections will utilize a
different updown script that adds the remote station to the appropriate
zone when the connection comes up and that deletes the remote station when
the connection comes down. For example, when 134.28.54.2 connects for the
vpn2 zone the <quote>up</quote> part of the script will issue the
command:</para>
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
<para>and the <quote>down</quote> part will:</para>
<programlisting>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2</programlisting>
</section>
</article>
|
