Emmett,
On Tuesday 22 January 2002 10:25 am, Emmett Hogan wrote:
> Hi Folks,
>
> I am trying to set up an IPSEC VPN with Gauntlet on one end and a IPTABLES
> based firewall on the other. Needless to say, I went the smart route and
> am using SHOREWALL on the my Linux box.
>
> I put the following entry into my /etc/shorewall/tunnels files (The ip
> addresses have been changed to protect the innocent):
>
> # TYPE ZONE GATEWAY GATEWAY ZONE
> ipsec net 1.2.3.4
>
> Where 1.2.3.4 is the GAUNTLET box.
>
> Now, there are several RFC1918 address blocks behind that 1.2.3.4 router,
> should I create a zone which contains all those blocks and put that in the
> "GATEWAY ZONE" parameter?
You can place those address blocks in a zone of their own or you can place
them in your local zone. It all depends on what kind of firewalling (if any)
you want between the remote subnets and your local one. If you make them part
of your local zone, be sure you have the following in /etc/shorewall/policy:
local	local	ACCEPT
You usually don't have to put anything in the GATEWAY ZONE unless you start
seeing UDP port 500 packets from the GAUNTLET coming thru the tunnel (that
usually doesn't happen with IPSEC in tunnel mode).
>
> Also, I read in the IPSEC docs that the "tunnelled" packets should NOT be
> masq'ed. Is that correct?
That's correct -- this means that the RFC1918 addresses at the other end
can't overlap your local ones.
>
> The SHOREWALL firewall is protecting another 192.168 address block (that is
> NOT being used on the other side of 1.2.3.4).
Good -- See above.
>
> Also, how does one handle DNS so that addresses on the other side of the
> tunnel can be resolved?
Add a "forward only" zone at your end for the domain at the other end of the
tunnel and forward DNS lookups for that zone through the tunnel to the name
servers at the other end.
I do that here for compaq -- in /etc/named.conf, I have:
zone "compaq.com" {
	type forward;
	forward only;
	forwarders {
		1.2.3.4;
		1.2.8.4;
	};
};
Where 1.2.3.4 and 1.2.8.4 are Compaq-internal name servers.
I use PPTP between my firewall and Compaq but the idea is the same.
-Tom
--
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
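The two practical checks in Tom's reply are easy to get wrong by hand: the remote RFC1918 blocks must not overlap the local ones (tunnelled traffic is not masqueraded, so an overlap leaves the firewall unable to tell the two sides apart), and the forward-only zone for the remote domain must list reachable name servers. The script below, an added example and not code from the thread or from Shorewall or BIND, checks a pair of subnet lists for overlap, confirms they are private space, and renders the named.conf stanza from the mail. The subnet lists and the domain name in the demo are constructed sample values; the forwarder addresses reuse the thread's own placeholder 1.2.3.4 and 1.2.8.4.

```python
"""Pre-flight checks for a site-to-site IPsec tunnel between two RFC1918 sites.

Added example: not part of the original mailing-list thread, and not the
configuration syntax checker of Shorewall or BIND. All sample values are
constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The three RFC1918 private blocks, used to confirm both ends of the tunnel
# really do carry private addressing before the overlap check is trusted.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: str) -> bool:
    """True if the given network lies entirely inside one RFC1918 block."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(block) for block in RFC1918)


def find_overlaps(local_nets: Iterable[str],
                  remote_nets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) pair whose address ranges overlap.

    Because packets inside the tunnel are not masqueraded, any overlap means
    a host on one side could be unreachable or shadowed by the other side;
    the returned list must be empty before the tunnel goes live.
    """
    overlaps = []
    for local in local_nets:
        ln = ipaddress.ip_network(local, strict=False)
        for remote in remote_nets:
            rn = ipaddress.ip_network(remote, strict=False)
            if ln.overlaps(rn):
                overlaps.append((str(ln), str(rn)))
    return overlaps


def render_forward_zone(domain: str, forwarders: Iterable[str]) -> str:
    """Render a BIND 'forward only' zone stanza for the remote domain.

    Each forwarder is parsed with ipaddress so a typo raises ValueError here
    rather than surfacing as a silent resolution failure later.
    """
    lines = [f'zone "{domain}" {{', "\ttype forward;", "\tforward only;",
             "\tforwarders {"]
    for fwd in forwarders:
        ipaddress.ip_address(fwd)  # validation only; raises on bad input
        lines.append(f"\t\t{fwd};")
    lines += ["\t};", "};"]
    return "\n".join(lines)


def check_tunnel_plan(local_nets: List[str], remote_nets: List[str],
                      remote_domain: str, forwarders: List[str]) -> Dict:
    """Run all checks and return a summary dict the caller can act on."""
    non_private = [n for n in local_nets + remote_nets if not is_rfc1918(n)]
    overlaps = find_overlaps(local_nets, remote_nets)
    return {
        "non_private": non_private,
        "overlaps": overlaps,
        "ok": not non_private and not overlaps,
        "named_conf": render_forward_zone(remote_domain, forwarders),
    }


if __name__ == "__main__":
    # Constructed sample: one local /24 behind the Shorewall box, two remote
    # blocks behind the Gauntlet gateway, no overlap between them.
    result = check_tunnel_plan(
        local_nets=["192.168.50.0/24"],
        remote_nets=["10.1.0.0/16", "172.20.0.0/16"],
        remote_domain="remote.example",
        forwarders=["1.2.3.4", "1.2.8.4"],
    )
    print("tunnel plan ok:", result["ok"])
    print(result["named_conf"])
```

Run it before editing /etc/shorewall/tunnels: a non-empty `overlaps` list is the case Tom warns about and has to be resolved by renumbering one side, since masquerading the tunnel is not an option.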