On Mon, 24 Jun 2002, Paul Gear wrote:
> Kelly Watts at Ring's End wrote:
>
> > I have an iptables v.1.2.3 on Redhat 7.2 currently running with IP masq,
> > ssh and squid and apache. Everything is fine in the UNIX world, that is
> > people can securely log in to the firewall box from the internet and a
> > telnet session from there is started to a UNIX box. Now we need to add a
> > Windows 2000 server and allow some people to tunnel in to it from DSL
> > connections at home and run a client app and the VPN must use IPsec and
> > 3DES to conform to government regulations. So, is using Shorewall a good
> > choice for me? Getting rid of Windows 2000 is not an option for me
> > unfortunately. Is there a problem with having IP masq? Thanks to all
>
> (I didn't see anyone else reply to this - did it get missed?)
>
> Kelly, the bottom line is that shorewall is a frontend/preprocessor for
> iptables. Thus, what iptables can do, shorewall can do. You may find some
> areas of iptables which shorewall doesn't handle natively, but these are
> typically fairly exotic things that are not normally required, and they can
> be implemented using manual iptables commands in conjunction with shorewall.
>
As for masquerading an IPSEC endpoint, if you forward protocol 50 (ESP)
and UDP port 500 to the server, it should work. Note that you can't use AH
(Protocol 51) since AH incorporates a cryptographic checksum that includes
the IP addresses in the IP header. Since any form of NAT (including
masquerade) rewrites those IP addresses, the NATed packets will fail the
checksum test and will be discarded by the destination IPSEC gateway.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
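Tom's point about AH versus ESP behind a masquerading firewall, as an added illustration that is not part of the thread: a small Python model of the integrity check on each side. AH's ICV is computed over the immutable IP header fields (including source and destination addresses) plus the payload, so rewriting the source address breaks it; ESP's ICV covers only the ESP header and payload, so the outer address rewrite does not. The key, addresses and packet contents below are constructed for the demonstration; the header layout is simplified to the fields that matter here.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo material (not real SA keys or real hosts).
KEY = b"demo-integrity-key-for-illustration"
INTERNAL = "192.168.1.10"  # IPsec endpoint behind the masquerading firewall
PUBLIC = "203.0.113.5"     # firewall's external address after masquerade
PEER = "198.51.100.7"      # remote IPsec gateway that verifies the packet

def ip_header_immutable(src, dst, proto, total_len):
    """Simplified IPv4 header restricted to the fields AH treats as immutable:
    version/IHL, total length, protocol, source, destination.  Mutable fields
    (TTL, header checksum) are zeroed by AH, so they are left out here."""
    return struct.pack("!BHB4s4s", 0x45, total_len, proto,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(src, dst, payload):
    """AH (protocol 51): HMAC-SHA1-96 over immutable IP header + payload."""
    covered = ip_header_immutable(src, dst, 51, 20 + len(payload)) + payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]

def esp_icv(esp_packet):
    """ESP (protocol 50): HMAC-SHA1-96 over the ESP header and payload only;
    the outer IP header is not covered."""
    return hmac.new(KEY, esp_packet, hashlib.sha1).digest()[:12]

def survives_masquerade(mode, payload=b"constructed application data"):
    """Internal host sends to PEER; the firewall rewrites the source address
    to PUBLIC; PEER recomputes the ICV on what it receives.  Returns True if
    the received packet passes the integrity check."""
    if mode == "AH":
        sent = ah_icv(INTERNAL, PEER, payload)
        received = ah_icv(PUBLIC, PEER, payload)  # src address now differs
    elif mode == "ESP":
        sent = esp_icv(payload)
        received = esp_icv(payload)  # outer header change is not covered
    else:
        raise ValueError("mode must be 'AH' or 'ESP'")
    return hmac.compare_digest(sent, received)

if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        print(mode, "passes behind masquerade:", survives_masquerade(mode))
```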
Well that means that I can't use NAT anymore since I have to use IPsec and
AH is a part of IPsec as are ESP and IKE. Right? Or, since NAT is needed
only for pc's on the internal network to go out to the internet and IPsec
is needed only for pc's connecting from the internet, is it possible to do
NAT only on internal addresses? As you can see I am new to this. Thanks
for all comments.