Shorewall users - Jan 2003 - MULTIPLE IPSEC TUNNELS

I am have a shorewall firewall and freeswan ipsec running on a redhat 8.0
Linux gateway machine. I have one working tunnel defined, all works well. I
am not clear how to define mutiple concurrent tunnels. I can not add further
interface  entries as all the tunnels come in on ipsec0, do I still have
mutiple zone definitions? some of the tunnels will be dynamic roadwarriors
and as such would need a gateway entry in tunnels, which zone to I
referrence?

Any help greatly appreciated.

Regards


Roy

There are a couple of outstanding questions about this on the list and
I''ll
try to address them here.

DISCLAIMER: I have not set up a multi-tunnel configuration so this is all 
from theory.

1) FreeS/Wan associates ipsec interfaces with ''real''
interfaces. So if all
of your tunnels route through your eth1 interface then FreeW/Wan will only 
use its first ipsec interface (ipsec0) regardless of how many tunnels that 
you have.

2) The question gets asked "Do I want one zone? One zone per tunnel?
???".
Folks -- how you break the network into zones is ENTIRELY YOUR CHOICE but 
you are going to apply the same policy to all hosts in each zone so you 
want to avoid grouping hosts will wildly different firewalling requirements 
into a single zone.

Example 1: You have two remote offices and you have a tunnel to each of 
them. In this case, it''s unlikely that your policy and rules for one
office
are going to be very different for those from the other office so you can 
put them into the same zone. Just remember that if Shorewall doesn''t 
automatically accept intra-zone connection requests so you will need to add 
an ACCEPT policy from the zone to itself if you want the two offices to 
communicate with one another.

Example 2: You have a remote R&D office and you also have a tunnel to 
company supplying contract work. In this case, your policies and rules 
regarding the two are different so you would probably want to put them in 
different zones.

3) "Given that there is only one interface, how do I define the
zones?"
Answer: It depends.

If the IP address(es) of the host/subnet at the other end of the tunnel is 
static, you can use the /etc/shorewall/hosts file. In Example 2 above, 
suppose that the remote subnet of the R&D group is 192.168.128.0/17 and 
that the contractors are at 10.10.33.0/16. You define zones "rnd" and 
"cont" for the two. Your configuration would include:

/etc/shorewall/zones

rnd	R&D			R&D group in Tuwilla
cont	Contractors	Contractors in Issaquah

/etc/shorewall/interfaces

-	ipsec0	-

/etc/shorewall/hosts

rnd	ipsec0:192.168.128.0/17
cont	ipsec0:10.10.33.0/16

In this case, you would also have a separate entry in the 
/etc/shorewall/tunnels for each tunnel.

4) What if I also have roadwarriors

If as in case 3) above, you also have road warriors then you would have:

/etc/shorewall/zones

rnd	R&D			R&D group in Tuwilla
cont	Contractors	Contractors in Issaquah
rw	RoadWarriors	Road Warriors

/etc/shorewall/interfaces

-	ipsec0	-

/etc/shorewall/hosts

rnd	ipsec0:192.168.128.0/17
cont	ipsec0:10.10.33.0/16
rw	ipsec0:0.0.0.0/0

In this case, this is what I would have in the /etc/shorewall/tunnels:

ipsec	net	<gw1>		rnd
ipsec	net <gw2>		cont
ipsec	net	0.0.0.0/0	rw

Where <gw1> is the gateway to the R&D tunnel and <gw2> the
gateway to the
contractors.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net