There are a couple of outstanding questions about this on the list and I'll try to address them here.
DISCLAIMER: I have not set up a multi-tunnel configuration so this is all
from theory.
1) FreeS/Wan associates ipsec interfaces with 'real' interfaces. So if all of your tunnels route through your eth1 interface then FreeS/Wan will only use its first ipsec interface (ipsec0) regardless of how many tunnels that you have.
2) The question gets asked "Do I want one zone? One zone per tunnel? ???".
Folks -- how you break the network into zones is ENTIRELY YOUR CHOICE but you are going to apply the same policy to all hosts in each zone so you want to avoid grouping hosts with wildly different firewalling requirements into a single zone.
Example 1: You have two remote offices and you have a tunnel to each of them. In this case, it's unlikely that your policy and rules for one office are going to be very different from those for the other office so you can put them into the same zone. Just remember that Shorewall doesn't automatically accept intra-zone connection requests so you will need to add an ACCEPT policy from the zone to itself if you want the two offices to communicate with one another.
Example 2: You have a remote R&D office and you also have a tunnel to a company supplying contract work. In this case, your policies and rules regarding the two are different so you would probably want to put them in different zones.
3) "Given that there is only one interface, how do I define the zones?"
Answer: It depends.
If the IP address(es) of the host/subnet at the other end of the tunnel is
static, you can use the /etc/shorewall/hosts file. In Example 2 above,
suppose that the remote subnet of the R&D group is 192.168.128.0/17 and
that the contractors are at 10.10.33.0/16. You define zones "rnd" and
"cont" for the two. Your configuration would include:
/etc/shorewall/zones
rnd R&D R&D group in Tuwilla
cont Contractors Contractors in Issaquah
/etc/shorewall/interfaces
- ipsec0 -
/etc/shorewall/hosts
rnd ipsec0:192.168.128.0/17
cont ipsec0:10.10.33.0/16
In this case, you would also have a separate entry in the
/etc/shorewall/tunnels for each tunnel.
4) "What if I also have road warriors?"
If, as in case 3) above, you also have road warriors, then you would have:
/etc/shorewall/zones
rnd R&D R&D group in Tuwilla
cont Contractors Contractors in Issaquah
rw RoadWarriors Road Warriors
/etc/shorewall/interfaces
- ipsec0 -
/etc/shorewall/hosts
rnd ipsec0:192.168.128.0/17
cont ipsec0:10.10.33.0/16
rw ipsec0:0.0.0.0/0
In this case, this is what I would have in the /etc/shorewall/tunnels:
ipsec net <gw1> rnd
ipsec net <gw2> cont
ipsec net 0.0.0.0/0 rw
Where <gw1> is the gateway to the R&D tunnel and <gw2> the gateway to the contractors.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
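The hosts-file layout in the post puts three zones on the same ipsec0 interface, and the road-warrior entry (0.0.0.0/0) also covers the R&D and contractor subnets. The following checker is an added example, not code from the post or from Shorewall; it assumes only the "zone iface:network" syntax shown above and reports which zone definitions overlap and which zones a given remote address falls into, in file order, so you can see where zone ordering and explicit rules have to resolve the ambiguity.

```python
import ipaddress

# Constructed sample: the /etc/shorewall/hosts entries from the post above.
HOSTS_FILE = """\
rnd ipsec0:192.168.128.0/17
cont ipsec0:10.10.33.0/16
rw ipsec0:0.0.0.0/0
"""


def parse_hosts(text):
    """Parse 'zone iface:network' lines into (zone, iface, network) tuples.

    strict=False accepts host bits set in the address, as in 10.10.33.0/16
    above (which denotes the network 10.10.0.0/16)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        zone, spec = line.split(None, 1)
        iface, net = spec.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def find_overlaps(entries):
    """Return (earlier_zone, later_zone, net_a, net_b) for every pair of
    entries on the same interface whose networks overlap across zones."""
    overlaps = []
    for i, (za, ia, na) in enumerate(entries):
        for zb, ib, nb in entries[i + 1:]:
            if za != zb and ia == ib and na.overlaps(nb):
                overlaps.append((za, zb, str(na), str(nb)))
    return overlaps


def zones_for(entries, address):
    """Zones whose host definitions cover the address, in file order."""
    ip = ipaddress.ip_address(address)
    return [zone for zone, _, net in entries if ip in net]


if __name__ == "__main__":
    ents = parse_hosts(HOSTS_FILE)
    for za, zb, na, nb in find_overlaps(ents):
        print(f"overlap: zone {za} ({na}) and zone {zb} ({nb})")
    print("192.168.200.5 ->", zones_for(ents, "192.168.200.5"))
```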