Shorewall users - May 2004 - IPSEC terminating behind the FW

I need to implement an IPSEC tunnel with an endpoint on a Windows 2000 box
located in a DMZ.  I have located a lot of information on setting up a
tunnel with an end point on the FW, but not behind it.  Can anyone tell me
what is required to get this working?  I can deploy routable or non-routable
IP address on the Windows 2000 box.  The tunnel is tested and working
without the FW in place.
 
Thanks
 
Rob King
 
(I am not a member of the mailing list so please reply direct)

Rob King wrote:
> I need to implement an IPSEC tunnel with an endpoint on a Windows 2000 box
> located in a DMZ.  I have located a lot of information on setting up a
> tunnel with an end point on the FW, but not behind it.  Can anyone tell me
> what is required to get this working?  I can deploy routable or
non-routable
> IP address on the Windows 2000 box.  The tunnel is tested and working
> without the FW in place.
Go to the Shorewall website; in the Documentation index under VPN is a 
link entitied:

"IPSEC/PPTP passthrough from a system behind your firewall to a remote 
network".

That article describes an IPSEC endpoint behind a firewall using RFC 
1918 addresses; if you use public IP addresses (which tends to work 
better), simply replace the DNAT rules with ACCEPT rules.

The article also assumes a loc->net ACCEPT policy so if your dmz->net 
policy is not ACCEPT, then you need ACCEPT rules for protocol 50 and for 
UDP port 500 in the outbound direction as well.

Finally, if use a public IP address on the endpoint then your tunnel can 
also use the Authendication Header protocol (protocol 51) so it would be 
a good idea to add ACCEPT rules for protocol 51 as well (unless you know 
for sure that you won''t need it).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net