Rob King wrote:
> I need to implement an IPSEC tunnel with an endpoint on a Windows 2000 box
> located in a DMZ. I have located a lot of information on setting up a
> tunnel with an end point on the FW, but not behind it. Can anyone tell me
> what is required to get this working? I can deploy a routable or non-routable
> IP address on the Windows 2000 box. The tunnel is tested and working
> without the FW in place.
Go to the Shorewall website; in the Documentation index under VPN is a
link entitled:
"IPSEC/PPTP passthrough from a system behind your firewall to a remote
network".
That article describes an IPSEC endpoint behind a firewall using RFC
1918 addresses; if you use public IP addresses (which tends to work
better), simply replace the DNAT rules with ACCEPT rules.
The article also assumes a loc->net ACCEPT policy, so if your dmz->net
policy is not ACCEPT, then you need ACCEPT rules for protocol 50 and for
UDP port 500 in the outbound direction as well.
Finally, if you use a public IP address on the endpoint then your tunnel can
also use the Authentication Header protocol (protocol 51), so it would be
a good idea to add ACCEPT rules for protocol 51 as well (unless you know
for sure that you won't need it).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
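The rules Tom describes, written out as an /etc/shorewall/rules fragment. This is an added example, not text from the Shorewall article or from either poster; the DMZ zone name "dmz", the endpoint addresses (192.0.2.10 as the public address, 192.168.2.10 as the RFC 1918 alternative) and the choice of a non-ACCEPT dmz->net policy are assumptions made for illustration.

```text
#ACTION   SOURCE            DEST                 PROTO   DEST PORT(S)
#
# Case 1: the Windows 2000 endpoint has a public address (assumed 192.0.2.10).
# Inbound from the Internet to the endpoint: ESP (protocol 50) and IKE (UDP 500).
ACCEPT    net               dmz:192.0.2.10       50
ACCEPT    net               dmz:192.0.2.10       udp     500
# AH (protocol 51) is only usable with a public address; allow it unless you
# are sure the tunnel will never negotiate AH.
ACCEPT    net               dmz:192.0.2.10       51
#
# Outbound from the endpoint to the Internet. Only needed when the dmz->net
# policy in /etc/shorewall/policy is not ACCEPT (assumed here).
ACCEPT    dmz:192.0.2.10    net                  50
ACCEPT    dmz:192.0.2.10    net                  udp     500
ACCEPT    dmz:192.0.2.10    net                  51
#
# Case 2: the endpoint has an RFC 1918 address (assumed 192.168.2.10) behind
# the firewall's public address. Replace the inbound ACCEPT rules with DNAT,
# as the passthrough article does; AH is omitted because it does not survive
# address translation.
#DNAT     net               dmz:192.168.2.10     50
#DNAT     net               dmz:192.168.2.10     udp     500
#ACCEPT   dmz:192.168.2.10  net                  50
#ACCEPT   dmz:192.168.2.10  net                  udp     500
```

Uncomment one case or the other, not both, and run "shorewall restart" (or "shorewall check" first) after editing. Protocol numbers are used here because the post refers to them; Shorewall also accepts the names esp and ah in the PROTO column.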