Hi,

I had a look at this page which describes a single VPN zone called "vpn":

http://www.shorewall.net/IPSEC-2.6.html

Is this the most current information? It is the top page found by Google for "shorewall ipsec".

Is there any information about setting up multiple VPN zones for different classes of road warrior? E.g. let's say there are two classes of road warrior:

vpn_a: mobile devices

vpn_b: laptop devices (trusted more than the mobile devices)

The IPsec platform (e.g. StrongSwan) gives all the road warriors a pool IP. It uses different pools for users from vpn_a and vpn_b.

Looking at the ShoreWall IPsec example in the link above, it suggests that all of 0.0.0.0/0 has to be mapped to a single VPN zone in the /etc/shorewall/tunnels file, so it's not clear that Shorewall can cope with multiple classes of road warrior. Can anybody comment on this?

Regards,

Daniel

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
On Jul 2, 2013, at 4:40 AM, Daniel Pocock <daniel@pocock.com.au> wrote:

> Hi,
>
> I had a look at this page which describes a single VPN zone called "vpn":
>
> http://www.shorewall.net/IPSEC-2.6.html
>
> Is this the most current information? It is the top page found by
> Google for "shorewall ipsec".
>
> Is there any information about setting up multiple VPN zones for
> different classes of road warrior? E.g. let's say there are two classes
> of road warrior:
>
> vpn_a: mobile devices
>
> vpn_b: laptop devices (trusted more than the mobile devices)
>
> The IPsec platform (e.g. StrongSwan) gives all the road warriors a pool
> IP. It uses different pools for users from vpn_a and vpn_b.
>
> Looking at the ShoreWall IPsec example in the link above, it suggests
> that all of 0.0.0.0/0 has to be mapped to a single VPN zone in the
> /etc/shorewall/tunnels file, so it's not clear that Shorewall can cope
> with multiple classes of road warrior. Can anybody comment on this?

You can certainly use the /etc/shorewall/hosts file to create different IPSEC zones corresponding to different IP networks and/or address ranges.

-Tom

Tom Eastep        \ Nothing is foolproof to a
Shoreline,        \ sufficiently talented fool
Washington, USA   \ http://shorewall.net
                  \________________________________________________
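The layout Tom describes, written out as an added example (not from the thread or the Shorewall documentation): one ipsec-type zone per road-warrior class, each tied in /etc/shorewall/hosts to the pool network strongSwan hands that class, while /etc/shorewall/tunnels still admits IKE/ESP from anywhere. The pool networks 10.10.1.0/24 and 10.10.2.0/24, the interface eth0, the zone names vpna/vpnb (kept to five characters) and the 192.168.1.0/24 LAN are assumptions.

```conf
# /etc/shorewall/zones  (added example; zone names are assumptions)
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpna    ipsec                 # mobile devices, less trusted
vpnb    ipsec                 # laptops, more trusted

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        routefilter
loc     eth1

# /etc/shorewall/hosts
# Decapsulated road-warrior traffic arrives on eth0 carrying a pool
# address; the pool network decides which zone the packet belongs to.
# Pool networks are assumptions and must match strongSwan's pools.
#ZONE   HOST(S)                 OPTIONS
vpna    eth0:10.10.1.0/24       ipsec
vpnb    eth0:10.10.2.0/24       ipsec

# /etc/shorewall/tunnels
# IKE and ESP from any address: the pool address, not the peer's
# public address, is what classifies the traffic.
#TYPE   ZONE    GATEWAY         GATEWAY_ZONE
ipsec   net     0.0.0.0/0

# /etc/shorewall/policy
# Default-deny for the mobile class; open only named services in rules.
#SOURCE DEST    POLICY  LOG
vpna    all     REJECT  info
vpnb    loc     ACCEPT
vpnb    $FW     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only what mobile devices need; 192.168.1.10 is an assumed mail host.
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  vpna    loc:192.168.1.10        tcp     993
```

After `shorewall check` passes, `shorewall show zones` lists the hosts entries under vpna and vpnb, which is the quickest way to confirm a pool network landed in the intended zone.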
On 02/07/13 15:05, Tom Eastep wrote:

> On Jul 2, 2013, at 4:40 AM, Daniel Pocock <daniel@pocock.com.au> wrote:
>
>> Hi,
>>
>> I had a look at this page which describes a single VPN zone called "vpn":
>>
>> http://www.shorewall.net/IPSEC-2.6.html
>>
>> Is this the most current information? It is the top page found by
>> Google for "shorewall ipsec".
>>
>> Is there any information about setting up multiple VPN zones for
>> different classes of road warrior? E.g. let's say there are two classes
>> of road warrior:
>>
>> vpn_a: mobile devices
>>
>> vpn_b: laptop devices (trusted more than the mobile devices)
>>
>> The IPsec platform (e.g. StrongSwan) gives all the road warriors a pool
>> IP. It uses different pools for users from vpn_a and vpn_b.
>>
>> Looking at the ShoreWall IPsec example in the link above, it suggests
>> that all of 0.0.0.0/0 has to be mapped to a single VPN zone in the
>> /etc/shorewall/tunnels file, so it's not clear that Shorewall can cope
>> with multiple classes of road warrior. Can anybody comment on this?
>
> You can certainly use the /etc/shorewall/hosts file to create different IPSEC zones corresponding to different IP networks and/or address ranges.

Ok, I can confirm that is working for me; it just wasn't clear from reading the IPsec document alone. When I compared a few of the IPsec and VPN documents I was able to see how to implement it.

FYI, I'm using the DN values in certificates to help strongSwan match the road warriors to their IP pools, as described here:

https://lists.strongswan.org/pipermail/users/2013-June/009399.html

and this appears to go well with Shorewall VPN zones.