Shorewall 1.1 IPSec Tunneling

IPSec Gateway on the Firewall System

Suppose that we have the following situation:

We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network.

In /etc/shorewall/tunnels on system A, we need the following:

TYPE     ZONE    GATEWAY         GATEWAY ZONE
ipsec    net     134.28.54.2

In /etc/shorewall/tunnels on system B, we would have:

TYPE     ZONE    GATEWAY         GATEWAY ZONE
ipsec    net     134.28.54.2

At both systems, ipsec0 would be included in /etc/shorewall/internet as a "gw" interface:

ZONE    INTERFACE    BROADCAST    OPTIONS
gw      ipsec0

Once you have these entries in place, restart Shorewall (type "shorewall restart"); you are then ready to configure the tunnel itself in FreeS/WAN.


Mobile System (Road Warrior)

Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.

In this instance, the mobile system (B) happens to have IP address 134.28.54.2, but that address cannot be known in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:

TYPE     ZONE    GATEWAY         GATEWAY ZONE
ipsec    net     0.0.0.0/0       gw

Note that the GATEWAY ZONE column contains the name of the zone corresponding to peer subnetworks (gw in the default /etc/shorewall/zones). This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system.
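The two tunnels-file entries above (a fixed peer gateway and a road-warrior peer with GATEWAY 0.0.0.0/0) differ in what the firewall will accept: the first only admits tunnel traffic from one known address, the second from any address, so for the road-warrior case the peer authentication configured in FreeS/WAN is the only thing distinguishing your laptop from anyone else on the Internet. The small parser below is an added example, not part of the Shorewall documentation or code: it reads tunnels-file text (a constructed sample modelled on the two entries above, plus one deliberately malformed line), rejects lines it cannot accept, and classifies each entry so that an administrator can see at a glance which tunnels are open to arbitrary peers and which expect a standalone remote gateway. The column layout (TYPE, ZONE, GATEWAY, optional GATEWAY ZONE) is taken from the page; the set of known tunnel types is limited to "ipsec" because that is the only type this page discusses.

```python
import ipaddress

# Constructed sample of /etc/shorewall/tunnels contents, modelled on the two
# entries on this page (fixed peer and road warrior) plus a malformed line.
SAMPLE_TUNNELS = """\
# TYPE   ZONE   GATEWAY        GATEWAY ZONE
ipsec    net    134.28.54.2
ipsec    net    0.0.0.0/0      gw
# the next line is missing its GATEWAY column
ipsec    net
"""

# Only the tunnel type this page discusses (assumption: other types are not handled here).
KNOWN_TYPES = {"ipsec"}


def parse_tunnels(text):
    """Parse tunnels-file text into (entries, problems).

    entries:  list of dicts with keys type, zone, gateway, gateway_zone, lineno
    problems: list of strings describing lines that were not accepted
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if not 3 <= len(fields) <= 4:
            problems.append(f"line {lineno}: expected 3 or 4 columns, found {len(fields)}")
            continue
        ttype, zone, gateway = fields[:3]
        gateway_zone = fields[3] if len(fields) == 4 else None
        if ttype not in KNOWN_TYPES:
            problems.append(f"line {lineno}: unknown tunnel type {ttype!r}")
            continue
        try:
            ipaddress.ip_network(gateway, strict=False)   # accepts a host or a CIDR range
        except ValueError:
            problems.append(f"line {lineno}: GATEWAY {gateway!r} is not an address or network")
            continue
        entries.append({"type": ttype, "zone": zone, "gateway": gateway,
                        "gateway_zone": gateway_zone, "lineno": lineno})
    return entries, problems


def classify(entry):
    """Describe what a tunnels entry implies about the remote peer."""
    net = ipaddress.ip_network(entry["gateway"], strict=False)
    if net.prefixlen == 0:
        kind = "road-warrior"     # peer address unknown in advance: tunnel accepted from any host
    elif net.num_addresses == 1:
        kind = "fixed-gateway"    # tunnel accepted only from this one peer address
    else:
        kind = "gateway-range"    # tunnel accepted from any host in the given network
    # A GATEWAY ZONE means the gateway itself is the peer subnetwork (standalone system).
    return {"kind": kind, "standalone_peer": entry["gateway_zone"] is not None}


if __name__ == "__main__":
    found, errors = parse_tunnels(SAMPLE_TUNNELS)
    for e in found:
        print(f"line {e['lineno']}: {e['gateway']:<14} {classify(e)}")
    for p in errors:
        print("problem:", p)
```

Running the block on the sample lists the fixed peer as "fixed-gateway" with no standalone flag, the 0.0.0.0/0 entry as "road-warrior" with a standalone peer, and reports the two-column line as a problem. To check a real installation, replace SAMPLE_TUNNELS with the contents of /etc/shorewall/tunnels and review every entry classified as road-warrior or gateway-range, since those are the ones whose security rests entirely on the IPsec authentication configured in FreeS/WAN.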


Last updated 5/23/2001 - Tom Eastep