SHOREWALL-TUNNELS(5) [FIXME: manual] SHOREWALL-TUNNELS(5)

NAME
tunnels - Shorewall VPN definition file

SYNOPSIS
/etc/shorewall/tunnels

DESCRIPTION
The tunnels file is used to define rules that allow encapsulated (usually
encrypted) traffic to pass between the Shorewall system and a remote
gateway. Each entry opens the firewall only for the tunnel's own
encapsulation protocol and ports; the traffic flowing inside the tunnel
is still handled using the normal zone/policy/rule mechanism. See
http://www.shorewall.net/VPNBasics.html for details.

The columns in the file are as follows.
TYPE -
{6to4|ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
Types are as follows:

6to4 - 6to4 or 6in4 tunnel (IPv6 encapsulated in IPv4, Protocol 41)
ipsec - IPv4 IPSEC
ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip - IPv4 encapsulated in IPv4 (Protocol 4)
gre - Generic Routing Encapsulation (Protocol 47)
l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
pptpclient - PPTP client runs on the firewall
pptpserver - PPTP server runs on the firewall
openvpn - OpenVPN in point-to-point mode
openvpnclient - OpenVPN client runs on the firewall
openvpnserver - OpenVPN server runs on the firewall
generic - Other tunnel type

If the type is ipsec, it may be followed by :ah to indicate that
the Authentication Header protocol (51) is used by the tunnel (the
default is :noah, which means that protocol 51 is not used). NAT
traversal is only supported with ESP (protocol 50), so ipsecnat
tunnels don't allow the ah option (ipsecnat:noah may be specified
but is redundant).

If type is openvpn, openvpnclient or openvpnserver it may
optionally be followed by ":" and tcp or udp to specify the
protocol to be used. If not specified, udp is assumed.

If type is openvpn, openvpnclient or openvpnserver it may
optionally be followed by ":" and the port number used by the
tunnel. If no ":" and port number are included, then the default
port of 1194 will be used. Where both the protocol and port are
specified, the protocol must be given first (e.g.,
openvpn:tcp:4444).

If type is generic, it must be followed by ":" and a protocol name
(from /etc/protocols) or a protocol number. If the protocol is tcp
or udp (6 or 17), then it may optionally be followed by ":" and a
port number; for any other protocol no port may be given.

Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin
with the word COMMENT; the remainder of the line is treated as a
comment which is attached to subsequent rules until another COMMENT
line is found or until the end of the file is reached. To stop
adding comments to rules, use a line with only the word COMMENT.

ZONE - zone
The zone of the physical interface through which tunnel traffic
passes. This is normally your internet zone.

GATEWAY - address-or-range
The IP address of the remote tunnel gateway. If the remote gateway
has no fixed address (Road Warrior) then specify the gateway as
0.0.0.0/0; note that this accepts the tunnel's protocols and ports
from any source address, so authentication of the peer then rests
entirely on the tunnel software itself. May be specified as a network
address, and if your kernel and iptables include iprange match support
then IP address ranges (low-high) are also allowed.

GATEWAY ZONES (Optional) - [zone[,zone]...]
If the gateway system specified in the third column is a standalone
host then this column should contain a comma-separated list of the
names of the zones that the host might be in. This column only
applies to IPSEC tunnels, where it enables the ISAKMP (IKE) traffic
exchanged with the remote gateway to flow between the firewall and
each listed zone, so that a peer which is itself a member of one of
those zones can negotiate the tunnel.

EXAMPLES
Example 1:
IPSec tunnel.

The remote gateway is 4.33.99.124 and the remote subnet is
192.168.9.0/24. The tunnel does not use the AH protocol.

#TYPE            ZONE   GATEWAY
ipsec:noah       net    4.33.99.124

Example 2:
Road Warrior (laptop that may connect from anywhere) where the "gw"
zone is used to represent the remote laptop.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
ipsec            net    0.0.0.0/0      gw

Example 3:
Host 4.33.99.124 is a standalone system connected via an ipsec
tunnel to the firewall system. The host is in zone gw.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
ipsec            net    4.33.99.124    gw

Example 4:
Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
FreeS/WAN _updown script will add the host to the appropriate zone
using the shorewall add command on connect and will remove the host
from the zone at disconnect time.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
ipsec            net    0.0.0.0/0      vpn1,vpn2,vpn3

Example 5:
You run the Linux PPTP client on your firewall and connect to
server 192.0.2.221.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
pptpclient       net    192.0.2.221

Example 6:
You run a PPTP server on your firewall.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
pptpserver       net    0.0.0.0/0

Example 7:
OpenVPN tunnel. The remote gateway is 4.33.99.124 and OpenVPN uses
port 7777 (UDP, the default protocol).

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
openvpn:7777     net    4.33.99.124

Example 8:
You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
4.3.99.124.

#TYPE            ZONE   GATEWAY        GATEWAY ZONES
generic:udp:4444 net    4.3.99.124

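The column rules above and the example entries, exercised together by an added example that is not part of this page or of Shorewall: a small Python parser for the tunnels file. It checks the TYPE grammar (ipsec :ah/:noah, ipsecnat rejecting :ah, openvpn protocol-before-port with the udp/1194 defaults, generic allowing a port only for tcp/udp), the GATEWAY forms, the GATEWAY ZONES list and COMMENT handling, and reports the (protocol, port) pairs each entry lets through between the firewall and the gateway. The PPTP mapping (TCP 1723 control connection plus GRE) and the PROTO_NAMES table standing in for /etc/protocols are assumptions of the example, not statements from the page; the sample file is constructed from this page's examples.

```python
# Added example for this page (not Shorewall's own code): parse tunnels entries.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PPTP = {("tcp", 1723), ("47", None)}          # assumption: PPTP control channel + GRE
FIXED = {"6to4": {("41", None)}, "ipip": {("4", None)}, "gre": {("47", None)},
         "l2tp": {("udp", 1701)}, "pptpclient": PPTP, "pptpserver": PPTP}
OPENVPN = ("openvpn", "openvpnclient", "openvpnserver")
PROTO_NAMES = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}   # stands in for /etc/protocols


@dataclass
class Tunnel:
    kind: str
    zone: str                      # zone of the interface the tunnel rides on
    gateway: str                   # address, network, lo-hi range or 0.0.0.0/0
    gateway_zones: list = field(default_factory=list)
    ah: bool = False               # ipsec:ah
    proto: Optional[str] = None    # openvpn*/generic transport
    port: Optional[int] = None     # openvpn*/generic port
    comment: Optional[str] = None  # from a preceding COMMENT line

    def opens(self) -> set:
        """(protocol, dport) pairs accepted to/from GATEWAY; dport None = whole protocol."""
        if self.kind in FIXED:
            return set(FIXED[self.kind])
        if self.kind == "ipsec":                  # ESP + IKE; AH (51) only when asked for
            return {("50", None), ("udp", 500)} | ({("51", None)} if self.ah else set())
        if self.kind == "ipsecnat":               # ESP only, plus NAT-T on UDP 4500
            return {("50", None), ("udp", 500), ("udp", 4500)}
        return {(self.proto, self.port)}          # openvpn*, generic


def _port(s: str) -> int:
    if not s.isdigit() or not 1 <= int(s) <= 65535:
        raise ValueError(f"bad port {s!r}")
    return int(s)


def parse_type(spec: str) -> dict:
    """Validate the TYPE column against the grammar described above."""
    base, *opts = spec.lower().split(":")
    t = {"kind": base}
    if base in ("ipsec", "ipsecnat"):             # NAT traversal is ESP-only: no :ah
        if opts not in (([], ["noah"]) if base == "ipsecnat" else ([], ["ah"], ["noah"])):
            raise ValueError(f"bad IPSEC option in {spec!r}")
        t["ah"], opts = opts == ["ah"], []
    elif base in OPENVPN:
        t["proto"], t["port"] = "udp", 1194       # defaults given above
        if opts and opts[0] in ("tcp", "udp"):
            t["proto"] = opts.pop(0)
        if opts:                                  # "openvpn:4444:tcp" leaves "tcp" over
            t["port"] = _port(opts.pop(0))
    elif base == "generic":
        name = opts.pop(0) if opts else ""
        num = name if name.isdigit() else str(PROTO_NAMES.get(name, ""))
        if not num:
            raise ValueError(f"generic needs a known :protocol: {spec!r}")
        t["proto"], t["port"] = {"6": "tcp", "17": "udp"}.get(num, num), None
        if opts and num not in ("6", "17"):
            raise ValueError(f"port only valid with tcp/udp: {spec!r}")
        if opts:
            t["port"] = _port(opts.pop(0))
    elif base not in FIXED:
        raise ValueError(f"unknown tunnel type {spec!r}")
    if opts:
        raise ValueError(f"unexpected option in {spec!r}")
    return t


def parse_tunnels(text: str) -> list:
    tunnels, comment = [], None                   # '#' comments, COMMENT lines, then columns
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        if cols[0] == "COMMENT":                  # attaches to the entries that follow
            comment = " ".join(cols[1:]) or None
            continue
        if len(cols) < 3:
            raise ValueError(f"need TYPE ZONE GATEWAY: {line!r}")
        for part in cols[2].split("-", 1):        # host, network, 0.0.0.0/0 or lo-hi range
            ipaddress.IPv4Network(part, strict=False)
        zones = cols[3].split(",") if len(cols) > 3 and cols[3] != "-" else []
        tunnels.append(Tunnel(zone=cols[1], gateway=cols[2], gateway_zones=zones,
                              comment=comment, **parse_type(cols[0])))
    return tunnels


# Constructed input: entries taken from this page's examples, plus a COMMENT line.
EXAMPLE_TUNNELS = """\
ipsec:noah       net   4.33.99.124
COMMENT Road warriors moved between vpn zones by the _updown script
ipsec            net   0.0.0.0/0    vpn1,vpn2,vpn3
COMMENT
pptpclient       net   192.0.2.221
openvpn:7777     net   4.33.99.124
generic:udp:4444 net   4.3.99.124
"""
```

parse_tunnels(EXAMPLE_TUNNELS) yields five Tunnel objects; opens() on the ipsec:noah entry returns {('50', None), ('udp', 500)}, i.e. ESP plus IKE on UDP 500 and no AH, while the road-warrior entry carries gateway_zones ['vpn1', 'vpn2', 'vpn3'] and the COMMENT text, which the bare COMMENT line then clears for the entries after it. The example only shows the protocol/port surface each TYPE implies; Shorewall's compiler additionally emits the GATEWAY ZONES rules and the connection-state matching described on this page.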
FILES
/etc/shorewall/tunnels

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-zones(5)



[FIXME: source] 09/16/2011 SHOREWALL-TUNNELS(5)