shorewall-tunnels(5)

NAME
tunnels - Shorewall VPN definition file

SYNOPSIS
/etc/shorewall/tunnels

DESCRIPTION
The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See ⟨http://www.shorewall.net/VPNBasics.html⟩ for details.

The columns in the file are as follows.

TYPE — {ipsec[:{noah|ah}]|ipsecnat|ipip|gre|pptpclient|pptpserver|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
Types are as follows:

ipsec - IPv4 IPSEC
ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip - IPv4 encapsulated in IPv4 (Protocol 4)
gre - Generic Routing Encapsulation (Protocol 47)
pptpclient - PPTP Client runs on the firewall
pptpserver - PPTP Server runs on the firewall
openvpn - OpenVPN in point-to-point mode
openvpnclient - OpenVPN client runs on the firewall
openvpnserver - OpenVPN server runs on the firewall
generic - Other tunnel type

If the type is ipsec, it may be followed by :ah to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is :noah, which means that protocol 51 is not used). NAT traversal is only supported with ESP (protocol 50), so ipsecnat tunnels don't allow the ah option (ipsecnat:noah may be specified but is redundant).

If type is openvpn, openvpnclient or openvpnserver, it may optionally be followed by ":" and tcp or udp to specify the protocol to be used. If not specified, udp is assumed.

If type is openvpn, openvpnclient or openvpnserver, it may optionally be followed by ":" and the port number used by the tunnel. If no ":" and port number are included, then the default port of 1194 will be used. Where both the protocol and port are specified, the protocol must be given first (e.g., openvpn:tcp:4444).

If type is generic, it must be followed by ":" and a protocol name (from /etc/protocols) or a protocol number. If the protocol is tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number.

ZONE - zone
The zone of the physical interface through which tunnel traffic passes. This is normally your internet zone.

GATEWAY — address-or-range
The IP address of the remote tunnel gateway. If the remote gateway has no fixed address (Road Warrior) then specify the gateway as 0.0.0.0/0. May be specified as a network address and, if your kernel and iptables include iprange match support, IP address ranges are also allowed.

GATEWAY ZONES (Optional) — [zone[,zone]...]
If the gateway system specified in the third column is a standalone host then this column should contain a comma-separated list of the names of the zones that the host might be in. This column only applies to IPSEC tunnels, where it enables ISAKMP traffic to flow through the tunnel to the remote gateway.

EXAMPLE
Example 1:
IPSec tunnel.

The remote gateway is 4.33.99.124 and the remote subnet is 192.168.9.0/24. The tunnel does not use the AH protocol.

#TYPE         ZONE    GATEWAY
ipsec:noah    net     4.33.99.124

Example 2:
Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is used to represent the remote LapTop.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
ipsec         net     0.0.0.0/0      gw

Example 3:
Host 4.33.99.124 is a standalone system connected via an ipsec tunnel to the firewall system. The host is in zone gw.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
ipsec         net     4.33.99.124    gw

Example 4:
Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The FreeS/Wan _updown script will add the host to the appropriate zone using the shorewall add command on connect and will remove the host from the zone at disconnect time.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
ipsec         net     0.0.0.0/0      vpn1,vpn2,vpn3

Example 5:
You run the Linux PPTP client on your firewall and connect to server 192.0.2.221.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
pptpclient    net     192.0.2.221

Example 6:
You run a PPTP server on your firewall.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
pptpserver    net     0.0.0.0/0

Example 7:
OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn uses port 7777.

#TYPE         ZONE    GATEWAY        GATEWAY ZONES
openvpn:7777  net     4.33.99.124

Example 8:
You have a tunnel that is not one of the supported types. Your tunnel uses UDP port 4444. The other end of the tunnel is 4.3.99.124.

#TYPE             ZONE    GATEWAY        GATEWAY ZONES
generic:udp:4444  net     4.3.99.124

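As an added example (not Shorewall's own code), the following Python checker applies the TYPE grammar and the column layout described above to tunnels-file lines: it returns the encapsulation protocol and port each entry implies and rejects the combinations this page disallows (ah with ipsecnat, port before protocol for openvpn, a port on a non-tcp/udp generic tunnel). The function names, the constructed sample built from Examples 4 and 7, and PPTP's TCP 1723 plus GRE (well-known values the page does not list) are assumptions of this example.

```python
import socket

FIXED = {"ipip": [(4, None)], "gre": [(47, None)],   # (ip protocol, port) pairs
         "pptpclient": [(6, 1723), (47, None)],       # PPTP: TCP 1723 control + GRE,
         "pptpserver": [(6, 1723), (47, None)]}       # well-known values, not on the page
PROTO_NUM = {"tcp": 6, "udp": 17}

def parse_type(spec):
    """Validate one TYPE value; return the (protocol, port) pairs it implies."""
    base, *opts = spec.lower().split(":")
    if base in ("ipsec", "ipsecnat"):
        if opts not in ([], ["noah"], ["ah"]) or (base == "ipsecnat" and opts == ["ah"]):
            raise ValueError(f"{spec}: only :noah or :ah allowed, and no ah with ipsecnat")
        if base == "ipsecnat":
            return [(50, None), (17, 4500)]             # ESP plus UDP 4500 NAT-T
        return [(50, None)] + ([(51, None)] if opts == ["ah"] else [])
    if base in FIXED and not opts:
        return FIXED[base]
    if base in ("openvpn", "openvpnclient", "openvpnserver"):
        proto, port = "udp", 1194                       # defaults stated on the page
        if opts and opts[0] in PROTO_NUM:
            proto = opts.pop(0)                         # protocol must come first
        if opts:
            port = int(opts.pop(0))                     # non-numeric -> ValueError
        if opts:                                        # e.g. openvpn:4444:tcp
            raise ValueError(f"{spec}: expected [:tcp|udp][:port]")
        return [(PROTO_NUM[proto], port)]
    if base == "generic":
        if not opts or len(opts) > 2:
            raise ValueError(f"{spec}: expected generic:protocol[:port]")
        proto = int(opts[0]) if opts[0].isdigit() else socket.getprotobyname(opts[0])
        port = int(opts[1]) if len(opts) == 2 else None
        if port is not None and proto not in (6, 17):
            raise ValueError(f"{spec}: a port is only valid with tcp or udp")
        return [(proto, port)]
    raise ValueError(f"{spec}: unknown or malformed tunnel type")

def parse_tunnels(text):
    """Yield (type, zone, gateway, gateway_zones, encapsulation) per entry."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()               # '#' starts a comment
        if len(f) in (1, 2):
            raise ValueError(f"{line!r}: TYPE, ZONE and GATEWAY are required")
        if f:
            yield f[0], f[1], f[2], (f[3].split(",") if len(f) > 3 else []), parse_type(f[0])

# Constructed sample built from the page's Example 4 and Example 7.
SAMPLE = """#TYPE             ZONE  GATEWAY        GATEWAY ZONES
ipsec             net   0.0.0.0/0      vpn1,vpn2,vpn3
openvpn:7777      net   4.33.99.124"""
```

Unknown protocol names in a generic entry are resolved through the local /etc/protocols and raise OSError, so the check fails closed rather than silently accepting a typo.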
FILES
/etc/shorewall/tunnels

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)

19 May 2008