Ruben Moretti wrote:
> Uuuppss sorry.
> Alcohol lacking at work is not good :-)
> Thanks
It is my understanding that the way that Microsoft's IPSEC/L2TP works is as
follows:
a) First an IPSEC SA is negotiated between the endpoints.
b) The client then initiates an L2TP (UDP 1701) session through the tunnel and
will tunnel all of the VPN traffic through L2TP. So the only traffic to/from
your remote ipsec zone will be L2TP.
c) The L2TP client or server that you run on the Shorewall box will create a ppp
interface. It is through that interface that the real VPN traffic flows.
What does this mean with Shorewall?
1) It means that you need an ipsec zone; call it 'l2tp'. The only traffic
to/from 'l2tp' will be UDP 1701 traffic to/from the firewall itself. Suppose
that your 'net' interface is eth0. Then:
/etc/shorewall/zones:
...
l2tp ipsec
/etc/shorewall/interfaces:
net eth0 detect ...
/etc/shorewall/hosts:
l2tp eth0:0.0.0.0/0
/etc/shorewall/rules:
ACCEPT l2tp $FW udp 1701
ACCEPT $FW l2tp udp 1701
2) You must define the ppp interface to Shorewall. Your 'vpn' zone is assigned
to that interface through an entry in /etc/shorewall/interfaces.
/etc/shorewall/zones
vpn ipv4
/etc/shorewall/interfaces
vpn ppp+ - ...
Please understand that the above is based on my understanding of how this works.
I have not installed or tested any L2TP configuration and I have no plans to do
so.
HTH,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
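The layout Tom describes (an ipsec zone that carries nothing but UDP 1701 to and from the firewall, plus an ipv4 zone on the ppp+ interface) is easy to get subtly wrong, for example by later adding a rule that lets the ipsec zone talk to a LAN zone directly. The following lint script is an added example, not code from the post or from the Shorewall project. It assumes a simplified Shorewall file syntax (whitespace-separated columns, `#` comments, and only the columns shown on the page) and embeds constructed copies of the four config fragments above; the function `lint_l2tp_layout` and its parameter names are this example's own.

```python
"""Check a minimal Shorewall layout for L2TP-over-IPsec (added example).

Assumed, simplified file syntax: whitespace-separated columns, '#' comments.
  zones:      NAME   TYPE
  interfaces: ZONE   INTERFACE  BROADCAST  OPTIONS
  hosts:      ZONE   HOST(S)
  rules:      ACTION SOURCE     DEST       PROTO  DPORT
"""

# Constructed sample fragments mirroring the layout described in the post.
ZONES = """
# ZONE   TYPE
net      ipv4
l2tp     ipsec
vpn      ipv4
"""

INTERFACES = """
# ZONE   INTERFACE  BROADCAST  OPTIONS
net      eth0       detect
vpn      ppp+       -
"""

HOSTS = """
# ZONE   HOST(S)
l2tp     eth0:0.0.0.0/0
"""

RULES = """
# ACTION SOURCE  DEST   PROTO  DPORT
ACCEPT   l2tp    $FW    udp    1701
ACCEPT   $FW     l2tp   udp    1701
"""


def parse(text):
    """Split a config fragment into rows of columns, dropping comments/blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lint_l2tp_layout(zones, interfaces, hosts, rules,
                     ipsec_zone="l2tp", ppp_zone="vpn"):
    """Return a list of problems; an empty list means the layout matches the post.

    Checks performed (hypothetical lint, derived from the post's description):
      1. ipsec_zone is declared with type 'ipsec', ppp_zone with type 'ipv4'.
      2. ipsec_zone is bound through the hosts file to an interface that the
         interfaces file also defines (eth0 in the post).
      3. ppp_zone is bound to the 'ppp+' wildcard interface.
      4. Every rule touching ipsec_zone is UDP 1701 to or from $FW and nothing
         else, since only L2TP should cross the IPsec SA.
    """
    problems = []

    ztype = {r[0]: r[1] for r in parse(zones) if len(r) >= 2}
    if ztype.get(ipsec_zone) != "ipsec":
        problems.append(f"zone '{ipsec_zone}' must be declared with type ipsec")
    if ztype.get(ppp_zone) != "ipv4":
        problems.append(f"zone '{ppp_zone}' must be declared with type ipv4")

    iface = {r[0]: r[1] for r in parse(interfaces) if len(r) >= 2}
    if iface.get(ppp_zone) != "ppp+":
        problems.append(f"zone '{ppp_zone}' must be assigned to interface ppp+")

    host_rows = [r for r in parse(hosts) if len(r) >= 2 and r[0] == ipsec_zone]
    if not host_rows:
        problems.append(f"zone '{ipsec_zone}' has no entry in the hosts file")
    for r in host_rows:
        dev = r[1].split(":", 1)[0]
        if dev not in iface.values():
            problems.append(f"hosts entry for '{ipsec_zone}' uses undefined "
                            f"interface '{dev}'")

    for r in parse(rules):
        if len(r) < 5:
            continue
        _action, src, dst, proto, dport = r[:5]
        if ipsec_zone not in (src, dst):
            continue
        other = dst if src == ipsec_zone else src
        if other != "$FW" or proto.lower() != "udp" or dport != "1701":
            problems.append(f"rule '{' '.join(r)}' allows traffic other than "
                            f"UDP 1701 to/from $FW in zone '{ipsec_zone}'")
    return problems


if __name__ == "__main__":
    for p in lint_l2tp_layout(ZONES, INTERFACES, HOSTS, RULES) or ["layout OK"]:
        print(p)
```

Running the script against the constructed fragments prints `layout OK`; appending a rule such as `ACCEPT l2tp loc tcp 22` to the rules fragment makes the fourth check report it, because anything other than L2TP arriving from the ipsec zone is not what this design expects.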
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
