On 02/07/13 15:05, Tom Eastep wrote:
>
> On Jul 2, 2013, at 4:40 AM, Daniel Pocock <[email protected]> wrote:
>
>>
>> Hi,
>>
>> I had a look at this page which describes a single VPN zone called "vpn":
>>
>> http://www.shorewall.net/IPSEC-2.6.html
>>
>> Is this the most current information? It is the top page found by
>> Google for "shorewall ipsec"
>>
>> Is there any information about setting up multiple VPN zones for
>> different classes of road warrior? E.g. lets say there are two classes
>> of road warrior:
>>
>> vpn_a: mobile devices
>>
>> vpn_b: laptop devices (trusted more than the mobile devices)
>>
>> The IPsec platform (e.g. StrongSwan) gives all the road warriors a pool
>> IP. It uses different pools for users from vpn_a and vpn_b
>>
>> Looking at the ShoreWall IPsec example in the link above, it suggests
>> that all of 0.0.0.0/0 has to be mapped to a single VPN zone in the
>> /etc/shorewall/tunnels file, so it's not clear that Shorewall can cope
>> with multiple classes of road warrior. Can anybody comment on this?
>
> You can certainly use the /etc/shorewall/hosts file to create different IPSEC
> zones corresponding to different IP networks and/or address ranges.
>
Ok, I can confirm that is working for me, it just wasn't clear from
reading the IPsec document alone. When I compared a few of the IPsec and
VPN documents I was able to see how to implement it.

FYI, I'm using the DN values in certificates to help strongSwan match
the road warriors to their IP pools, as described here:

https://lists.strongswan.org/pipermail/users/2013-June/009399.html

and this appears to go well with Shorewall VPN zones

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
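
The layout discussed in this thread, as an added illustration that is not taken from either poster's configuration or from the Shorewall documentation: two IPsec zones separated by strongSwan pool subnet in /etc/shorewall/hosts, with a stricter policy for the mobile class. The interface name (eth0), the pool ranges, the internal server address and the policy choices are constructed assumptions.

```conf
# /etc/shorewall/zones
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn_a   ipsec       # road warriors: mobile devices
vpn_b   ipsec       # road warriors: laptops (trusted more)

# /etc/shorewall/tunnels
# One tunnel entry still covers every remote gateway address;
# both road-warrior zones are listed as gateway zones.
#TYPE   ZONE    GATEWAY     GATEWAY ZONES
ipsec   net     0.0.0.0/0   vpn_a,vpn_b

# /etc/shorewall/hosts
# Zone membership follows the virtual IP pool that strongSwan assigns.
# Pool ranges below are constructed examples.
#ZONE   HOSTS
vpn_a   eth0:10.10.1.0/24
vpn_b   eth0:10.10.2.0/24

# /etc/shorewall/policy
# Example policy only: laptops reach the local network, mobiles do not
# unless a rule allows it.
#SOURCE DEST    POLICY  LOG LEVEL
vpn_b   loc     ACCEPT
vpn_a   loc     REJECT  info
all     all     REJECT  info

# /etc/shorewall/rules
# Single exception for the mobile class (constructed server address).
#ACTION SOURCE  DEST            PROTO   DPORT
ACCEPT  vpn_a   loc:10.0.0.10   tcp     443
```

Because the zones are told apart only by source address inside the tunnel, the separation is as strong as the strongSwan pool assignment; running `shorewall check` validates the files before they are applied.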
