Provided by: shorewall-common_4.0.6-1_all


       tunnels - Shorewall VPN definition file




       The tunnels file is used to define rules for encapsulated (usually
       encrypted) traffic to pass between the Shorewall system and a remote
       gateway. Traffic flowing through the tunnel is handled using the normal
       zone/policy/rule mechanism. See 〈〉 for details.

       The columns in the file are as follows.

       TYPE —
              Types are as follows:

                      ipsec         - IPv4 IPSEC
                      ipsecnat      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
                      ipip          - IPv4 encapsulated in IPv4 (Protocol 4)
                      gre           - Generalized Routing Encapsulation (Protocol 47)
                      pptpclient    - PPTP Client runs on the firewall
                      pptpserver    - PPTP Server runs on the firewall
                      openvpn       - OpenVPN in point-to-point mode
                      openvpnclient - OpenVPN client runs on the firewall
                      openvpnserver - OpenVPN server runs on the firewall
                      generic       - Other tunnel type

              If the type is ipsec, it may be followed by :ah to indicate that
              the Authentication Headers protocol (51) is used by  the  tunnel
              (the default is :noah which means that protocol 51 is not used).
              NAT traversal is  only  supported  with  ESP  (protocol  50)  so
              ipsecnat tunnels don’t allow the ah option (ipsecnat:noah may be
              specified but is redundant).

              If type  is  openvpn,  openvpnclient  or  openvpnserver  it  may
              optionally  be  followed  by  ":"  and tcp or udp to specify the
              protocol to be used. If not specified, udp is assumed.

               If type is openvpn, openvpnclient or openvpnserver it may
               optionally be followed by ":" and the port number used by the
               tunnel. If no ":" and port number are included, then the default
               port of 1194 will be used. Where both the protocol and port
               are specified, the protocol must be given first (e.g.,

              If  type  is  generic, it must be followed by ":" and a protocol
              name (from /etc/protocols) or a protocol number. If the protocol
              is  tcp  or udp (6 or 17), then it may optionally be followed by
              ":" and a port number.

       ZONE - zone
              The zone of the physical interface through which tunnel  traffic
              passes. This is normally your internet zone.

       GATEWAY —
               The IP address of the remote tunnel gateway. If the remote
               gateway has no fixed address (Road Warrior) then specify the
               gateway as . May be specified as a network address and,
               if your kernel and iptables include iprange match support,
               IP address ranges are also allowed.

       GATEWAY ZONES (Optional) — [zone[,zone]...]
              If  the  gateway  system  specified  in  the  third  column is a
              standalone  host  then  this  column  should  contain  a  comma-
              separated  list of the names of the zones that the host might be
              in. This column only applies to IPSEC tunnels where  it  enables
              ISAKMP traffic to flow through the tunnel to the remote gateway.


       Example 1:
              IPSec tunnel.

               The remote gateway is  and the remote subnet is
               . The tunnel does not use the AH protocol.

                      #TYPE           ZONE    GATEWAY
                      ipsec:noah      net

       Example 2:
              Road  Warrior  (LapTop that may connect from anywhere) where the
              "gw" zone is used to represent the remote LapTop

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      ipsec           net       gw

       Example 3:
              Host is a standalone system connected via  an  ipsec
              tunnel to the firewall system. The host is in zone gw.

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      ipsec           net     gw

       Example 4:
              Road  Warriors  that may belong to zones vpn1, vpn2 or vpn3. The
              FreeS/Wan _updown script will add the host  to  the  appropriate
              zone  using the shorewall add command on connect and will remove
              the host from the zone at disconnect time.

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      ipsec           net       vpn1,vpn2,vpn3

       Example 5:
              You run the Linux PPTP client on your firewall  and  connect  to

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      pptpclient      net

       Example 6:
              You run a PPTP server on your firewall.

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      pptpserver      net

       Example 7:
              OPENVPN  tunnel.  The  remote gateway is and openvpn
              uses port 7777.

                      #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                      openvpn:7777    net

       Example 8:
              You have a tunnel that is not one of the supported  types.  Your
              tunnel  uses  UDP  port  4444.  The  other  end of the tunnel is

                      #TYPE            ZONE    GATEWAY         GATEWAY ZONES
                      generic:udp:4444 net
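       The following Python parser is an added example, not Shorewall's own
       code. It applies the column rules described above (TYPE with its
       :ah/:noah, :tcp/:udp and :port suffixes, ZONE, GATEWAY as address,
       network or range, and the comma-separated GATEWAY ZONES) to lines laid
       out like Examples 1 through 8, rejects the combinations the text
       forbids (ipsecnat:ah, a port on a non-tcp/udp generic tunnel, a port
       given before the protocol), and derives the protocol/port pairs each
       entry carries. Assumptions: a small built-in table stands in for
       /etc/protocols, the PPTP control port and GRE come from RFC 2637
       rather than from this page, and SAMPLE is constructed with RFC 5737
       documentation addresses.

```python
"""Parse and validate lines of a Shorewall tunnels file.

Added example, not Shorewall's own parser: it implements the column grammar
from the text above and derives the protocol/port pairs each tunnel type
carries. Assumptions: a built-in table stands in for /etc/protocols, and
SAMPLE is constructed with RFC 5737 documentation addresses.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

Traffic = List[Tuple[str, Optional[int]]]  # (protocol, port or None)
PROTOCOLS = {"ipip": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
OPENVPN = ("openvpn", "openvpnclient", "openvpnserver")
FIXED = {  # option-less types and the traffic they carry
    "ipsecnat": [("udp", 4500)],                  # ESP encapsulated in UDP 4500
    "ipip": [("ipip", None)],                     # protocol 4
    "gre": [("gre", None)],                       # protocol 47
    # PPTP: TCP 1723 control channel plus GRE (RFC 2637; not stated above)
    "pptpclient": [("tcp", 1723), ("gre", None)],
    "pptpserver": [("tcp", 1723), ("gre", None)],
}

class Tunnel(NamedTuple):
    kind: str
    zone: str
    gateway: str
    gateway_zones: List[str]
    traffic: Traffic

def _port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def parse_type(col: str) -> Tuple[str, Traffic]:
    """Split the TYPE column into (base type, traffic the tunnel carries)."""
    base, *opts = col.lower().split(":")
    if base == "ipsec":                         # ESP (50) always; AH (51) with :ah
        if opts not in ([], ["ah"], ["noah"]):
            raise ValueError(f"ipsec accepts only :ah or :noah, got {col!r}")
        return base, [("esp", None)] + ([("ah", None)] if opts == ["ah"] else [])
    if base == "ipsecnat":                      # NAT-T is ESP-only; :noah redundant
        if opts not in ([], ["noah"]):
            raise ValueError(f"ipsecnat allows no :ah option, got {col!r}")
        return base, list(FIXED[base])
    if base in FIXED:
        if opts:
            raise ValueError(f"{base} takes no options, got {col!r}")
        return base, list(FIXED[base])
    if base in OPENVPN:
        proto, port = "udp", 1194               # defaults from the text
        if opts and opts[0] in ("tcp", "udp"):  # protocol must come first
            proto = opts.pop(0)
        port = _port(opts.pop(0)) if opts else port
    elif base == "generic":
        if not opts:
            raise ValueError("generic must be followed by :protocol")
        proto = opts.pop(0)                     # name from the table or a number
        number = PROTOCOLS.get(proto, int(proto) if proto.isdigit() else -1)
        if number < 0:
            raise ValueError(f"unknown protocol {proto!r}")
        if opts and number not in (6, 17):
            raise ValueError("a port is only valid with tcp or udp")
        port = _port(opts.pop(0)) if opts else None
    else:
        raise ValueError(f"unknown tunnel type {base!r}")
    if opts:
        raise ValueError(f"unexpected trailing option in {col!r}")
    return base, [(proto, port)]

def check_gateway(text: str) -> None:
    """Accept an address, a network, or an a-b range (needs iprange match)."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range {text!r}")
    else:
        ipaddress.ip_network(text, strict=False)  # raises on a malformed value

def parse_line(line: str) -> Optional[Tunnel]:
    """Parse one line; returns None for blank and comment-only lines."""
    body = line.split("#", 1)[0].split()
    if not body:
        return None
    if len(body) < 3:
        raise ValueError(f"need TYPE ZONE GATEWAY: {line!r}")
    kind, traffic = parse_type(body[0])
    check_gateway(body[2])
    zones = body[3].split(",") if len(body) > 3 else []
    return Tunnel(kind, body[1], body[2], zones, traffic)

def parse_file(text: str) -> List[Tunnel]:
    return [t for t in map(parse_line, text.splitlines()) if t]

SAMPLE = """\
#TYPE             ZONE  GATEWAY          GATEWAY ZONES   (constructed sample)
ipsec:noah        net   192.0.2.1
ipsec             net   0.0.0.0/0        vpn1,vpn2,vpn3
openvpn:7777      net   192.0.2.2
generic:udp:4444  net   198.51.100.0/24
"""
```

       Running parse_file(SAMPLE) yields four Tunnel records; the traffic
       field of each is what the firewall must let through on the ZONE
       interface (ESP for the ipsec entries, UDP 7777 for the openvpn
       entry, UDP 4444 for the generic one). A malformed line raises
       ValueError with the offending column, which is the behaviour you want
       from a pre-commit check on the file rather than a silent fallthrough.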




       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)

                               23 November 2007           shorewall-tunnels(5)