IPSec tunnels can be used to bridge two networks. The IPSec gateway can be the firewall system itself or it can be a masqueraded system. It can also support mobile systems that can establish a tunnel from anywhere.
For instructions on how to configure FreeS/WAN for these scenarios, see http://jixen.tripod.com
Suppose that we have the following situation:
We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with systems in the 10.0.0.0/8 network. This is accomplished with an entry in /etc/seawall/tunnels on each firewall.
In /etc/seawall/tunnels on system A, we need the following:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipsec   134.28.54.2     ipsec0          10.0.0.0/8
In /etc/seawall/tunnels on system B, we would have:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipsec   206.161.148.0   ipsec0          192.168.1.0/24
Once you have these entries in place, restart Seattle Firewall (type seawall restart); you are now ready to configure the tunnel in FreeS/WAN.
Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.
In this instance, the mobile system (B) has IP address 134.28.54.2, but that address cannot be determined in advance. In the /etc/seawall/tunnels file on system A, the following entry should be made:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipsec   0.0.0.0/0       ipsec0
Notice that the SUBNET column has been left blank because we can't know the IP address of the remote system (B) in advance and must modify the firewall at run-time. This is done using the "updown" script that is included with Seattle Firewall (it's in the /usr/doc/seawall-<version> directory if you use the RPM). Copy that script to /etc/seawall and modify the /etc/ipsec.conf entry for the above tunnel to specify /etc/seawall/updown as the updown script for A's end of the tunnel. If system B is also running Seattle Firewall, its /etc/seawall/tunnels file should contain:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipsec   206.161.148.9   ipsec0          192.168.1.1/24
Warning: Because FreeS/WAN adds its own ipchains rules for Road Warriors, restarting the firewall while mobile users are connected will disable those users.
Seattle Firewall also allows you to place the IPSec gateway on a masqueraded system. You will need John Hardin's VPN Masquerading patch on the firewall system; be sure to read and understand the limitations of masquerading IPSec as described in the VPN Masquerade HOWTO.
Suppose that we have the same situation as shown above, except that we want to run the IPSec gateways on 192.168.1.3 in the left-hand network and on 10.0.0.3 in the right-hand network.
In /etc/seawall/tunnels on system A:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipip    134.28.54.2     192.168.3.1     10.0.0.0/8
And on /etc/seawall/tunnels on system B:
TYPE    GATEWAY         NAME/SERVER     SUBNET
ipip    206.161.148.9   10.0.0.3        192.168.1.0/24
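As an added example (not part of Seattle Firewall or this page), the following Python reads a file in the /etc/seawall/tunnels layout used above and sanity-checks each entry before a restart: the TYPE, the GATEWAY address, the NAME/SERVER column (an ipsecN interface for ipsec entries, the masqueraded gateway's IP for ipip entries) and the optional SUBNET, flagging a blank SUBNET with a 0.0.0.0/0 gateway as a road-warrior entry that needs the updown script. The sample file is constructed here, and the "#" comment handling is an assumption about the format.

```python
import ipaddress

# Constructed sample in the tunnels layout described on this page (not a real file).
SAMPLE_TUNNELS = """\
# Site-to-site tunnel on system A
ipsec 134.28.54.2   ipsec0      10.0.0.0/8
# Road warrior entry: remote gateway unknown in advance, SUBNET left blank
ipsec 0.0.0.0/0     ipsec0
# IPSec gateway on a masqueraded host, reached via IP-in-IP through the firewall
ipip  134.28.54.2   192.168.1.3 10.0.0.0/8
"""

def parse_tunnels(text):
    """Return one dict per entry: type, gateway, server, subnet (None if blank), notes."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 columns, got {len(fields)}")
        entry = {"type": fields[0], "gateway": fields[1], "server": fields[2],
                 "subnet": fields[3] if len(fields) == 4 else None}
        entry["notes"] = check_entry(entry)
        entries.append(entry)
    return entries

def check_entry(e):
    """Consistency checks derived from the entries shown on this page."""
    notes, gw = [], None
    if e["type"] not in ("ipsec", "ipip"):
        notes.append(f"unknown TYPE {e['type']!r}")
    try:
        gw = ipaddress.ip_network(e["gateway"], strict=False)
    except ValueError:
        notes.append(f"GATEWAY {e['gateway']!r} is not an address or network")
    if e["type"] == "ipsec" and not e["server"].startswith("ipsec"):
        notes.append("ipsec entries name the ipsecN interface in NAME/SERVER")
    if e["type"] == "ipip":
        try:
            ipaddress.ip_address(e["server"])
        except ValueError:
            notes.append("ipip entries need the masqueraded gateway's IP in NAME/SERVER")
    if e["subnet"] is not None:
        try:
            ipaddress.ip_network(e["subnet"], strict=False)
        except ValueError:
            notes.append(f"SUBNET {e['subnet']!r} is not a network")
    elif gw is not None and gw.prefixlen == 0:
        # Remote address is only learned at run time, so the firewall must be
        # adjusted by the updown script referenced from /etc/ipsec.conf.
        notes.append("road-warrior entry: install /etc/seawall/updown and set it in ipsec.conf")
    return notes
```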
Last updated 5/22/2000 - Tom Eastep