Man Linux: Main Page and Category List


       tunnels - Shorewall VPN definition file




       The tunnels file is used to define rules for encapsulated (usually
       encrypted) traffic to pass between the Shorewall system and a remote
       gateway. Traffic flowing through the tunnel is handled using the normal
       zone/policy/rule mechanism. See
       for details.

       The columns in the file are as follows.

       TYPE -
           Types are as follows:

                       ipsec         - IPv4 IPSEC
                       ipsecnat      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
                       ipip          - IPv4 encapsulated in IPv4 (Protocol 4)
                       gre           - Generalized Routing Encapsulation (Protocol 47)
                       l2tp          - Layer 2 Tunneling Protocol (UDP port 1701)
                       pptpclient    - PPTP Client runs on the firewall
                       pptpserver    - PPTP Server runs on the firewall
                       openvpn       - OpenVPN in point-to-point mode
                       openvpnclient - OpenVPN client runs on the firewall
                       openvpnserver - OpenVPN server runs on the firewall
                       generic       - Other tunnel type

           If the type is ipsec, it may be followed by :ah to indicate that
           the Authentication Headers protocol (51) is used by the tunnel (the
           default is :noah which means that protocol 51 is not used). NAT
           traversal is only supported with ESP (protocol 50) so ipsecnat
           tunnels don't allow the ah option (ipsecnat:noah may be specified
           but is redundant).

           If type is openvpn, openvpnclient or openvpnserver it may
           optionally be followed by ":" and tcp or udp to specify the
           protocol to be used. If not specified, udp is assumed.

           If type is openvpn, openvpnclient or openvpnserver it may
           optionally be followed by ":" and the port number used by the
           tunnel. if no ":" and port number are included, then the default
           port of 1194 will be used. . Where both the protocol and port are
           specified, the protocol must be given first (e.g.,

           If type is generic, it must be followed by ":" and a protocol name
           (from /etc/protocols) or a protocol number. If the protocol is tcp
           or udp (6 or 17), then it may optionally be followed by ":" and a
           port number.

           Comments may be attached to Netfilter rules generated from entries
           in this file through the use of COMMENT lines. These lines begin
           with the word COMMENT; the remainder of the line is treated as a
           comment which is attached to subsequent rules until another COMMENT
           line is found or until the end of the file is reached. To stop
           adding comments to rules, use a line with only the word COMMENT.

       ZONE - zone
           The zone of the physical interface through which tunnel traffic
           passes. This is normally your internet zone.

       GATEWAY - address-or-range
           The IP address of the remote tunnel gateway. If the remote gateway
           has no fixed address (Road Warrior) then specify the gateway as
  May be specified as a network address and if your kernel
           and iptables include iprange match support then IP address ranges
           are also allowed.

       GATEWAY ZONES (Optional) - [zone[,zone]...]
           If the gateway system specified in the third column is a standalone
           host then this column should contain a comma-separated list of the
           names of the zones that the host might be in. This column only
           applies to IPSEC tunnels where it enables ISAKMP traffic to flow
           through the tunnel to the remote gateway.


       Example 1:
           IPSec tunnel.

           The remote gateway is and the remote subnet is
  The tunnel does not use the AH protocol

                       #TYPE           ZONE    GATEWAY
                       ipsec:noah      net

       Example 2:
           Road Warrior (LapTop that may connect from anywhere) where the "gw"
           zone is used to represent the remote LapTop

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       ipsec           net       gw

       Example 3:
           Host is a standalone system connected via an ipsec
           tunnel to the firewall system. The host is in zone gw.

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       ipsec           net     gw

       Example 4:
           Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
           FreeS/Wan _updown script will add the host to the appropriate zone
           using the shorewall add command on connect and will remove the host
           from the zone at disconnect time.

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       ipsec           net       vpn1,vpn2,vpn3

       Example 5:
           You run the Linux PPTP client on your firewall and connect to

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       pptpclient      net

       Example 6:
           You run a PPTP server on your firewall.

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       pptpserver      net

       Example 7:
           OPENVPN tunnel. The remote gateway is and openvpn uses
           port 7777.

                       #TYPE           ZONE    GATEWAY         GATEWAY ZONES
                       openvpn:7777    net

       Example 8:
           You have a tunnel that is not one of the supported types. Your
           tunnel uses UDP port 4444. The other end of the tunnel is

                       #TYPE            ZONE    GATEWAY         GATEWAY ZONES
                       generic:udp:4444 net




       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),

[FIXME: source]                   06/17/2010