<HTML>
<HEAD>
<TITLE>Required network setup for IPSec</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="Linux FreeS/WAN VPN" HREF="fSWAn.html">
<LINK REL="PREVIOUS" TITLE="Configure RSA private keys secrets" HREF="chap25sec205.html">
<LINK REL="NEXT" TITLE="Testing the installation" HREF="chap25sec207.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap25sec205.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 25. Linux FreeS/WAN VPN</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap25sec207.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN15198">25.9. Required network setup for IPSec</A></H1
><P>There are a few settings you must make sure are correct before running the FreeS/WAN software; if they are wrong you will receive error messages during start up of your <SPAN CLASS="acronym">VPN</SPAN>. The following are required:
</P
><P>You will need to enable <SPAN CLASS="acronym">TCP</SPAN>/<SPAN CLASS="acronym">IP</SPAN> forwarding on both gateway servers. In Red Hat Linux, this is accomplished by changing or adding the following line, depending on the Red Hat version you use:
<DIV CLASS="mediaobject"><P><IMG SRC="images/Version6.1.gif" ALT="Version 6.1 only"></IMG></P></DIV>
Edit the <TT CLASS="filename">network</TT> file, <B CLASS="command">vi</B> <TT CLASS="filename">/etc/sysconfig/network</TT>, and change the following line:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">FORWARD_IPV4="false"
</PRE></TD></TR></TABLE>
To read:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">FORWARD_IPV4="yes"
</PRE></TD></TR></TABLE>
</P>
<P>You must restart your network for the change to take effect:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# /etc/rc.d/init.d/network restart
</PRE></TD></TR></TABLE>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="literallayout"><TT CLASS="computeroutput">Bringing up interface lo                [ OK ]
Bringing up interface eth0              [ OK ]
Bringing up interface eth1              [ OK ]
</TT></PRE></TD></TR></TABLE>
</P>
<DIV CLASS="mediaobject"><P><IMG SRC="images/Version6.2.gif" ALT="Version 6.2 only"></IMG></P></DIV>
<P>To enable IPv4 forwarding on your RH 6.2 system, edit the <TT CLASS="filename">/etc/sysctl.conf</TT> file and add the following line:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting"># Enable packet forwarding
net.ipv4.ip_forward = 1
</PRE></TD></TR></TABLE>
</P>
<P>You must restart your network for the change to take effect. The command to restart the network is the following:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# /etc/rc.d/init.d/network <B CLASS="command">restart</B>
</PRE></TD></TR></TABLE>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="literallayout"><TT CLASS="computeroutput">Setting network parameters              [ OK ]
Bringing up interface lo                [ OK ]
Bringing up interface eth0              [ OK ]
Bringing up interface eth1              [ OK ]
</TT></PRE></TD></TR></TABLE>
</P
><P>Recall that automatically keyed connections use keys generated automatically by the Pluto key negotiation daemon. The Pluto daemon starts up, tries to connect to the Pluto daemon at the other end of the tunnel, and establishes a connection. For this reason, an IPSEC gateway should have packet filter rules <EM>in the firewall script file</EM> permitting the following protocols to traverse the gateway when talking to other IPSEC gateways:
<P></P>
<OL TYPE="i">
<LI><P>UDP port 500 for IKE, implemented by the Pluto daemon</P></LI>
<LI><P>Protocol 50 for ESP encryption and/or authentication</P></LI>
<LI><P>Protocol 51 for AH packet-level authentication</P></LI>
</OL>
</P
><DIV CLASS="procedure"><OL TYPE="1">
<LI><P>Edit the <TT CLASS="filename">firewall</TT> script file, <B CLASS="command">vi</B> <TT CLASS="filename">/etc/rc.d/init.d/firewall</TT>, on both gateway machines, and add/check the following lines to allow IPSEC packets to pass between the remote network gateway and your network gateway in both directions:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting"># FreeS/WAN IPSec <SPAN CLASS="acronym">VPN</SPAN>
# -------------------

# If you are using the FreeSWAN IPSec <SPAN CLASS="acronym">VPN</SPAN>, you will need to fill in the
# addresses of the gateways in the IPSECSG and the virtual interfaces for
# FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of
# this firewall script rules file to set the parameters.

# IPSECSG is a space separated list of remote gateways. FREESWANVI is a
# space separated list of virtual interfaces for the FreeS/Wan IPSEC
# implementation. Only include those that are actually used.

# Allow IPSEC protocol from remote gateways on external interface
# IPSEC uses three main types of packet:
# IKE uses the UDP protocol and port 500,
# ESP uses the protocol number 50, and
# AH uses the protocol number 51
# Note: with no port given, the two UDP rules below accept any UDP
# exchanged with $IPSECSG, not only port 500.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $IPSECSG -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -d $IPSECSG -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \
         -s $IPSECSG -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
         -d $IPSECSG -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \
         -s $IPSECSG -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
         -d $IPSECSG -j ACCEPT

# Allow all traffic to FreeS/WAN Virtual Interface
ipchains -A input -i $FREESWANVI \
         -s $ANYWHERE \
         -d $ANYWHERE -j ACCEPT

ipchains -A output -i $FREESWANVI \
         -s $ANYWHERE \
         -d $ANYWHERE -j ACCEPT

# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
ipchains -A forward -i $FREESWANVI \
         -s $ANYWHERE \
         -d $ANYWHERE -j ACCEPT
</PRE></TD></TR></TABLE>
where
<P></P>
<DIV CLASS="variablelist"><DL>
<DT>EXTERNAL_INTERFACE="eth0"</DT>
<DD><P>Your external interface to the Internet.</P></DD>
<DT>ANYWHERE="any/0"</DT>
<DD><P>Means everywhere, 0.0.0.0/0.</P></DD>
<DT>IPSECSG=<TT CLASS="literal">208.164.186.2</TT></DT>
<DD><P>Space separated list of remote <SPAN CLASS="acronym">VPN</SPAN> gateways.</P></DD>
<DT>FREESWANVI=<TT CLASS="literal">ipsec0</TT></DT>
<DD><P>Space separated list of virtual interfaces for FreeS/Wan.</P></DD>
</DL></DIV>
<DIV CLASS="important"><BLOCKQUOTE CLASS="important"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Important.gif" ALT="Important"></IMG></SPAN>: </B>
See <A HREF="soft-netfirew.html">Networking Firewall</A> for more information. Don't forget to add/check these firewall rules on the other gateway as well.</P></BLOCKQUOTE></DIV>
</P></LI
><LI><P>The <TT CLASS="literal">rp_filter</TT> subsystem, which provides <SPAN CLASS="acronym">IP</SPAN> spoofing protection, must be turned off on both gateways for IPSEC to work properly. This is accomplished by checking that the value 0 (off) is set in the <TT CLASS="filename">/proc/sys/net/ipv4/conf/ipsec0/rp_filter</TT> and <TT CLASS="filename">/proc/sys/net/ipv4/conf/eth0/rp_filter</TT> files respectively:</P>
<OL CLASS="SUBSTEPS" TYPE="a">
<LI><P>To check if the value 0 (off) is set in the <TT CLASS="filename">rp_filter</TT> files, use the commands:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">cat</B> /proc/sys/net/ipv4/conf/ipsec0/rp_filter
</PRE></TD></TR></TABLE>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="literallayout"><TT CLASS="computeroutput">0
</TT></PRE></TD></TR></TABLE>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">cat</B> /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE></TD></TR></TABLE>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="literallayout"><TT CLASS="computeroutput">0
</TT></PRE></TD></TR></TABLE>
<DIV CLASS="important"><BLOCKQUOTE CLASS="important"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Important.gif" ALT="Important"></IMG></SPAN>: </B>
The subdirectory <TT CLASS="filename">ipsec0</TT> in our example is created only after the reboot of your system, so you can check the value of the <TT CLASS="filename">rp_filter</TT> file in the <TT CLASS="filename">ipsec0</TT> directory only after your system has been restarted.</P></BLOCKQUOTE></DIV>
</P></LI>
<LI><P>To set the value 0 (off) in both <TT CLASS="filename">rp_filter</TT> files manually, use the commands:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">echo</B> 0 &gt; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
[root@deep] /# <B CLASS="command">echo</B> 0 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE></TD></TR></TABLE>
<DIV CLASS="tip"><BLOCKQUOTE CLASS="tip"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Tip.gif" ALT="Tip"></IMG></SPAN>: </B>
You can also put lines like the following in your firewall script file <TT CLASS="filename">/etc/rc.d/init.d/firewall</TT> on both gateways, so that these values are set to 0 (off) automatically instead of by hand:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting"># Disable <SPAN CLASS="acronym">IP</SPAN> spoofing protection to allow IPSEC to work properly
<B CLASS="command">echo</B> 0 &gt; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
<B CLASS="command">echo</B> 0 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter
</PRE></TD></TR></TABLE>
</P></BLOCKQUOTE></DIV>
</P></LI>
</OL>
</LI
><LI><P><DIV CLASS="note"><BLOCKQUOTE CLASS="note"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Note.gif" ALT="Note"></IMG></SPAN>: </B>
In the example of the firewall script file above, we assume that <TT CLASS="literal">eth0</TT> is the interface you use for your connection. Of course, if you use <TT CLASS="literal">eth1</TT> you must change <TT CLASS="literal">eth0</TT> to <TT CLASS="literal">eth1</TT>, and so on.</P></BLOCKQUOTE></DIV>
If you forget to turn <TT CLASS="literal">rp_filter</TT> off, you will receive error messages on your terminal such as the following during the start up of FreeSWAN IPSEC:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="literallayout"><TT CLASS="computeroutput">ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
</TT></PRE></TD></TR></TABLE>
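As an added pre-flight check (example code, not from the book or FreeS/WAN), the script below reads the two kernel settings this section depends on, the IPv4 forwarding flag required at the start of the section and the rp_filter values of steps 2 and 3, and reports them in the style of the ipsec_setup warnings above. SYSROOT is an assumed variable that prefixes /proc so the check can be exercised against a constructed tree; the interface names eth0 and ipsec0 are those used on this page.

```sh
#!/bin/sh
# Added pre-flight check (not part of FreeS/WAN or the book's scripts):
# verify ip_forward = 1 and rp_filter = 0 on each interface, reporting in
# the style of the ipsec_setup warnings quoted above.
# SYSROOT (assumed, for testing) prefixes /proc so the check can run on
# a constructed tree; set it to "" to inspect the live system.
SYSROOT="${SYSROOT:-}"

# Print the value of a /proc/sys/net/ipv4 entry, or "missing" if absent
# (ipsec0 only gets an entry once KLIPS has created the interface).
proc_value() {
    f="$SYSROOT/proc/sys/net/ipv4/$1"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# Check forwarding plus rp_filter for every interface named as argument.
# Prints one line per problem; the return value is the number of problems.
ipsec_preflight() {
    problems=0
    fwd=$(proc_value ip_forward)
    if [ "$fwd" != 1 ]; then
        echo "WARNING: ip_forward = '$fwd', should be 1 (gateway will not forward)"
        problems=$((problems + 1))
    fi
    for ifc in "$@"; do
        rp=$(proc_value "conf/$ifc/rp_filter")
        if [ "$rp" = missing ]; then
            echo "NOTE: no rp_filter entry for $ifc yet (interface not created?)"
        elif [ "$rp" != 0 ]; then
            echo "WARNING: $ifc has route filtering turned on, KLIPS may not work"
            echo "         (conf/$ifc/rp_filter = '$rp', should be 0)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed demonstration tree: forwarding on, eth0 still filtering,
# ipsec0 not yet present (the state before the first reboot).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/proc/sys/net/ipv4/conf/eth0"
echo 1 > "$DEMO/proc/sys/net/ipv4/ip_forward"
echo 1 > "$DEMO/proc/sys/net/ipv4/conf/eth0/rp_filter"
SYSROOT="$DEMO"
ipsec_preflight eth0 ipsec0 || echo "problems found: $?"
```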
</P></LI
><LI><P>It's important to note that any masquerading rules for internal networks that use IPSEC must come after the rules allowing IPSEC related traffic (steps 2 and 3 above), or the machine will try to masquerade the packets instead of passing them over to IPSEC.

Edit the <TT CLASS="filename">firewall</TT> script file, <B CLASS="command">vi</B> <TT CLASS="filename">/etc/rc.d/init.d/firewall</TT>, on both gateway machines and add/check the following lines to allow masqueraded packets to pass between the remote network gateway and your network gateway in both directions:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting"># Masquerade internal traffic.

# All internal traffic is masqueraded externally.

ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
</PRE></TD></TR></TABLE>
Where
<P></P>
<DIV CLASS="variablelist"><DL>
<DT>EXTERNAL_INTERFACE="eth0"</DT>
<DD><P>Your external interface to the Internet.</P></DD>
<DT>LOCALNET_1="192.168.1.0/24"</DT>
<DD><P>Whatever private range you use.</P></DD>
</DL></DIV>
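Because ipchains evaluates the rules of a chain in order, the ordering requirement of this step can be checked mechanically before the script is loaded. The lint below is an added example, not part of the book's firewall script: it reports when the first -j MASQ rule in a script precedes the last rule that accepts IPSEC traffic. It assumes the IPSECSG and FREESWANVI variable names used above and runs here on two constructed sample scripts, one correct and one with the masquerade rule moved to the top.

```sh
#!/bin/sh
# Added lint for the rule-ordering requirement of this step (not part of
# the book's firewall script): every masquerading rule (-j MASQ) must come
# after the rules that accept IPSEC traffic, i.e. IKE/ESP/AH exchanged
# with $IPSECSG and anything on the $FREESWANVI virtual interface.
# Assumes the IPSECSG and FREESWANVI variable names used on this page.

# Print "N:line" for every non-comment line of $1 carrying an IPSEC rule.
ipsec_rule_lines() {
    grep -n -v '^[[:space:]]*#' "$1" \
      | grep -E -e '-p (50|51)([[:space:]]|$)' -e '\$IPSECSG' -e '\$FREESWANVI'
}

# Return 0 if the first -j MASQ rule in $1 follows the last IPSEC rule
# (or there is no MASQ rule at all); otherwise report the offending line
# numbers and return 1.
check_ipsec_before_masq() {
    masq=$(grep -n -- '-j MASQ' "$1" | head -n 1 | cut -d: -f1)
    [ -z "$masq" ] && return 0
    last_ipsec=$(ipsec_rule_lines "$1" | tail -n 1 | cut -d: -f1)
    if [ -z "$last_ipsec" ]; then
        echo "$1: MASQ rule at line $masq but no IPSEC accept rules found"
        return 1
    fi
    if [ "$masq" -lt "$last_ipsec" ]; then
        echo "$1: MASQ rule at line $masq precedes IPSEC rule at line $last_ipsec"
        return 1
    fi
    return 0
}

# Constructed samples: a trimmed copy of the page's rules in the correct
# order, and the same rules with the MASQ rule moved to the top.
WORK=$(mktemp -d)
cat > "$WORK/good.sh" <<'EOF'
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $IPSECSG -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 50 -s $IPSECSG -j ACCEPT
ipchains -A forward -i $FREESWANVI -s $ANYWHERE -d $ANYWHERE -j ACCEPT
# Masquerade internal traffic (placed after the IPSEC rules: correct)
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
EOF
{ tail -n 1 "$WORK/good.sh"; head -n 5 "$WORK/good.sh"; } > "$WORK/bad.sh"

check_ipsec_before_masq "$WORK/good.sh" && echo "good.sh: ordering OK"
check_ipsec_before_masq "$WORK/bad.sh" || echo "bad.sh: fix the ordering"
```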
</P></LI>
</OL></DIV
><DIV CLASS="note"><BLOCKQUOTE CLASS="note"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Note.gif" ALT="Note"></IMG></SPAN>: </B>
See <A HREF="Masq-forward.html">Networking Firewall with Masquerading and Forwarding</A> support for more information.</P></BLOCKQUOTE></DIV>
<P>Now you can reboot your system, and the machines behind Gateway A should be able to talk to the machines behind Gateway B with no problems.</P>
</DIV
></BODY>
</HTML>