
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick IPsec Tunnel with Manual Keys (Deprecated): Difference between revisions

'''This is now a legacy way to do IPsec, see [[FireBrick to FireBrick IPsec (Howto)]] instead!'''
[[File:2700-small.png|link=:Category:FireBrick]]
 
----
=FireBrick IPsec Information=
 
Information from May 2013:
 
The IPsec feature provides ESP with ESP-auth and a choice of algorithms to create tunnels with a static config for keys. Blowfish is the fastest, if you have a choice. Triple DES is slowest, as you may expect.
 
At present the code can be used to create point to point fixed IP tunnels between FireBricks, or FireBrick and linux boxes. Other routers/VPN boxes may be able to handle fixed configs like this too.
 
Next we will be doing IKE (key exchange), which is more commonly used to establish session keys. We also plan to link in IPsec and L2TP, which is commonly used for PCs and mobiles to connect to a VPN endpoint. More on this as we release it.
 
...this is all in-house code at every level with our own crypto libraries following the RFCs. We control every line of code in the FireBricks and the IPsec code is no exception.
 
This is an alpha release, and may well have bugs and issues that we need to work on, so we welcome feedback as usual. Please ensure crash logs are emailed as normal so we can pick up any fatal exceptions.
 
There is lots of information in the FireBrick Manuals:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.2535.101001/FB2700/V1.2535.101001-2701-FB2700-DexterNestor-html/ipsectunnels.html IPsec Chapter]
 
=FireBrick to FireBrick=
 
Here we will create a tunnel between 2 FireBricks, Paul and Andrew. We will then set routing to route each other's LAN blocks through the tunnel. As the 2 endpoints have IPv6, we'll establish the tunnel over IPv6.
 
==Side A Config==
<syntaxhighlight lang="xml">
<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>
</syntaxhighlight>
 
[[File:FireBrick-IPSec-SideA.png|border|300px|Screenshot]]
 
 
 
{| class="wikitable"
!colspan="2"|IPsec settings overview
|-
!name
|-
!routes
|IP blocks to route through the tunnel - i.e. LAN IPs of the other end
|}
 
==Side B Config==
<syntaxhighlight lang="xml">
<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>
</syntaxhighlight>
 
[[File:FireBrick-IPSec-SideB.png|border|300px]]
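As an added consistency check (this script is not part of the page's original content and not FireBrick code), the following Python parses two manually-keyed ipsec elements like the Side A and Side B ones above and reports the mismatches that would stop the tunnel passing traffic: local/remote IPs and SPIs that are not mirrored, differing algorithms or keys, keys whose length does not fit the algorithm, and SPIs in the range RFC 4303 reserves. The accepted key sizes in KEY_BITS are an assumption taken from the standard definitions of AES-CBC and AES-XCBC, not from FireBrick documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Side A and Side B tunnel elements from this page,
# trimmed to the attributes the check looks at.
SIDE_A = ('<ipsec name="Andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" '
          'local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" '
          'auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" '
          'crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>')
SIDE_B = ('<ipsec name="Paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" '
          'local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" '
          'auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" '
          'crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>')

# Accepted key sizes in bits (assumption: the standard sizes for these two algorithms).
KEY_BITS = {"AES-XCBC": {128}, "AES-CBC": {128, 192, 256}}
MIRRORED = [("local-ip", "remote-ip"), ("local-spi", "remote-spi")]  # swapped between sides
SHARED = ["auth-algorithm", "auth-key", "crypt-algorithm", "crypt-key"]  # identical on both sides

def key_problems(tag, attrs, alg_attr, key_attr):
    """Check that a hex key is well formed and fits the algorithm's accepted key size."""
    alg, key = attrs.get(alg_attr), attrs.get(key_attr, "")
    bits = len(key) * 4
    try:
        bytes.fromhex(key)
    except ValueError:
        return [f"{tag}: {key_attr} is not valid hex"]
    if alg in KEY_BITS and bits not in KEY_BITS[alg]:
        return [f"{tag}: {key_attr} is {bits} bits, {alg} wants {sorted(KEY_BITS[alg])}"]
    return []

def pair_problems(a_xml, b_xml):
    """Return a list of mismatches between two manually-keyed ipsec elements."""
    a, b = ET.fromstring(a_xml).attrib, ET.fromstring(b_xml).attrib
    problems = []
    for mine, theirs in MIRRORED:
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            problems.append(f"{mine}/{theirs} are not mirrored between the two sides")
    for attr in SHARED:
        if a.get(attr) != b.get(attr):
            problems.append(f"{attr} differs between the two sides")
    for tag, attrs in (("A", a), ("B", b)):
        spi = int(attrs.get("local-spi", "0"))
        if spi < 256:  # RFC 4303: SPI values 1-255 are reserved, 0 is for local use only
            problems.append(f"{tag}: local-spi {spi} is in the reserved range 0-255")
        problems += key_problems(tag, attrs, "auth-algorithm", "auth-key")
        problems += key_problems(tag, attrs, "crypt-algorithm", "crypt-key")
    return problems

if __name__ == "__main__":
    print(pair_problems(SIDE_A, SIDE_B) or "no problems found")
```

Because the keys are static, nothing here rotates them: a manually-keyed tunnel keeps the same auth and crypt keys until both sides are reconfigured, which is one reason the page points to the IKE-based howto instead.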
 
==Firewall==
IPsec will need to be allowed in (and out) of the FireBricks - allow protocol 50 (ESP) to the FireBrick from the remote IP.
 
==Testing==
These 2 FireBricks both happen to be on AAISP FTTC lines, and a normal traceroute would go via the AAISP router, but when the IPsec tunnel is enabled the traceroute goes direct.
 
Traceroute Before:
<syntaxhighlight lang="text">
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
 1  brick.h.hearn.org.uk (90.155.90.129)  0.344 ms  0.321 ms  0.310 ms
 2  a.gormless.thn.aa.net.uk (90.155.53.51)  11.703 ms  11.712 ms  11.834 ms
 3  brick.shibboleet.ltd.uk (91.241.56.1)  24.862 ms  24.871 ms  25.251 ms
</syntaxhighlight>
 
Traceroute After (tunnel enabled):
<syntaxhighlight lang="text">
 1  brick.h.hearn.org.uk (90.155.90.129)  0.358 ms  0.342 ms  0.329 ms
 2  brick.shibboleet.ltd.uk (91.241.56.1)  26.178 ms  26.861 ms  27.123 ms
</syntaxhighlight>
 
 
=Linux (CentOS Openswan) Example Using IKEv2=
 
<syntaxhighlight lang="bash">
yum install openswan
</syntaxhighlight>
(strongswan is much nicer, but not in yum on centos5. On centos6, use strongswan)
 
In /etc/ipsec.conf uncomment
<syntaxhighlight lang="text">
include /etc/ipsec.d/*.conf
</syntaxhighlight>
 
Put the following two files in /etc/ipsec.d/ :
 
mhbrick.conf:
<syntaxhighlight lang="text">
conn myFireBrick
    authby=secret
    auto=start
    ikev2=insist
    left=CentOS.IP.Address
    leftid=CentOS.IP.Address
    leftsubnet=CentOS.IP.Address/32
    right=FireBrick.IP.Address
    rightid=FireBrick.IP.Address
    rightsubnet=FireBrick.LAN.SUBNET/24
</syntaxhighlight>
 
myFireBrick.secrets:
<syntaxhighlight lang="text">
CentOS.IP.Address FireBrick.IP.Address : PSK "yourpasswordhere"
</syntaxhighlight>
 
Then enable and start the service:
<syntaxhighlight lang="bash">
chkconfig ipsec on
service ipsec start
</syntaxhighlight>
 
Put the following in the FB at the other end:
<syntaxhighlight lang="xml">
<connection name="IPSec" peer-ips="CentOS.IP.Address" auth-method="Secret" secret="yoursecrethere" internal-ipv4="FireBrick.LAN.IP.Address" routes="CentOS.IP.Address" log="default"/>
</syntaxhighlight>
 
=FireBrick to Linux=
There is information in the FireBrick Manual:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.2535.101001/FB2700/V1.2535.101001-2701-FB2700-DexterNestor-html/ch20s03tunnels.html#d0e5432 Tunnelling to a non-FireBrick device using Manually-Keyed IPsec]
 
The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.
 
 
[[Category:FireBrick Tunnels|IPSec]]