editor
699
edits
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
mNo edit summary |
(→Side B Config: syntaxhighlight) |
||
(15 intermediate revisions by 2 users not shown) | |||
'''This is now a legacy way to do IPsec, see [[FireBrick to FireBrick IPsec (Howto)]] instead!'''
----
----
----
=FireBrick IPsec Information=
There is lots of information on in the FireBrick Manuals:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.
=FireBrick to FireBrick=
Here we will create a tunnel between 2 firebricks, Paul and Andrew. We will then set routing to route each
==Side A Config==
<syntaxhighlight lang="xml">
<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>
</syntaxhighlight>
[[File:FireBrick-IPSec-SideA.png|border|300px|Screenshot]]
{| class="wikitable"
|-
!routes
|IP blocks to route through the tunnel -
|}
==Side B Config==
<syntaxhighlight lang="xml">
<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>
</syntaxhighlight>
[[File:FireBrick-IPSec-SideB.png|border|300px]]
==Firewall==
IPsec will need to be allowed in (and out) of the FireBricks - allow protocol 50 (ESP) to the FireBrick from the remote IP.
==Testing==
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
1 brick.h.hearn.org.uk (90.155.90.129) 0.344 ms 0.321 ms 0.310 ms
2 a.gormless.
3 brick.shibboleet.ltd.uk (91.241.56.1) 24.862 ms 24.871 ms 25.251 ms
1 brick.h.hearn.org.uk (90.155.90.129) 0.358 ms 0.342 ms 0.329 ms
2 brick.shibboleet.ltd.uk (91.241.56.1) 26.178 ms 26.861 ms 27.123 ms
=Linux (CentOS Openswan) Example Using IKE2=
yum install openswan
(strongswan is much nicer, but not in yum on centos5. On centos6, use strongswan)
In /etc/ipsec.conf uncomment
include /etc/ipsec.d/*.conf
Put following two files in /etc/ipsec.d/ :
mhbrick.conf:
conn myFireBrick
authby=secret
auto=start
ikev2=insist
left=CentOS.IP.Address
leftid=CentOS.IP.Address
leftsubnet=CentOS.IP.Address/32
right=FireBrick.IP.Address
rightid=FireBrick.IP.Address
rightsubnet=FireBrick.LAN.SUBNET/24
in: myFireBrick.secrets:
CentOS.IP.Address FireBrick.IP.Address : PSK "yourpasswordhere"
chkconfig ipsec on
service ipsec start
Put the following in the FB at the other end:
<connection name="IPSec" peer-ips=CentOS.IP.Address" auth-method="Secret" secret="yoursecrethere" internal-ipv4="FireBrick.LAN.IP.Address" routes="CentOS.IP.Address" log="default"/>
=FireBrick to Linux=
There is information in the FireBrick Manual:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.
The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.
[[Category:FireBrick Tunnels|IPSec]]
|