
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick IPsec Tunnel with Manual Keys (Deprecated)

'''This is now a legacy way to do IPsec, see [[FireBrick to FireBrick IPsec (Howto)]] instead!'''
[[File:2700-small.png|link=:Category:FireBrick]]
 
----
 
=FireBrick IPsec Information=
 
There is lots of information in the FireBrick Manual:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.2535.101001/FB2700/V1.2535.101001-2701-FB2700-DexterNestor-html/ipsectunnels.html IPsec Chapter]
 
=FireBrick to FireBrick=
 
Here we will create a tunnel between 2 FireBricks, Paul and Andrew. We will then set up routing to route each other's LAN blocks through the tunnel. As the 2 endpoints have IPv6, we'll establish the tunnel over IPv6.
 
==Side A Config==
<syntaxhighlight lang="xml">
<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>
</syntaxhighlight>
 
[[File:FireBrick-IPSec-SideA.png|border|300px|Screenshot]]
 
 
 
{| class="wikitable"
|-
!routes
|IP blocks to route through the tunnel, i.e. the LAN IPs of the other end
|}
 
==Side B Config==
<syntaxhighlight lang="xml">
<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>
</syntaxhighlight>
 
[[File:FireBrick-IPSec-SideB.png|border|300px]]
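With manual keying there is no IKE negotiation to tell you that the two ends disagree: a swapped SPI, a mistyped key or a key of the wrong length simply means no traffic flows. The script below is an added example (not FireBrick's code or part of the original page) that parses the two <code>&lt;ipsec&gt;</code> elements above as constructed sample input and cross-checks them: local/remote IPs and SPIs must mirror, algorithms and keys must match, keys must be hex of the length the named algorithm takes (128 bits for AES-XCBC; 128, 192 or 256 for AES-CBC), SPIs must be outside the range RFC 4303 reserves, and the two route lists must not overlap. It also warns where a side's remote endpoint address lies inside a block routed through the tunnel; that fires on the page's own example (both sides route a block that contains the far endpoint), so treat it as something to confirm on your FireBrick rather than a definite fault. The key-length table and the check names are the example's own assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the two <ipsec> elements shown on this page.
# The keys are the page's throwaway example values, not real ones.
SIDE_A = ('<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" '
          'local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" '
          'local-spi="4242" remote-spi="999" '
          'auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" '
          'crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" '
          'routes="90.155.90.128/27 2001:8b0:1635::/64"/>')
SIDE_B = ('<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" '
          'local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" '
          'local-spi="999" remote-spi="4242" '
          'auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" '
          'crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" '
          'routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>')

# Assumed key sizes, in hex digits, for the algorithms this page uses
# (AES-XCBC takes a 128-bit key; AES-CBC takes 128, 192 or 256 bits).
KEY_HEX_LENGTHS = {"AES-XCBC": {32}, "AES-CBC": {32, 48, 64}}

REQUIRED = ("local-ip", "remote-ip", "local-spi", "remote-spi",
            "auth-algorithm", "auth-key", "crypt-algorithm", "crypt-key", "routes")


def parse_ipsec(xml_text):
    """Return the attribute dict of a single <ipsec .../> element."""
    el = ET.fromstring(xml_text)
    if el.tag != "ipsec":
        raise ValueError(f"expected <ipsec>, got <{el.tag}>")
    missing = [k for k in REQUIRED if k not in el.attrib]
    if missing:
        raise ValueError(f"<ipsec> missing attributes: {missing}")
    return dict(el.attrib)


def check_side(label, cfg):
    """Checks that apply to one end on its own. Returns (errors, warnings)."""
    errors, warnings = [], []
    for alg_attr, key_attr in (("auth-algorithm", "auth-key"),
                               ("crypt-algorithm", "crypt-key")):
        alg, key = cfg[alg_attr], cfg[key_attr]
        try:
            bytes.fromhex(key)
        except ValueError:
            errors.append(f"{label}: {key_attr} is not valid hex")
            continue
        allowed = KEY_HEX_LENGTHS.get(alg)
        if allowed is None:
            warnings.append(f"{label}: no key-length rule known for {alg}")
        elif len(key) not in allowed:
            errors.append(f"{label}: {key_attr} has {len(key)} hex digits, "
                          f"{alg} needs one of {sorted(allowed)}")
    if cfg["auth-key"] == cfg["crypt-key"]:
        warnings.append(f"{label}: auth-key and crypt-key are identical")
    for spi_attr in ("local-spi", "remote-spi"):
        if int(cfg[spi_attr]) < 256:  # RFC 4303 reserves SPI values 0..255
            errors.append(f"{label}: {spi_attr} {cfg[spi_attr]} is in the reserved range")
    # The tunnel endpoint itself must reach the peer outside the tunnel.
    remote = ipaddress.ip_address(cfg["remote-ip"])
    for r in cfg["routes"].split():
        net = ipaddress.ip_network(r, strict=False)
        if net.version == remote.version and remote in net:
            warnings.append(f"{label}: remote-ip {remote} lies inside routed block {r}; "
                            "confirm the endpoint is not itself routed into the tunnel")
    return errors, warnings


def check_pair(a, b):
    """Cross-checks: what one side calls 'local' the other must call 'remote'."""
    errors, warnings = [], []
    for mine, theirs in (("local-ip", "remote-ip"), ("local-spi", "remote-spi")):
        if a[mine] != b[theirs] or b[mine] != a[theirs]:
            errors.append(f"{mine}/{theirs} do not mirror between the two sides")
    for k in ("auth-algorithm", "crypt-algorithm", "auth-key", "crypt-key"):
        if a[k] != b[k]:
            errors.append(f"{k} differs between the two sides")
    # A's routes are B's LAN and vice versa, so the two lists must not overlap.
    nets_a = [ipaddress.ip_network(r, strict=False) for r in a["routes"].split()]
    nets_b = [ipaddress.ip_network(r, strict=False) for r in b["routes"].split()]
    for na in nets_a:
        for nb in nets_b:
            if na.version == nb.version and na.overlaps(nb):
                errors.append(f"routes overlap: {na} (A) and {nb} (B)")
    for label, cfg in (("A", a), ("B", b)):
        e, w = check_side(label, cfg)
        errors += e
        warnings += w
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(parse_ipsec(SIDE_A), parse_ipsec(SIDE_B))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run it against your own two configs (pasted into <code>SIDE_A</code> and <code>SIDE_B</code>) before looking for the fault on the wire; on the page's example it reports no errors and only the two endpoint-inside-route warnings.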
 
==Firewall==
IPsec will need to be allowed in (and out) of the FireBricks - allow protocol 50 (ESP) to the FireBrick from the remote IP.
 
 
==Testing==
A traceroute from a host behind one FireBrick (brick.h.hearn.org.uk) to the other (brick.shibboleet.ltd.uk, 91.241.56.1). The first trace goes via the ISP; the second, with the tunnel up, reaches the far FireBrick as the next hop:
<pre>
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
1 brick.h.hearn.org.uk (90.155.90.129) 0.344 ms 0.321 ms 0.310 ms
2 a.gormless.thn.aa.net.uk (90.155.53.51) 11.703 ms 11.712 ms 11.834 ms
3 brick.shibboleet.ltd.uk (91.241.56.1) 24.862 ms 24.871 ms 25.251 ms
</pre>
<pre>
1 brick.h.hearn.org.uk (90.155.90.129) 0.358 ms 0.342 ms 0.329 ms
2 brick.shibboleet.ltd.uk (91.241.56.1) 26.178 ms 26.861 ms 27.123 ms
</pre>
 
 
=Linux (CentOS Openswan) Example Using IKE2=
 
<pre>
yum install openswan
</pre>
(strongswan is much nicer, but not in yum on centos5. On centos6, use strongswan)

In /etc/ipsec.conf uncomment:
<pre>
include /etc/ipsec.d/*.conf
</pre>

Put the following two files in /etc/ipsec.d/ :

mhbrick.conf:
<pre>
conn myFireBrick
    authby=secret
    auto=start
    ikev2=insist
    left=CentOS.IP.Address
    leftid=CentOS.IP.Address
    leftsubnet=CentOS.IP.Address/32
    right=FireBrick.IP.Address
    rightid=FireBrick.IP.Address
    rightsubnet=FireBrick.LAN.SUBNET/24
</pre>

myFireBrick.secrets:
<pre>
CentOS.IP.Address FireBrick.IP.Address : PSK "yourpasswordhere"
</pre>

Then enable and start the service:
<pre>
chkconfig ipsec on
service ipsec start
</pre>

Put the following in the FB at the other end:
<syntaxhighlight lang="xml">
<connection name="IPSec" peer-ips="CentOS.IP.Address" auth-method="Secret" secret="yoursecrethere" internal-ipv4="FireBrick.LAN.IP.Address" routes="CentOS.IP.Address" log="default"/>
</syntaxhighlight>
 
=FireBrick to Linux=
There is information in the FireBrick Manual:
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.2535.101001/FB2700/V1.2535.101001-2701-FB2700-DexterNestor-html/ch20s03tunnels.html#d0e5432 Tunnelling to a non-FireBrick device using Manually-Keyed IPsec]
 
The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.
 
 
[[Category:FireBrick Tunnels|IPSec]]