IPsec Firewall: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 15: | Line 15: | ||
<syntaxhighlight> |
<syntaxhighlight> |
||
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow IPsec connections from PPP to the Brick"> |
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow IPsec connections from PPP to the Brick"> |
||
<rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange |
<rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
||
<rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol |
<rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/> |
||
</rule-set> |
</rule-set> |
||
</syntaxhighlight> |
</syntaxhighlight> |
Revision as of 19:57, 30 July 2015
If there is no NAT involved, you need:
- UDP port 500 for the IKE control channel
- IP protocol ESP (50) for the data channel.
If NAT has been detected, or you force IKE to believe NAT is present (see below) you need:
- UDP port 4500 only (no need for protocol ESP).
- You may need UDP port 500 too, to allow the initial contact to be made - though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
- UDP 4500 for IKE
The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.
Here is an example rule set for allowing IPsec in to a FireBrick:
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow IPsec connections from PPP to the Brick">
<rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/>
<rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/>
</rule-set>