FireBrick IPsec Tunnel with Manual Keys (Deprecated): Difference between revisions

From AAISP Support Site
Latest revision as of 23:49, 30 June 2022

This is now a legacy way to do IPsec, see FireBrick to FireBrick IPsec (Howto) instead!




FireBrick IPsec Information

Information from May 2013:

The IPsec feature provides ESP with ESP-auth and a choice of algorithms to create tunnels with a static config for keys. Blowfish is the fastest, if you have a choice. Triple DES is slowest, as you may expect.

At present the code can be used to create point to point fixed IP tunnels between FireBricks, or FireBrick and linux boxes. Other routers/VPN boxes may be able to handle fixed configs like this too.

Next we will be doing IKE (key exchange) which is more commonly used to establish session keys. We also plan to link in IPsec and L2TP which is commonly used for PCs and mobiles to VPN connect as an endpoint. More on this as we release it.

...this is all in-house code at every level with our own crypto libraries following the RFCs. We control every line of code in the FireBricks and the IPsec code is no exception.

This is an alpha release, and may well have bugs and issues that we need to work on, so we welcome feedback as usual. Please ensure crash logs are emailed as normal so we can pick up any fatal exceptions.

There is lots of information in the FireBrick Manuals:

  • IPsec Chapter: http://www.firebrick.co.uk/fbsoftware/2701/V1.35.001/FB2700/V1.35.001-2701-FB2700-Nestor-html/tunnels.html

FireBrick to FireBrick

Here we will create a tunnel between two FireBricks, Paul and Andrew. We will then set up routing to route each other's LAN blocks through the tunnel. As the two endpoints have IPv6, we'll establish the tunnel over IPv6.

Side A Config

    <ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>


IPsec settings overview

Setting           Description
name              Just a name for this tunnel
mtu
graph             Just a name so as to create a CQM graph
local-ip          Our FireBrick IP to use as the source
remote-ip         Remote FireBrick IP
local-spi         SPI on ESP packets we receive (the "incoming SPI" of the Linux example below)
remote-spi        SPI on ESP packets we send (the "outgoing SPI" of the Linux example below)
auth-algorithm
auth-key          Authentication key, in hex
crypt-algorithm
crypt-key         Encryption key, in hex
routes            IP blocks to route through the tunnel, i.e. LAN IPs of the other end

Side B Config

   <ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>


Firewall

IPsec will need to be allowed in (and out) of the FireBricks: allow IP protocol 50 (ESP) to the FireBrick from the remote endpoint's IP, and out to it.

Testing

These 2 FireBricks both happen to be on AAISP FTTC lines, and a normal traceroute would go via the AAISP router, but when the IPsec tunnel is enabled the traceroute goes direct.

Traceroute Before:

$ traceroute 91.241.56.1
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
 1  brick.h.hearn.org.uk (90.155.90.129)  0.344 ms  0.321 ms  0.310 ms
 2  a.gormless.then.aa.net.uk (90.155.53.51)  11.703 ms  11.712 ms  11.834 ms
 3  brick.shibboleet.ltd.uk (91.241.56.1)  24.862 ms  24.871 ms  25.251 ms

Traceroute After:

$ traceroute 91.241.56.1
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
 1  brick.h.hearn.org.uk (90.155.90.129)  0.358 ms  0.342 ms  0.329 ms
 2  brick.shibboleet.ltd.uk (91.241.56.1)  26.178 ms  26.861 ms  27.123 ms


Linux (CentOS Openswan) Example Using IKE2

yum install openswan

(strongSwan is much nicer, but is not in yum on CentOS 5. On CentOS 6, use strongSwan.)

In /etc/ipsec.conf, uncomment:

include /etc/ipsec.d/*.conf


Put the following two files in /etc/ipsec.d/:

mhbrick.conf:
conn myFireBrick
       authby=secret
       auto=start
       ikev2=insist
       left=CentOS.IP.Address
       leftid=CentOS.IP.Address
       leftsubnet=CentOS.IP.Address/32
       right=FireBrick.IP.Address
       rightid=FireBrick.IP.Address
       rightsubnet=FireBrick.LAN.SUBNET/24

myFireBrick.secrets:

CentOS.IP.Address FireBrick.IP.Address : PSK "yourpasswordhere"

Then enable and start the service:

chkconfig ipsec on
service ipsec start

Put the following in the FireBrick at the other end:

<connection name="IPSec" peer-ips="CentOS.IP.Address" auth-method="Secret" secret="yoursecrethere" internal-ipv4="FireBrick.LAN.IP.Address" routes="CentOS.IP.Address" log="default"/>

FireBrick to Linux

There is information in the FireBrick Manual:

  • Tunnelling to a non-FireBrick device using Manually-Keyed IPsec: http://www.firebrick.co.uk/fbsoftware/2701/V1.35.001/FB2700/V1.35.001-2701-FB2700-Nestor-html/tunnels.html#d0e5432

The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.

Consider a tunnel between a FireBrick and a Linux system with the following setup:

  • FireBrick has IP address 192.168.1.1, Linux system has IP address 192.168.2.2
  • ESP encapsulation using HMAC-SHA1 authentication and AES-CBC encryption
  • Authentication key 0123456789012345678901234567890123456789
  • Encryption key 00010203040506070809101112131415
  • Incoming SPI 1000, Outgoing SPI 2000
  • FireBrick is providing connectivity for a local user subnet 10.1.1.0/24
  • Linux system is providing connectivity for a local user subnet 10.2.2.0/24

A suitable FireBrick xml config for this would be:

<ipsec
 local-ip="192.168.1.1" remote-ip="192.168.2.2"
 local-spi="1000" remote-spi="2000" type="ESP"
 auth-algorithm="HMAC-SHA1"
 auth-key="0123456789012345678901234567890123456789"
 crypt-algorithm="AES-CBC"
 crypt-key="00010203040506070809101112131415"
 routes="10.2.2.0/24" />

A corresponding ipsec-tools config file would be:

 flush;
 spdflush;
 add 192.168.2.2 192.168.1.1 esp 1000 -m tunnel
   -E rijndael-cbc 0x00010203040506070809101112131415
   -A hmac-sha1 0x0123456789012345678901234567890123456789;
 add 192.168.1.1 192.168.2.2 esp 2000 -m tunnel
   -E rijndael-cbc 0x00010203040506070809101112131415
   -A hmac-sha1 0x0123456789012345678901234567890123456789;
 spdadd 10.1.1.0/24 10.2.2.0/24 any
   -P in ipsec esp/tunnel/192.168.1.1-192.168.2.2/require;
 spdadd 10.2.2.0/24 10.1.1.0/24 any
   -P out ipsec esp/tunnel/192.168.2.2-192.168.1.1/require;
 

Note that rijndael is the name used by ipsec-tools for the AES algorithm.
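As an added example (not FireBrick's or AAISP's code), the following Python checks a pair of manually keyed <ipsec/> elements like those in the FireBrick to FireBrick section for the mistakes that make a static tunnel silently fail (IPs and SPIs not mirrored, keys not identical, key length wrong for the algorithm), and translates a FireBrick element into the ipsec-tools setkey script of this section. It assumes the key sizes accepted are the ones the page's examples use (128-bit AES, 160-bit HMAC-SHA1), and takes the FireBrick's own LAN as a parameter because the element does not carry it.

```python
import xml.etree.ElementTree as ET

# Hex digits per key, as in the page's examples (assumption: FireBrick accepts exactly
# these sizes, 128-bit AES and 160-bit HMAC-SHA1). rijndael is ipsec-tools' name for AES.
KEY_HEX_LEN = {"AES-CBC": 32, "AES-XCBC": 32, "HMAC-SHA1": 40}
SETKEY_ALG = {"AES-CBC": "rijndael-cbc", "HMAC-SHA1": "hmac-sha1"}
HEX = set("0123456789abcdefABCDEF")

def parse_ipsec(xml_text):
    """Attributes of one <ipsec .../> element as a dict."""
    el = ET.fromstring(xml_text)
    assert el.tag == "ipsec", "expected an <ipsec/> element"
    return dict(el.attrib)

def check_element(c):
    """Problems with one end: key length must fit the algorithm, SPIs must differ."""
    problems = []
    for alg_attr, key_attr in (("auth-algorithm", "auth-key"), ("crypt-algorithm", "crypt-key")):
        alg, key, want = c.get(alg_attr), c.get(key_attr, ""), KEY_HEX_LEN.get(c.get(alg_attr))
        if want is None:
            problems.append(f"unsupported {alg_attr} {alg!r}")
        elif len(key) != want or not set(key) <= HEX:
            problems.append(f"{key_attr} must be {want} hex digits for {alg}")
    if c.get("local-spi") == c.get("remote-spi"):
        problems.append("local-spi and remote-spi must differ")
    return problems

def check_pair(a, b):
    """Problems with a FireBrick-to-FireBrick pair: IPs and SPIs mirror, keys identical."""
    problems = check_element(a) + check_element(b)
    for mine, theirs in (("local-ip", "remote-ip"), ("local-spi", "remote-spi")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            problems.append(f"{mine}/{theirs} are not mirrored between the two ends")
    return problems + [f"{k} differs between the two ends" for k in
                       ("auth-algorithm", "auth-key", "crypt-algorithm", "crypt-key") if a.get(k) != b.get(k)]

def to_setkey(fb, fb_lan):
    """setkey script for the Linux peer of FireBrick element fb (fb_lan: the FireBrick's own LAN)."""
    fb_ip, lx_ip = fb["local-ip"], fb["remote-ip"]
    algs = (f"-E {SETKEY_ALG[fb['crypt-algorithm']]} 0x{fb['crypt-key']} "
            f"-A {SETKEY_ALG[fb['auth-algorithm']]} 0x{fb['auth-key']}")
    # Linux -> FireBrick packets carry the FireBrick's local (incoming) SPI, and vice versa.
    lines = ["flush;", "spdflush;",
             f"add {lx_ip} {fb_ip} esp {fb['local-spi']} -m tunnel {algs};",
             f"add {fb_ip} {lx_ip} esp {fb['remote-spi']} -m tunnel {algs};"]
    for lx_lan in fb["routes"].split():  # every routed block is a subnet behind the Linux end
        lines.append(f"spdadd {fb_lan} {lx_lan} any -P in ipsec esp/tunnel/{fb_ip}-{lx_ip}/require;")
        lines.append(f"spdadd {lx_lan} {fb_lan} any -P out ipsec esp/tunnel/{lx_ip}-{fb_ip}/require;")
    return "\n".join(lines)
```

Run check_pair on both FireBricks' elements before loading them, and diff the to_setkey output against the hand-written setkey file on the Linux end.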