IPsec Firewall: Difference between revisions
Latest revision as of 23:59, 17 August 2018
If there is no NAT involved, you need:
- UDP port 500 for the IKE control channel
- IP protocol ESP (50) for the data channel.
Example:
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Non-NATed IPsec connections from PPP to the Brick">
  <rule name="IKE" target-port="500" protocol="17" action="accept" comment="Internet Key Exchange"/>
  <rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/>
</rule-set>
</syntaxhighlight>
More likely, however, your devices are out on the road (and so behind NAT):
If NAT has been detected, or you force IKE to believe NAT is present (see below), you need:
- UDP port 4500 (IKE)
- No need for protocol ESP: with NAT traversal the ESP traffic is UDP-encapsulated on port 4500 as well.
- You may need UDP port 500 too, to allow the initial contact to be made, though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
The config force-NAT option (note the capitalisation) can be used to force IKE to treat the connection as if it were NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.
Example:
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed IPsec connections from PPP to the Brick">
  <rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/>
</rule-set>
</syntaxhighlight>
You can combine the two rules into one set that works for both NAT and non-NAT:
Example:
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed and Non-NATed IPsec connections from PPP to the Brick">
  <rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/>
  <rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/>
</rule-set>
</syntaxhighlight>
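To see why the NAT-only set is not enough for a non-NATed peer while the combined set covers both cases, here is an added example (not FireBrick code or part of this wiki page) that parses the two rule-sets above and runs constructed sample packets through a simplified first-match model; the matching semantics (absent attribute is a wildcard, target-port is a space-separated list, no-match-action hands the packet to the next rule-set) are assumptions based on how the page uses the attributes.

```python
import xml.etree.ElementTree as ET

# Constructed copies of two rule-sets from the page (comments dropped to save space).
NAT_ONLY = """<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue">
  <rule name="IKE" target-port="500 4500" protocol="17" action="accept"/>
</rule-set>"""
COMBINED = """<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue">
  <rule name="IKE" target-port="500 4500" protocol="17" action="accept"/>
  <rule name="ESP" protocol="50" action="accept"/>
</rule-set>"""

# Constructed sample traffic: (label, IP protocol number, destination UDP port or None).
PACKETS = [
    ("IKE initial contact", 17, 500),
    ("IKE after NAT detected", 17, 4500),
    ("ESP data channel, no NAT", 50, None),
    ("SSH to the Brick", 6, 22),
]

def parse_rule_set(xml_text):
    """Return (no-match-action, rules). Assumed semantics, matching the page's usage:
    an absent attribute is a wildcard; target-port is a space-separated port list."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        ports = r.get("target-port")
        rules.append({
            "name": r.get("name"),
            "protocol": int(r.get("protocol")) if r.get("protocol") else None,
            "ports": {int(p) for p in ports.split()} if ports else None,
            "action": r.get("action"),
        })
    return root.get("no-match-action", "drop"), rules

def evaluate(xml_text, protocol, dst_port=None):
    """First-match evaluation: (action, matching rule name or None)."""
    no_match, rules = parse_rule_set(xml_text)
    for rule in rules:
        if rule["protocol"] is not None and rule["protocol"] != protocol:
            continue
        if rule["ports"] is not None and dst_port not in rule["ports"]:
            continue
        return rule["action"], rule["name"]
    return no_match, None  # "continue": handed to the next rule-set, not accepted here

def compare(packets=PACKETS):
    """Outcome of each packet under the NAT-only set versus the combined set."""
    return {label: (evaluate(NAT_ONLY, proto, port)[0], evaluate(COMBINED, proto, port)[0])
            for label, proto, port in packets}
```

compare() shows the bare ESP packet falling through the NAT-only set ("continue") but being accepted by the combined set, while unrelated traffic such as SSH falls through both, which is the point of keeping the set limited to UDP 500/4500 and ESP.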