IPsec Firewall: Difference between revisions
Content deleted Content added
mNo edit summary |
→top: clean up |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
<indicator name="Tunnels">[[File:Menu-IPsec.svg|link=:Category: |
<indicator name="Tunnels">[[File:Menu-IPsec.svg|link=:Category:FireBrick IPsec|30px|Back up to the FireBrick IPsec Tunnels Category Page]]</indicator> |
||
If there is no NAT involved, you need: |
If there is no NAT involved, you need: |
||
*UDP port 500 for the IKE control channel |
*UDP port 500 for the IKE control channel |
||
*IP protocol ESP (50) for the data channel. |
*IP protocol ESP (50) for the data channel. |
||
Example: |
|||
<syntaxhighlight> |
<syntaxhighlight lang=xml> |
||
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Non-NATed IPsec connections from PPP to the Brick"> |
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Non-NATed IPsec connections from PPP to the Brick"> |
||
<rule name="IKE" target-port="500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
<rule name="IKE" target-port="500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
||
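Review bot: `<syntaxhighlight lang=xml>` leaves the attribute value unquoted while every attribute in the rule-set it wraps is quoted; writing `<syntaxhighlight lang="xml">` keeps the markup consistent. The IKE rule's comment could also name the transport, e.g. comment="Internet Key Exchange (UDP 500)", so a reader does not have to know that protocol="17" is UDP; the bullet list above says "UDP port 500" but the rule itself does not.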
| Line 20: | Line 21: | ||
The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI. |
The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI. |
||
Example: |
|||
Here is an example rule set for allowing IPsec in to a FireBrick: |
|||
| ⚫ | |||
| ⚫ | |||
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed IPsec connections from PPP to the Brick"> |
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed IPsec connections from PPP to the Brick"> |
||
<rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
<rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
||
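Review bot: the new caption "Here is an example rule set for allowing IPsec in to a FireBrick:" should read "into", and "[Note the capitalisation ]" carries a stray space before the closing bracket. More substantively, `target-port="500 4500"` introduces UDP 4500 without explanation; a clause stating that NAT traversal moves IKE to UDP 4500 and carries the ESP payload inside UDP 4500 once NAT is detected would tell the reader why this rule set differs from the non-NAT one, which is the distinction the force-NAT paragraph is drawing.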
| Line 28: | Line 28: | ||
</syntaxhighlight> |
</syntaxhighlight> |
||
You can join the two rules to create a set that will work for NAT and |
You can join the two rules to create a set that will work for NAT and Non-NAT: |
||
Example: |
|||
<syntaxhighlight> |
<syntaxhighlight lang=xml> |
||
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed and Non-NATed IPsec connections from PPP to the Brick"> |
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed and Non-NATed IPsec connections from PPP to the Brick"> |
||
<rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
<rule name="IKE" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/> |
||
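Review bot: "join the two rules" should be "join the two rule sets", since the earlier examples are whole rule-set elements and the combined example is again a single rule-set; it would also help to say that the merged IKE rule is simply the NAT variant (`target-port="500 4500"`), whose port list already includes the UDP 500 needed for the non-NAT case, so the reader sees why the IKE line needs no further change. As in the first hunk, `lang=xml` is better written `lang="xml"`.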
| Line 37: | Line 38: | ||
</syntaxhighlight> |
</syntaxhighlight> |
||
[[Category: |
[[Category:FireBrick IPsec|Firewall]] |
||