
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick IPsec Tunnel with Manual Keys (Deprecated)

 
=FireBrick to Linux=
*[http://www.firebrick.co.uk/fbsoftware/2701/V1.25.101/FB2700/V1.25.101-2701-FB2700-Dexter-html/ch20s03.html IPSec Chapter]
 
The FireBrick IPsec implementation should interoperate with any IPsec implementation that supports manual keying, provided both ends can be configured with the same algorithms, keys and SPIs. As an example, the matching configuration for a Linux system using the ipsec-tools package (the setkey utility) is described below.
 
Consider a tunnel between a FireBrick and a Linux system with the following setup:
 
*FireBrick has IP address 192.168.1.1, Linux system has IP address 192.168.2.2
*ESP encapsulation using HMAC-SHA1 authentication and AES-CBC encryption
*Authentication key 0123456789012345678901234567890123456789
*Encryption key 00010203040506070809101112131415
*Incoming SPI 1000, Outgoing SPI 2000 (as seen from the FireBrick: packets from the Linux system to the FireBrick carry SPI 1000, packets from the FireBrick to the Linux system carry SPI 2000)
*FireBrick is providing connectivity for a local user subnet 10.1.1.0/24
*Linux system is providing connectivity for a local user subnet 10.2.2.0/24

A suitable FireBrick XML config for this would be:
 
<ipsec
local-ip="192.168.1.1" remote-ip="192.168.2.2"
local-spi="1000" remote-spi="2000" type="ESP"
auth-algorithm="HMAC-SHA1"
auth-key="0123456789012345678901234567890123456789"
crypt-algorithm="AES-CBC"
crypt-key="00010203040506070809101112131415"
routes="10.2.2.0/24" />
 
A corresponding ipsec-tools config file would be:
 
flush;
spdflush;
add 192.168.2.2 192.168.1.1 esp 1000 -m tunnel
-E rijndael-cbc 0x00010203040506070809101112131415
-A hmac-sha1 0x0123456789012345678901234567890123456789;
add 192.168.1.1 192.168.2.2 esp 2000 -m tunnel
-E rijndael-cbc 0x00010203040506070809101112131415
-A hmac-sha1 0x0123456789012345678901234567890123456789;
spdadd 10.1.1.0/24 10.2.2.0/24 any
-P in ipsec esp/tunnel/192.168.1.1-192.168.2.2/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any
-P out ipsec esp/tunnel/192.168.2.2-192.168.1.1/require;

Note that rijndael is the name used by ipsec-tools for the AES algorithm. The key lengths are not optional: hmac-sha1 requires exactly a 160-bit (20-byte, 40 hex digit) key and rijndael-cbc a 128-, 192- or 256-bit key, and setkey rejects an SA whose key does not match.

Manual keying is deprecated for good reason. The keys are fixed for the life of the configuration and the same pair is used in both directions, and because a manually keyed SA is never rekeyed its ESP sequence number counter cannot be reset, so anti-replay protection is not available. If it must be used, generate the keys with a CSPRNG rather than sequential demonstration values like the ones above, and prefer an IKE-keyed tunnel wherever both ends support it.
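The following script is an added example, not code from the FireBrick documentation or from the ipsec-tools project. It builds both halves of the configuration above from one description of the tunnel, so the SPIs, addresses and keys cannot drift apart between the two ends; it rejects the mistakes that make a manual tunnel fail silently (wrong key length for the algorithm, non-hex keys, reserved SPI values) and can swap the demonstration keys for random ones. The Tunnel class, the function names and the assumption that the FireBrick accepts 192- and 256-bit AES keys are the example's own.

```python
#!/usr/bin/env python3
"""Generate a matched FireBrick <ipsec .../> element and ipsec-tools setkey
file for a manually keyed ESP tunnel.  Added example; the Tunnel model and
the assumption about longer AES keys on the FireBrick are this script's own."""
from dataclasses import dataclass, replace
import secrets

# Key sizes in bytes.  HMAC-SHA1 in ESP uses a 160-bit key (RFC 2404);
# AES-CBC takes 128/192/256-bit keys (setkey accepts all three; that the
# FireBrick does too is an assumption, the page only shows a 128-bit key).
AUTH_KEY_BYTES = {"HMAC-SHA1": {20}}
CRYPT_KEY_BYTES = {"AES-CBC": {16, 24, 32}}
# ipsec-tools spells AES as "rijndael".
SETKEY_ALG = {"HMAC-SHA1": "hmac-sha1", "AES-CBC": "rijndael-cbc"}


@dataclass
class Tunnel:
    fb_ip: str          # FireBrick outer address
    linux_ip: str       # Linux outer address
    fb_subnet: str      # subnet behind the FireBrick
    linux_subnet: str   # subnet behind the Linux system
    fb_in_spi: int      # SPI on packets Linux -> FireBrick (FireBrick local-spi)
    fb_out_spi: int     # SPI on packets FireBrick -> Linux (FireBrick remote-spi)
    auth_alg: str
    auth_key: str       # hex digits, no 0x prefix
    crypt_alg: str
    crypt_key: str      # hex digits, no 0x prefix


def check_tunnel(t: Tunnel) -> None:
    """Raise ValueError for a key of the wrong length, a non-hex key or a
    reserved SPI; each of these is rejected by setkey or simply never works."""
    for alg, key, table in ((t.auth_alg, t.auth_key, AUTH_KEY_BYTES),
                            (t.crypt_alg, t.crypt_key, CRYPT_KEY_BYTES)):
        if alg not in table:
            raise ValueError(f"unsupported algorithm {alg}")
        try:
            nbytes = len(bytes.fromhex(key))
        except ValueError:
            raise ValueError(f"{alg} key is not hex") from None
        if nbytes not in table[alg]:
            raise ValueError(f"{alg} key is {nbytes} bytes, need {sorted(table[alg])}")
    # RFC 4303: SPI 0 is for local use, 1-255 are reserved by IANA.
    for spi in (t.fb_in_spi, t.fb_out_spi):
        if not 256 <= spi <= 0xFFFFFFFF:
            raise ValueError(f"SPI {spi} outside the usable range 256..2^32-1")


def is_valid(t: Tunnel) -> bool:
    try:
        check_tunnel(t)
        return True
    except ValueError:
        return False


def firebrick_xml(t: Tunnel) -> str:
    check_tunnel(t)
    return (f'<ipsec\n'
            f'local-ip="{t.fb_ip}" remote-ip="{t.linux_ip}"\n'
            f'local-spi="{t.fb_in_spi}" remote-spi="{t.fb_out_spi}" type="ESP"\n'
            f'auth-algorithm="{t.auth_alg}"\n'
            f'auth-key="{t.auth_key}"\n'
            f'crypt-algorithm="{t.crypt_alg}"\n'
            f'crypt-key="{t.crypt_key}"\n'
            f'routes="{t.linux_subnet}" />')


def setkey_conf(t: Tunnel) -> str:
    """setkey file for the Linux end.  An SA is identified by its destination,
    so the Linux -> FireBrick SA carries the FireBrick's *local* SPI."""
    check_tunnel(t)
    enc = f"-E {SETKEY_ALG[t.crypt_alg]} 0x{t.crypt_key}"
    auth = f"-A {SETKEY_ALG[t.auth_alg]} 0x{t.auth_key};"
    return "\n".join([
        "flush;", "spdflush;",
        f"add {t.linux_ip} {t.fb_ip} esp {t.fb_in_spi} -m tunnel", f"    {enc}", f"    {auth}",
        f"add {t.fb_ip} {t.linux_ip} esp {t.fb_out_spi} -m tunnel", f"    {enc}", f"    {auth}",
        f"spdadd {t.fb_subnet} {t.linux_subnet} any",
        f"    -P in ipsec esp/tunnel/{t.fb_ip}-{t.linux_ip}/require;",
        f"spdadd {t.linux_subnet} {t.fb_subnet} any",
        f"    -P out ipsec esp/tunnel/{t.linux_ip}-{t.fb_ip}/require;",
    ]) + "\n"


def fresh_keys(t: Tunnel) -> Tunnel:
    """Same tunnel with keys from the OS CSPRNG instead of the sequential demo
    values; manual keys are never rotated, so they must at least start strong."""
    return replace(t,
                   auth_key=secrets.token_hex(min(AUTH_KEY_BYTES[t.auth_alg])),
                   crypt_key=secrets.token_hex(min(CRYPT_KEY_BYTES[t.crypt_alg])))


# The tunnel from the page, with its demonstration-only keys.
PAGE_TUNNEL = Tunnel("192.168.1.1", "192.168.2.2", "10.1.1.0/24", "10.2.2.0/24",
                     1000, 2000, "HMAC-SHA1", "0123456789012345678901234567890123456789",
                     "AES-CBC", "00010203040506070809101112131415")

if __name__ == "__main__":
    t = fresh_keys(PAGE_TUNNEL)
    print(firebrick_xml(t))
    print()
    print(setkey_conf(t), end="")
```

Run without arguments it prints a freshly keyed pair of configs for the addresses and subnets on this page; with the page's own keys, setkey_conf(PAGE_TUNNEL) reproduces the setkey file above line for line.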
 
 
[[Category:FireBrick]]