FireBrick IPsec Tunnel with Manual Keys (Deprecated): Difference between revisions
(Revision diff, no edit summary.) One revision also links the FireBrick manual's IPsec page after the alpha-release paragraph:
* http://www.firebrick.co.uk/fbsoftware/2701/V1.25.101/FB2700/V1.25.101-2701-FB2700-Dexter-html/ipsec.html
Revision as of 16:00, 28 June 2013
FireBrick IPSec Information
Information from May 2013:
The IPSec feature provides ESP with ESP-auth and a choice of algorithms to create tunnels with a static config for keys. Blowfish is the fastest, if you have a choice. Triple DES is slowest, as you may expect.
At present the code can be used to create point-to-point fixed IP tunnels between FireBricks, or between a FireBrick and a Linux box. Other routers/VPN boxes may be able to handle fixed configs like this too.
Next we will be doing IKE (key exchange), which is more commonly used to establish session keys. We also plan to link IPSec and L2TP together, which is commonly used by PCs and mobiles to connect to a VPN endpoint. More on this as we release it.
...this is all in-house code at every level with our own crypto libraries following the RFCs. We control every line of code in the FireBricks and the IPSec code is no exception.
This is an alpha release, and may well have bugs and issues that we need to work on, so we welcome feedback as usual. Please ensure crash logs are emailed as normal so we can pick up any fatal exceptions.
There is lots of information in the FireBrick Manuals:
FireBrick to FireBrick
Here we will create a tunnel between two FireBricks, Paul and Andrew. We will then set up routing to route each other's LAN blocks through the tunnel. As the two endpoints have IPv6, we'll establish the tunnel over IPv6.
Side A Config
<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="90.155.90.128/27 2001:8b0:1635::/64"/>
IPSec settings overview

Setting | Meaning
---|---
name | Just a name for this tunnel
mtu | MTU of the tunnel (1500 in the example)
graph | Just a name so as to create a CQM graph
local-ip | Our FireBrick IP to use as the source
remote-ip | Remote FireBrick IP
local-spi | Our SPI value; must equal the other end's remote-spi (4242/999 are swapped between the two configs)
remote-spi | The other end's SPI value; must equal the other end's local-spi
auth-algorithm | ESP authentication (integrity) algorithm, AES-XCBC in the example
auth-key | Hex key for the authentication algorithm; the same on both ends
crypt-algorithm | ESP encryption algorithm, AES-CBC in the example
crypt-key | Hex key for the encryption algorithm; the same on both ends
routes | IP blocks to route through the tunnel, i.e. the LAN IPs of the other end
Side B Config
<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" crypt-key="0BC4DF636566667BEEC9F02117CB57C3" routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>
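As an added example (not FireBrick code), a small Python check that pairs the two sides' configs above and flags the mistakes that silently break a manual-key tunnel: unmirrored addresses, unswapped SPIs, mismatched or malformed keys, and reuse of one key for both auth and encryption. The accepted key lengths are assumptions taken from the RFCs for AES-CBC and AES-XCBC, not a statement about what the FireBrick accepts.

```python
import xml.etree.ElementTree as ET

# The two manual-key configs from this page, embedded so the check runs offline.
SIDE_A = ('<ipsec name="Andrew-ipsec" mtu="1500" graph="andrew-ipsec" '
          'local-ip="2001:8b0:d6:1::1" remote-ip="2001:8b0:1635::1" '
          'local-spi="4242" remote-spi="999" auth-algorithm="AES-XCBC" '
          'auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" '
          'crypt-key="0BC4DF636566667BEEC9F02117CB57C3" '
          'routes="90.155.90.128/27 2001:8b0:1635::/64"/>')
SIDE_B = ('<ipsec name="Paul-ipsec" mtu="1500" graph="paul-ipsec" '
          'local-ip="2001:8b0:1635::1" remote-ip="2001:8b0:d6:1::1" '
          'local-spi="999" remote-spi="4242" auth-algorithm="AES-XCBC" '
          'auth-key="1310B855522E8D457B814BD9DD78B6AB" crypt-algorithm="AES-CBC" '
          'crypt-key="0BC4DF636566667BEEC9F02117CB57C3" '
          'routes="91.241.56.1 81.2.97.160/27 91.241.56.0/24 2001:8b0:d6::/48"/>')

# Valid key sizes in hex digits (assumed from the RFCs: AES-CBC 128/192/256-bit, AES-XCBC 128-bit).
KEY_HEX_LENS = {"AES-CBC": (32, 48, 64), "AES-XCBC": (32,)}

def parse_ipsec(element):
    """Return the attributes of one <ipsec .../> element as a dict."""
    return dict(ET.fromstring(element).attrib)

def check_pair(side_a, side_b):
    """Return a list of problems found when pairing two sides' configs."""
    a, b = parse_ipsec(side_a), parse_ipsec(side_b)
    problems = []
    # Each end's local address must be the other end's remote address.
    if a["local-ip"] != b["remote-ip"] or a["remote-ip"] != b["local-ip"]:
        problems.append("local-ip/remote-ip are not mirrored")
    # An SPI names the SA in one direction, so the two sides must swap them.
    if a["local-spi"] != b["remote-spi"] or a["remote-spi"] != b["local-spi"]:
        problems.append("local-spi/remote-spi are not swapped")
    # Static keys and algorithms must match exactly on both ends.
    for attr in ("auth-algorithm", "crypt-algorithm", "auth-key", "crypt-key"):
        if a[attr] != b[attr]:
            problems.append(f"{attr} differs between sides")
    # Keys must be hex of a length the chosen algorithm accepts, and distinct.
    for label, cfg in (("A", a), ("B", b)):
        for alg, key in (("auth-algorithm", "auth-key"), ("crypt-algorithm", "crypt-key")):
            try:
                bytes.fromhex(cfg[key])
            except ValueError:
                problems.append(f"side {label}: {key} is not valid hex")
            if len(cfg[key]) not in KEY_HEX_LENS.get(cfg[alg], ()):
                problems.append(f"side {label}: {key} length does not fit {cfg[alg]}")
        if cfg["auth-key"] == cfg["crypt-key"]:
            problems.append(f"side {label}: auth-key and crypt-key are identical")
    return problems
```

Run `check_pair(SIDE_A, SIDE_B)`; an empty list means the two configs pair correctly.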
Testing
These two FireBricks both happen to be on AAISP FTTC lines, and a normal traceroute would go via the AAISP router, but when the IPSec tunnel is enabled the traceroute goes direct.
Traceroute Before:
$ traceroute 91.241.56.1
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
 1  brick.h.hearn.org.uk (90.155.90.129)  0.344 ms  0.321 ms  0.310 ms
 2  a.gormless.thn.aa.net.uk (90.155.53.51)  11.703 ms  11.712 ms  11.834 ms
 3  brick.shibboleet.ltd.uk (91.241.56.1)  24.862 ms  24.871 ms  25.251 ms
Traceroute After:
$ traceroute 91.241.56.1
traceroute to 91.241.56.1 (91.241.56.1), 30 hops max, 60 byte packets
 1  brick.h.hearn.org.uk (90.155.90.129)  0.358 ms  0.342 ms  0.329 ms
 2  brick.shibboleet.ltd.uk (91.241.56.1)  26.178 ms  26.861 ms  27.123 ms