IPsec Firewall: Difference between revisions

Revision as of 19:57, 30 July 2015

If there is no NAT involved, you need:

UDP port 500 for the IKE control channel
IP protocol ESP (50) for the data channel.

If NAT has been detected, or you force IKE to believe NAT is present (see below) you need:

UDP port 4500 only (no need for protocol ESP).
You may need UDP port 500 too, to allow the initial contact to be made - though as soon as NAT is detected (or it has been forced) IKE switches to 4500.
UDP 4500 for IKE

The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.

Here is an example rule set for allowing IPsec in to a FireBrick:

   <rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow IPsec connections from PPP to the Brick">
      <rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/>
      <rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/>
   </rule-set>

@@ Line 15: / Line 15: @@
 <syntaxhighlight>
    <rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow IPsec connections from PPP to the Brick">
-      <rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange - network protocol used by IPSec"/>
+      <rule name="IKENAT" target-port="500 4500" protocol="17" action="accept" comment="Internet Key Exchange"/>
-      <rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol within the IPsec suite"/>
+      <rule name="ESP" protocol="50" action="accept" comment="Encapsulating Security Payload - encryption protocol"/>
    </rule-set>
 </syntaxhighlight>