Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

IPsec Firewall: Difference between revisions

← Older editNewer edit →
Content deleted Content added
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
mNo edit summary
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
mNo edit summary
Line 4: Line 4:
*IP protocol ESP (50) for the data channel.
*IP protocol ESP (50) for the data channel.


Example:
<syntaxhighlight>
<syntaxhighlight>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Non-NATed IPsec connections from PPP to the Brick">
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Non-NATed IPsec connections from PPP to the Brick">
Line 20: Line 21:
The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.
The config force-NAT option [Note the capitalisation ] can be used to force IKE to treat the connection as if it was NATed. This is in the top-level ipsec-ike config item and you need "Show all" on the UI.


Example:
Here is an example rule set for allowing IPsec in to a FireBrick:

<syntaxhighlight>
<syntaxhighlight>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed IPsec connections from PPP to the Brick">
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed IPsec connections from PPP to the Brick">
Line 28: Line 28:
</syntaxhighlight>
</syntaxhighlight>


You can join the two rules to create a set that will work for NAT and NON-NAT:
You can join the two rules to create a set that will work for NAT and Non-NAT:


Example:
<syntaxhighlight>
<syntaxhighlight>
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed and Non-NATed IPsec connections from PPP to the Brick">
<rule-set name="IPsec" source-interface="pppoe" target-interface="self" no-match-action="continue" comment="Allow NATed and Non-NATed IPsec connections from PPP to the Brick">
Retrieved from "http://support.aa.net.uk/IPsec_Firewall"