Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick to FireBrick IPsec (Howto): Difference between revisions

Back up to the FireBrick Tunnels Category Page
From AAISP Support Site
← Older editNewer edit →
Content deleted Content added
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
mNo edit summary
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
mNo edit summary
Line 1: Line 1:
<indicator name="FireBrick Tunnels">[[File:FBimgtunnel.svg|link=:Category:FireBrick_Tunnels|30px|Back up to the Tunnels Category]]</indicator>
<indicator name="Tunnels">[[File:FBimgtunnel.svg|link=:Category:FireBrick_Tunnels|30px|Back up to the FireBrick Tunnels Category Page]]</indicator>
<indicator name="Tunnels">[[File:FBimgtunnel.svg|link=:Category:FireBrick_Tunnels|30px|Back up to the FireBrick Tunnels Category Page]]</indicator>
Here we will use an IPsec tunnel between two FireBricks. We will use IKEv2 and use a preshared-secret password.
Here we will use an IPsec tunnel between two FireBricks. We will use IKEv2 and use a preshared-secret password.

Revision as of 14:20, 30 June 2015

Here we will use an IPsec tunnel between two FireBricks. We will use IKEv2 and use a preshared-secret password.

Note that the password shown in the config entries below is an example only. A strong passphrase should be used in a real config.

Manuals

Do read the official FireBrick manuals for more information - this is just a simple howto covering the basics.

Network Overview:

FireBrick London FireBrick Reading
LAN IP range 192.168.0.0/24 10.0.0.0/24
WAN Address 203.0.113.1 198.51.100.1

We'll want to end up with machines on each LAN being able to contact each other.

FireBrick London Config

  <ipsec-ike comment="toReading">
     <connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
  </ipsec-ike>

If you firewall WAN to 'Self' (The FireBrick), then a firewall filter may be needed too, eg: 

     <rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/>

FireBrick Reading Config

  <ipsec-ike comment="toLondon">
     <connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
  </ipsec-ike>

If you firewall WAN to 'Self' (The Firebrick), then a firewall filter may be needed too, eg: 

     <rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
Retrieved from "http://support.aa.net.uk/index.php?title=FireBrick_to_FireBrick_IPsec_(Howto)&oldid=9854"