This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
This page sets up an IPsec tunnel between two FireBricks, using IKEv2 with a pre-shared secret for authentication.
Do read the official FireBrick manuals for more information; this is just a simple how-to covering the basics.
==Network Overview==
The addresses used in the configurations on this page (documentation ranges, substitute your own):
{| class="wikitable"
! Site !! WAN IP !! LAN subnet
|-
| London || 203.0.113.1 || 192.168.0.0/24
|-
| Reading || 198.51.100.1 || 10.0.0.0/24
|}
==FireBrick London Config==
<syntaxhighlight lang=xml>
<ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
If you firewall traffic from the WAN to 'Self' (the FireBrick itself), then a firewall rule may be needed too so that the peer's ESP packets (IP protocol 50) are accepted. IKE itself runs over UDP port 500 (and 4500 when NAT traversal is in use), so those also need to be allowed from the peer if your WAN-to-Self rules block them:
<syntaxhighlight lang=xml>
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="198.51.100.1"/>
</syntaxhighlight>
You will also want to add firewall rules to allow traffic between the two LANs,
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
This rule allows all traffic between the LAN and every IPsec connection, so adjust it to suit your environment.
==FireBrick Reading Config==
<syntaxhighlight lang=xml>
<ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
If you firewall traffic from the WAN to 'Self' (the FireBrick itself), then a firewall rule may be needed too so that the peer's ESP packets (IP protocol 50) are accepted:
<syntaxhighlight lang=xml>
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
</syntaxhighlight>
You will also want to add firewall rules to allow traffic between the two LANs,
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
This rule allows all traffic between the LAN and every IPsec connection, so adjust it to suit your environment.
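The two sites must mirror each other exactly (local-ip against peer-ips, identical secret, each side's WAN-to-Self rule admitting the other's ESP), and a mismatch in any of these is a common reason a tunnel stays down. The following is an added Python check over the two configurations above; it is not FireBrick code, and the XML samples are constructed from this page's addresses.

```python
"""Consistency check for the pair of FireBrick IPsec configs shown above (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

LONDON = """<config><ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1"
 routes="10.0.0.0/24" auth-method="Secret" secret="mySecretPassword"/>
</ipsec-ike>
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="198.51.100.1"/>
</config>"""
READING = """<config><ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1"
 routes="192.168.0.0/24" auth-method="Secret" secret="mySecretPassword"/>
</ipsec-ike>
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
</config>"""

def parse_site(xml_text):
    """Tunnel parameters plus the sources admitted by ESP (protocol 50) accept rules."""
    root = ET.fromstring(xml_text)
    conn = root.find("./ipsec-ike/connection")
    return {
        "local": conn.get("local-ip"),
        "peers": conn.get("peer-ips", "").split(),
        "secret": conn.get("secret"),
        "routes": [ipaddress.ip_network(r) for r in conn.get("routes", "").split()],
        "esp_from": {r.get("source-ip") for r in root.iter("rule")
                     if r.get("protocol") == "50" and r.get("action") == "accept"},
    }

def check_pair(a_xml, b_xml):
    """Return a list of mismatches between the two sites; [] means consistent."""
    a, b = parse_site(a_xml), parse_site(b_xml)
    problems = []
    if a["local"] not in b["peers"] or b["local"] not in a["peers"]:
        problems.append("local-ip/peer-ips are not mirrored")
    if a["secret"] != b["secret"]:
        problems.append("pre-shared secrets differ")
    # Each side routes the remote LAN into the tunnel, so the two sets must differ.
    for ra in a["routes"]:
        for rb in b["routes"]:
            if ra.overlaps(rb):
                problems.append(f"routes overlap: {ra} and {rb}")
    for me, other in ((a, b), (b, a)):  # WAN-to-Self must admit the peer's ESP
        if other["local"] not in me["esp_from"]:
            problems.append(f"{me['local']}: no ESP accept rule for {other['local']}")
    return problems

if __name__ == "__main__":
    print(check_pair(LONDON, READING) or "configs are consistent")
```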