Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick to FireBrick IPsec (Howto): Difference between revisions

m
clean up, typos fixed: eg: → e.g.: (4)
mNo edit summary
m (clean up, typos fixed: eg: → e.g.: (4))
 
(2 intermediate revisions by 2 users not shown)
<indicator name="Tunnels">[[File:Menu-IPsec.svg|link=:Category:FireBrick_IPsecFireBrick IPsec|30px|Back up to the FireBrick IPsec Tunnels Category Page]]</indicator>
Here we will use an IPsec tunnel between two FireBricks. We will use IKEv2 and use a preshared-secret password.
 
Do read the official FireBrick manuals for more information - this is just a simple howto covering the basics.
 
==Network Overview:==
 
{| class="wikitable"
==FireBrick London Config==
 
<syntaxhighlight lang=xml>
<ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
 
If you firewall WAN to 'Self' (The FireBrick), then a firewall filter may be needed too, ege.g.:
 
<syntaxhighlight lang=xml>
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/>
</syntaxhighlight>
 
You will also want to add firewall rules to allow traffic between the two LANs, ege.g., this will allow all traffic to and from Reading and will not NAT the traffic:
 
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
 
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment.
==FireBrick Reading Config==
 
<syntaxhighlight lang=xml>
<ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
 
If you firewall WAN to 'Self' (The Firebrick), then a firewall filter may be needed too, ege.g.:
 
<syntaxhighlight lang=xml>
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
</syntaxhighlight>
 
You will also want to add firewall rules to allow traffic between the two LANs, ege.g., this will allow all traffic to and from London and will not NAT the traffic:
 
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
 
This rule actually allows all traffic from all IPSec connections - so do edit to suit your environment.
 
[[Category:FireBrick_IPsecFireBrick IPsec|FireBrick]]
editor
706

edits