FireBrick to FireBrick IPsec (Howto): Difference between revisions

From AAISP Support Site
Latest revision as of 23:59, 14 March 2017

Here we will use an IPsec tunnel between two FireBricks. We will use IKEv2 and use a preshared-secret password.

Note that the password shown in the config entries below is an example only. Use a long, randomly generated secret in a real config, and keep it identical at both ends: with IKEv2 pre-shared-secret authentication, a short or guessable secret is open to offline guessing by anyone who can get one end to authenticate to them.

Manuals

Do read the official FireBrick manuals for more information - this is just a simple howto covering the basics.

Network Overview

                 FireBrick London    FireBrick Reading
LAN IP range     192.168.0.0/24      10.0.0.0/24
WAN Address      203.0.113.1         198.51.100.1

We'll want to end up with machines on each LAN being able to contact each other.

FireBrick London Config

   <ipsec-ike comment="toReading">
      <connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
   </ipsec-ike>

Here mode="Immediate" brings the tunnel up as soon as the config is loaded rather than waiting for traffic, and blackhole="true" drops traffic for the tunnelled routes while the tunnel is down rather than letting it fall through to the default route unencrypted.

If you firewall WAN to 'Self' (the FireBrick), then a firewall filter may be needed too, e.g. to accept ESP from the Reading FireBrick:

      <rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="198.51.100.1"/>

That rule only covers ESP (IP protocol 50). The IKEv2 negotiation itself runs over UDP port 500 (and UDP 4500 if NAT traversal comes into play), so if your 'Self' firewall would otherwise drop those, accept them from the peer address as well.

You will also want to add firewall rules to allow traffic between the two LANs, e.g., this will allow all traffic to and from Reading and will not NAT the traffic:

   <rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
      <rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
   </rule-set>

This rule-set matches any pairing of the LAN and ipsec interfaces, so it actually allows all traffic from all IPsec connections (and between LAN hosts); narrow it to suit your environment, for example by restricting source-ip and target-ip to the two LAN ranges.

FireBrick Reading Config

   <ipsec-ike comment="toLondon">
      <connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
   </ipsec-ike>

If you firewall WAN to 'Self' (the FireBrick), then a firewall filter may be needed too, e.g. to accept ESP from the London FireBrick:

      <rule name="IPsec from London FB" protocol="50" action="accept" source-ip="203.0.113.1"/>

That rule only covers ESP (IP protocol 50). The IKEv2 negotiation itself runs over UDP port 500 (and UDP 4500 if NAT traversal comes into play), so if your 'Self' firewall would otherwise drop those, accept them from the peer address as well.

You will also want to add firewall rules to allow traffic between the two LANs, e.g., this will allow all traffic to and from London and will not NAT the traffic:

   <rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
      <rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
   </rule-set>

This rule-set matches any pairing of the LAN and ipsec interfaces, so it actually allows all traffic from all IPsec connections (and between LAN hosts); narrow it to suit your environment, for example by restricting source-ip and target-ip to the two LAN ranges.
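The two ends of a tunnel like this have to mirror each other exactly (my peer is your local address, my routes are your LAN, same secret, IDs crossed over) and the 'Self' firewall has to let both IKE and ESP in from the peer, which is easy to get wrong when the two configs are edited on different boxes. The following Python script is an added example, not from the AAISP page or from FireBrick, that cross-checks a London/Reading pair before it is loaded. It covers the secret note near the top of the page as well as the firewall rules: the sample fragments are the howto's own, wrapped in a <config> root for parsing; the UDP/500 IKE rule on the London side (protocol 17, target-port 500), the 20-character secret floor and the finding format are this example's assumptions, not FireBrick specifics.

```python
"""Cross-check a pair of FireBrick site-to-site IPsec configs.

Added example for this howto; it is not from the AAISP page or from FireBrick.
It parses the <ipsec-ike> fragment and the 'Self' firewall <rule>s of each end and
reports what would stop the tunnel coming up (endpoints, IDs, secret or routes not
mirrored) or leave it weaker than intended (short PSK, blackhole off, ESP or IKE
not allowed in from the peer).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the London and Reading fragments from the howto, each
# wrapped in a <config> root so ElementTree can parse one side as a document.
# The UDP/500 rule on the London side is this example's assumption about how an
# IKE allow-rule is written (protocol 17, target-port 500); it is not on the page.
LONDON = """<config>
<ipsec-ike comment="toReading">
  <connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1"
    routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret"
    secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="198.51.100.1"/>
<rule name="IKE from Reading FB" protocol="17" target-port="500" action="accept" source-ip="198.51.100.1"/>
</config>"""

READING = """<config>
<ipsec-ike comment="toLondon">
  <connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1"
    routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret"
    secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
</config>"""

LANS = {"London": "192.168.0.0/24", "Reading": "10.0.0.0/24"}  # from the overview table
MIN_PSK_LEN = 20  # assumed policy floor for a pre-shared secret


def parse_side(xml_text):
    """Return (connection attributes, list of firewall rule attribute dicts)."""
    root = ET.fromstring(xml_text)
    conn = root.find("ipsec-ike/connection")
    if conn is None:
        raise ValueError("no <connection> under <ipsec-ike>")
    return dict(conn.attrib), [dict(r.attrib) for r in root.findall("rule")]


def _accepts(rules, proto, src, port=None):
    """True if some rule accepts IP protocol `proto` from `src` (to `port`, if given)."""
    return any(
        r.get("action") == "accept"
        and r.get("protocol") == proto
        and r.get("source-ip") == src
        and (port is None or r.get("target-port") == port)
        for r in rules
    )


def check_pair(sides, lans):
    """sides: {site: xml text}; lans: {site: LAN cidr}. Returns a list of findings."""
    (a, xml_a), (b, xml_b) = sides.items()
    parsed = {a: parse_side(xml_a), b: parse_side(xml_b)}
    findings = []
    for here, there in ((a, b), (b, a)):
        conn, rules = parsed[here]
        peer_conn, _ = parsed[there]
        peer_ip = conn.get("peer-ips", "")
        # Endpoints mirror: my peer-ips is the other end's local-ip.
        if peer_ip != peer_conn.get("local-ip"):
            findings.append(f"ERROR {here}: peer-ips {peer_ip} != {there} local-ip {peer_conn.get('local-ip')}")
        # Each end routes the *other* LAN over the tunnel.
        want = ipaddress.ip_network(lans[there])
        got = [ipaddress.ip_network(r) for r in conn.get("routes", "").split()]
        if want not in got:
            findings.append(f"ERROR {here}: routes {[str(n) for n in got]} do not include {there} LAN {want}")
        # IKE identities cross-match.
        if conn.get("local-ID") != peer_conn.get("peer-ID"):
            findings.append(f"ERROR {here}: local-ID {conn.get('local-ID')} != {there} peer-ID {peer_conn.get('peer-ID')}")
        # PSK: identical at both ends (reported once) and not a token value.
        if here == a and conn.get("secret") != peer_conn.get("secret"):
            findings.append(f"ERROR {here}: secret differs from {there}")
        if len(conn.get("secret", "")) < MIN_PSK_LEN:
            findings.append(f"WARN {here}: secret shorter than {MIN_PSK_LEN} characters")
        # Fail closed while the tunnel is down.
        if conn.get("blackhole") != "true":
            findings.append(f"WARN {here}: blackhole off; traffic for {want} can leak via the default route")
        # 'Self' firewall: ESP (protocol 50) and IKE (UDP 500) accepted from the peer.
        if not _accepts(rules, "50", peer_ip):
            findings.append(f"ERROR {here}: no accept rule for ESP (protocol 50) from {peer_ip}")
        if not _accepts(rules, "17", peer_ip, "500"):
            findings.append(f"WARN {here}: no accept rule for IKE (UDP 500) from {peer_ip}")
    return findings


if __name__ == "__main__":
    for line in check_pair({"London": LONDON, "Reading": READING}, LANS):
        print(line)
```

Run against the howto's own fragments it reports three warnings and no errors: the example secret is too short at both ends, and the Reading side has no rule letting IKE in from London. Change a route or the secret on one side only and the same function reports an ERROR for it, which is the kind of mismatch that otherwise shows up as a tunnel that silently stays down.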