This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Difference between revisions of "FireBrick to FireBrick IPsec (Howto)"

==FireBrick London Config==
 
<syntaxhighlight lang=xml>
<ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
 
If you firewall traffic from WAN to 'Self' (the FireBrick itself), a rule accepting the IPsec traffic from the peer is also needed. Protocol 50 is ESP, the encrypted tunnel traffic; the IKE negotiation that brings the tunnel up runs over UDP port 500 (and 4500 when NAT traversal is in use), so allow that from the peer too if your WAN rules block it, e.g.:
 
<syntaxhighlight lang=xml>
<!-- accept ESP from the Reading FireBrick's WAN address -->
<rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="198.51.100.1"/>
</syntaxhighlight>
 
You will also want firewall rules allowing traffic between the two LANs. For example, this rule-set allows all traffic to and from Reading and does not NAT it:
 
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
 
Note that this rule-set matches every IPsec connection on the FireBrick, not just this one, so restrict it to suit your environment.

==FireBrick Reading Config==
 
<syntaxhighlight lang=xml>
<ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>
</syntaxhighlight>
 
If you firewall traffic from WAN to 'Self' (the FireBrick itself), a rule accepting the IPsec traffic from the peer is also needed. Protocol 50 is ESP, the encrypted tunnel traffic; the IKE negotiation that brings the tunnel up runs over UDP port 500 (and 4500 when NAT traversal is in use), so allow that from the peer too if your WAN rules block it, e.g.:
 
<syntaxhighlight lang=xml>
<!-- accept ESP from the London FireBrick's WAN address -->
<rule name="IPsec from London FB" protocol="50" action="accept" source-ip="203.0.113.1"/>
</syntaxhighlight>
 
You will also want firewall rules allowing traffic between the two LANs. For example, this rule-set allows all traffic to and from London and does not NAT it:
 
<syntaxhighlight lang=xml>
<rule-set name="IPsec" source-interface="LAN ipsec" target-interface="LAN ipsec" no-match-action="continue" comment="Allow all traffic ">
<rule name="Allow" set-graph="IPSecTraffic" action="accept" set-nat="false" />
</rule-set>
</syntaxhighlight>
 
Note that this rule-set matches every IPsec connection on the FireBrick, not just this one, so restrict it to suit your environment.
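The London and Reading configs are mirror images of each other, and a single attribute that does not line up (a typo in a peer address, a secret pasted differently at one end, overlapping LANs) is easy to miss by eye. The script below is an added example, not part of this page or of FireBrick's software: it parses the two fragments above with Python's xml.etree and lists any mismatch between the ends, and also checks that a WAN-to-Self rule accepts ESP from the right peer; the function names connection, check_pair and check_esp_rule are my own.

```python
# Added example, not FireBrick code: parse the London and Reading <ipsec-ike>
# fragments above and check that the two ends of the tunnel mirror each other.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples copied from the two config sections on this page.
LONDON = """<ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1"
 routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret"
 secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>"""
READING = """<ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1"
 routes="192.168.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret"
 secret="mySecretPassword" mode="Immediate" blackhole="true"/>
</ipsec-ike>"""

def connection(xml_text):
    """Return the attributes of the single <connection> inside <ipsec-ike>."""
    conn = ET.fromstring(xml_text).find("connection")
    if conn is None:
        raise ValueError("no <connection> element found")
    return conn.attrib

def check_pair(a_xml, b_xml):
    """Return the mismatches between the two ends; an empty list means consistent."""
    a, b = connection(a_xml), connection(b_xml)
    problems = []
    # Each end's local-ip must be listed in the other end's (space-separated) peer-ips.
    if a["local-ip"] not in b["peer-ips"].split() or b["local-ip"] not in a["peer-ips"].split():
        problems.append("local-ip and peer-ips do not mirror each other")
    # local-ID on one side must equal peer-ID on the other, and vice versa.
    if a.get("local-ID") != b.get("peer-ID") or b.get("local-ID") != a.get("peer-ID"):
        problems.append("local-ID and peer-ID do not mirror each other")
    if a.get("auth-method") != b.get("auth-method") or a.get("secret") != b.get("secret"):
        problems.append("auth-method or pre-shared secret differs")
    # routes= is the remote LAN reached via the tunnel, so the two must not overlap.
    for net_a in a["routes"].split():
        for net_b in b["routes"].split():
            if ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b)):
                problems.append("routes overlap: %s and %s" % (net_a, net_b))
    return problems

def check_esp_rule(rule_xml, peer_xml):
    """True if a WAN-to-Self rule accepts ESP (protocol 50) from the peer's local-ip."""
    rule = ET.fromstring(rule_xml).attrib
    return (rule.get("protocol") == "50" and rule.get("action") == "accept"
            and rule.get("source-ip") == connection(peer_xml)["local-ip"])
```

Run check_pair(LONDON, READING) on your own two fragments before loading them; an empty list means the ends agree, and check_esp_rule confirms the WAN filter names the other FireBrick's address rather than your own.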