Difference between revisions of "FireBrick to FireBrick IPsec (Howto)"

From AAISP Support Site
Jump to navigation Jump to search
[quality revision][quality revision]
m
Line 25: Line 25:
   
 
<ipsec-ike comment="toReading">
 
<ipsec-ike comment="toReading">
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate"/>
+
<connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
 
</ipsec-ike>
 
</ipsec-ike>
   
Line 35: Line 35:
   
 
<ipsec-ike comment="toLondon">
 
<ipsec-ike comment="toLondon">
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24"local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate"/>
+
<connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24"local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
 
</ipsec-ike>
 
</ipsec-ike>
   

Revision as of 15:44, 6 May 2015

Here we will use an IPsec tunnel between two FireBricks. We will use IKE2 and use a (strong) preshared password.

Manuals

Do read the official FireBrick manuals for more information this is just a simple howto, which just covers the basics.

Network Overview:

FireBrick London FireBrick Reading
LAN IP range 192.168.0.0/24 10.0.0.0/24
WAN Address 203.0.113.1 198.51.100.1

We'll want to end up with machines on each LAN being able to contact each other.

FireBrick London Config

  <ipsec-ike comment="toReading">
     <connection name="toReading" local-ip="203.0.113.1" peer-ips="198.51.100.1" graph="ReadingIPsec" routes="10.0.0.0/24" local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
  </ipsec-ike>

If you firewall WAN to 'Self' (The Firebrick, then a firewall filter may be needed too, eg:

     <rule name="IPsec from London FB" protocol="50" action="accept" source-ip="198.51.100.1"/>

FireBrick B Config

  <ipsec-ike comment="toLondon">
     <connection name="toLondon" local-ip="198.51.100.1" peer-ips="203.0.113.1" graph="LondonIPsec" routes="192.168.0.0/24"local-ID="1" peer-ID="1" auth-method="Secret" secret="mySecretPassword" mode="Immediate" blackhole="true"/>
  </ipsec-ike>

If you firewall WAN to 'Self' (The Firebrick, then a firewall filter may be needed too, eg:

     <rule name="IPsec from Reading FB" protocol="50" action="accept" source-ip="203.0.113.1"/>