| 19.2. Setting up a tunnel | ||
|---|---|---|
 | Chapter 19. IPsec |  |
| 19.2. Setting up a tunnel | ||
|---|---|---|
| | Chapter 19. IPsec | |
One of the uses of IPsec is to create a private tunnel between two places. This could be two FireBricks, or between a FireBrick and some otehr device such as a router, VPN box, Linux box, etc.
The tunnel allows traffic to IP addresses at the far end to be routed over the Internet in secret, encrypted at the sending end and decrypted at the receiving end.
To set up a tunnel, it is necessary to configure the IP addresses of the endpoints, the algorithms and keys to be used (currently by using manual keying) and the required routing. To set up a new IPsec tunnel configuration select "Add: New IPsec tunnel /VPN settings" on the tunnel setup page.
Select the required encapsulation type - either AH (providing just authentication) or ESP (providing authentication and/or encryption). Select the required algorithms and choose appropriate keys. The key lengths depend on the selected algorithm according to the following table:
Table 19.1. IPsec algorithm key lengths
| Algorithm | Bytes | Hex digits | Example |
| HMAC-MD5 | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
| HMAC-SHA1 | 20 | 40 | 0102030405060708090A0B0C0D0E0F10111213 |
| AES-XCBC | 16 | 32 | 0F0E0C0D0B0A09080706050403020100 |
| 3DES-CBC | 24 | 48 | 00112233445566778899AABBCCDDEEFF0011223344556677 |
| blowfish | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
| AES-CBC | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
Note that in the current implementation the same key is used for both incoming and outgoing traffic. The same keys and algorithms must be configured at the remote end of the link.
The above keys are examples only. To reduce the possibility that your link could be compromised by keys becoming known or guessed you should generate them using a source of random or pseudo-random data. On a Unix/Linux system the command xxd can be used in conjunction with the /dev/random file. For example to generate a 20-byte key the command would be:
xxd -len 20 -p /dev/random
You also need to configure an SPI (Security Parameter Index) for both the incoming and outgoing traffic. The SPI value is an integer from 256 to 232-1. These are configured as local-spi for incoming traffic and remote-spi for outgoing traffic. The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The incoming SPI must match the outgoing SPI of the far end of the link, and vice-versa.
You must configure routing to specify which traffic the FireBrick should send out through the tunnel. The routing configuration uses the same style as used elsewhere in FireBrick configuration. A simple set of IPs and/or IP ranges can be specified in the routes attribute, or for more complex routing a number of separate route elements can be added to the tunnel config. Metrics and the routing tables to be used may also be specified.
A graph may be specified to monitor data through the tunnel. A speed may be set to rate-limit the traffic. the mode should be set to the default (tunnel) for normal applications. Transport-mode IPsec is used in certain situations when the traffic to be encapsulated does not have its own IP header. With the current implementation the only use of this is when it is required to provide both AH and ESP protection to encapsulated packets; AH authentication with ESP encryption can provide marginally better authentication but is rarely used. To configure this, set up an ESP tunnel with just encryption, and set up a separate AH IPsec entry in transport mode. Each must have their own separate SPIs, and the ESP entry should have the outer-spi field set to the local-spi of the AH entry. The AH entry should have no IPs, routing, graph or speed set.
| |  | |
| Chapter 19. IPsec |  | 19.3. Tunnelling to a non-FireBrick device |