The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.
Consider a tunnel between a FireBrick and a Linux system with the following setup:
A suitable FireBrick XML config for this would be:
<ipsec local-ip="192.168.1.1"
       remote-ip="192.168.2.2"
       local-spi="1000"
       remote-spi="2000"
       type="ESP"
       auth-algorithm="HMAC-SHA1"
       auth-key="0123456789012345678901234567890123456789"
       crypt-algorithm="AES-CBC"
       crypt-key="00010203040506070809101112131415"
       routes="10.2.2.0/24" />
A corresponding ipsec-tools config file would be:
flush;
spdflush;
add 192.168.2.2 192.168.1.1 esp 1000 -m tunnel
    -E rijndael-cbc 0x00010203040506070809101112131415
    -A hmac-sha1 0x0123456789012345678901234567890123456789;
add 192.168.1.1 192.168.2.2 esp 2000 -m tunnel
    -E rijndael-cbc 0x00010203040506070809101112131415
    -A hmac-sha1 0x0123456789012345678901234567890123456789;
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec
    esp/tunnel/192.168.1.1-192.168.2.2/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec
    esp/tunnel/192.168.2.2-192.168.1.1/require;
Note that rijndael is the name used by ipsec-tools for the AES algorithm.
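The two configs above must agree on SPIs, algorithms and keys, with the FireBrick's local-spi on the SA whose destination is the FireBrick. The following is an added example, not part of the FireBrick documentation or the ipsec-tools package: a Python script that generates random keys of the lengths used above (16 bytes for AES-CBC, 20 bytes for HMAC-SHA1) and emits both configs from one set of values. The function names are hypothetical, and 10.1.1.0/24 is assumed to be the subnet behind the FireBrick, as the spdadd lines imply.

```python
import secrets
from xml.sax.saxutils import quoteattr

def make_keys():
    """Random hex keys: 16 bytes for AES-CBC (AES-128), 20 bytes for HMAC-SHA1."""
    return {"crypt": secrets.token_hex(16), "auth": secrets.token_hex(20)}

def firebrick_xml(fb_ip, linux_ip, local_spi, remote_spi, keys, linux_net):
    """<ipsec/> element for the FireBrick side, attribute order as on the page."""
    attrs = [
        ("local-ip", fb_ip), ("remote-ip", linux_ip),
        ("local-spi", local_spi), ("remote-spi", remote_spi),
        ("type", "ESP"),
        ("auth-algorithm", "HMAC-SHA1"), ("auth-key", keys["auth"]),
        ("crypt-algorithm", "AES-CBC"), ("crypt-key", keys["crypt"]),
        ("routes", linux_net),
    ]
    return "<ipsec " + " ".join(f"{k}={quoteattr(str(v))}" for k, v in attrs) + " />"

def setkey_conf(fb_ip, linux_ip, local_spi, remote_spi, keys, fb_net, linux_net):
    """setkey script for the Linux side, mirroring the FireBrick element."""
    def sa(src, dst, spi):
        return (f"add {src} {dst} esp {spi} -m tunnel\n"
                f"    -E rijndael-cbc 0x{keys['crypt']}\n"
                f"    -A hmac-sha1 0x{keys['auth']};")
    def policy(src_net, dst_net, direction, src_ip, dst_ip):
        return (f"spdadd {src_net} {dst_net} any -P {direction} ipsec\n"
                f"    esp/tunnel/{src_ip}-{dst_ip}/require;")
    return "\n".join([
        "flush;",
        "spdflush;",
        sa(linux_ip, fb_ip, local_spi),    # FireBrick local-spi: Linux -> FireBrick
        sa(fb_ip, linux_ip, remote_spi),   # FireBrick remote-spi: FireBrick -> Linux
        policy(fb_net, linux_net, "in", fb_ip, linux_ip),
        policy(linux_net, fb_net, "out", linux_ip, fb_ip),
    ])

if __name__ == "__main__":
    # Addresses, SPIs and subnets are the page's example values; keys are fresh.
    keys = make_keys()
    ends = ("192.168.1.1", "192.168.2.2", 1000, 2000, keys)
    print(firebrick_xml(*ends, "10.2.2.0/24"))
    print(setkey_conf(*ends, "10.1.1.0/24", "10.2.2.0/24"))
```

Both outputs contain the keys in clear text, so the files they are saved to should be readable only by the administrator.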