configuration:ipsec [2020/06/30 06:12] dodenhoeft |
configuration:ipsec [2020/06/30 06:50] dodenhoeft [Network setup] |
Line 54: | Line 54: | ||
===== Network setup ===== | ===== Network setup ===== | ||
- | For this configuration we will use the most common mode, __**the tunnel mode**__. | + | For this configuration we will use the most common mode, __**the tunnel mode**__. For this example we are using PSK as authentification method. |
{{:configuration:ipsec1.png|}} | {{:configuration:ipsec1.png|}} | ||
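Review bot: the sentence added on the right-hand side spells it "authentification"; the term is "authentication", which is also how the table heading below spells it. Since the same PSK is configured on both ends, this sentence is also the place to say that the "TopSecret01" value in the table is an example placeholder to be replaced with a long random secret.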
Line 61: | Line 61: | ||
- | ^SideA^^^Backend^ | + | ^SideA^^Backend^^ |
^Local WAN^Remote WAN^Local WAN^Remote WAN^ | ^Local WAN^Remote WAN^Local WAN^Remote WAN^ | ||
- | |10.10.10.1|10.10.10.2| | + | |10.10.10.1|10.10.10.2|10.10.10.2|10.10.10.1| |
- | ^General^Parameter^ | + | ^General^Parameter^General^Parameter^ |
- | |Remote peer address|10.10.10.2| | + | |Remote peer address|10.10.10.2|Remote peer address|0.0.0.0| |
- | ^Dead Peer Detection(DPD)^Parameter^ | + | ^Dead Peer Detection(DPD)^Parameter^Dead Peer Detection(DPD)^Parameter^ |
- | |Detection cycle|30 sec| | + | |Detection cycle|30 sec|Detection cycle|30 sec| |
- | |Failure threshold|3| | + | |Failure threshold|3|Failure threshold|3| |
- | |Action|hold| | + | |Action|hold|Action|hold| |
- | ^Authentication^Parameter^ | + | ^Authentication^Parameter^Authentication^Parameter^ |
- | |Key exchange|IKEv2| | + | |Key exchange|IKEv2|Key exchange|IKEv2| |
- | |Authentication type|pre shared key| | + | |Authentication type|pre shared key|Authentication type|pre shared key| |
- | |PSK|"TopSecret01"| | + | |PSK|"TopSecret01"|PSK|"TopSecret01"| |
- | |Local ID type|FQDN| | + | |Local ID type|FQDN|Local ID type|FQDN| |
- | |Local ID|"sideA"| | + | |Local ID|"sideA"|Local ID|"backend"| |
- | |Peer ID type|FQDN| | + | |Peer ID type|FQDN| Peer ID type|FQDN| |
- | |Peer ID|"sideB"| | + | |Peer ID|"backend"|Peer ID|"sideA"| |
- | ^IKE Proposal - Phase1^Parameter^ | + | ^IKE Proposal - Phase1^Parameter^IKE Proposal - Phase1^Parameter^ |
- | |Negotiation mode|aggressive| | + | |Negotiation mode|aggressive|Negotiation mode|aggressive| |
- | |Encryption algorithm|AES256| | + | |Encryption algorithm|AES256|Encryption algorithm|AES256| |
- | |Authentication algorithm|SHA256| | + | |Authentication algorithm|SHA256|Authentication algorithm|SHA256| |
- | |Diffie-Hellman group|Group14(modp2048)| | + | |Diffie-Hellman group|Group14(modp2048)|Diffie-Hellman group|Group14(modp2048)| |
- | |Pseudo-random function|undefined| | + | |Pseudo-random function|undefined|Pseudo-random function|undefined| |
- | |SA life time|86400 sec| | + | |SA life time|86400 sec|SA life time|86400 sec| |
- | ^IPsec Proposal - Phase2^Parameter^ | + | ^IPsec Proposal - Phase2^Parameter^IPsec Proposal - Phase2^Parameter^ |
- | |Encapsulation mode|Tunnel| | + | |Encapsulation mode|Tunnel|Encapsulation mode|Tunnel| |
- | |IPsec protocol|ESP| | + | |IPsec protocol|ESP|IPsec protocol|ESP| |
- | |Encryption algorithm|AES256| | + | |Encryption algorithm|AES256|Encryption algorithm|AES256| |
- | |Authentication algorithm|SHA256| | + | |Authentication algorithm|SHA256|Authentication algorithm|SHA256| |
- | |SA life time|28800 sec| | + | |SA life time|28800 sec|SA life time|28800 sec| |
- | |Perfect forward secrecy (PFS)| - | | + | |Perfect forward secrecy (PFS)|disable|Perfect forward secrecy (PFS)|disable| |
- | |Force encapsulation|enable| | + | |Force encapsulation|enable|Force encapsulation|enable| |
- | ^Networks^Parameter^ | + | ^Networks^Parameter^Networks^Parameter^ |
- | |Local network|192.168.1.0| | + | |Local network|192.168.1.0|Local network|192.168.2.0| |
- | |Local netmask|24| | + | |Local netmask|24|Local netmask|24| |
- | |Remote network|192.168.2.0| | + | |Remote network|192.168.2.0|Remote network|192.168.1.0| |
- | |Remote netmask|24| | + | |Remote netmask|24|Remote netmask|24| |
+ | |||
+ | All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service. | ||
- | ==== SideB ==== | ||
- | ^Local WAN^Remote WAN^ | ||
- | |10.10.10.2|10.10.10.1| | ||
- | ^General^Parameter^ | ||
- | |Remote peer address|10.10.10.1| | ||
- | ^Dead Peer Detection(DPD)^Parameter^ | ||
- | |Detection cycle|30 sec| | ||
- | |Failure threshold|3| | ||
- | |Action|hold| | ||
- | ^Authentication^Parameter^ | ||
- | |Key exchange|IKEv2| | ||
- | |Authentication type|pre shared key| | ||
- | |PSK|"TopSecret01"| | ||
- | |Local ID type|FQDN| | ||
- | |Local ID|"sideB"| | ||
- | |Peer ID type|FQDN| | ||
- | |Peer ID|"sideA"| | ||
- | ^IKE Proposal - Phase1^Parameter^ | ||
- | |Negotiation mode|aggressive| | ||
- | |Encryption algorithm|AES256| | ||
- | |Authentication algorithm|SHA256| | ||
- | |Diffie-Hellman group|Group14(modp2048)| | ||
- | |Pseudo-random function|undefined| | ||
- | |SA life time|86400 sec| | ||
- | ^IPsec Proposal - Phase2^Parameter^ | ||
- | |Encapsulation mode|Tunnel| | ||
- | |IPsec protocol|ESP| | ||
- | |Encryption algorithm|AES256| | ||
- | |Authentication algorithm|SHA256| | ||
- | |SA life time|28800 sec| | ||
- | |Perfect forward secrecy (PFS)| - | | ||
- | |Force encapsulation|enable| | ||
- | ^Networks^Parameter^ | ||
- | |Local network|192.168.2.0| | ||
- | |Local netmask|24| | ||
- | |Remote network|192.168.1.0| | ||
- | |Remote netmask|24| | ||
- | All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service. | ||
===== Server mode ===== | ===== Server mode ===== |
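Review bot: the Backend column's "Remote peer address" of 0.0.0.0 (the row replacing the old |Remote peer address|10.10.10.2|) changes the example's meaning without saying so: the backend will now accept IKE negotiations from any source address and identify the peer only by the Peer ID "sideA" and the shared PSK, whereas the removed SideB section pinned the peer to 10.10.10.1. State the reason (for example a dynamic WAN address on SideA) or keep 10.10.10.1 for a static-to-static example. Two smaller points in the same table: the "Negotiation mode | aggressive" rows sit under "Key exchange | IKEv2", but main/aggressive is an IKEv1 distinction that does not exist in IKEv2, so the row should either be marked not applicable or the example should state which IKE version it really configures; and "Perfect forward secrecy (PFS) | disable" replaces the old " - ", so a sentence noting that without PFS the Phase 2 keys are derived from the Phase 1 exchange, and that enabling PFS with a DH group is the safer default when both ends support it, would help the reader. Finally, the right-hand "| Peer ID type|FQDN|" cell has a stray leading space, which DokuWiki renders as right alignment.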