diff --git a/source/manual/how-tos/ipsec-s2s-conn-route.rst b/source/manual/how-tos/ipsec-s2s-conn-route.rst index cb2d83e..0db6aec 100644 --- a/source/manual/how-tos/ipsec-s2s-conn-route.rst +++ b/source/manual/how-tos/ipsec-s2s-conn-route.rst @@ -1,5 +1,5 @@ ==================================== -IPsec VTI - Route based PSK setup +IPsec - Route based (VTI) PSK setup ==================================== This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in routed mode @@ -44,7 +44,7 @@ to peer both firewalls. We will create a tunnel network using :code:`192.168.123 -------------------------------- -Preperations +Preparations -------------------------------- ..................... @@ -91,8 +91,8 @@ Property site A site B ======================= =================== =================== Name IPSEC10_GW IPSEC10_GW Interface IPSEC10 IPSEC10 -Address Family IPv4 IPv4 -IP address **192.168.123.2** **192.168.123.1** +Address Family IPv4 IPv4 +IP address **192.168.123.2** **192.168.123.1** ======================= =================== =================== @@ -114,6 +114,12 @@ Gateway IPSEC10_GW IPSEC10_GW ======================= =================== =================== +..................... +Enable IPsec +..................... + +Before configuring the connections, we enable the IPsec module. Just mark the "enable" checkbox on the connections tab. + -------------------------------- Setting up the IPsec connection -------------------------------- diff --git a/source/manual/how-tos/ipsec-s2s-conn.rst b/source/manual/how-tos/ipsec-s2s-conn.rst new file mode 100644 index 0000000..99bc59b --- /dev/null +++ b/source/manual/how-tos/ipsec-s2s-conn.rst 
@@ -0,0 +1,159 @@ +======================================== +IPsec - Policy based public key setup +======================================== + +This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode +between two OPNsense machines using key pairs. + +.. contents:: Index + +-------------------------------- +Network topology +-------------------------------- + +The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24) +to peer both firewalls. + +.. nwdiag:: + :scale: 100% + + nwdiag { + + span_width = 90; + node_width = 180; + network A { + address = "10.1.0.0/24"; + pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"]; + fwa [shape = "cisco.firewall", address="10.1.0.1/24"]; + } + network Ext { + address = "10.10.1.0/24"; + label = "Ext"; + fwa [shape = "cisco.firewall", address="10.10.1.1/24"]; + fwb [shape = "cisco.firewall", address="10.10.1.2/24"]; + } + network B { + address = "192.168.1.0/24" + fwb [shape = "cisco.firewall", address="192.168.1.20"]; + pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"]; + } + + + } + + +-------------------------------- +Preparations +-------------------------------- + +Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec +module is enabled on the Connections tab and Key pairs are registered for both hosts. + +.................................. +Key pairs +.................................. + +Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part +from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field. 
+ + +-------------------------------- +Setting up the IPsec connection +-------------------------------- + +In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add +a new entry. + + +..................... +General settings +..................... + +Side by side the following general settings need to be set in this case, which configures the first part of the security association between +both sites: + +=============================================================== + +======================= =================== =================== +Property site A site B +======================= =================== =================== +Local addresses **10.10.1.1** **10.10.1.2** +Remote addresses **10.10.1.2** **10.10.1.1** +======================= =================== =================== + +Press to go to the next step. + +.. Note:: + + One may omit the local address if any address may be used to initiate the connection from, other valid options + are also mentioned in the help text of the attribute. + + +..................... +Authentication +..................... 
+ +Next we will need to add local authentication (add a new record in the local grid): + +=============================================================== + +======================= =================== =================== +Property site A site B +======================= =================== =================== +Authentication Public Key Public Key +Id **hostA** **hostB** +Public Keys **hostA-key** **hostB-key** +======================= =================== =================== + +Then we need to set Pre-Shared Key for remote authentication as well: + +=============================================================== + +======================= =================== =================== +Property site A site B +======================= =================== =================== +Authentication Public Key Public Key +Id **hostB** **hostA** +Public Keys **hostB-key** **hostA-key** +======================= =================== =================== + + +.. Note:: + + On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite. + + +..................... +Children +..................... + +Finally we may add a child which will add security policies and kernel routes. + + +======================= =================== =================== +Property site A site B +======================= =================== =================== +Mode Tunnel Tunnel +Policies [checked] [checked] +Local **192.168.1.0/24** **10.0.1.0/24** +Remote **10.0.1.0/24** **192.168.1.0/24** +======================= =================== =================== + +..................... +Save and apply +..................... + +Finally save the settings and hit apply on the connections page to establish the tunnel. 
+ +-------------------------------- +Validate +-------------------------------- + +Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview` + +-------------------------------- +Install firewall policies +-------------------------------- + +With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec` +menu option. diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 68a005b..99c38d0 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -228,6 +228,7 @@ New > 23.1 (:menuselection:`VPN -> IPsec -> Connections`) :maxdepth: 2 :titlesonly: + how-tos/ipsec-s2s-conn how-tos/ipsec-s2s-conn-route
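Review bot: in the new ipsec-s2s-conn.rst the Children table does not match the network topology section of the same file: the diagram defines site A as 10.1.0.0/24 and site B as 192.168.1.0/24, yet the table gives site A "Local **192.168.1.0/24**" and "Remote **10.0.1.0/24**" (and the mirror for site B), so the local and remote networks are reversed per site and 10.0.1.0/24 is a transposition of 10.1.0.0/24; since these values become the installed security policies, the table should be corrected to the diagram's prefixes with each site's own LAN as Local. In the Authentication section the sentence "Then we need to set Pre-Shared Key for remote authentication as well:" is carried over from the PSK how-to and contradicts the table beneath it, which uses Public Key; please change it to say public key. In the nwdiag block, `address = "192.168.1.0/24"` is the only attribute line without a trailing semicolon, and `fwb [shape = "cisco.firewall", address="192.168.1.20"];` reuses the PC's address ("PC Site B\n192.168.1.20") and omits the /24 mask that the other firewall interfaces carry; give the site B firewall its own address in the same form as site A. Minor wording: "Press to go to the next step." is missing the name of the button, "vise versa" should be "vice versa", "oposite" should be "opposite", and "Now can check if the tunnel is active on both side" should read "Now we can check if the tunnel is active on both sides".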