mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

VPN: IPsec - add example (23.1)

This commit is contained in:
Ad Schellevis 2022-12-22 18:35:25 +01:00
parent ac814e6b56
commit 19310b18bd
3 changed files with 170 additions and 4 deletions

View File

@ -1,5 +1,5 @@
====================================
IPsec VTI - Route based PSK setup
IPsec - Route based (VTI) PSK setup
====================================
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in routed mode
@ -44,7 +44,7 @@ to peer both firewalls. We will create a tunnel network using :code:`192.168.123
--------------------------------
Preperations
Preparations
--------------------------------
.....................
@ -114,6 +114,12 @@ Gateway IPSEC10_GW IPSEC10_GW
======================= =================== ===================
.....................
Enable IPsec
.....................
Before configuring the connections, we enable the IPsec module. Just mark the "enable" checkbox on the connections tab.
--------------------------------
Setting up the IPsec connection
--------------------------------

View File

@ -0,0 +1,159 @@
========================================
IPsec - Policy based public key setup
========================================
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode
between two OPNsense machines using key pairs.
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
to peer both firewalls.
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "10.1.0.0/24";
pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.1.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.1.0/24"
fwb [shape = "cisco.firewall", address="192.168.1.20"];
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec
module is enabled on the Connections tab and Key pairs are registered for both hosts.
..................................
Key pairs
..................................
Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
--------------------------------
Setting up the IPsec connection
--------------------------------
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
a new entry.
.....................
General settings
.....................
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
both sites:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Local addresses **10.10.1.1** **10.10.1.2**
Remote addresses **10.10.1.2** **10.10.1.1**
======================= =================== ===================
Press <save> to go to the next step.
.. Note::
One may omit the local address if any address may be used to initiate the connection from, other valid options
are also mentioned in the help text of the attribute.
.....................
Authentication
.....................
Next we will need to add local authentication (add a new record in the local grid):
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostA** **hostB**
Public Keys **hostA-key** **hostB-key**
======================= =================== ===================
Then we need to set Pre-Shared Key for remote authentication as well:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostB** **hostA**
Public Keys **hostB-key** **hostA-key**
======================= =================== ===================
.. Note::
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
.....................
Children
.....................
Finally we may add a child which will add security policies and kernel routes.
======================= =================== ===================
Property site A site B
======================= =================== ===================
Mode Tunnel Tunnel
Policies [checked] [checked]
Local **192.168.1.0/24** **10.0.1.0/24**
Remote **10.0.1.0/24** **192.168.1.0/24**
======================= =================== ===================
.....................
Save and apply
.....................
Finally save the settings and hit apply on the connections page to establish the tunnel.
--------------------------------
Validate
--------------------------------
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
--------------------------------
Install firewall policies
--------------------------------
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
menu option.
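Review bot: the Children table at the end of the new page does not match the topology the page describes. The nwdiag block gives Site A the network 10.1.0.0/24 and Site B 192.168.1.0/24, but the table lists **192.168.1.0/24** as site A's Local and **10.0.1.0/24** (not 10.1.0.0/24) as site B's Local, so a reader following it verbatim installs policies for the wrong subnets on both ends; swap the Local/Remote columns and use 10.1.0.0/24. The sentence introducing the second authentication table, "Then we need to set Pre-Shared Key for remote authentication as well:", still refers to a PSK although the table configures Public Key authentication with the peer's key (hostB-key on site A, hostA-key on site B); it reads as carried over from the PSK page and should say that the remote entry references only the peer's public key, as the Note under the table already explains. Smaller points: in the nwdiag block `address = "192.168.1.0/24"` lacks the trailing semicolon the other address lines have, and fwb's address 192.168.1.20 is identical to PC Site B's address; the stray `===============================================================` line placed before three of the tables is not part of reStructuredText simple-table syntax and will break rendering; and "vise versa", "oposite" and "Now can check ... on both side" should read "vice versa", "opposite" and "Now we can check ... on both sides".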

View File

@ -228,6 +228,7 @@ New > 23.1 (:menuselection:`VPN -> IPsec -> Connections`)
:maxdepth: 2
:titlesonly:
how-tos/ipsec-s2s-conn
how-tos/ipsec-s2s-conn-route
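Review bot: the toctree hunk adds a single entry, but the diff does not show the filename of the new page created in this commit; confirm that the entry added here (how-tos/ipsec-s2s-conn or how-tos/ipsec-s2s-conn-route) matches that file's name so the policy-based public key example is actually reachable from the index and the renamed route-based page keeps its existing link.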