2
0
mirror of https://github.com/opnsense/docs synced 2024-11-17 03:25:33 +00:00
opensense-docs/source/manual/how-tos/ipsec-s2s-conn.rst
2022-12-22 18:35:25 +01:00

160 lines
5.3 KiB
ReStructuredText

========================================
IPsec - Policy based public key setup
========================================
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode
between two OPNsense machines using key pairs.
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
to peer both firewalls.
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "10.1.0.0/24";
pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.1.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.1.0/24"
fwb [shape = "cisco.firewall", address="192.168.1.20"];
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec
module is enabled on the Connections tab and Key pairs are registered for both hosts.
..................................
Key pairs
..................................
Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
--------------------------------
Setting up the IPsec connection
--------------------------------
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
a new entry.
.....................
General settings
.....................
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
both sites:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Local addresses **10.10.1.1** **10.10.1.2**
Remote addresses **10.10.1.2** **10.10.1.1**
======================= =================== ===================
Press <save> to go to the next step.
.. Note::
One may omit the local address if any address may be used to initiate the connection from, other valid options
are also mentioned in the help text of the attribute.
.....................
Authentication
.....................
Next we will need to add local authentication (add a new record in the local grid):
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostA** **hostB**
Public Keys **hostA-key** **hostB-key**
======================= =================== ===================
Then we need to set Pre-Shared Key for remote authentication as well:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostB** **hostA**
Public Keys **hostB-key** **hostA-key**
======================= =================== ===================
.. Note::
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
.....................
Children
.....................
Finally we may add a child which will add security policies and kernel routes.
======================= =================== ===================
Property site A site B
======================= =================== ===================
Mode Tunnel Tunnel
Policies [checked] [checked]
Local **192.168.1.0/24** **10.0.1.0/24**
Remote **10.0.1.0/24** **192.168.1.0/24**
======================= =================== ===================
.....................
Save and apply
.....................
Finally save the settings and hit apply on the connections page to establish the tunnel.
--------------------------------
Validate
--------------------------------
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
--------------------------------
Install firewall policies
--------------------------------
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
menu option.