Kitz Forum

Chat => Tech Chat => Topic started by: owensit on April 22, 2021, 05:56:39 PM

Title: Firebrick FB2900
Post by: owensit on April 22, 2021, 05:56:39 PM
Hi

We have a Firebrick and unfortunately there are very limited examples on the internet, so hopefully an expert here will be able to guide us.  Consider us novices please.

We want to set up an IPSEC VPN on LAN2 connection of the firebrick.  The other side is a Fortigate and is set up correctly as we have several VPNs running on the Fortigate side.  The Fortigate does not even see the Firebrick (no logs or phase 1).   Is there anyone who can guide us on the correct settings for the firebrick?

AES with authentication
Main Mode
Phase1 AES128 SHA1 G2
Phase 2 AES128 SHA1
IKE Phase 1 Lifetime 28800
IKE Phase 2 Lifetime 3600
Host IP: 51.179.164.188
Host LAN IP: 192.168.100.0/23
Pre-Shared Key: Goblins
Local IP: 146.254.214.77
Local LAN IP: 192.168.50.1/24

The settings we have on the firebrick in order as below are

   <ipsec-ike>
      <connection name="VPN3CX" local-ip="192.168.50.1" peer-ips="52.179.164.188" type="ESP" routes="192.168.100.0/23" auth-method="Secret" peer-auth-method="Secret" secret="Goblins" peer-secret="Goblins" mode="Immediate" blackhole="true" lifetime="8:00:00"/>
      <IKE-proposal name="3CXAUT1" authset="AES-XCBC" cryptset="AES-CBC" PRFset="HMAC-SHA1" DHset="MODP-2048"/>
      <IPsec-proposal name="3CXAUT" authset="AES-XCBC" cryptset="AES-CBC" DHset="MODP-2048"/>
   </ipsec-ike>

   <rule-set name="VPN" target-interface="LAN2" no-match-action="drop">
      <rule name="vpn_a" target-port="500" protocol="50 51" comment="VPN" action="accept"/>
      <rule name="vpn_b" target-port="4500" protocol="50 51" comment="VPN" action="accept"/>
   </rule-set>

   <rule-set name="Firewall: LAN" target-interface="LAN2" no-match-action="reject" comment="Default firewall rule for traffic to LAN">
      <rule name="Allow NAT-PMP/PCP" pcp="true" profile="disabled" comment="NAT-PMP/PCP allow in (example)"/>
      <rule name="Allow from FireBrick" source-interface="WAN"/>
   </rule-set>

Thank you for any help in advance.
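A cross-check of the posted proposal against the Fortigate parameters quoted in the post, added here as an example; it is not code from the post or from FireBrick. It assumes FireBrick spells the SHA1 integrity token "HMAC-SHA1" in authset (as the PRFset attribute does) and maps the Fortigate's "G2" to the standard IKE group 2, the 1024-bit MODP group.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <ipsec-ike> block from the post above, with the
# pre-shared key replaced by a placeholder.  Not a real or complete config.
FIREBRICK_XML = """<ipsec-ike>
  <connection name="VPN3CX" local-ip="192.168.50.1" peer-ips="52.179.164.188"
    type="ESP" routes="192.168.100.0/23" auth-method="Secret"
    peer-auth-method="Secret" secret="PSK-PLACEHOLDER" peer-secret="PSK-PLACEHOLDER"
    mode="Immediate" blackhole="true" lifetime="8:00:00"/>
  <IKE-proposal name="3CXAUT1" authset="AES-XCBC" cryptset="AES-CBC"
    PRFset="HMAC-SHA1" DHset="MODP-2048"/>
  <IPsec-proposal name="3CXAUT" authset="AES-XCBC" cryptset="AES-CBC"
    DHset="MODP-2048"/>
</ipsec-ike>"""

# Standard IKE Diffie-Hellman group numbers and their MODP sizes (RFC 2409 / RFC 3526).
DH_GROUPS = {"G2": "MODP-1024", "G5": "MODP-1536", "G14": "MODP-2048"}

# The Fortigate parameters quoted in the post.  Assumption: the SHA1 integrity
# token in authset is spelled "HMAC-SHA1".  Phase 2 DH (PFS) is not listed
# because the post does not state the Fortigate's phase 2 group.
FORTIGATE = {
    "host_ip": "51.179.164.188",
    "phase1_integrity": "HMAC-SHA1",
    "phase1_dh": DH_GROUPS["G2"],
    "phase2_integrity": "HMAC-SHA1",
}


def check_proposals(xml_text: str, peer: dict) -> list[str]:
    """Return the settings on which the FireBrick side cannot match the peer ([] if none)."""
    root = ET.fromstring(xml_text)
    findings = []
    peer_ips = root.find("connection").get("peer-ips")
    if peer_ips != peer["host_ip"]:
        findings.append(f"peer-ips {peer_ips} differs from quoted host IP {peer['host_ip']}")
    ike = root.find("IKE-proposal")
    if ike.get("authset") != peer["phase1_integrity"]:
        findings.append(f"IKE authset {ike.get('authset')} vs peer {peer['phase1_integrity']}")
    if ike.get("DHset") != peer["phase1_dh"]:
        findings.append(f"IKE DHset {ike.get('DHset')} vs peer {peer['phase1_dh']}")
    esp = root.find("IPsec-proposal")
    if esp.get("authset") != peer["phase2_integrity"]:
        findings.append(f"IPsec authset {esp.get('authset')} vs peer {peer['phase2_integrity']}")
    return findings


if __name__ == "__main__":
    for line in check_proposals(FIREBRICK_XML, FORTIGATE) or ["no mismatches found"]:
        print(line)
```

With the values as posted the check reports four mismatches (peer address, both integrity sets and the phase 1 DH group), which is consistent with the Fortigate never getting past phase 1.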
Title: Re: Firebrick FB2900
Post by: DaveC on April 22, 2021, 09:55:24 PM
I assume you've seen the examples here?

https://support.aa.net.uk/Category:FireBrick_IPsec

Have you also tried enabling the ipsec debugging on the firebrick?

I'm a bit confused by what you're trying to do - is the Firebrick directly connected to the internet (with IP 146.254.214.77  ?) or is it sitting behind another device which is performing NAT?

I also hope those aren't the real passwords in the xml file...
Title: Re: Firebrick FB2900
Post by: Weaver on April 23, 2021, 12:38:54 AM
Welcome to the forum! I too have an FB2900 but I have no experience with IPSEC. Can you try pinging the other end without IPSEC, using the Firebrick’s Ping debugging function? Under the diagnostics menu. Just to sanity-check comms first. You can then apply your firewall rules and check them using the diagnostics: firewall test. That will ensure that your firewall rules make sense in the particular circumstances you’re using them.

Where did you buy your Firebrick from?
Title: Re: Firebrick FB2900
Post by: owensit on April 23, 2021, 04:10:26 PM
Hi

Thank you.  We have looked at the examples and that is how we have managed to get our code.
No, none of these are our valid IP addresses :).
The Fortigate can ping the firebrick and the firebrick can ping the Fortigate

The Firebrick is a bit of an enigma, so it is really hard to decipher how to do the basic things.
We will have a look on how to enable logs on the firebrick over the weekend.

Do the rule-set and rule names have to match something?
I'm guessing we may also be missing the bit that links LAN2 to the ipsec-ike?

When we initially set the brick up, we ran into that issue but could not find any documentation.
We were directed to an IRC chat room which we can't seem to find now and someone gave us the examples that worked.

If we get it working, we will let you know.
Title: Re: Firebrick FB2900
Post by: Weaver on April 23, 2021, 06:34:39 PM
The rule and rule-set names are arbitrary.

When you buy your Brick you get lifetime free support, so if stuck, call your reseller to have a look at your xml config. I got mine from Andrews and Arnold (aa.net.uk) and they gave me an initial config which I then expanded on.