VPN: IPsec - add example (23.1)

AdSchellevis · AdSchellevis · commit 19310b18bdf9 · 2022-12-22T18:35:25.000+01:00
diff --git a/source/manual/how-tos/ipsec-s2s-conn-route.rst b/source/manual/how-tos/ipsec-s2s-conn-route.rst
@@ -1,5 +1,5 @@
 ====================================
-IPsec VTI - Route based PSK setup
+IPsec - Route based (VTI) PSK setup
 ====================================
 
 This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in routed mode
@@ -44,7 +44,7 @@ to peer both firewalls. We will create a tunnel network using :code:`192.168.123
 
 
 --------------------------------
-Preperations
+Preparations
 --------------------------------
 
 .....................
@@ -91,8 +91,8 @@ Property                site A              site B
 ======================= =================== ===================
 Name                    IPSEC10_GW          IPSEC10_GW
 Interface               IPSEC10             IPSEC10
-Address Family	        IPv4                IPv4
-IP address	            **192.168.123.2**   **192.168.123.1**
+Address Family          IPv4                IPv4
+IP address              **192.168.123.2**   **192.168.123.1**
 ======================= =================== ===================
 
 
@@ -114,6 +114,12 @@ Gateway                 IPSEC10_GW          IPSEC10_GW
 ======================= =================== ===================
 
 
+.....................
+Enable IPsec
+.....................
+
+Before configuring the connections, we enable the IPsec module. Just mark the "enable" checkbox on the connections tab.
+
 --------------------------------
 Setting up the IPsec connection
 --------------------------------
diff --git a/source/manual/how-tos/ipsec-s2s-conn.rst b/source/manual/how-tos/ipsec-s2s-conn.rst
@@ -0,0 +1,159 @@
+========================================
+IPsec - Policy based public key setup
+========================================
+
+This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode
+between two OPNsense machines using key pairs.
+
+.. contents:: Index
+
+--------------------------------
+Network topology
+--------------------------------
+
+The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
+to peer both firewalls.
+
+.. nwdiag::
+  :scale: 100%
+
+    nwdiag {
+
+      span_width = 90;
+      node_width = 180;
+      network A {
+          address = "10.1.0.0/24";
+          pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"];
+          fwa [shape = "cisco.firewall", address="10.1.0.1/24"];
+      }
+      network Ext {
+          address = "10.10.1.0/24";
+          label = "Ext";
+          fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
+          fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
+      }
+      network B {
+          address = "192.168.1.0/24"
+          fwb [shape = "cisco.firewall", address="192.168.1.20"];
+          pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
+      }
+
+
+    }
+
+
+--------------------------------
+Preparations
+--------------------------------
+
+Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec
+module is enabled on the Connections tab and Key pairs are registered for both hosts.
+
+..................................
+Key pairs
+..................................
+
+Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
+from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
+
+
+--------------------------------
+Setting up the IPsec connection
+--------------------------------
+
+In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
+a new entry.
+
+
+.....................
+General settings
+.....................
+
+Side by side the following general settings need to be set in this case, which configures the first part of the security association between
+both sites:
+
+===============================================================
+
+======================= =================== ===================
+Property                site A              site B
+======================= =================== ===================
+Local addresses         **10.10.1.1**       **10.10.1.2**
+Remote addresses        **10.10.1.2**       **10.10.1.1**
+======================= =================== ===================
+
+Press <save> to go to the next step.
+
+.. Note::
+
+    One may omit the local address if any address may be used to initiate the connection from, other valid options
+    are also mentioned in the help text of the attribute.
+
+
+.....................
+Authentication
+.....................
+
+Next we will need to add local authentication (add a new record in the local grid):
+
+===============================================================
+
+======================= =================== ===================
+Property                site A              site B
+======================= =================== ===================
+Authentication          Public Key          Public Key
+Id                      **hostA**           **hostB**
+Public Keys             **hostA-key**       **hostB-key**
+======================= =================== ===================
+
+Then we need to set Pre-Shared Key for remote authentication as well:
+
+===============================================================
+
+======================= =================== ===================
+Property                site A              site B
+======================= =================== ===================
+Authentication          Public Key          Public Key
+Id                      **hostB**           **hostA**
+Public Keys             **hostB-key**       **hostA-key**
+======================= =================== ===================
+
+
+.. Note::
+
+    On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
+
+
+.....................
+Children
+.....................
+
+Finally we may add a child which will add security policies and kernel routes.
+
+
+======================= =================== ===================
+Property                site A              site B
+======================= =================== ===================
+Mode                    Tunnel              Tunnel
+Policies                [checked]           [checked]
+Local                   **192.168.1.0/24**  **10.0.1.0/24**
+Remote                  **10.0.1.0/24**     **192.168.1.0/24**
+======================= =================== ===================
+
+.....................
+Save and apply
+.....................
+
+Finally save the settings and hit apply on the connections page to establish the tunnel.
+
+--------------------------------
+Validate
+--------------------------------
+
+Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
+
+--------------------------------
+Install firewall policies
+--------------------------------
+
+With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
+menu option.
diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst
@@ -228,6 +228,7 @@ New > 23.1 (:menuselection:`VPN -> IPsec -> Connections`)
    :maxdepth: 2
    :titlesonly:
 
+   how-tos/ipsec-s2s-conn
    how-tos/ipsec-s2s-conn-route
 
 
