This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
'''Think about the NAT'''
A problem arises, however, when the LAN subnet is non-routable (RFC1918 IPs, e.g.
In this case the LAN subnet is usually marked NAT in the FB config,
so LAN devices can communicate externally (obviously for outgoing
==Overview==
In this example we are assuming you can allocate some IP addresses on
The FireBrick needs configuration for the connection, for the roaming pool and for the user identities. One connection can serve any number of devices at once, all drawing addresses from the same pool; each device has its own user name and password.
<syntaxhighlight lang=xml>
<ipsec-ike force-NAT="0.0.0.0/0">
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs, inc IPv6]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
</syntaxhighlight>
Note: <tt>force-NAT="0.0.0.0/0"</tt> forces keep-alives, which are needed when there is NAT between the endpoints and which also help where stateful firewalls sit on the route (without this set you may find the IPsec tunnel drops every hour or so).
Each roaming user then needs an <tt>eap</tt> user record, which goes with any other user entries near the top of the config. The user name in that record is what the client sends as its identity, so it must match what is configured on the device.
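As an added illustration (not config from the original page), here is what one such user record looks like alongside the connection above. The attribute names <tt>password</tt>, <tt>subsystem</tt> and <tt>methods</tt> are assumed from the FireBrick configuration schema, and the user name and password are placeholders to be replaced:

```xml
<!-- Added example, not from the original page: one EAP user for the roaming connection. -->
<!-- Assumed attribute names: password, subsystem, methods. Values are placeholders. -->
<eap name="alice-laptop" password="CHANGE-ME-long-random-passphrase" subsystem="IPsec" methods="MSChapV2"/>
<eap name="alice-phone"  password="CHANGE-ME-another-passphrase"     subsystem="IPsec" methods="MSChapV2"/>

<ipsec-ike force-NAT="0.0.0.0/0">
  <connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
  <roaming name="roam-pool" ip="[ranges of LAN IPs, inc IPv6]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
```

Giving each device its own record, rather than sharing one password between devices, means a lost phone can be cut off by deleting a single <tt>eap</tt> entry without re-keying every other device.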