|
In this example we are assuming you can allocate some IP addresses on you LAN. You do this by picking a range of addresses and setting up a <tt>roaming-pool</tt> (see below). You need to ensure the IP range does not clash with devices on the LAN and is not in the DHCP ranges that could allocate to the LAN. You also need to set <tt>proxy-arp</tt> on the LAN interface settings to allow communications to other devices on your LAN. Alternatively you could set private IP addresses in the pool and set the <tt>nat</tt> setting. You should probably also consider firewalling rules for traffic to/from IPsec connections.
= Creating Certificates =
There are three tools to help with setting up Road Warrior connections on the FireBrick web site. You can download these
by viewing with a browser and saving the source, or using curl or wget. [http://www.firebrick.co.uk/tools/make-key make-key] creates a private key. [http://www.firebrick.co.uk/tools/make-cert make-cert] makes a certificate (signed with a key). [http://www.firebrick.co.uk/tools/make-profile make-profile] makes an iPhone profile file that allows the VPN to be configured on the iPhone. For security reasons, all of these need you to run them locally (e.g. on a linux box, or windows under Cygwin).
== Certificate Authority ==
Let's start by making a Certificate Authority (CA). This signs certificates, such as the one we load in to the FireBrick end of the link. The CA ends up as being two files - one is the private ''key'' file, which you keep secret. This is what you need to sign things with the CA. The other is the actual certificate file, signed by the key.
First make the private ''key'' file for the CA. We'll call it <tt>ca-key.pem</tt>. This file should be kept secret.
./make-key ca-key.pem
Then make a certificate file, and sign it using the ''key'' file. We'll call it <tt>ca-cert.pem</tt>. This involves several attributes in the DN (Distinguished name) which mostly don't matter much for your own certificate (/C=Country, /ST=State, /L=Locality, /O=OrganisationName, /CN=CommonName). Typically you would set just the CommonName, using your home or company name
(eg /CN=Acme Widget CA).
./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem
== FireBrick (server) certificate ==
Next we make a certificate file for the FireBrick itself. This is how the FireBrick proves itself to the client device. Again, there is a ''key'' and a ''cert'' file for this, with both being loaded in to the FireBrick. The ''key'' is what allows the FireBrick to prove itself. The ''cert'' is signed by the CA key, which is how the remote devices know to trust the FireBrick. Note the extra <tt>FQDN=</tt> which sets the SubjectAltName. The <tt>FQDN</tt> entry is just a name used to get the right certificate, and should match the <tt>local-id</tt> (prefixed <tt>FQDN:</tt>) in the config so that the FireBrick can work our which certificate to use when negotiating, and the client can check the certificate matches the server.
First make a private key, e.g. <tt>server-key.pem</tt>
./make-key server-key.pem
Then make a certificate, e.g. <tt>server-cert.pem</tt>
./make-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=server-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem server-cert.pem
== FireBrick Certificate Config ==
The FireBrick needs copies of the CA certificate and the server certificate and private key.
Load these files - <tt>ca-cert.pem</tt>, <tt>server-key.pem</tt>, and <tt>server-cert.pem</tt> - using the FireBrick
X.509 certificate and key management UI page (Config Certificates).
The private key associated with the CA certificate <tt>ca-key.pem</tt> is no longer needed once it has been used to sign
the server certificate. It is a good idea to store this file in a safe place (eg on a memory stick in a secure location), and
remove it from any networked machine. It can of course be retrieved and reused if you wish to make further server
certificates using the same CA certificate.
==Summary of Certificates==
Once you've run the commands above to create the certificates, you'll end up with five files as follows:
{| class="wikitable"
|+Summary of what to do with the Certificate files
|-
! File !! Description !! Where to place
|-
| ca-key.pem || Private 'Company' Certificate Authority (CA) key, This signs other certificates || Store in a safe place off net
|-
| ca-cert.pem || 'Company' Certificate Authority Certificate file, signed by the Private key above || Upload to FireBrick
|-
| ca-cert.srl || ||
|-
| server-cert.pem || FireBrick 'Server' Certificate, signed by the CA key which means devices know to trust the FireBrick.|| Upload to FireBrick
|-
| server-key.pem || FireBrick 'Server' Key, allows the FireBrick to prove itself to devices. || Upload to FireBrick
|}
On the FireBrick, you should have a set of certificates such as:
[[File:FireBrick-IPsec-Certificates.png|frame|none|Certificates on the FireBrick]]
= FireBrick IPsec config =
| 