FireBrick IPsec (Road Warrior Howto): Difference between revisions
mNo edit summary |
m (Redirected page to Category:FireBrick IPsec Road Warrior) |
||
(53 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
#REDIRECT [[:Category:FireBrick_IPsec_Road_Warrior]] |
|||
<indicator name="FireBrick Tunnels">[[File:FBimgtunnel.svg|link=:Category:FireBrick_Tunnels|30px|Back up to the Tunnels Category]]</indicator> |
|||
= FireBrick mobile phone IPsec = |
|||
The FireBrick manual goes in to some detail on configuring IPsec. This page contains specific examples for a simple scenario where you have one or more iPhones or Android phones, and a FireBrick in your home or office, and you would like to VPN (using IPsec) to the FireBrick and have an IP address on your LAN. |
|||
In this example we are assuming you can allocate some IP addresses on you LAN. You do this by picking a range of addresses and setting in the <tt>roam-pool</tt> (see below). You need to ensure these do not clash with devices on the LAN and are not in the DHCP ranges that could allocate to the LAN. You would also need to set <tt>proxy-arp</tt> on the LAN interface settings to allow communications to other devices on your LAN. Alternatively you could set private IP addresses in the pool and set the <tt>nat</tt> setting. You should probably also include need to consider firewalling rules for traffic to/from IPsec connections. |
|||
== Tools == |
|||
There are three tools on the FireBrick web site. You can download these (save from browser, or use curl or wget). [http://www.firebrick.co.uk/tools/make-key make-key] creates a private key. [http://www.firebrick.co.uk/tools/make-cert make-cert] makes a certificate (signed with a key). [http://www.firebrick.co.uk/tools/make-profile make-profile] makes an iPhone profile file that allows the VPN to be configured on the iPhone. For security reasons, all of these need you to run them commands locally (e.g. on a linux box, or windows under Cygwin). |
|||
== Certificate Authority == |
|||
Let's start by making a Certificate Authority (CA). This signs certificates, such as the one we load in to the FireBrick end of the link. The CA ends up as being two files - one is the private ''key'' file, which you keep secret. This is what you need to sign things with the CA. The other is the actual certificate file, signed by the key. |
|||
First making the private ''key'' file. We'll calls it <tt>ca-key.pem</tt>. This file should be kept secret. |
|||
<tt>./make-key ca-key.pem</tt> |
|||
Then make a certificate file, and signing using the ''key'' file. We'll call it <tt>ca-cert.pem</tt>. This involves several attributes in the DN (Distinguished name) which mostly don't matter much for your own certificate (/C=Country, /ST=State, /L=Locality, /O=OrganisationName, /CN=CommonName). |
|||
<tt>./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem</tt> |
|||
== FireBrick (server) certificate == |
|||
Here we make a certificate file for the FireBrick itself. This is how the FireBrick proves itself to the phone. Again, there is a ''key'' and a ''cert'' file for this, with both being loaded in to the FireBrick. The ''key'' is what allows the FireBrick to prove itself. The ''cert'' is signed by the CA key, which is how the phone knows to trust the FireBrick. Note the extra <tt>FQDN=</tt> which sets the SubjectAltName. The <tt>FQDN</tt> entry is just a name used to get the right certificate, and should match the <tt>local-id</tt> (prefixed <tt>FQDN:</tt>) in the config so that the FireBrick can work our which certificate to use when negotiating. |
|||
First make a private key, e.g. <tt>server-key.pem</tt> |
|||
<tt>./make-key server-key.pem</tt> |
|||
Then make a certificate, e.g. <tt>server-cert.pem</tt> |
|||
<tt>./make-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=server-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem server-cert.pem</tt> |
|||
== FireBrick Config == |
|||
The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses, each would have a user name and password defined. |
|||
The basic server config is in <tt>ipsec-ike</tt> containing a <tt>connection</tt> and <tt>roaming</tt> entry, e.g. |
|||
<ipsec-ike> |
|||
<connection name="''server''" roaming-pool="''roam-pool''" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:''server.example.com''"/> |
|||
<roaming name="''roam-pool''" ip="''[ranges of LAN IPs]''" DNS="''[DNS, e.g. 8.8.8.8]''"/> |
|||
</ipsec-ike> |
|||
Each roaming user then needs an <tt>eap</tt> user record. |
|||
<tt><eap name="''fred''" full-name="''Fred Bloggs''" password="''[password]''" subsystem="IPsec" methods="MSChapV2"/></tt> |
|||
Load the files <tt>ca-cert.pem</tt>, <tt>server-key.pem</tt>, and <tt>server-cert.pem</tt> in to teh FireBrick certificates. |
|||
== iPhone profile == |
|||
Each iPhone then needs a profile file specific to that user. Once created you can email this, or make a web link to it, and the iPhone will recognise it and allow it to be installed. Let's call it <tt>fred.mobileconfig</tt> for our user called ''fred'' as in the above example config. |
|||
<tt>./make-profile SERVER=''IP-of-server'' LOCALID="''Fred's iPhone''" CA=ca-cert.pem SERVERID=''server.example.com'' USERNAME=''fred'' PROFNAME="''Office VPN''" VPNNAME=FireBrick ''fred''.mobileconfig</tt> |
|||
Note that the SERVERID must match the FQDN entry used when making the server certificate, and hence the local-ID in the config for the connection. |
|||
[[File:Ipsec-iphione.png|none|frame|VPN up on an iPhone]] |
|||
== Android setup == |
|||
We recommend you use the StrongSwan app on Android. The app then needs the CA certificate which you can email yourself and install, and the settings for the host name, user name, password. |
|||
[[Category:FireBrick_Tunnels|IPsec]] |
Latest revision as of 15:39, 30 July 2015
Redirect to: