FireBrick Road Warrior OSX: Difference between revisions

From AAISP Support Site
Latest revision as of 13:35, 9 October 2023


It is possible to connect a modern Apple Mac with OSX to a FireBrick over IPsec with IKEv2 and EAP.

OSX versions 10.11 El Capitan, and newer

  • If you have El Capitan or newer, then the built-in VPN connection settings should just work.
  • If you're not using Let's Encrypt then you will still need to install the Certificate as below.
  • You can skip the StrongSwan parts below and just use the Network Settings to add a VPN IKEv2 connection.

Create the VPN Connection

[Screenshot: Settings screen]
  1. Go to Apple Menu - System Preferences
  2. Go to Network
  3. Click the + Icon on the bottom/left, and choose:
    • Interface: VPN
    • VPN Type: IKEv2
    • Service Name: e.g. 'FireBrick' or 'Office'
  4. On the next window fill in the information:
    • Server Address: Hostname or IP of your FireBrick. e.g.: server.example.com
    • Remote ID: The 'FQDN' of the FireBrick as set when you created the Certificate (usually the full hostname of the FireBrick), e.g.: server.example.com
    • Local ID - leave empty
  5. In the Authentication Settings:
    • Username: your EAP Username as set on the FireBrick, e.g. fred
    • Password: your EAP Password as set on the FireBrick
  6. May as well tick 'Show VPN status in menu bar' as you'll then be able to connect etc. from the menu in your top bar


The details below are only useful if you have a very old Mac, or if you need to install the certificate because you're not using Let's Encrypt.

Non-Let's Encrypt Certificates

Getting the CA from the FireBrick

(This is not needed if you are using Let's Encrypt, which is strongly recommended)

Note: this guide doesn't go into actual configuration of the FireBrick to be an endpoint, merely how to connect your Mac client to it. Therefore, it is assumed the certificate already exists on the FireBrick. It may also be that this is emailed to you by whoever maintains your FireBrick, in which case skip this step.

  1. Log into the FireBrick.
  2. Click on the Config menu in the bar on the left.
  3. Click on the Certificates menu beneath that.
  4. You should be presented with a list of certificates installed. Each line will look approximately as follows: [Screenshot: FB2700 Certificate management page]
  5. At the right-hand end of the row corresponding to the certificate you wish to download, click on the PEM link.

Installing the CA certificate into OSX

(This is not needed if you are using Let's Encrypt)

  1. Go to: Applications - Utilities - Keychain Access
  2. In the top/left area named 'Keychains', click on System
  3. In the bottom/left area named 'Category', click on Certificates
  4. Go to: File - Import Items
  5. Select the file you've downloaded, e.g. ca-cert.pem
  6. Review the certificate and then select Always Trust; you may be asked to confirm your Apple user password.
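Selecting Always Trust in the System keychain makes the FireBrick's CA trusted by everything on the Mac, so it is worth confirming that the ca-cert.pem you downloaded (or were e-mailed) is the one the FireBrick actually holds before importing it. The script below is an added example, not part of the AAISP page or of the FireBrick or strongSwan software: it extracts the DER body from the PEM file, rejects files that are not exactly one CERTIFICATE block, and prints the SHA-256 fingerprint in the same colon-separated form as `openssl x509 -noout -fingerprint -sha256`, so it can be compared with the value quoted by whoever maintains the FireBrick. The SAMPLE_PEM is constructed dummy data, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: the base64 body is NOT a real certificate, just 16 bytes
# wrapped in PEM armour so the parsing and fingerprinting can be run offline.
# Replace it with the ca-cert.pem downloaded from the FireBrick.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODw==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the single CERTIFICATE block in `pem`.

    Refuses files with no block, more than one block, or a block of another
    type (for example a PRIVATE KEY exported by mistake), since any of those
    means you are not looking at the one CA certificate you expect.
    """
    blocks = _PEM_BLOCK.findall(pem)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, found {label}")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(body.split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, formatted AB:CD:... like openssl does."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_fingerprint(pem: str, expected: str) -> bool:
    """Compare ignoring case, colons and whitespace, so a value pasted from
    an e-mail or read out over the phone still matches."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(sha256_fingerprint(pem)) == norm(expected)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            pem = f.read()
    else:
        pem = SAMPLE_PEM
    print("SHA256 Fingerprint=" + sha256_fingerprint(pem))
```

Run it as `python3 check_ca.py ca-cert.pem` and compare the printed line with the fingerprint the FireBrick's maintainer gives you; only import the certificate into Keychain Access once they match.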

OSX version 10.10,'Yosemite' and earlier (Legacy information)

For versions 10.10 and earlier you'll need to use the strongSwan program. You will still need to install the CA certificate as above.

Downloading & installing the StrongSwan Native Client

Usually on OSX, you can simply use the built in VPN settings as above.

Visit the download site and download the latest binary. At the time of writing the latest version was strongswan-5.3.2-1.app.zip. Allow the machine to unarchive it; usually by selecting the "Open with Archive Utility" option. This will deposit the StrongSwan.app into your downloads directory. Drag the app from the downloads directory into your Applications folder. This completes installation of the StrongSwan Client.

Configure strongSwan

Run strong swan by either:

  1. Go to Applications and click on the strongSwan icon
  2. Use the 'Spotlight' search tool near the clock to search for strongSwan


You'll then have a swan icon in your clock tool bar at the top (it actually looks like a Dalek!) (Screenshot below)

  1. Click Add Connection (Screenshot below)
    1. Name: e.g. FireBrick (Screenshot below)
    2. Authentication IKEv2 EAP
    3. Server address: IP or Name of your FireBrick, e.g. server.example.com
    4. Click OK

Connect!

  1. Click on the strongSwan (Dalek) icon once more,
  2. Click your connection name then connect.
  3. The first time, you may be asked to install a 'Helper' application for Strong Swan, your computer password will be required
  4. You'll be prompted for the password, this is the one as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password)

Error: Unsupported integrity algorithm

There is one "gotcha" with strongSwan on a Mac though: it may negotiate an integrity algorithm for the data connection which OS X doesn't support, and the FireBrick will then log something like:

failed to create ESP context: unsupported integrity algorithm AES_XCBC_96

This is really a bug in the way the strongSwan app was built: it shouldn't negotiate the AES_XCBC_96 integrity algorithm if the underlying OS can't do it (and as of July 2015, OSX can't). However, the easy workaround is to set up an ipsec-proposal on the FireBrick that avoids it:

  1. On the FB config editor create a 'Proposals for IPsec AH/ESP security association'.
  2. Give it a name, and set, for example, HMAC-SHA1 for authset.
  3. Then, back in the 'IPsec IKE connection settings' select the new Proposal in the 'ipsec-proposals' drop down.

Here is example config for this:

<IPsec-proposal name="custom" authset="HMAC-SHA1"/>