
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior FireBrick Config: Difference between revisions

Content deleted Content added
Reedy (talk | contribs)
AA-James (talk | contribs)
No edit summary
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick_IPsec_Road_Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick IPsec Road Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
= FireBrick IPsec config =
= FireBrick IPsec config =


Line 9: Line 9:


Choose an IP range not used anywhere else in your FB config
Choose an IP range not used anywhere else in your FB config
(and to avoid confusion choose something non-routable eg from 10...)
(and to avoid confusion choose something non-routable e.g. from 10...)
Set the NAT flag on the ipsec roaming pool definition.
Set the NAT flag on the ipsec roaming pool definition.


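Review bot: the range hint `(and to avoid confusion choose something non-routable e.g. from 10...)` is still vague after the `eg` to `e.g.` fix; spell out the block, e.g. `from the RFC1918 range 10.0.0.0/8`, and say explicitly that the pool must not overlap the LAN subnet or any other range routed on the FireBrick, since the preceding line only says "not used anywhere else in your FB config".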
Line 36: Line 36:
'''Think about the NAT'''
'''Think about the NAT'''


A problem arises however when the LAN subnet is non-routable (RFC1918 IPs, eg 1923.168.x.x).
A problem arises however when the LAN subnet is non-routable (RFC1918 IPs, e.g. 192.168.x.x).
In this case the LAN subnet is usually marked NAT in the FB config,
In this case the LAN subnet is usually marked NAT in the FB config,
so LAN devices can communicate externally (obviously for outgoing
so LAN devices can communicate externally (obviously for outgoing
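Review bot: the `1923.168.x.x` to `192.168.x.x` correction is right (the old value was not a valid address). Since the pool-selection advice earlier on the page points readers at 10.x, consider listing the other RFC1918 blocks here too (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) so readers recognise all three as the "non-routable" case this section is about.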
Line 48: Line 48:
on the LAN and destined off-LAN).
on the LAN and destined off-LAN).


This is overcome, either, by using mapping rules, or by disabling NAT on the LAN subnet and instead enabling NAT on the external internet connection, eg in most cases this would be the PPP connection.
This is overcome, either, by using mapping rules, or by disabling NAT on the LAN subnet and instead enabling NAT on the external internet connection, e.g. in most cases this would be the PPP connection.


==Overview==
==Overview==
In this example we are assuming you can allocate some IP addresses on you LAN. You do this by picking a range of addresses and setting up a roaming-pool (see below). You need to ensure the IP range does not clash with devices on the LAN and is not in the DHCP ranges that could allocate to the LAN.
In this example we are assuming you can allocate some IP addresses on your LAN. You do this by picking a range of addresses and setting up a roaming-pool (see below). You need to ensure the IP range does not clash with devices on the LAN and is not in the DHCP ranges that could allocate to the LAN.


The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses; each would have a user name and password defined.
The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses; each would have a user name and password defined.
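Review bot: the sentence `This is overcome, either, by using mapping rules, or by disabling NAT on the LAN subnet ...` still reads awkwardly after the `e.g.` fix; suggest `This is overcome either by using mapping rules, or by disabling NAT on the LAN subnet and instead enabling NAT on the external internet connection (in most cases the PPP connection).` The point itself is sound as the surrounding text implies: with NAT on the external connection rather than on the LAN subnet, LAN-to-internet traffic is still translated while traffic between the LAN and the roaming pool is not. The `you LAN` to `your LAN` fix in the Overview is fine.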
Line 63: Line 63:


<syntaxhighlight lang=xml>
<syntaxhighlight lang=xml>
<ipsec-ike>
<ipsec-ike force-NAT="0.0.0.0/0">
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs]" DNS="[DNS, e.g. 8.8.8.8]"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs, inc IPv6]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
</ipsec-ike>
</syntaxhighlight>
</syntaxhighlight>


Note: the <tt>force-NAT="0.0.0.0/0"</tt> forces keep-alives which are needed when NAT is involved between the endpoints but and also helps where stateful firewalls are in the route too. (without this set, you may find that the ipsec tunnel drops every hour or so)
Each roaming user then needs an <tt>eap</tt> user record.

Each roaming user then needs an <tt>eap</tt> user record. This goes with any user entries near the top of the config.


<syntaxhighlight lang=xml>
<syntaxhighlight lang=xml>
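Review bot: grammar in the new note: `but and also helps` should read `and also helps`, and the trailing parenthetical should be a proper sentence, `(Without this set, you may find that the IPsec tunnel drops every hour or so.)`. Two further points on the config hunk: `force-NAT="0.0.0.0/0"` matches every peer, so the note should say this is deliberate and applies to all roaming clients, not only those behind NAT; and the roaming pool's `DNS="[DNS, e.g. 8.8.8.8]"` placeholder sends the remote clients' DNS queries to a third-party resolver, whereas the page later recommends allowing the IPsec clients in the FireBrick's own DNS service, so the example could point at the FireBrick's LAN address instead. Moving the `Each roaming user then needs an <tt>eap</tt> user record.` sentence below the note and adding where the record lives in the config is a clear improvement.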
Line 76: Line 78:


Here is how the above three config sections look in the User Interface (UI):
Here is how the above three config sections look in the User Interface (UI):
<gallery widths=250px caption="FireBrick SCreenshots">
<gallery widths=250px caption="FireBrick Screenshots">
FireBrick-IPsec-IKESettings.png|IKE Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE connection)
FireBrick-IPsec-IKESettings.png|IKE Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE connection)
FireBrick-IPsec-RoamingPool.png|Roaming Pool Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE roaming IP pools
FireBrick-IPsec-RoamingPool.png|Roaming Pool Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE roaming IP pools
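Review bot: the roaming-pool caption `(Config - Edit - Tunnels - IPsec - Add, IKE roaming IP pools` is missing its closing bracket in both revisions; suggest `... IKE roaming IP pools)` to match the IKE Settings caption above it. The `SCreenshots` to `Screenshots` fix is fine.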
Line 105: Line 107:
*Editing the DNS Service to allow non-local users, we'd recommend using an Allow list that includes the IPsec clients as well as the LAN clients if they are to also use the FireBrick as their DNS resolver. (Setup - General System Services - DNS)
*Editing the DNS Service to allow non-local users, we'd recommend using an Allow list that includes the IPsec clients as well as the LAN clients if they are to also use the FireBrick as their DNS resolver. (Setup - General System Services - DNS)


[[Category:FireBrick_IPsec_Road_Warrior|FireBrick Config]]
[[Category:FireBrick IPsec Road Warrior|FireBrick Config]]