FireBrick Road Warrior Certificate Authentication: Difference between revisions
Latest revision as of 23:56, 17 August 2018
It is possible to use client certificate authentication instead of EAP users. Some may prefer this because no EAP password is then stored in, or readable from, the FireBrick's configuration: the client proves its identity with a private key that stays on the device.
This page is a work-in-progress and is not currently complete.
Step 1 - Generating Certificates
Creating Certificates
Follow the guidance at FireBrick Road Warrior Certificates to generate the usual set of certificates required for Road Warrior.
Generate a Client Key
Using the make-key script you used during the previous steps to generate your certificates, you will need to generate a Client Key for your device.
./make-key client-key.pem
Generate the Client Certificate
Using a tool such as wget, download the make-client-cert script. This is a modified version of the make-cert script with extended=extendedKeyUsage=serverAuth changed to extended=extendedKeyUsage=clientAuth, so that the certificate it generates is marked for client authentication rather than server authentication.
wget http://www.firebrick.co.uk/tools/make-client-cert
Once downloaded, run the script to generate your client certificate, remembering to change the FQDN to the one you are using for your FireBrick. The DN and FQDN given here become the identity carried in the client certificate, which is the identity the device will later present when it connects.
./make-client-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=client-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem client-cert.pem
Convert your Client Certificate to a PKCS#12 file
The .pfx file, in PKCS#12 format, is the bundle you will actually install on the end device, such as Android or iOS. It contains the client certificate, its private key and, via -certfile, the CA certificate.
openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca-cert.pem
Remember to set a password on this: it protects the private key while the file is copied to the device, and you will need it when you import the certificate there.
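As an added example, not the page's own make-key/make-client-cert scripts (which are not shown here), the whole of Step 1 done with plain openssl, followed by the checks worth running before client.pfx goes anywhere near a phone: the certificate chains to ca-cert.pem, it carries the clientAuth extended key usage that sets it apart from what make-cert produces, it contains the FQDN the device will present as its identity, and the .pfx holds the private key together with both certificates. The self-signed CA, its subject, and the change-me password are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the page's make-key/make-client-cert scripts: build the
# Road Warrior client certificate with plain openssl, check the properties the
# FireBrick and StrongSwan depend on, then package it as client.pfx.
# Assumed: a self-signed CA, the page's example FQDN, a placeholder password.
set -eu

FQDN=${FQDN:-server.example.com}
PFX_PASS=${PFX_PASS:-change-me}   # placeholder; set a real one

# Issue a certificate named "$2" in directory "$1", signed by the CA in "$1",
# carrying the extended key usage "$3" (clientAuth or serverAuth).
issue_cert() {
  dir=$1
  name=$2
  eku=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=GB/O=Server/CN=$FQDN" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$FQDN" "$eku" \
    > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/$name.ext" -out "$dir/$name-cert.pem" 2>/dev/null
}

# Create the CA, the client key and certificate, and the client.pfx bundle.
make_rw_certs() {
  dir=$1
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=GB/O=Road Warrior/CN=Road Warrior CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca-cert.pem" 2>/dev/null
  issue_cert "$dir" client clientAuth
  # Same bundling as the page: certificate + private key + CA certificate.
  openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client-key.pem" \
    -in "$dir/client-cert.pem" -certfile "$dir/ca-cert.pem" \
    -passout "pass:$PFX_PASS"
}

# True when the certificate at "$1" carries the clientAuth extended key usage.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Verify what the FireBrick and StrongSwan will rely on; prints "ok" on success.
check_client_cert() {
  dir=$1
  # The certificate must chain to ca-cert.pem, the CA the phone is told to trust.
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1 \
    || { echo "client-cert.pem does not chain to ca-cert.pem"; return 1; }
  # make-cert's serverAuth EKU is the wrong one for a client certificate.
  has_client_auth_eku "$dir/client-cert.pem" \
    || { echo "client-cert.pem lacks the clientAuth extended key usage"; return 1; }
  # The identity the profile presents must be in the certificate.
  openssl x509 -in "$dir/client-cert.pem" -noout -text | grep -q "DNS:$FQDN" \
    || { echo "client-cert.pem does not contain DNS:$FQDN"; return 1; }
  # The bundle must hold both certificates (client and CA) and the private key.
  ncerts=$(openssl pkcs12 -in "$dir/client.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$ncerts" -eq 2 ] \
    || { echo "client.pfx should carry 2 certificates, has $ncerts"; return 1; }
  openssl pkcs12 -in "$dir/client.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || { echo "client.pfx carries no private key"; return 1; }
  echo ok
}

# Usage: FQDN=vpn.example.org PFX_PASS='...' sh make-client-pfx.sh ./out
if [ -n "${1:-}" ]; then
  make_rw_certs "$1"
  check_client_cert "$1"
fi
```

issue_cert takes the EKU as a parameter so the same routine shows the difference the page's make-client-cert exists for: issuing with serverAuth instead of clientAuth produces a certificate that fails the EKU check. Only client.pfx and ca-cert.pem should be copied to the phone; ca-key.pem stays on the machine that issues certificates.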
Step 2 - Configuring the FireBrick
Upload keys to FireBrick
Upload client-cert.pem to the FireBrick's certificate store so that it can validate the client's certificate (ca-cert.pem and the FireBrick's own server certificate and key should already be there from the earlier setup). The client's private key, client-key.pem, is only needed on the end device: the FireBrick verifies the client with the public key in the certificate, so the private key should not be copied to it.
Add the IPSec configuration
The configuration of the FireBrick is much the same as the configuration for using EAP secrets at FireBrick Road Warrior FireBrick Config, but with two changes:
- peer-auth-method is set to "Certificate" rather than EAP
- no need to add any EAP users.
Example (the placeholders in square brackets are to be filled in with your own values):
<ipsec-ike>
  <!-- auth-method: how the FireBrick proves itself (its server certificate);
       peer-auth-method: how the client must prove itself (its client certificate).
       mode="Wait": the FireBrick waits for the road warrior to initiate.
       local-ID should match the FQDN the server certificate was generated with. -->
  <connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="Certificate" mode="Wait" local-ID="FQDN:server.example.com"/>
  <!-- Addresses and DNS handed to connected clients -->
  <roaming name="roam-pool" ip="[ranges of LAN IPs]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
Step 3 - Configuring Devices
Android, via StrongSwan
Before configuring StrongSwan, you will need to copy your CA certificate (in PEM format, ca-cert.pem in this example), and your client certificate (PKCS#12 .pfx format, client.pfx in this example) to your phone.
Once copied, open the StrongSwan app, and click "ADD VPN PROFILE" at the top right corner of the screen.
Fill out the following details:
- Server: enter your fully-qualified domain name to connect to your FireBrick.
- VPN Type: Change this to "IKEv2 Certificate"
- User Certificate: Press the "INSTALL" button and, using the file browser on your phone, navigate to where you put your certificate (in this example "client.pfx"). You will be prompted for the password you set when you exported the .pfx file; enter it here.
- User identity: Change this from "Default" to the FQDN of your FireBrick. This is the identity the phone presents to the FireBrick, so it must match the FQDN the client certificate was generated with; in this example that is the FireBrick's own FQDN.
- CA certificate: Untick "Select automatically" and choose "Select CA certificate", which appears below this box once it is unticked. In the CA certificates window, press the menu button at the top right and select import certificate, then select your CA certificate. Once imported, choose the "IMPORTED" tab at the top right of the screen and select your newly-imported CA certificate. This is the CA the phone will use to check the FireBrick's server certificate.
Once these details are filled in, press Save from the top right corner. Your VPN profile should now be listed in StrongSwan, and you should be able to connect to it.