FireBrick IPsec (Road Warrior Howto): Difference between revisions
= FireBrick
The FireBrick manual goes
In this example we are assuming you can allocate some IP addresses on your LAN. You do this by picking a range of addresses and setting
== Tools ==
There are three tools to help with setting up Road Warrior connections on the FireBrick web site. You can download these
== Certificate Authority ==
Let's start by making a Certificate Authority (CA). This signs certificates, such as the one we load in to the FireBrick end of the link. The CA ends up as two files - one is the private ''key'' file, which you keep secret; this is what you need to sign things with the CA. The other is the actual certificate file, signed by the key.
First
<tt>./make-key ca-key.pem</tt>
Then make a certificate file, and
(eg /CN=Acme Widget CA).
<tt>./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem</tt>
== FireBrick (server) certificate ==
First make a private key, e.g. <tt>server-key.pem</tt>
<tt>./make-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=server-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem server-cert.pem</tt>
== FireBrick Certificate Config ==
The FireBrick needs copies of the CA certificate and the server certificate and private key.
The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses, each would have a user name and password defined.
Load
X.509 certificate and key management UI page (Config Certificates).
The private key associated with the CA certificate <tt>ca-key.pem</tt> is no longer needed once it has been used to sign
the server certificate. It is a good idea to store this file in a safe place (eg on a memory stick in a secure location), and
remove it from any networked machine. It can of course be retrieved and reused if you wish to make further server
certificates using the same CA certificate.
== FireBrick IPsec config ==
The basic server config is in <tt>ipsec-ike</tt> containing a <tt>connection</tt> and <tt>roaming</tt> entry, e.g.
<tt><eap name="''fred''" full-name="''Fred Bloggs''" password="''[password]''" subsystem="IPsec" methods="MSChapV2"/></tt>
Load the files <tt>ca-cert.pem</tt>, <tt>server-key.pem</tt>, and <tt>server-cert.pem</tt> into the FireBrick certificates.
== iPhone profile ==
Each iPhone
<tt>./make-profile SERVER=''IP-of-server'' LOCALID="''Fred's iPhone''" CA=ca-cert.pem SERVERID=''server.example.com'' USERNAME=''fred'' PROFNAME="''Office VPN''" VPNNAME=FireBrick ''fred''.mobileconfig</tt>