FireBrick Road Warrior FireBrick Config: Difference between revisions

← Older edit Newer edit →

Content deleted Content added

Inline

@@ Line 6: / Line 6: @@
 The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses; each would have a user name and password defined.
+===A note on IP Allocations===
+There are two common ways to use the IPsec roaming pools:
+'''Separate pool:'''
+Choose an IP range not used anywhere else in your FB config
+    (and to avoid confusion choose something non-routable eg from 10...)
+    Set the NAT flag on the ipsec roaming pool definition.
+    In this scenario all traffic arriving at the FB from the remote
+    device will be NATed (with FB source address) before being routed
+    onwards.  This provides what most people would expect - remote
+    device has a non-routable NATed address.  Sessions originating
+    on the device can talk to anywhere the FB can - but other
+    devices cannot initiate sessions to the remote device.
+'''IPs from the existing LAN'''
+Choose a "real" range of IP addresses already known to the FB.
+    Typically this would be a subset of one of the FB's LAN subnets.
+    [Take care if doing this to not have an overlap with any DHCP
+    allocations which the FB may do on that subnet.]  In this case
+    the roaming pool NAT setting should not be set.  Normally you
+    will want your FB LAN devices to be able to communicate with the
+    remote client, so you should set "proxy-arp" on the FB subnet
+    definition.
+    In this scenario, the remote device behaves just like a device
+    connected on the LAN, and, if the LAN subnet is routable, the
+    remote device will also be able to communicate externally.
 ==Proxy ARP==