FireBrick IPsec (Road Warrior Howto)
FireBrick Road Warrior IPsec
The FireBrick manual goes into some detail on configuring IPsec. This page contains specific examples for a simple scenario where you have one or more clients devices - iPhones iPads, Android phones/tablets or Windows machines, and a FireBrick in your home or office, and you would like to VPN (using IPsec) to the FireBrick and have an IP address on your LAN.
In this example we are assuming you can allocate some IP addresses on you LAN. You do this by picking a range of addresses and setting up a roaming-pool (see below). You need to ensure the IP range does not clash with devices on the LAN and is not in the DHCP ranges that could allocate to the LAN. You also need to set proxy-arp on the LAN interface settings to allow communications to other devices on your LAN. Alternatively you could set private IP addresses in the pool and set the nat setting. You should probably also consider firewalling rules for traffic to/from IPsec connections.
iPhone profile
Each iPhone needs a profile file specific to that user. Once created you can email this, or make a web link to it, and the iPhone will recognise it and allow it to be installed. Let's call it fred.mobileconfig for our user called fred as in the above example config.
./make-profile SERVER=IP-of-server LOCALID="Fred's iPhone" CA=ca-cert.pem SERVERID=server.example.com USERNAME=fred PROFNAME="Office VPN" VPNNAME=FireBrick fred.mobileconfig
Note that the SERVERID must match the FQDN entry used when making the server certificate, and hence the local-ID in the config for the connection.
Android setup
We recommend you use the StrongSwan app on Android. The app then needs the CA certificate which you can email yourself and install, and the settings for the host name, user name, password.
Install StrongSwan VPN Client
Via the Google Play store
Install CA Certificate
- From the Android device, log in to the FireBrick
- Go to Config - Certificates
- Download the CA certificate in PEM format
- Open StrongSwan, go to (Menu) CA Certificates - (Menu) Import
- Choose the Certificate, in our example the File is ca-cert.pem is found in the Downloads folder, select it.
- Review the certificate, then click Import
(We have had reports that the downloaded .pem file, when downloaded using default browser 'Internet' is not visible to Strongswan even though the file is in the Download folder. Using an alternative Browser, such as Firefox, and re-downloading the pem file from the FireBrick works.)
Configure Strongswan
- Open the Strongswan App
- Tap on 'ADD VPN PROFILE' (top/right)
- Add the details:
- Profile Name: eg FireBrick
- Gateway: IP or hostname of the FireBrick
- Type: EAPv2 EAP (Username/Password)
- Username: this is the one as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password
- Password: Optionally add it here if you (really) want is saved
Connect!
- Open Strongswan
- Tap on the profile
You can also create a 'Widget' for the connection in the 'usual' way for adding widgets to your launcher.
Windows setup
The following instructions were tested on a Windows 7 system. Setup on other versions of Windows will be similar, but the dialogs and messages seen may not be exactly as shown here.
The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.
First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to use a browser to visit your FireBrick certificate management page, and click on the Download DER link corresponding to the CA certificate. Save it in a suitable location on the Windows machine. Do not attempt to execute it or install it just yet. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the .crt extension.
Start the Windows Certificate Manager
The Windows certificate manager should now be started up as follows:
- Using a command window, or the Start|Run box, execute the command mmc (and answer Yes when asked if you want to allow changes).
- Select Add/Remove Snap-in from the File menu, choose the Certificates snap-in and add it to selected snap-ins.
- A dialog will ask if you want to manage certificates for the user account, a service account or computer account. You must select Computer Account here in order to manage the system certificates. If you do not select this, or you start up the certificate manager in some other way (eg using certmgr.msc, you will not be able to install the certificate system-wide, and the Windows IPsec subsystem will not find it.
- Another dialog will ask which computer to manage. Choose Local computer.
- Finally click on OK to start the certificate manger snap-in.
Install the CA certificate
To install the certificate:
- Double-click on Certificates (Local Computer) in the left pane, to open the certificate store names, and then right-click on Trusted Root Certification Authorities in the centre pane.
- Select All Tasks and then Import...
- Click Next and browse to where you saved the CA .crt file.
- Click Next and check that the certificate will be placed in the trusted root store.
- Click Next again, and then Finish.
There - wasn't that easy! Thank you Microsoft.
Set up the VPN Network Connection
Now you need to set up the IPsec network connection details.
- Go to Control Panel and select Set up a new connection or network.
- Select Connect to a Network and choose Connect to a Workplace.
- Click Next, select No, create a new connecton, Next
- Choose Use my Internet connection
- Insert the server name (eg server.example.com), and choose whatever you like to name the connection (Destination name).
- Select Don't connect now; ...
- You don't need to enter User name and password as it will ask again later
- Click on Create and then Close (Don't connect yet!)
- Back at the Network and Sharing Center dialog, select Connect to a network
- Right-click the connection you have just created in the pop-up box and select Properties
- Select the Security tab, and change the Type of VPN to IKEv2.
- EAP-MSCHAPv2 should already be selected.
- Click OK
You should now be ready to connect - select Connect to a network again, click on the connection and choose Connect. If not already saved, you'll use the username and password as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password)
You probably want to change the type of network to Work Network after the connection establishes.