FireBrick IPsec (Road Warrior Howto): Difference between revisions

From AAISP Support Site
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
#REDIRECT [[:Category:FireBrick_IPsec_Road_Warrior]]
<indicator name="Tunnels">[[File:FBimgtunnel.svg|link=:Category:FireBrick_Tunnels|30px|Back up to the FireBrick Tunnels Category Page]]</indicator>
= FireBrick Road Warrior IPsec =

The FireBrick manual goes into some detail on configuring IPsec. This page contains specific examples for a simple scenario where you have one or more clients devices - iPhones iPads, Android phones/tablets or Windows machines, and a FireBrick in your home or office, and you would like to VPN (using IPsec) to the FireBrick and have an IP address on your LAN.

In this example we are assuming you can allocate some IP addresses on you LAN. You do this by picking a range of addresses and setting up a <tt>roaming-pool</tt> (see below). You need to ensure the IP range does not clash with devices on the LAN and is not in the DHCP ranges that could allocate to the LAN. You also need to set <tt>proxy-arp</tt> on the LAN interface settings to allow communications to other devices on your LAN. Alternatively you could set private IP addresses in the pool and set the <tt>nat</tt> setting. You should probably also consider firewalling rules for traffic to/from IPsec connections.

= Creating Certificates =

There are three tools to help with setting up Road Warrior connections on the FireBrick web site. You can download these
by viewing with a browser and saving the source, or using curl or wget. [http://www.firebrick.co.uk/tools/make-key make-key] creates a private key. [http://www.firebrick.co.uk/tools/make-cert make-cert] makes a certificate (signed with a key). [http://www.firebrick.co.uk/tools/make-profile make-profile] makes an iPhone profile file that allows the VPN to be configured on the iPhone. For security reasons, all of these need you to run them locally (e.g. on a linux box, or windows under Cygwin).

== Certificate Authority ==

Let's start by making a Certificate Authority (CA). This signs certificates, such as the one we load in to the FireBrick end of the link. The CA ends up as being two files - one is the private ''key'' file, which you keep secret. This is what you need to sign things with the CA. The other is the actual certificate file, signed by the key.

First make the private ''key'' file for the CA. We'll call it <tt>ca-key.pem</tt>. This file should be kept secret.

./make-key ca-key.pem

Then make a certificate file, and sign it using the ''key'' file. We'll call it <tt>ca-cert.pem</tt>. This involves several attributes in the DN (Distinguished name) which mostly don't matter much for your own certificate (/C=Country, /ST=State, /L=Locality, /O=OrganisationName, /CN=CommonName). Typically you would set just the CommonName, using your home or company name
(eg /CN=Acme Widget CA).

./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem

== FireBrick (server) certificate ==

Next we make a certificate file for the FireBrick itself. This is how the FireBrick proves itself to the client device. Again, there is a ''key'' and a ''cert'' file for this, with both being loaded in to the FireBrick. The ''key'' is what allows the FireBrick to prove itself. The ''cert'' is signed by the CA key, which is how the remote devices know to trust the FireBrick. Note the extra <tt>FQDN=</tt> which sets the SubjectAltName. The <tt>FQDN</tt> entry is just a name used to get the right certificate, and should match the <tt>local-id</tt> (prefixed <tt>FQDN:</tt>) in the config so that the FireBrick can work our which certificate to use when negotiating, and the client can check the certificate matches the server.

First make a private key, e.g. <tt>server-key.pem</tt>

./make-key server-key.pem

Then make a certificate, e.g. <tt>server-cert.pem</tt>

./make-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=server-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem server-cert.pem

== FireBrick Certificate Config ==

The FireBrick needs copies of the CA certificate and the server certificate and private key.

Load these files - <tt>ca-cert.pem</tt>, <tt>server-key.pem</tt>, and <tt>server-cert.pem</tt> - using the FireBrick
X.509 certificate and key management UI page (Config Certificates).

The private key associated with the CA certificate <tt>ca-key.pem</tt> is no longer needed once it has been used to sign
the server certificate. It is a good idea to store this file in a safe place (eg on a memory stick in a secure location), and
remove it from any networked machine. It can of course be retrieved and reused if you wish to make further server
certificates using the same CA certificate.

==Summary of Certificates==
Once you've run the commands above to create the certificates, you'll end up with five files as follows:

{| class="wikitable"
|+Summary of what to do with the Certificate files
|-
! File !! Description !! Where to place
|-
| ca-key.pem || Private 'Company' Certificate Authority (CA) key, This signs other certificates || Store in a safe place off net
|-
| ca-cert.pem || 'Company' Certificate Authority Certificate file, signed by the Private key above || Upload to FireBrick
|-
| ca-cert.srl || ||
|-
| server-cert.pem || FireBrick 'Server' Certificate, signed by the CA key which means devices know to trust the FireBrick.|| Upload to FireBrick
|-
| server-key.pem || FireBrick 'Server' Key, allows the FireBrick to prove itself to devices. || Upload to FireBrick
|}

On the FireBrick, you should have a set of certificates such as:

[[File:FireBrick-IPsec-Certificates.png|frame|none|Certificates on the FireBrick]]

= FireBrick IPsec config =

The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses; each would have a user name and password defined.

The basic server config is in <tt>ipsec-ike</tt> containing a <tt>connection</tt> and <tt>roaming</tt> entry, e.g.

<syntaxhighlight>
<ipsec-ike>
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
</syntaxhighlight>

Each roaming user then needs an <tt>eap</tt> user record.

<syntaxhighlight>
<eap name="fred" full-name="Fred Bloggs" password="[password]" subsystem="IPsec" methods="MSChapV2"/>
</syntaxhighlight>

Here is how the above three config sections look in the User Interface (UI):
<gallery widths=250px caption="FireBrick SCreenshots">
FireBrick-IPsec-IKESettings.png|IKE Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE connection)
FireBrick-IPsec-RoamingPool.png|Roaming Pool Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE roaming IP pools
FireBrick-EAP.png|EAP User (UI). (Config - Edit - Users - Add, User access control via EAP
</gallery>

===Firewall===
You will also want to look at the Firewall on the FireBrick and allow traffic where required, for example, to Allow the IPsec users to connect to the Internet via your PPPoE connections use something like:
<syntaxhighlight>
<rule-set name="FromIPSec" source-interface="ipsec" no-match-action="continue">
<rule name="AllowInternet" target-interface="pppoe" action="accept"/>
</rule-set>
</syntaxhighlight>

== iPhone profile ==

Each iPhone needs a profile file specific to that user. Once created you can email this, or make a web link to it, and the iPhone will recognise it and allow it to be installed. Let's call it <tt>fred.mobileconfig</tt> for our user called ''fred'' as in the above example config.

<tt>./make-profile SERVER=''IP-of-server'' LOCALID="''Fred's iPhone''" CA=ca-cert.pem SERVERID=''server.example.com'' USERNAME=''fred'' PROFNAME="''Office VPN''" VPNNAME=FireBrick ''fred''.mobileconfig</tt>

Note that the SERVERID must match the FQDN entry used when making the server certificate, and hence the local-ID in the config for the connection.

[[File:Ipsec-iphione.png|none|frame|VPN up on an iPhone]]

== Android setup ==

We recommend you use the [https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en_GB StrongSwan app on Android]. The app then needs the CA certificate which you can email yourself and install, and the settings for the host name, user name, password.

===Install StrongSwan VPN Client===
Via the Google Play store

===Install CA Certificate===
#From the Android device, log in to the FireBrick
##Go to Config - Certificates
##Download the CA certificate in PEM format
#Open StrongSwan, go to (Menu) CA Certificates - (Menu) Import
##Choose the Certificate, in our example the File is ca-cert.pem is found in the Downloads folder, select it.
#Review the certificate, then click Import
(We have had reports that the downloaded .pem file, when downloaded using default browser 'Internet' is not visible to Strongswan even though the file is in the Download folder. Using an alternative Browser, such as Firefox, and re-downloading the pem file from the FireBrick works.)

===Configure Strongswan===
#Open Strongswan
#Tap on 'ADD VPN PROFILE' (top/right)
#Add the details:
##Profile Name: eg FireBrick
##Gateway: IP or hostname of the FireBrick
##Type: EAPv2 EAP (Username/Password)
##Username: this is the one as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password
##Password: Optionally add it here if you (really) want is saved

== Windows setup ==

The following instructions were tested on a Windows 7 system. Setup on other versions of Windows will be similar, but the
dialogs and messages seen may not be exactly as shown here.

The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to
use a browser to visit your FireBrick certificate management page, and click on the Download DER link corresponding
to the CA certificate. Save it in a suitable location on the Windows machine. Do not attempt to execute it or
install it just yet. Note that you must download the certificate in DER format - windows machines do not
recognize PEM format. The file will be given the <tt>.crt</tt> extension.

===Start the Windows Certificate Manager===
The Windows certificate manager should now be started up as follows:

# Using a command window, or the Start|Run box, execute the command <tt>mmc</tt> (and answer Yes when asked if you want to allow changes).
# Select Add/Remove Snap-in from the File menu, choose the Certificates snap-in and add it to selected snap-ins.
# A dialog will ask if you want to manage certificates for the user account, a service account or computer account. You must select <tt>Computer Account</tt> here in order to manage the system certificates. If you do not select this, or you start up the certificate manager in some other way (eg using <tt>certmgr.msc</tt>, you will not be able to install the certificate system-wide, and the Windows IPsec subsystem will not find it.
# Another dialog will ask which computer to manage. Choose <tt>Local computer</tt>.
# Finally click on <tt>OK</tt> to start the certificate manger snap-in.

===Install the CA certificate===
To install the certificate:
# Double-click on <tt>Certificates (Local Computer)</tt> in the left pane, to open the certificate store names, and then right-click on <tt>Trusted Root Certification Authorities</tt> in the centre pane.
# Select <tt>All Tasks</tt> and then <tt>Import...</tt>
# Click <tt>Next</tt> and browse to where you saved the CA .crt file.
# Click <tt>Next</tt> and check that the certificate will be placed in the trusted root store.
# Click <tt>Next</tt> again, and then <tt>Finish</tt>.

There - wasn't that easy! Thank you Microsoft.

===Set up the VPN Network Connection===
Now you need to set up the IPsec network connection details.

# Go to Control Panel and select <tt>Set up a new connection or network</tt>.
# Select <tt>Connect to a Network</tt> and choose <tt>Connect to a Workplace</tt>.
# Click <tt>Next</tt>, select <tt>No, create a new connecton</tt>, <tt>Next</tt>
# Choose <tt>Use my Internet connection</tt>
# Insert the server name (eg <tt>server.example.com</tt>), and choose whatever you like to name the connection (Destination name).
# Select <tt>Don't connect now; ...</tt>
# You don't need to enter User name and password as it will ask again later
# Click on <tt>Create</tt> and then <tt>Close</tt> (Don't connect yet!)
# Back at the Network and Sharing Center dialog, select <tt>Connect to a network</tt>
# Right-click the connection you have just created in the pop-up box and select <tt>Properties</tt>
# Select the <tt>Security</tt> tab, and change the Type of VPN to IKEv2.
# EAP-MSCHAPv2 should already be selected.
#Click <tt>OK</tt>

You should now be ready to connect - select <tt>Connect to a network</tt> again, click
on the connection and choose <tt>Connect</tt>. If not already saved, you'll use the username and password as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password)

You probably want to change the type of network to <tt>Work Network</tt> after the
connection establishes.

[[Category:FireBrick IPsec]]

Latest revision as of 15:39, 30 July 2015