FireBrick IPsec (Road Warrior Howto)
 
We recommend you use the strongSwan app on Android. The app needs the CA certificate, which you can email to yourself and install, and the settings for the host name, user name and password.
 
== Windows setup ==
 
The following instructions were tested on a Windows 7 system. Setup on other versions of Windows will be similar, but the
dialogs and messages seen may not be exactly as shown here.
 
The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.
 
First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to
use a browser to visit your FireBrick certificate management page, and click on the Download DER link corresponding
to the CA certificate. Save it in a suitable location on the Windows machine. Do not attempt to execute it or
install it just yet. Note that you must download the certificate in DER format - Windows machines do not
recognize PEM format. The file will be given the <tt>.crt</tt> extension.
 
The Windows certificate manager should now be started up as follows:
 
. Using a command window, or the Start|Run box, execute the command <tt>mmc</tt> (and answer Yes when asked if you
want to allow changes).
. Select Add/Remove Snap-in from the File menu, choose the Certificates snap-in and add it to selected snap-ins.
. A dialog will ask if you want to manage certificates for the user account, a service account or computer account.
You *must* select <tt>Computer Account</tt> here in order to manage the system certificates. If you do not select
this, or you start up the certificate manager in some other way (eg using <tt>certmgr.msc</tt>), you will not be able
to install the certificate system-wide, and the Windows IPsec subsystem will not find it.
. Another dialog will ask which computer to manage. Choose <tt>Local computer</tt>.
. Finally click on <tt>OK</tt> to start the certificate manager snap-in.
 
To install the certificate:
. Double-click on <tt>Certificates (Local Computer)</tt> in the left pane, to open the certificate store names, and
then right-click on <tt>Trusted Root Certification Authorities</tt> in the centre pane.
. Select <tt>All Tasks</tt> and then <tt>Import...</tt>
. Click <tt>Next</tt> and browse to where you saved the CA .crt file.
. Click <tt>Next</tt> and check that the certificate will be placed in the trusted root store.
. Click <tt>Next</tt> again, and then <tt>Finish</tt>.
 
There - wasn't that easy! Thank you Microsoft.
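
The same import can be done from an elevated PowerShell prompt. This is an added example, not part of the original howto: it checks that the file is DER, shows the subject and thumbprint for review before anything is trusted, imports with <tt>certutil</tt>, and confirms the certificate is in the Local Computer store rather than only the user store. The path in <tt>$CaPath</tt> is an assumed save location.

```powershell
# Added example (not from the original howto). Run in an elevated PowerShell prompt.
param([string]$CaPath = "$env:USERPROFILE\Downloads\firebrick-ca.crt")  # assumed save location
$ErrorActionPreference = 'Stop'

# The computer-wide store can only be written by an administrator.
$me = New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator".'
}

# A DER certificate starts with the ASN.1 SEQUENCE tag 0x30; a PEM file starts with "-----BEGIN".
$bytes = [System.IO.File]::ReadAllBytes($CaPath)
if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
    throw "$CaPath is not DER encoded. Use the Download DER link, not the PEM one."
}

# Parse without installing, so the details can be reviewed before the CA is trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) { Write-Warning 'basicConstraints CA flag is not set.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
if ((Read-Host 'Install this CA as a trusted root for the whole computer? (y/n)') -ne 'y') { return }

# Same effect as the MMC import into Trusted Root Certification Authorities (Local Computer).
& certutil.exe -addstore Root $CaPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }

# The user view also lists computer-wide roots, so "user but not machine" means wrong store.
$machine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$user    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($machine) {
    'OK: CA is in the Local Computer root store.'
} elseif ($user) {
    'WRONG STORE: CA is only in the user store; the Windows IPsec subsystem will not find it.'
} else {
    'CA not found in any root store.'
}
```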
 
Now you need to set up the IPsec network connection details.
 
. Go to Control Panel and select <tt>Set up a new connection or network</tt>.
. Select <tt>Connect to a Network</tt> and choose <tt>Connect to a Workplace</tt>.
. Click <tt>Next</tt>, select <tt>No, create a new connection</tt>, <tt>Next</tt>
. Choose <tt>Use my Internet connection</tt>
. Insert the server name (eg <tt>server.example.com</tt>), and choose whatever you like
to name the connection (Destination name).
. Select <tt>Don't connect now; ...</tt>
. You don't need to enter User name and password as it will ask again later
. Click on <tt>Create</tt> and then <tt>Close</tt> (Don't connect yet!)
. Back at the Network and Sharing Center dialog, select <tt>Connect to a network</tt>
. Right-click the connection you have just created in the pop-up box and select <tt>Properties</tt>
. Select the <tt>Security</tt> tab, and change the Type of VPN to IKEv2.
. EAP-MSCHAPv2 should already be selected.
. Click <tt>OK</tt>
 
You should now be ready to connect - select <tt>Connect to a network</tt> again, click
on the connection and choose <tt>Connect</tt>
 
You probably want to change the type of network to <tt>Work Network</tt> after the
connection establishes.
 
[[Category:FireBrick_Tunnels|IPsec]]