
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick IPsec (Road Warrior Howto): Difference between revisions

In this example we are assuming you can allocate some IP addresses on your LAN. You do this by picking a range of addresses and setting up a <tt>roaming-pool</tt> (see below). You need to ensure the IP range does not clash with devices on the LAN and is not within the DHCP ranges that could be allocated on the LAN. You also need to set <tt>proxy-arp</tt> on the LAN interface settings to allow communication with other devices on your LAN. Alternatively you could use private IP addresses in the pool and set the <tt>nat</tt> setting. You should probably also consider firewall rules for traffic to/from IPsec connections.
 
= FireBrick IPsec config =
 
The FireBrick needs a configuration for the connection, and roaming pools and user identities. The connection can be used for any number of devices at once with the same pool of IP addresses; each would have a user name and password defined.
 
The basic server config is in <tt>ipsec-ike</tt> containing a <tt>connection</tt> and <tt>roaming</tt> entry, e.g.
 
<syntaxhighlight lang="xml">
<ipsec-ike>
<connection name="server" roaming-pool="roam-pool" auth-method="Certificate" peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
<roaming name="roam-pool" ip="[ranges of LAN IPs]" DNS="[DNS, e.g. 8.8.8.8]"/>
</ipsec-ike>
</syntaxhighlight>
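The roaming pool above must not overlap the LAN's DHCP range or any static LAN host. The following Python script is an added example (not FireBrick code and not part of this page's configuration) that reads the <tt>roaming</tt> entries out of an <tt>ipsec-ike</tt> fragment and reports clashes against an operator-supplied DHCP range and host list. It assumes the <tt>ip</tt> attribute is a space-separated list of CIDR prefixes or <tt>first-last</tt> ranges; the sample config values are constructed.

```python
"""Overlap check for a FireBrick roaming pool (added example, not FireBrick code).

Assumptions (not taken from the page): the roaming ``ip`` attribute is a
space-separated list of CIDR prefixes or ``first-last`` ranges, and the
operator supplies the LAN's DHCP range plus any statically addressed hosts.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config in the shape shown on the page; all values are made up.
SAMPLE_CONFIG = """
<ipsec-ike>
 <connection name="server" roaming-pool="roam-pool" auth-method="Certificate"
   peer-auth-method="EAP" mode="Wait" local-ID="FQDN:server.example.com"/>
 <roaming name="roam-pool" ip="192.168.1.200-192.168.1.215 192.168.1.240/30" DNS="8.8.8.8"/>
</ipsec-ike>
"""


def parse_ranges(spec):
    """Turn 'first-last' ranges and CIDR prefixes into a list of ip_network objects."""
    nets = []
    for token in spec.split():
        if "-" in token:
            first, last = token.split("-", 1)
            # summarize_address_range yields the minimal set of CIDR blocks covering first..last
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def roaming_pools(config_xml):
    """Map each <roaming> pool name to its parsed IP ranges."""
    root = ET.fromstring(config_xml.strip())
    return {r.get("name"): parse_ranges(r.get("ip", "")) for r in root.iter("roaming")}


def find_clashes(pool_nets, dhcp_range, static_hosts):
    """Return human-readable clash descriptions; an empty list means the pool is clear.

    dhcp_range is a 'first-last' string; static_hosts is an iterable of IP strings.
    """
    problems = []
    dhcp_nets = parse_ranges(dhcp_range)
    for net in pool_nets:
        for d in dhcp_nets:
            if net.overlaps(d):
                problems.append(f"{net} overlaps DHCP range {d}")
        for host in static_hosts:
            if ipaddress.ip_address(host) in net:
                problems.append(f"{net} contains LAN host {host}")
    return problems


if __name__ == "__main__":
    # Constructed LAN facts: DHCP hands out .100-.199, and .242 is a static printer.
    pools = roaming_pools(SAMPLE_CONFIG)
    for name, nets in pools.items():
        for problem in find_clashes(nets, "192.168.1.100-192.168.1.199",
                                    ["192.168.1.1", "192.168.1.242"]):
            print(f"{name}: {problem}")
```

Run it against your own exported config and LAN inventory before committing the pool; any line of output is an address that would be handed to a roaming client while something else on the LAN may already be using it.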
 
Each roaming user then needs an <tt>eap</tt> user record.
 
<syntaxhighlight lang="xml">
<eap name="fred" full-name="Fred Bloggs" password="[password]" subsystem="IPsec" methods="MSChapV2"/>
</syntaxhighlight>
 
Here is how the above three config sections look in the User Interface (UI):
<gallery widths=250px caption="FireBrick Screenshots">
FireBrick-IPsec-IKESettings.png|IKE Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE connection)
FireBrick-IPsec-RoamingPool.png|Roaming Pool Settings (UI). (Config - Edit - Tunnels - IPsec - Add, IKE roaming IP pools)
FireBrick-EAP.png|EAP User (UI). (Config - Edit - Users - Add, User access control via EAP)
</gallery>
 
===Firewall===
You will also want to look at the Firewall on the FireBrick and allow traffic where required. For example, to allow the IPsec users to connect to the Internet via your PPPoE connections, use something like:
<syntaxhighlight lang="xml">
<rule-set name="FromIPSec" source-interface="ipsec" no-match-action="continue">
<rule name="AllowInternet" target-interface="pppoe" action="accept"/>
</rule-set>
</syntaxhighlight>
 
== iPhone profile ==