
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior strongSwan

==Install Packages==

$ sudo apt-get install strongswan libcharon-extra-plugins

libcharon-extra-plugins is needed for the eap-identity plugin, which is required to connect to...

==Certificate==
 
Download your CA certificate and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan accepts either PEM or DER. This CA is what your client uses to verify the FireBrick's certificate, so obtain it over a channel you trust and check its fingerprint (for a PEM file: openssl x509 -noout -fingerprint -sha256 -in ca.pem) against a copy you trust before installing it.
 
Add your user to <syntaxhighlight inline>/etc/ipsec.secrets</syntaxhighlight> (the file holds the password in clear, so keep it owned by root with mode 0600):
 
username : EAP "password"
 
Add your connection to /etc/ipsec.conf (settings must be indented under the conn line). The keyexchange, right, leftid, leftauth and rightauth lines are standard strongSwan IKEv2 EAP road-warrior settings added here rather than taken from the original page; adjust them to match your FireBrick configuration:

<syntaxhighlight>
conn username                     # Arbitrary name - doesn't have to be the username
    keyexchange=ikev2             # FireBrick road-warrior VPN uses IKEv2
    left=%defaultroute            # Use your default route to the internet
    leftid=username               # Must match the identity used in ipsec.secrets
    leftauth=eap                  # Client authenticates with EAP; the FireBrick picks the method
    right=hostname.example.com    # Address of the FireBrick
    rightid=@hostname.example.com # ID of FireBrick - must match its certificate
    rightauth=pubkey              # FireBrick authenticates with its certificate, checked against the CA above
    auto=start                    # Try to connect immediately on startup
</syntaxhighlight>
 
Reload settings (ipsec reload re-reads ipsec.conf; if the daemon was already running when you edited ipsec.secrets, follow it with sudo ipsec rereadsecrets so the new secret is picked up):

$ sudo service ipsec reload

Then check that the connection has come up with sudo ipsec status; the conn should show as ESTABLISHED. That should be it.
 
 
==Split Tunneling==
 
Split tunnelling is where only traffic for the networks behind the FireBrick goes through the tunnel and everything else uses the machine's normal default route. This can often be useful: you may not want to tunnel your normal non-work browsing/streaming through your company's servers. The trade-off is that the untunnelled traffic gets none of the VPN's protection.
 
Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
 
On the strongSwan road warrior it is rightsubnet (the networks behind the FireBrick) that decides which traffic goes through the tunnel, not leftsubnet: rightsubnet=0.0.0.0/0 sends all traffic through the tunnel, and rightsubnet=<serverLAN> gives split tunnelling. (The linked strongSwan page describes the gateway side, where the same choice is made with leftsubnet.) leftsourceip asks the FireBrick for a virtual IP to use inside the tunnel.

For example, a full-tunnel setup for both IPv4 and IPv6:

<syntaxhighlight>
leftsourceip=%config4,%config6
rightsubnet=0.0.0.0/0,::/0
</syntaxhighlight>

For split tunnelling, replace the rightsubnet line with the FireBrick-side LAN(s), e.g. rightsubnet=<serverLAN>.
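The following script is an added example for checking a client set up as described in the Certificate and Split Tunneling sections above; it is not part of the original page nor FireBrick or strongSwan code. It reports whether a CA file is PEM or DER, whether ipsec.secrets is readable only by its owner, and whether a given conn is configured as a full or split tunnel by reading its rightsubnet. File paths and the conn name are passed as arguments (the defaults are assumptions), and it does not merge settings from conn %default.

```shell
#!/bin/sh
# Added example: sanity checks for a strongSwan road-warrior client.
# Not FireBrick or strongSwan code; paths and conn name are assumptions passed in by the caller.

# cert_format FILE -> prints pem, der or unknown.
# PEM carries a "-----BEGIN CERTIFICATE-----" header; DER starts with an ASN.1 SEQUENCE tag (0x30).
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# conn_setting CONF CONN KEY -> prints the value of KEY inside "conn CONN" (empty if absent).
# Comments are stripped and whitespace around '=' is tolerated; "conn %default" is not merged in.
conn_setting() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^(conn|ca|config)[ \t]/ { in_conn = ($1 == "conn" && $2 == conn); next }
        in_conn {
            line = $0
            sub(/#.*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# tunnel_mode CONF CONN -> full (a default route is sent through the tunnel), split, or unset.
tunnel_mode() {
    rs=$(conn_setting "$1" "$2" rightsubnet)
    case "$rs" in
        "")                 echo unset ;;
        *0.0.0.0/0*|*::/0*) echo full ;;
        *)                  echo split ;;
    esac
}

# secrets_perms_ok FILE -> success only if group and others have no access bits at all.
secrets_perms_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# report CONF CONN [SECRETS] [CAFILE] -> human-readable summary of the checks above.
report() {
    conf=$1; conn=$2; secrets=${3:-/etc/ipsec.secrets}; ca=${4:-}
    echo "conn $conn: rightid=$(conn_setting "$conf" "$conn" rightid), tunnel=$(tunnel_mode "$conf" "$conn")"
    if secrets_perms_ok "$secrets"; then
        echo "$secrets: permissions ok"
    else
        echo "$secrets: WARNING readable by group/others - chmod 600 it, it holds the password in clear"
    fi
    if [ -n "$ca" ]; then
        echo "$ca: $(cert_format "$ca")"
    fi
    return 0
}

# Usage: sh roadwarrior-check.sh /etc/ipsec.conf <conn-name> [/etc/ipsec.secrets] [ca-file]
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

Run it as root after the reload step; a conn reporting tunnel=split while you expected all traffic to be protected is the case this page's rightsubnet discussion is about.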