FireBrick Road Warrior strongSwan: Difference between revisions
This example uses strongSwan on Debian, but the configuration should suit other distributions once you've installed the equivalent package(s).
See also: [[FireBrick to Openswan Strongswan IPsec (Howto)]]
==Install Packages==
$ sudo apt-get install strongswan libcharon-extra-plugins
You may also want <tt>libstrongswan-extra-plugins</tt> if you need the curl plugin, which strongSwan uses to fetch CA certificates and revocation information (CRLs, OCSP) over HTTP, e.g. from Let's Encrypt.

<tt>libcharon-extra-plugins</tt> is needed for the eap-identity plugin, which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf). You can confirm it is loaded after (re)starting strongSwan: <tt>ipsec statusall</tt> prints a "loaded plugins" line, and eap-identity should appear in it.
==CA Certificate==
Usually you can use ACME and Let's Encrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this.
If you're using a Let's Encrypt certificate on the FireBrick (which is easy), you'll need to symlink the system copy of the Let's Encrypt root CA into strongSwan's CA directory so that charon trusts the FireBrick's certificate chain:

ln -s /etc/ssl/certs/ISRGRootX1.pem /etc/ipsec.d/cacerts/ISRGRootX1.pem

Check the source filename first (<tt>ls /etc/ssl/certs | grep -i isrg</tt>): Debian's ca-certificates package installs the root as <tt>ISRG_Root_X1.pem</tt>, so adjust the path if yours differs. Trusting ISRG Root X1 means strongSwan will accept any Let's Encrypt certificate as validly CA-signed, so the peer identity check is what ties the tunnel to your FireBrick: set <tt>rightid=</tt> (or <tt>right=</tt>) to the FireBrick's hostname exactly as it appears in its certificate, not to a bare IP address that the certificate does not contain.
==strongSwan Config==
Add your connection to /etc/ipsec.conf:

<syntaxhighlight lang="ini">
conn firebrick # Arbitrary name - doesn't have to be 'firebrick'
    left=%defaultroute # Use your default route to the internet
If the FireBrick is configured to give an IPv6 address from the Roaming pool, then tell strongSwan to request IPv6 too:

<syntaxhighlight lang="ini">
    leftsourceip=%config4,%config6
</syntaxhighlight>
Reload settings:
Here's some strongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
You use <tt>rightsubnet</tt> on the strongSwan road warrior to decide whether the tunnel becomes the default gateway: it is the remote traffic selector, i.e. the set of destinations that get sent down the tunnel (<tt>leftsubnet</tt> is the local side, which strongSwan narrows to the virtual IP it receives via <tt>leftsourceip</tt>, so changing it does not move traffic into the tunnel). You'd need <tt>rightsubnet=0.0.0.0/0</tt> (plus <tt>::/0</tt> if you requested IPv6) to ensure all traffic uses the tunnel, and <tt>rightsubnet=<serverLAN></tt> for split tunnelling, where only the FireBrick's LAN goes through the tunnel and everything else keeps using the local default route. With a full tunnel the FireBrick must forward or NAT the client's internet traffic, otherwise the client loses connectivity as soon as the tunnel comes up.
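As an added example (not from the original page, nor FireBrick's or strongSwan's own documentation), here is the IPv4+IPv6 request from the section above combined with both tunnel modes in one ipsec.conf fragment. The hostname vpn.example.com, the username alice, the LAN prefixes 192.168.1.0/24 and 2001:db8:1::/64 and the EAP method are assumed placeholders; take the authentication settings from your own <tt>conn firebrick</tt>. The shared settings live in a conn with <tt>auto=ignore</tt> so that they are only pulled in via <tt>also=</tt> and never loaded as a connection of their own.

```ini
# Added example, not from the original page: a strongSwan road-warrior
# ipsec.conf fragment with the shared settings in one conn and the two
# tunnel modes as separate conns that differ only in rightsubnet.
# vpn.example.com, alice, the LAN prefixes and the EAP method are
# assumed placeholders.

conn firebrick-common
    auto=ignore                      # never loaded on its own, only included via also=
    keyexchange=ikev2
    left=%defaultroute               # use the local default route to reach the FireBrick
    leftsourceip=%config4,%config6   # request an IPv4 and an IPv6 virtual address from the Roaming pool
    leftid=alice                     # assumption: the road-warrior username; the eap-identity plugin
                                     # answers the FireBrick's EAP Identity request with it
    leftauth=eap-mschapv2            # assumption: EAP user/password; use the method your FireBrick expects
    right=vpn.example.com            # assumption: the FireBrick's hostname
    rightid=vpn.example.com          # must match a name in the FireBrick's (Let's Encrypt) certificate
    rightauth=pubkey                 # FireBrick authenticates with its certificate, chained to ISRG Root X1

# Full tunnel: every IPv4 and IPv6 destination is sent down the tunnel, so the
# FireBrick has to forward or NAT the client's internet traffic.
conn firebrick-full
    also=firebrick-common
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# Split tunnel: only the FireBrick's LAN prefixes use the tunnel; everything
# else keeps using the local default route.
conn firebrick-split
    also=firebrick-common
    rightsubnet=192.168.1.0/24,2001:db8:1::/64
    auto=add
```

Put the EAP password in /etc/ipsec.secrets as <tt>alice : EAP "..."</tt> (assumed username) and run <tt>ipsec rereadsecrets</tt>, reload the connections as described above, then bring up exactly one of the two with <tt>ipsec up firebrick-full</tt> or <tt>ipsec up firebrick-split</tt>; bringing both up at once would install two competing sets of policies for the same peer.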
For example: