This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).
==Install Packages==
==CA Certificate==
Usually you can use ACME and Let's Encrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this.
If using a manually created certificate, download your CA certificate from the FireBrick and copy it to <tt>/etc/ipsec.d/cacerts/</tt> on your client box. strongSwan shouldn't mind whether it is PEM or DER.
If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA:
Here's some strongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
You use <tt>leftsubnet</tt> on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need <tt>leftsubnet=0.0.0.0/0</tt> to ensure all traffic used the tunnel, and <tt>leftsubnet=<serverLAN></tt> for split tunnelling.
For example: