FireBrick Road Warrior strongSwan: Difference between revisions
Latest revision as of 13:41, 4 July 2022
FireBrick acting as the ipsec 'server', and configuring a strongSwan/Debian client.
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).
See also: FireBrick to Openswan Strongswan IPsec (Howto)
Install Packages
$ sudo apt-get install strongswan libcharon-extra-plugins
You may also want libstrongswan-extra-plugins if you need the curl plugin for strongswan to fetch CA certificates (eg from Let's Encrypt).
libcharon-extra-plugins is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf).
CA Certificate
Usually you can use ACME and Let's Encrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this.
If using a manually created certificate, download your CA certificate from the FireBrick and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan accepts either PEM or DER.
If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA:
ln -s /etc/ssl/certs/ISRGRootX1.pem /etc/ipsec.d/cacerts/ISRGRootX1.pem
strongSwan Config
Add your user to /etc/ipsec.secrets:
username : EAP "password"
Add your connection to /etc/ipsec.conf:
conn firebrick # Arbitrary name - doesn't have to be 'firebrick'
left=%defaultroute # Use your default route to the internet
leftfirewall=yes # Yes as you may be behind firewall/NAT
leftauth=eap-mschapv2 # Match the EAP method defined on FireBrick
leftid=@peer-ID # Peer ID as defined in FB IPsec IKE setting
leftsourceip=%config # Ask for an IP from the roaming pool
eap_identity=username # Username as in ipsec.secrets and FB config
right=hostname.example.com # Hostname/IP of FireBrick
rightauth=pubkey # FireBrick should be set to auth-method Certificate
rightid=@hostname.example.com # ID of FireBrick
auto=route # Try to connect on startup
If the FireBrick is configured to give an IPv6 address in the Roaming pool, then tell strongSwan to request IPv6 too:
leftsourceip=%config4,%config6
Reload settings:
$ sudo service ipsec reload
That should be it.
Split Tunneling
Split tunnelling is where the client keeps using the machine's default route for general internet access and only sends traffic for the remote networks through the tunnel. This is often useful: you may not want to tunnel your normal non-work browsing/streaming through your company's servers.
Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
The subnet you declare for the FireBrick side (rightsubnet in the client config, as in the examples below) decides whether the tunnel becomes the default gateway: rightsubnet=0.0.0.0/0 sends all traffic down the tunnel, while rightsubnet=<serverLAN> gives you split tunnelling.
For example:
leftsourceip=%config4,%config6
rightsubnet=0.0.0.0/0,::/0
If you want to route additional blocks via the tunnel, use rightsubnet, eg:
rightsubnet=10.1.0.0/24,10.2.0.0/24,fd00:1::/64 # IPs to route down tunnel
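To sanity-check a client config against the settings this page relies on (the conn block and ipsec.secrets line above, and the rightsubnet rule for full versus split tunnelling), here is an added Python example that is not part of the original wiki page or of strongSwan. It parses the two files in the formats shown here, flags settings that would stop the FireBrick having to prove its certificate or that would break the EAP login, and reports the tunnel mode; the conn block and secrets line inside it are constructed samples, while the key names are the real strongSwan ones used on this page.

```python
import re
from ipaddress import ip_network

# Constructed samples modelled on this page's conn block and secrets line (not live files).
IPSEC_CONF = """
conn firebrick
    leftauth=eap-mschapv2          # must match the EAP method on the FireBrick
    leftsourceip=%config4,%config6
    eap_identity=username
    right=hostname.example.com
    rightauth=pubkey
    rightid=@hostname.example.com
    rightsubnet=10.1.0.0/24,fd00:1::/64
"""
IPSEC_SECRETS = 'username : EAP "password"\n'

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn block, dropping '#' comments."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def eap_users(secrets):
    """Identities that have an EAP secret in ipsec.secrets."""
    return {m.group(1) for m in re.finditer(r'^(\S+)\s*:\s*EAP\s+"', secrets, re.M)}

def check_conn(conn, users):
    """Settings that would weaken server authentication or break the EAP login."""
    findings = []
    if conn.get("rightauth") != "pubkey":
        findings.append("rightauth!=pubkey: FireBrick is not required to prove its certificate")
    if not conn.get("rightid"):
        findings.append("rightid missing: server certificate identity is not pinned")
    if conn.get("eap_identity") not in users:
        findings.append("eap_identity has no EAP line in ipsec.secrets")
    return findings

def tunnel_mode(conn):
    """'full' if rightsubnet contains a /0, 'split' for named blocks, 'host-only' if unset."""
    if "rightsubnet" not in conn:
        return "host-only"
    nets = [ip_network(n.strip()) for n in conn["rightsubnet"].split(",")]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"
```

Run it against your own /etc/ipsec.conf and /etc/ipsec.secrets contents instead of the constructed strings; an empty findings list and the tunnel mode you intended is what you want to see before trying ipsec up.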
Further help
ipsec up firebrick # manually attempt to bring up the connection (use your conn name) - look for errors
ipsec listcacerts # check if your CA cert is loaded
ipsec statusall