FireBrick Road Warrior strongSwan Network Manager: Difference between revisions

From AAISP Support Site
mNo edit summary
(Fix syntax)
 
(6 intermediate revisions by one other user not shown)
Line 2: Line 2:


'''FireBrick acting as the ipsec 'server', and configuring a strongSwan client on Fedora using Network Manager.'''
'''FireBrick acting as the ipsec 'server', and configuring a strongSwan client on Fedora using Network Manager.'''





Line 7: Line 8:
*Also see: [[FireBrick_Road_Warrior_strongSwan]] (setting up via non-network manager
*Also see: [[FireBrick_Road_Warrior_strongSwan]] (setting up via non-network manager
*Also see: [[FireBrick to Openswan Strongswan IPsec (Howto)]]
*Also see: [[FireBrick to Openswan Strongswan IPsec (Howto)]]
*Also see the official StrongSwan network manager page: https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager



===Install Packages===
===Install Packages===


Fedora:
dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome -y
dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome -y
Ubuntu:
apt install network-manager-strongswan


===Certificate Installation===
===(optional) Certificate Installation on the client===

If you're using self-signed certs, generated by the FireBrick then do the following, otherwise (eg if you are using the easily installed Let's Encrypt cert on the FireBrick then you can skip this stage)


#Go to your VPN end point FireBrick and log in.
#Go to your VPN end point FireBrick and log in.
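Review bot: The new introduction to the certificate section opens a parenthesis after "otherwise" and only closes it at the very end, so the "you can skip this stage" clause reads as part of the aside. Split it into two sentences: one saying when to follow the steps (self-signed certs generated by the FireBrick), one saying when to skip them (Let's Encrypt cert on the FireBrick). The same hunk adds an Ubuntu install line while the bold summary above still says the client is Fedora, so the summary should be widened to match.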
Line 20: Line 26:
##sudo cp /home/user/brick-ca-cert.crt /etc/ssl/certs/
##sudo cp /home/user/brick-ca-cert.crt /etc/ssl/certs/


Note: When doing this with a LetsEncrypt Cert it is the DST-Root-CA-X3 cert not the Let'sEncryptAuthorityX3 cert that is needed in /etc/ssl/certs/. This only seems to be for Linux as iOS, OSX, Window 10 and Android-strongswan all work with the Let'sEncryptAuthorityX3 cert.
Note: When doing this with a LetsEncrypt Cert it is the ISRG-Root-X1.pem cert not the Let'sEncryptAuthorityX3 cert that is needed in /etc/ssl/certs/. This only seems to be for Linux as iOS, OSX, Window 10 and Android-strongswan all work with the Let'sEncryptAuthorityX3 cert. - the ISRG-Root-X1 is usually already installed by the OS.


===Set Up VPN===
===Set Up VPN===
#Open up “Settings” and then select “Network” :
#Open up “Settings” and then select “Network” (pic below)
#Click the + button to create a new VPN:
#Click the + button to create a new VPN (pic below)
#Select “Ipsec/IKEv2 (strongswan)”
#Select “Ipsec/IKEv2 (strongswan)” (pic below)
#Enter the name of VPN connection
#Enter the name of VPN connection
#Enter the address of the Firebrick the VPN is going to connect to.
#Enter the address of the Firebrick the VPN is going to connect to.
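Review bot: The revised note says ISRG-Root-X1.pem is "needed in /etc/ssl/certs/" and then appends "- the ISRG-Root-X1 is usually already installed by the OS", which leaves the reader unsure whether anything has to be copied. State the check first (look for the file in /etc/ssl/certs/, copy it only if it is absent) and make the trailing clause its own sentence. The note also refers to the cert as both "ISRG-Root-X1.pem" and "ISRG-Root-X1", and "Window 10" is still misspelled on the changed line.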
Line 32: Line 38:
#Select required “Options”.
#Select required “Options”.
#Click Add in the top right
#Click Add in the top right

<gallery>
strongswan-networkmanager-settings.png|Network settings
strongswan-networkmanager-new.png|Create a New VPN
strongswan-networkmanager-config.png|ipsec config
strongswan-networkmanager-config2.png|Split tunnel option
</gallery>



You should now be ready to connect, either click the VPN on in settings or from the network icon in the top right of your screen.
You should now be ready to connect, either click the VPN on in settings or from the network icon in the top right of your screen.


If you require split tunnelling then please select the IPv4 and IPv6 tabs and tick the box for “Use this connection only for resources on its network”
If you require split tunnelling then please select the IPv4 and IPv6 tabs and tick the box for “Use this connection only for resources on its network” (pic above)


[Category:FireBrick IPsec Road Warrior|Network Manager]]
[[Category:FireBrick IPsec Road Warrior|Network Manager]]
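Review bot: The "(pic above)" added to the split tunnelling paragraph, like the "(pic below)" markers on the setup steps, is a positional reference that breaks as soon as the gallery moves. Refer to the images by caption instead, for example "see 'Split tunnel option' in the gallery". While touching this block, the unchanged sentence "either click the VPN on in settings" would also benefit from rewording.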

Latest revision as of 23:55, 30 June 2022


FireBrick acting as the ipsec 'server', and configuring a strongSwan client on Fedora using Network Manager.


This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).

Install Packages

Fedora:

dnf install NetworkManager-strongswan  NetworkManager-strongswan-gnome -y

Ubuntu:

apt install network-manager-strongswan

(optional) Certificate Installation on the client

If you're using self-signed certs generated by the FireBrick, do the following. Otherwise (e.g. if you are using the easily installed Let's Encrypt cert on the FireBrick), you can skip this stage.

  1. Go to your VPN end point FireBrick and log in.
  2. Download the certificate from the FireBrick in “DER” format.
  3. Copy or move the cert to /etc/ssl/certs/ :
    1. sudo cp /home/user/brick-ca-cert.crt /etc/ssl/certs/

Note: When doing this with a Let's Encrypt cert, it is the ISRG-Root-X1.pem cert, not the Let'sEncryptAuthorityX3 cert, that is needed in /etc/ssl/certs/. This only seems to be for Linux, as iOS, OSX, Windows 10 and Android-strongswan all work with the Let'sEncryptAuthorityX3 cert. The ISRG-Root-X1 cert is usually already installed by the OS.

Set Up VPN

  1. Open up “Settings” and then select “Network” (pic below)
  2. Click the + button to create a new VPN (pic below)
  3. Select “Ipsec/IKEv2 (strongswan)” (pic below)
  4. Enter the name of the VPN connection.
  5. Enter the address of the FireBrick the VPN is going to connect to.
  6. Select “EAP” Authentication
  7. Click the icon, select the password option you wish, and enter the password if needed.
  8. Select required “Options”.
  9. Click Add in the top right


You should now be ready to connect: either switch the VPN on in Settings, or use the network icon in the top right of your screen.

If you require split tunnelling, select the IPv4 and IPv6 tabs and tick the box for “Use this connection only for resources on its network” on each (pic above).
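
To confirm what the steps above actually saved, the profile NetworkManager writes under /etc/NetworkManager/system-connections/ can be read back and checked. This is an added example, not part of the original wiki page; the keyfile key names are assumed from the NetworkManager-strongswan plugin, and the sample profile, hostname and user are constructed.

```sh
# Added example: audit a saved NetworkManager strongSwan profile (key names assumed).
# get_key FILE SECTION KEY: print the value, or nothing if the key is absent
get_key() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# audit_profile FILE: print one finding per line
audit_profile() {
    [ "$(get_key "$1" vpn service-type)" = "org.freedesktop.NetworkManager.strongswan" ] \
        || { echo "not-strongswan"; return 1; }
    echo "gateway=$(get_key "$1" vpn address)"
    echo "auth=$(get_key "$1" vpn method)"
    # No certificate key means the plugin falls back to the system CA directory
    if [ -n "$(get_key "$1" vpn certificate)" ]; then echo "ca=pinned"; else echo "ca=system-store"; fi
    # NetworkManager secret flags: 0 = saved in the keyfile, 1 = held by a keyring agent
    case "$(get_key "$1" vpn password-flags)" in
        ""|0) echo "password=saved-in-keyfile" ;;
        1)    echo "password=agent-keyring" ;;
        *)    echo "password=not-saved-or-not-required" ;;
    esac
    # never-default=true is what the split-tunnel tick box writes, per address family
    for fam in ipv4 ipv6; do
        if [ "$(get_key "$1" "$fam" never-default)" = "true" ]; then
            echo "$fam=split-tunnel"
        else
            echo "$fam=full-tunnel"
        fi
    done
}

# Constructed sample profile; hostname and user are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[vpn]
address=vpn.example.net
method=eap
password-flags=1
user=roadwarrior
service-type=org.freedesktop.NetworkManager.strongswan
[ipv4]
never-default=true
[ipv6]
method=auto
EOF
audit_profile "$sample"
```

In the sample the box was ticked on the IPv4 tab only, so the audit reports IPv6 as still full-tunnel; on a real system the file is root-readable only and must be read with sudo.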