FireBrick Road Warrior strongSwan: Difference between revisions
Content deleted Content added
→strongSwan Config: more syntaxhighlight |
|||
| (4 intermediate revisions by one other user not shown) | |||
| Line 4: | Line 4: | ||
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s). |
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s). |
||
See also: [[FireBrick to Openswan Strongswan IPsec (Howto)]] |
|||
==Install Packages== |
==Install Packages== |
||
| Line 15: | Line 16: | ||
==CA Certificate== |
==CA Certificate== |
||
Usually you can use ACME and Letsencrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this. |
|||
| ⚫ | |||
| ⚫ | |||
If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA: |
If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA: |
||
ln -s /etc/ssl/certs/ |
ln -s /etc/ssl/certs/ISRGRootX1.pem /etc/ipsec.d/cacerts/ISRGRootX1.pem |
||
==strongSwan Config== |
==strongSwan Config== |
||
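Review bot: the completed symlink on the right-hand side fixes the truncated `ln -s /etc/ssl/certs/` line, but the step is missing what makes it take effect: strongSwan reads /etc/ipsec.d/cacerts when it starts, so the section should follow the `ln -s` with `ipsec rereadcacerts` (or a restart of the strongswan service). Two further points belong here. First, the filename should be verified on the target host (`ls /etc/ssl/certs | grep -i isrg`), since Debian's ca-certificates package installs the Mozilla roots with underscores in the name (`ISRG_Root_X1.pem`), and the symlink target must exist before the link is useful; that package is a prerequisite worth listing under Install Packages. Second, trusting ISRG Root X1 as an IPsec CA means any Let's Encrypt certificate chains to a trusted root, so the road-warrior conn should pin the peer identity with `rightid=` set to the hostname in the FireBrick's certificate; a sentence saying so would stop readers from accepting any publicly issued certificate as the gateway.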
| Line 59: | Line 62: | ||
Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling |
Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling |
||
You use leftsubnet on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need leftsubnet=0.0.0.0/0 to ensure all traffic used the tunnel, and leftsubnet=<serverLAN> for split tunnelling. |
You use <tt>leftsubnet</tt> on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need <tt>leftsubnet=0.0.0.0/0</tt> to ensure all traffic used the tunnel, and <tt>leftsubnet=<serverLAN></tt> for split tunnelling. |
||
For example: |
For example: |
||
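Review bot: this paragraph should state which end `left` is in the conn it describes. In ipsec.conf `left` and `right` are not fixed to client and server; strongSwan treats as local whichever side's address matches a local interface, and `leftsubnet`/`rightsubnet` are the traffic selectors for that side. On a road warrior written in the usual way, with `left=%defaultroute`, the selector that decides whether all traffic enters the tunnel is `rightsubnet=0.0.0.0/0`, and `leftsubnet=0.0.0.0/0` is only correct when the conn names the FireBrick as `left`. A one-line reminder of the orientation used in the example that follows would prevent a reader from routing everything into the tunnel by mistake, or getting no split-tunnel routes at all.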