
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior strongSwan

AA-Andrew (talk | contribs)
==Install Packages==

 $ sudo apt-get install strongswan libcharon-extra-plugins

libcharon-extra-plugins is needed for the eap-identity plugin, which is required to connect to...

==Certificate==

Download your CA certificate and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan shouldn't mind whether it is PEM or DER. This certificate is the trust anchor for the connection: it is what lets the client verify that the gateway it reaches really is your FireBrick, so fetch it over a channel you trust rather than an unauthenticated one.


Add your user to <syntaxhighlight inline>/etc/ipsec.secrets</syntaxhighlight>:

<syntaxhighlight>
username : EAP "password"
</syntaxhighlight>

The password is stored in clear text, so keep this file readable by root only (mode 0600).


Add your connection to <syntaxhighlight inline>/etc/ipsec.conf</syntaxhighlight> (the parameter lines must be indented under the conn line):

<syntaxhighlight>
conn username # Arbitrary name - doesn't have to be username
    left=%defaultroute # Use your default route to the internet
    # ... remaining settings for this connection are not shown here
    rightid=@hostname.example.com # ID of FireBrick
    auto=start # Try to connect immediately on startup
</syntaxhighlight>

rightid is compared with the identity in the certificate the FireBrick presents, so it has to match what that certificate carries; the leading @ tells strongSwan to treat the name as an FQDN identity rather than something to resolve.


Reload settings:

$ sudo service ipsec reload

That should be it.


==Split Tunnelling==

Split tunnelling is where the machine keeps using its own default route for ordinary internet access and only sends traffic for the remote network through the VPN. This is often what you want: you probably don't want your normal non-work browsing/streaming going through your company's servers.

Here's some strongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

On the strongSwan road warrior it is rightsubnet (the remote side's traffic selector) that determines what goes through the tunnel: rightsubnet=0.0.0.0/0 (plus ::/0 for IPv6) sends all traffic through the tunnel and makes the FireBrick your default gateway, while rightsubnet=<serverLAN> gives you split tunnelling with only the server's LAN routed via the VPN. leftsubnet is the local selector; with leftsourceip=%config it is set to the virtual address the FireBrick hands out, so it is not the setting to change here.

For example, the full-tunnel form, requesting an IPv4 and an IPv6 virtual address from the FireBrick:

<syntaxhighlight>
leftsourceip=%config4,%config6
rightsubnet=0.0.0.0/0,::/0
</syntaxhighlight>

For split tunnelling, replace the rightsubnet value with the server-side prefix or prefixes.
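The following script is an added example for the whole client-side procedure above (CA certificate, ipsec.secrets, the ipsec.conf connection, and the full-tunnel versus split-tunnel choice of rightsubnet); it is not code from this wiki, from AAISP or from the strongSwan project. It writes the files under a scratch DESTDIR so the result can be inspected without touching /etc. The conn layout it generates assumes IKEv2, EAP password authentication for the client and public-key authentication for the FireBrick (keyexchange, leftid, leftauth, right and rightauth are standard ipsec.conf keywords, but the page does not show which of them the real FireBrick connection uses), and the CA file used in the demo is a constructed stand-in, not a real certificate.

```sh
#!/bin/sh
# Added example (not from the AAISP wiki or strongSwan): generate the client-side
# strongSwan files for a FireBrick road-warrior connection under DESTDIR.
# Assumed, not stated on the page: IKEv2, EAP password auth for the client,
# public-key auth for the FireBrick, conn keywords leftid/leftauth/right/rightauth.
set -eu

# Copy the CA certificate (PEM or DER) into strongSwan's trust-anchor directory.
install_cacert() {  # install_cacert DESTDIR CAFILE
  dir="$1/etc/ipsec.d/cacerts"
  mkdir -p "$dir"
  install -m 0644 "$2" "$dir/"   # a CA certificate is public; 0644 is fine
}

# Append the EAP credential line. The password is stored in clear text, so the
# file is created root-only (0600) before anything is written to it.
write_secret() {  # write_secret DESTDIR USERNAME PASSWORD
  f="$1/etc/ipsec.secrets"
  mkdir -p "$1/etc"
  case "$3" in
    *\"*) echo "password must not contain a double quote" >&2; return 1 ;;
  esac
  ( umask 077; : >> "$f" )     # create with 0600 if it does not exist yet
  chmod 0600 "$f"              # and tighten it if it already existed
  printf '%s : EAP "%s"\n' "$2" "$3" >> "$f"
}

# Append a road-warrior connection. MODE is "full" (all IPv4 and IPv6 traffic
# through the tunnel, FireBrick becomes the default gateway) or "split" (only
# the given server-side prefixes; the rest keeps using the machine's own route).
write_conn() {  # write_conn DESTDIR NAME GATEWAY USERNAME MODE [PREFIXES]
  mkdir -p "$1/etc"
  case "$5" in
    full)  subnets="0.0.0.0/0,::/0" ;;
    split) subnets="${6:-}"
           [ -n "$subnets" ] || { echo "split mode needs the server-side prefixes" >&2; return 1; } ;;
    *)     echo "mode must be full or split" >&2; return 1 ;;
  esac
  cat >> "$1/etc/ipsec.conf" <<EOF
conn $2
    keyexchange=ikev2
    left=%defaultroute
    leftsourceip=%config4,%config6
    leftid=$4
    leftauth=eap
    right=$3
    rightid=@$3
    rightauth=pubkey
    rightsubnet=$subnets
    auto=start
EOF
}

# Read back what was written, so a caller (or a test) can check the result.
conn_subnets() { sed -n 's/^ *rightsubnet=//p' "$1/etc/ipsec.conf" | tail -n 1; }
secrets_mode() { stat -c '%a' "$1/etc/ipsec.secrets"; }

# Demo against a scratch directory:  sh roadwarrior.sh demo
# On a real client call the functions with DESTDIR="" (files land in /etc), then:
#   sudo service ipsec reload; sudo ipsec listcacerts; sudo ipsec statusall
# (listcacerts should show the FireBrick CA, statusall the conn as ESTABLISHED
# with the rightsubnet you chose).
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  printf 'constructed stand-in for the FireBrick CA certificate\n' > "$tmp/ca.pem"
  install_cacert "$tmp" "$tmp/ca.pem"
  write_secret "$tmp" alice 'correct horse battery staple'
  write_conn "$tmp" work hostname.example.com alice split 192.0.2.0/24,2001:db8::/48
  cat "$tmp/etc/ipsec.conf"; ls -l "$tmp/etc/ipsec.secrets"
fi
```

The script refuses passwords containing a double quote because ipsec.secrets has no escape for one inside the quoted value, and it creates the secrets file under umask 077 rather than chmod'ing it afterwards so the clear-text password is never briefly world-readable. The mode argument makes the full/split decision explicit: it is the rightsubnet value, not leftsubnet, that changes between the two.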