FireBrick Road Warrior strongSwan: Difference between revisions
m (→Certificate) |
m (→Certificate) |
||
| Line 14: | Line 14: | ||
Add your connection to /etc/ipsec.conf: |
Add your connection to /etc/ipsec.conf: |
||
<syntaxhighlight lang=" |
<syntaxhighlight lang="bash"> |
||
conn username # Arbitrary name - doesn't have to be username |
conn username # Arbitrary name - doesn't have to be username |
||
left=%defaultroute # Use your default route to the internet |
left=%defaultroute # Use your default route to the internet |
||
Revision as of 11:16, 25 August 2015
Install Packages
$ sudo apt-get install strongswan libcharon-extra-plugins
libcharon-extra-plugins is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf).
Certificate
Download your CA certificate, and copy to /etc/ipsec.d/cacerts/ on your client box. Strongswan shouldn't mind if PEM or DER.
Add your user to: /etc/ipsec.secrets:
username : EAP "password"
Add your connection to /etc/ipsec.conf:
conn username # Arbitrary name - doesn't have to be username
left=%defaultroute # Use your default route to the internet
leftfirewall=yes # Yes as you may be behind firewall/NAT
leftauth=eap-mschapv2 # Match the EAP method defined on FireBrick
leftid=@peer-ID # Peer ID as defined in FB IPsec IKE setting
leftsourceip=%config # Ask for an IP from the roaming pool
eap_identity=username # Username as in ipsec.secrets and FB config
right=hostname.example.com # Hostname/IP of FireBrick
rightauth=pubkey # FireBrick should be set to auth-method Certificate
rightid=@hostname.example.com # ID of FireBrick
auto=start # Try to connect immediately on startup
Reload settings:
$ sudo service ipsec reload
That should be it.
Split Tunneling
Split tunnelling being where it uses the machine's default route for internet access, this can often can be useful - you may not want to tunnel your normal non-work browsing/streaming through your company's servers.
Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
You use leftsubnet on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need leftsubnet=0.0.0.0/0 to ensure all traffic used the tunnel, and leftsubnet=<serverLAN> for split tunnelling.
For example:
leftsourceip=%config4,%config6
rightsubnet=0.0.0.0/0,::/0