FireBrick Road Warrior strongSwan
Install Packages
$ sudo apt-get install strongswan libcharon-extra-plugins
libcharon-extra-plugins is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf).
Certificate
Download your CA certificate and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan shouldn't mind whether it is PEM or DER.
Add your user to /etc/ipsec.secrets:
username : EAP "password"
Add your connection to /etc/ipsec.conf:
conn username                       # Arbitrary name - doesn't have to be username
    left=%defaultroute              # Use your default route to the internet
    leftfirewall=yes                # Yes as you may be behind firewall/NAT
    leftauth=eap-mschapv2           # Match the EAP method defined on FireBrick
    leftid=@peer-ID                 # Peer ID as defined in FB IPsec IKE setting
    leftsourceip=%config            # Ask for an IP from the roaming pool
    eap_identity=username           # Username as in ipsec.secrets & FB config
    right=hostname.example.com      # Hostname/IP of FireBrick
    rightauth=pubkey                # FireBrick should be set to auth-method Certificate
    rightid=@hostname.example.com   # ID of FireBrick
    auto=start                      # Try to connect immediately on startup
Reload settings:
$ sudo service ipsec reload
That should be it.
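If the tunnel does not come up, the usual cause is a mismatch between the two files edited above. The following is an added example, not part of the original page or of strongSwan: a small checker that parses ipsec.conf and ipsec.secrets text and reports where a conn departs from this setup. The function names and the embedded sample files are constructed for illustration and reuse the page's placeholder values.

```python
import re

# Constructed sample files mirroring the page's placeholders (not real credentials).
SAMPLE_CONF = """\
conn username
    left=%defaultroute
    leftauth=eap-mschapv2   # EAP method defined on the FireBrick
    leftid=@peer-ID
    eap_identity=username
    right=hostname.example.com
    rightauth=pubkey
    rightid=@hostname.example.com
    auto=start
"""
SAMPLE_SECRETS = 'username : EAP "password"\n'

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header starts at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) > 1 else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def eap_users(text):
    """Return the identities that have an EAP secret in ipsec.secrets-style text."""
    return set(re.findall(r'^\s*(\S+)\s*:\s*EAP\s+\S', text, re.MULTILINE))

def check(conf_text, secrets_text):
    """Return a list of problems per conn, relative to the setup described on this page."""
    users, problems = eap_users(secrets_text), []
    for name, c in parse_conns(conf_text).items():
        if c.get("leftauth") != "eap-mschapv2":
            problems.append(f"{name}: leftauth is not eap-mschapv2")
        if c.get("rightauth") != "pubkey":
            problems.append(f"{name}: rightauth is not pubkey (FireBrick not authenticated by certificate)")
        if not c.get("rightid"):
            problems.append(f"{name}: rightid is not set")
        if c.get("eap_identity") not in users:
            problems.append(f"{name}: eap_identity has no EAP entry in ipsec.secrets")
    return problems
```

To run it against the real files, read /etc/ipsec.conf and /etc/ipsec.secrets (root is needed for the latter) and pass their contents to `check()`; an empty list means the two files agree with each other.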