FireBrick Road Warrior strongSwan: Difference between revisions

FireBrick Road Warrior strongSwan (view source)

Revision as of 13:29, 4 January 2019

1,119 bytes added , 4 January 2019

m

→‎strongSwan Config

AA-Andrew

autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators

12,270

edits

Revision as of 11:20, 25 August 2015 (view source) AA-Andrew (talk \| contribs) m (AA-Andrew moved page FireBrick to Debian strongSwan to FireBrick Road Warrior strongSwan) ← Older edit		Revision as of 13:29, 4 January 2019 (view source) AA-Andrew (talk \| contribs) m (→‎strongSwan Config) Newer edit →
(14 intermediate revisions by 3 users not shown)
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg\|link=:Category:~~FireBrick_IPsec_Road_Warrior~~FireBrick IPsec Road Warrior\|30px\|Back up to the FireBrick Road Warrior Category Page]]</indicator> '''FireBrick acting as the ipsec 'server', and configuring a strongSwan/Debian client.''' This example uses strongSwan on Debian, but the config would suit other flavors once you've installed the package(s).▼ ▲This example uses strongSwan on Debian, but the config would suit other ~~flavors~~flavours once you've installed the package(s). *Also see: [[FireBrick to Openswan Strongswan IPsec (Howto)]] ==Install Packages== $ sudo apt-get install strongswan libcharon-extra-plugins maybe also libstrongswan-extra-plugins if you need the curl plugin for strongswan to fetch CA certificates (eg from lets encrypt) libcharon-extra-plugins is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf). ==CA Certificate== Download your CA certificate from the FireBrick, and copy to /etc/ipsec.d/cacerts/ on your client box. Strongswan shouldn't mind if PEM or DER. If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA: ln -s /etc/ssl/certs/DST_Root_CA_X3.pem /etc/ipsec.d/cacerts/DST_Root_CA_X3.pem ==strongSwan Config== <syntaxhighlight lang="bash"> conn ~~username~~firebrick # Arbitrary name - doesn't have to be ~~username~~'firebrick' left=%defaultroute # Use your default route to the internet leftfirewall=yes # Yes as you may be behind firewall/NAT leftauth=eap-mschapv2 # Match the EAP method defined on FireBrick leftid=@peer-ID # Peer ID as defined in FB IPsec IKE setting leftsourceip=%config # Ask for an IP from the roaming pool eap_identity=username # Username as in ipsec.secrets and FB config right=hostname.example.com # Hostname/IP of FireBrick rightauth=pubkey # FireBrick should be set to auth-method Certificate rightid=@hostname.example.com # ID of FireBrick auto=~~start~~route # Try to connect ~~immediately~~ on startup </syntaxhighlight> If the FireBrick is configured to give an IPv6 address in the Roaming pool, then tell strongSwan to request IPv6 too: leftsourceip=%config4,%config6 Reload settings: </syntaxhighlight> If you want to route additional blocks via the tunnel, use rightsubnet, eg: [[Category:FireBrick_IPsec_Road_Warrior\|Debian]]▼ rightsubnet=10.1.0.0/24,10.2.0.0/24,fd00:1::/64,fd00:1::/64 # IPs to route down tunnel ▲[[Category:~~FireBrick_IPsec_Road_Warrior~~FireBrick IPsec Road Warrior\|Debian]] == Further help== ipsec up <username> # manually attempt to bring up the connection - look for errors ipsec listcacerts # check if your cert is loaded ipsec statusall