FireBrick Road Warrior strongSwan: Difference between revisions

From AAISP Support Site
(8 intermediate revisions by the same user not shown)
Revision as of 13:29, 4 January 2019


FireBrick acting as the IPsec 'server', with a strongSwan client on Debian.

This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).

Install Packages

$ sudo apt-get install strongswan libcharon-extra-plugins

You may also need libstrongswan-extra-plugins if you want the curl plugin, so that strongSwan can fetch CA certificates (e.g. from Let's Encrypt).

libcharon-extra-plugins provides the eap-identity plugin, which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf).

CA Certificate

Download your CA certificate from the FireBrick and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan accepts either PEM or DER.

If you're using a Let's Encrypt cert on the FireBrick (which is easy), you'll need to symlink the system CA:

ln -s /etc/ssl/certs/DST_Root_CA_X3.pem /etc/ipsec.d/cacerts/DST_Root_CA_X3.pem

Check which root the FireBrick's certificate chain actually ends in before linking: Let's Encrypt has changed roots since this was written (DST Root CA X3 expired in September 2021 and current chains end in ISRG Root X1), so link whichever root file in /etc/ssl/certs/ matches your chain.
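As an added example (not part of the AAISP page or of strongSwan itself), the following shell functions do the copy and symlink steps above with the checks a practitioner would want: they tell PEM from DER, refuse files that are neither, keep the installed file non-writable by others, and won't create a dangling link when the expected root is not in the system store. The destination defaults to /etc/ipsec.d/cacerts/ from the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AAISP page: helpers for putting a CA certificate
# where strongSwan looks for it. The destination defaults to the page's
# /etc/ipsec.d/cacerts/ but is a parameter so the functions can be tried against
# a scratch directory. Function names are this example's own.

# Print the encoding of a certificate file: pem, der or unknown.
# PEM carries a BEGIN CERTIFICATE armour line; DER begins with an ASN.1
# SEQUENCE tag (0x30) followed by a length byte (0x82 for certificate-sized
# objects, 0x81 or a short-form value for small ones).
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
        return 0
    fi
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        3082|3081|30[0-7]?) echo der ;;
        *) echo unknown ;;
    esac
}

# Copy SRC into DESTDIR and print the installed path. strongSwan reads PEM or
# DER, as the page says; DER is converted to PEM when openssl is available so
# the file can be inspected with ordinary tools. Anything else is rejected.
install_cacert() {
    src=$1
    destdir=${2:-/etc/ipsec.d/cacerts}
    base=$(basename "$src")
    case "$(cert_format "$src")" in
        pem)
            dest="$destdir/$base"
            cp "$src" "$dest" || return 1
            ;;
        der)
            if command -v openssl >/dev/null 2>&1; then
                dest="$destdir/${base%.*}.pem"
                openssl x509 -inform DER -in "$src" -out "$dest" || return 1
            else
                dest="$destdir/$base"
                cp "$src" "$dest" || return 1
            fi
            ;;
        *)
            echo "$src: not a PEM or DER certificate" >&2
            return 1
            ;;
    esac
    # A trust anchor may be world-readable but must not be writable by anyone
    # except its owner: a writable CA store lets a local user add a trusted CA.
    chmod 0644 "$dest"
    echo "$dest"
}

# The page's Let's Encrypt case: link a root from the system store into the
# strongSwan store, refusing to create a dangling link if that root is absent.
link_system_root() {
    root=$1                          # e.g. DST_Root_CA_X3.pem as on the page
    destdir=${2:-/etc/ipsec.d/cacerts}
    sysdir=${3:-/etc/ssl/certs}
    if [ ! -f "$sysdir/$root" ]; then
        echo "$sysdir/$root not found: check which root the FireBrick's chain ends in" >&2
        return 1
    fi
    ln -sf "$sysdir/$root" "$destdir/$root"
}
```

Source the file and run install_cacert /path/to/firebrick-ca.der (as root, since the default destination is under /etc), or link_system_root DST_Root_CA_X3.pem for the Let's Encrypt case; both default to the page's directories. After either, ipsec listcacerts (see Further help below) confirms that charon actually picked the certificate up.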

strongSwan Config

Add your user to /etc/ipsec.secrets (the password is stored in clear text, so keep the file root-owned and mode 0600):

username : EAP "password"

Add your connection to /etc/ipsec.conf:

conn firebrick                        # Arbitrary name - doesn't have to be 'firebrick'
        left=%defaultroute            # Use your default route to the internet
        leftfirewall=yes              # Yes as you may be behind firewall/NAT
        leftauth=eap-mschapv2         # Match the EAP method defined on FireBrick
        leftid=@peer-ID               # Peer ID as defined in FB IPsec IKE setting
        leftsourceip=%config          # Ask for an IP from the roaming pool
        eap_identity=username         # Username as in ipsec.secrets and FB config
        right=hostname.example.com    # Hostname/IP of FireBrick
        rightauth=pubkey              # FireBrick should be set to auth-method Certificate
        rightid=@hostname.example.com # ID of FireBrick
        auto=route                    # Try to connect on startup

If the FireBrick is configured to give an IPv6 address in the Roaming pool, then tell strongSwan to request IPv6 too:

leftsourceip=%config4,%config6 

Reload settings:

$ sudo service ipsec reload

That should be it.

Split Tunneling

Split tunnelling is where the client keeps using the machine's default route for ordinary internet access and only sends traffic for the server's networks through the tunnel. This is often useful: you may not want your normal non-work browsing or streaming routed through your company's servers.

Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

On the strongSwan road warrior it is rightsubnet (the FireBrick's side of the tunnel, as in the examples below) that decides whether the tunnel becomes the default route: rightsubnet=0.0.0.0/0 (and ::/0 for IPv6) sends all traffic through the tunnel, while rightsubnet=<serverLAN> gives split tunnelling, with everything else using the machine's normal default route.

For example:

        leftsourceip=%config4,%config6
        rightsubnet=0.0.0.0/0,::/0

If you want to route additional blocks via the tunnel, use rightsubnet, eg:

        rightsubnet=10.1.0.0/24,10.2.0.0/24,fd00:1::/64,fd00:2::/64      # IPs to route down tunnel
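The conn block, the secrets line and the split-tunnelling variants above can all be produced from one template. The script below is an added example (not from the AAISP page or the strongSwan project): gen_conn emits the page's conn block with rightsubnet set for either a full or a split tunnel and validates each CIDR first, gen_secret emits the ipsec.secrets line, and check_secrets_perms confirms the secrets file is not readable by other users. Function names are this example's own; hostname.example.com, peer-ID and the subnets are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the AAISP page: build the ipsec.conf conn block and the
# ipsec.secrets line from the page's template, switching between a full tunnel
# (rightsubnet=0.0.0.0/0,::/0) and split tunnelling (only the listed subnets),
# and check the secrets file's permissions. Function names are this example's own.

# Syntactic check of an IPv4 or IPv6 CIDR (octet ranges are not checked).
# strongSwan would reject a malformed rightsubnet anyway, but the error is clearer here.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' && return 0
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){1,7}/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# gen_conn NAME FIREBRICK_HOST PEER_ID USERNAME MODE [SUBNETS]
# MODE is "full" (everything through the tunnel) or "split" (only SUBNETS, a
# comma-separated list of CIDRs). Prints the conn block on stdout.
gen_conn() {
    name=$1; host=$2; peerid=$3; user=$4; mode=$5; subnets=$6
    case "$mode" in
        full) rs='0.0.0.0/0,::/0' ;;
        split)
            [ -n "$subnets" ] || { echo "split mode needs a subnet list" >&2; return 1; }
            rs=$subnets
            ;;
        *) echo "mode must be full or split" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for s in $rs; do
        if ! valid_cidr "$s"; then
            IFS=$old_ifs
            echo "bad subnet: $s" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    cat <<EOF
conn $name                            # conn name; use it with 'ipsec up $name'
        left=%defaultroute
        leftfirewall=yes
        leftauth=eap-mschapv2         # must match the EAP method on the FireBrick
        leftid=@$peerid
        leftsourceip=%config4,%config6
        eap_identity=$user
        right=$host
        rightauth=pubkey
        rightid=@$host
        rightsubnet=$rs               # $mode tunnel
        auto=route
EOF
}

# gen_secret USERNAME PASSWORD: the ipsec.secrets entry. The page quotes the
# password; a password containing a double quote would end the string early,
# so such passwords are refused rather than written out wrongly.
gen_secret() {
    case "$2" in
        *\"*) echo "password contains a double quote; choose another" >&2; return 1 ;;
    esac
    printf '%s : EAP "%s"\n' "$1" "$2"
}

# ipsec.secrets holds the EAP password in clear text. It should be root-owned
# with mode 0600; anything group- or world-readable hands the password to
# every local account.
check_secrets_perms() {
    f=${1:-/etc/ipsec.secrets}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f")          # GNU stat, as on Debian
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode, run: chmod 600 $f" >&2; return 1 ;;
    esac
}
```

Typical use is gen_conn firebrick hostname.example.com peer-ID username split '10.1.0.0/24,fd00:1::/64' >> /etc/ipsec.conf and gen_secret username 'password' >> /etc/ipsec.secrets, followed by check_secrets_perms and the page's service ipsec reload. Passing full instead of split produces the rightsubnet=0.0.0.0/0,::/0 example above.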

Further help

ipsec up <username>  # manually attempt to bring up the connection (<username> is the conn name, 'firebrick' in the config above) - look for errors
ipsec listcacerts    # check that your CA cert is loaded
ipsec statusall      # show IKE and CHILD SAs, including the traffic selectors actually installed
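Reading ipsec statusall by eye is error-prone, so here is an added example (not from the page or from strongSwan) that parses its output: sa_state reports whether the conn's IKE SA is ESTABLISHED, sa_remote_selectors lists the remote traffic selectors of the installed CHILD SAs, and check_tunnel_scope verifies that a default route is installed when a full tunnel was intended and absent when split tunnelling was. STATUS_SAMPLE and SPLIT_SAMPLE are constructed to follow the shape of real statusall output; the addresses, SPIs and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AAISP page: answer from `ipsec statusall` output
# the two questions the page's diagnostic commands are for. Is the conn up, and
# does the installed traffic selector match the intended tunnel scope?
# The two samples are constructed to mirror the layout of real output; the
# addresses and SPIs are placeholders.

STATUS_SAMPLE='Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0, x86_64):
  uptime: 3 minutes, since Jan 04 13:20:01 2019
Security Associations (1 up, 0 connecting):
   firebrick[1]: ESTABLISHED 2 minutes ago, 192.0.2.10[peer-ID]...198.51.100.1[hostname.example.com]
   firebrick[1]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, EAP reauthentication in 2 hours
   firebrick{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80001_i c0a80002_o
   firebrick{1}:   10.0.0.5/32 === 0.0.0.0/0'

SPLIT_SAMPLE='Security Associations (1 up, 0 connecting):
   firebrick[2]: ESTABLISHED 10 seconds ago, 192.0.2.10[peer-ID]...198.51.100.1[hostname.example.com]
   firebrick{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c0a80003_i c0a80004_o
   firebrick{2}:   10.0.0.5/32 === 10.1.0.0/24 10.2.0.0/24'

# sa_state CONN: state of the IKE SA for CONN (ESTABLISHED, CONNECTING, ...),
# or DOWN if no SA for that conn appears at all. Reads statusall output on stdin.
sa_state() {
    st=$(awk -v c="$1" '
        $0 ~ ("^ *" c "\\[[0-9]+\\]: ") { sub(("^ *" c "\\[[0-9]+\\]: "), ""); print $1; exit }')
    echo "${st:-DOWN}"
}

# sa_remote_selectors CONN: remote traffic selectors of installed CHILD SAs,
# one line per CHILD SA (the part after "===" on the selector line). Reads stdin.
sa_remote_selectors() {
    awk -v c="$1" '
        $0 ~ ("^ *" c "\\{[0-9]+\\}: .*===") { n = index($0, "==="); print substr($0, n + 4) }'
}

# check_tunnel_scope CONN full|split: compare what is installed with what was
# intended. A road warrior that expected split tunnelling but got 0.0.0.0/0 is
# sending everything to the server; the reverse sends supposedly tunnelled
# traffic straight out on whatever network the laptop is on. Reads stdin.
check_tunnel_scope() {
    conn=$1; expected=$2
    case "$expected" in
        full|split) ;;
        *) echo "expected must be full or split" >&2; return 2 ;;
    esac
    status=$(cat)
    state=$(printf '%s\n' "$status" | sa_state "$conn")
    [ "$state" = ESTABLISHED ] || { echo "$conn: IKE SA is $state" >&2; return 1; }
    sel=$(printf '%s\n' "$status" | sa_remote_selectors "$conn" | tr '\n' ' ')
    [ -n "$sel" ] || { echo "$conn: no CHILD_SA installed" >&2; return 1; }
    has_default=0
    case " $sel " in
        *' 0.0.0.0/0 '*|*' ::/0 '*) has_default=1 ;;
    esac
    case "$expected:$has_default" in
        full:1|split:0) echo "$conn: $expected tunnel as intended, remote selectors: $sel"; return 0 ;;
        full:0)  echo "$conn: expected a full tunnel but only [$sel] is routed" >&2; return 1 ;;
        split:1) echo "$conn: expected split tunnelling but a default route is installed" >&2; return 1 ;;
    esac
}
```

Against a live system, run ipsec statusall | check_tunnel_scope firebrick split (or full) after ipsec up; a non-zero exit with the reason on stderr is the cue to look at rightsubnet, and a DOWN state points back at the certificate and EAP steps above.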