This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
'''FireBrick acting as the ipsec 'server', and configuring a strongSwan/Debian client.'''
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).
*Also see: [[
==Install Packages==
$ sudo apt-get install strongswan libcharon-extra-plugins
You may also need libstrongswan-extra-plugins if you want the curl plugin, which lets strongSwan fetch CA certificates (eg from Let's Encrypt).
libcharon-extra-plugins is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf).
==CA Certificate==
Download your CA certificate from the FireBrick, and copy it to /etc/ipsec.d/cacerts/ on your client box. strongSwan accepts either PEM or DER.
If you're using a Let's Encrypt cert on the FireBrick (which is easy), you'll need to symlink the system CA:
ln -s /etc/ssl/certs/DST_Root_CA_X3.pem /etc/ipsec.d/cacerts/DST_Root_CA_X3.pem
==strongSwan Config==
<syntaxhighlight lang="ini">
conn
    left=%defaultroute # Use your default route to the internet
    leftfirewall=yes # Yes as you may be behind firewall/NAT
    rightauth=pubkey # FireBrick should be set to auth-method Certificate
    rightid=@hostname.example.com # ID of FireBrick
    auto=
</syntaxhighlight>
If the FireBrick is configured to give an IPv6 address in the Roaming pool, then tell strongSwan to request IPv6 too:
<syntaxhighlight lang="ini">
leftsourceip=%config4,%config6
</syntaxhighlight>
For example, to request both addresses and route all IPv4 and IPv6 traffic down the tunnel:
<syntaxhighlight lang="ini">
leftsourceip=%config4,%config6
rightsubnet=0.0.0.0/0,::/0
</syntaxhighlight>
If you want to route additional blocks via the tunnel, use rightsubnet, eg:
<syntaxhighlight lang="ini">
rightsubnet=10.1.0.0/24,10.2.0.0/24,fd00:1::/64,fd00:1::/64 # IPs to route down tunnel
</syntaxhighlight>
Reload settings:
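As an added sanity check (not from this page, nor part of strongSwan), the Python script below parses the conn section of an ipsec.conf file and flags the settings the configuration above depends on: rightauth=pubkey with a rightid pinning the FireBrick's identity, and a rightsubnet that includes ::/0 whenever %config6 is requested, since IPv6 traffic is otherwise outside the tunnel's traffic selectors. The sample conn is constructed; its name, rightid and auto value are hypothetical.

```python
import ipaddress
import re

# Constructed sample ipsec.conf modelled on the page's road-warrior conn (name, rightid and auto are hypothetical).
SAMPLE_CONF = """\
conn firebrick
    left=%defaultroute             # Use your default route to the internet
    leftsourceip=%config4,%config6 # ask the FireBrick for IPv4 and IPv6
    rightauth=pubkey               # FireBrick authenticates with its certificate
    rightid=@hostname.example.com
    rightsubnet=0.0.0.0/0          # no ::/0 although %config6 is requested
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(conn):
    """Return findings for a road-warrior conn against the settings this page relies on."""
    findings = []
    if conn.get("rightauth") != "pubkey":
        findings.append("rightauth should be pubkey so the FireBrick is authenticated by certificate")
    if not conn.get("rightid"):
        findings.append("rightid missing: the FireBrick's certificate identity is not pinned")
    sourceip = [s.strip() for s in conn.get("leftsourceip", "").split(",")]
    # rightsubnet entries may carry [proto/port] selectors; %-tokens are not networks
    nets = [ipaddress.ip_network(s.strip().split("[", 1)[0], strict=False)
            for s in conn.get("rightsubnet", "").split(",")
            if s.strip() and not s.strip().startswith("%")]
    routes_all = {n.version for n in nets if n.prefixlen == 0}
    if "%config6" in sourceip and 4 in routes_all and 6 not in routes_all:
        findings.append("IPv6 address requested but only 0.0.0.0/0 is routed: add ::/0 to rightsubnet")
    return findings

if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        print(name, check_conn(conn) or ["ok"])
```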
==Further help==
ipsec up <username> # manually attempt to bring up the connection - look for errors
ipsec listcacerts # check if your cert is loaded
ipsec statusall