FireBrick Road Warrior strongSwan: Difference between revisions

← Older edit

FireBrick Road Warrior strongSwan (view source)

Revision as of 13:41, 4 July 2022

270 bytes added , 4 July 2022

m

→‎CA Certificate

AA-Andrew

autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators

12,270

edits

Revision as of 23:50, 30 June 2022 (view source) Reedy (talk \| contribs) (→‎Split Tunneling: more syntaxhighlight) ← Older edit		Latest revision as of 13:41, 4 July 2022 (view source) AA-Andrew (talk \| contribs) m (→‎CA Certificate)
(6 intermediate revisions by one other user not shown)
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s). *AlsoSee ~~see~~also: [[FireBrick to Openswan Strongswan IPsec (Howto)]] ==Install Packages== $ sudo apt-get install strongswan libcharon-extra-plugins ~~maybe~~You may also want <tt>libstrongswan-extra-plugins</tt> if you need the curl plugin for strongswan to fetch CA certificates (eg from ~~lets~~Let's ~~encrypt~~Encrypt). <tt>libcharon-extra-plugins</tt> is needed for the eap-identity plugin which is required to connect to the FireBrick. The plugin is loaded automatically, so you don't need to change any config files (normally you'd have to change the "load =" statement in strongswan.conf). ==CA Certificate== Usually you can use ACME and Letsencrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this. Download your CA certificate from the FireBrick, and copy to /etc/ipsec.d/cacerts/ on your client box. Strongswan shouldn't mind if PEM or DER.▼ ▲If using a manually creates certificate, Download your CA certificate from the FireBrick, and copy to <tt>/etc/ipsec.d/cacerts/</tt> on your client box. Strongswan shouldn't mind if PEM or DER. If you're using a Let's Encrypt cert on the FireBrick (which is easy) - you'll need to symlink the system CA: ln -s /etc/ssl/certs/~~DST_Root_CA_X3~~ISRGRootX1.pem /etc/ipsec.d/cacerts/~~DST_Root_CA_X3~~ISRGRootX1.pem ==strongSwan Config== Add your connection to /etc/ipsec.conf: <syntaxhighlight lang="~~bash~~ini"> conn firebrick # Arbitrary name - doesn't have to be 'firebrick' left=%defaultroute # Use your default route to the internet If the FireBrick is configured to give an IPv6 address in the Roaming pool, then tell strongSwan to request IPv6 too: <syntaxhighlight lang="ini"> leftsourceip=%config4,%config6 </syntaxhighlight> Reload settings: Here's some StrongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling You use <tt>leftsubnet</tt> on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need <tt>leftsubnet=0.0.0.0/0</tt> to ensure all traffic used the tunnel, and <tt>leftsubnet=<serverLAN></tt> for split tunnelling. For example: