
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior strongSwan: Difference between revisions

 
This example uses strongSwan on Debian, but the config would suit other flavours once you've installed the package(s).
 
*See also: [[FireBrick to Openswan Strongswan IPsec (Howto)]]
 
==Install Packages==
==CA Certificate==
 
Usually you can use ACME and Let's Encrypt to assign a certificate to the FireBrick, so skip the next step if you're doing this.

If using a manually created certificate, download your CA certificate from the FireBrick and copy it to <tt>/etc/ipsec.d/cacerts/</tt> on your client box. strongSwan shouldn't mind whether it is PEM or DER.
 
If you're using a Let's Encrypt cert on the FireBrick (which is easy), you'll need to symlink the system copy of the Let's Encrypt root CA (ISRG Root X1, as shipped by Debian's ca-certificates package) into strongSwan's CA directory:
 ln -s /etc/ssl/certs/ISRG_Root_X1.pem /etc/ipsec.d/cacerts/ISRG_Root_X1.pem
 
==strongSwan Config==
Here's some strongSwan info on split tunnelling: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
 
You use <tt>leftsubnet</tt> on the strongSwan roadwarrior to determine whether to use the tunnel as default gateway - you'd need <tt>leftsubnet=0.0.0.0/0</tt> to ensure all traffic used the tunnel, and <tt>leftsubnet=<serverLAN></tt> for split tunnelling.
 
For example:
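As an added example (not the wiki page's own config), here is a client-side <tt>/etc/ipsec.conf</tt> that offers both variants. It follows strongSwan's default of left = this client and right = the FireBrick, so the FireBrick-side selector the text above calls <tt>leftsubnet</tt> appears here as <tt>rightsubnet</tt>; whichever end you name left, it is the selector covering the FireBrick side that chooses between full and split tunnelling. Assumed placeholders: <tt>vpn.example.com</tt> (the FireBrick's hostname as it appears in its certificate), <tt>192.0.2.0/24</tt> (the LAN behind the FireBrick), <tt>client.example.com</tt> and <tt>client.pem</tt> (this client's certificate identity and file).

```ini
# /etc/ipsec.conf on the strongSwan road-warrior client (added example,
# not from the wiki). Placeholders: vpn.example.com, 192.0.2.0/24,
# client.example.com and client.pem are assumed values, not real ones.
config setup

conn %default
        keyexchange=ikev2
        # left = this client (strongSwan's default local side),
        # right = the FireBrick
        left=%defaultroute
        leftauth=pubkey
        leftcert=client.pem
        leftid=client.example.com
        # Ask the FireBrick for an address from its road-warrior pool;
        # leftsubnet then defaults to that assigned address
        leftsourceip=%config
        right=vpn.example.com
        rightid=vpn.example.com
        # The FireBrick's certificate must chain to the CA file placed in
        # /etc/ipsec.d/cacerts/ (see the CA Certificate section above)
        rightauth=pubkey
        # Load on 'ipsec start' without bringing it up; 'ipsec up <conn>' starts it
        auto=add

# Full tunnel: the FireBrick end covers 0.0.0.0/0, so all traffic uses the VPN
conn firebrick-full
        rightsubnet=0.0.0.0/0

# Split tunnel: only traffic for the LAN behind the FireBrick enters the VPN
conn firebrick-split
        rightsubnet=192.0.2.0/24
```

Bring up one or the other with <tt>ipsec up firebrick-full</tt> or <tt>ipsec up firebrick-split</tt>; <tt>ipsec statusall</tt> shows the negotiated traffic selectors, which is the quick check that the selector you intended was actually installed.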