2.7.7. Road Warrior Access VPN Using Libreswan
Road warriors are traveling users with mobile clients, such as laptops, that have a dynamically assigned IP address. These clients are authenticated using certificates.
On the server:
    conn roadwarriors
        left=220.127.116.11
        # if access to the LAN is given, enable this
        #leftsubnet=10.10.0.0/16
        leftcert=vpn-server.example.com
        leftid=%fromcert
        right=%any
        # trust our own Certificate Agency
        rightca=%same
        # allow clients to be behind a NAT router
        rightsubnet=vhost:%priv,%no
        authby=rsasig
        # load connection, don't initiate
        auto=add
        # kill vanished roadwarriors
        dpddelay=30
        dpdtimeout=120
        dpdaction=%clear

- The 18.104.22.168 value specifies the actual IP address or host name of your server.
- The leftcert= option specifies a certificate by the friendly name or nickname that was used when the certificate was imported. Usually, the name is generated as part of a PKCS #12 certificate bundle in the form of a .p12 file. See the pk12util(1) man page for more information.
On the mobile client, the road warrior's device, use a slight variation of the above configuration:
    conn roadwarriors
        # pick up our dynamic IP
        left=%defaultroute
        leftcert=myname.example.com
        leftid=%fromcert
        # right can also be a DNS hostname
        right=22.214.171.124
        # if access to the remote LAN is required, enable this
        #rightsubnet=10.10.0.0/16
        # trust our own Certificate Agency
        rightca=%same
        authby=rsasig
        # Initiate connection
        auto=start

- The auto=start option enables the user to connect to the VPN whenever the ipsec system service is started. Replace it with auto=add if you want to establish the connection later.
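As an added example (not part of the original guide or of Libreswan), the following Python parses ipsec.conf-style conn blocks like the two above and checks the settings this section relies on: certificate authentication with authby=rsasig, trust restricted to our own CA with rightca=%same, and the server-side auto=add plus dead-peer detection. The sample conn text is constructed from the server configuration in this section.

```python
# Constructed sample: the server-side conn from this section.
SERVER_CONF = """\
conn roadwarriors
    left=220.127.116.11
    #leftsubnet=10.10.0.0/16
    leftcert=vpn-server.example.com
    leftid=%fromcert
    right=%any
    rightca=%same
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=%clear
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; comments and commented-out options are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns

def lint_roadwarrior(opts, role):
    """Return findings for a road-warrior conn; role is 'server' or 'client'."""
    findings = []
    if opts.get("authby") != "rsasig":
        findings.append("authby=rsasig required for certificate authentication")
    if opts.get("rightca") != "%same":
        findings.append("rightca=%same required so only our own CA is trusted")
    if opts.get("leftid") != "%fromcert":
        findings.append("leftid=%fromcert expected")
    if role == "server":
        if opts.get("auto") != "add":
            findings.append("server should use auto=add, not initiate")
        if opts.get("dpdaction") != "%clear":
            findings.append("dpdaction=%clear needed to drop vanished clients")
    elif opts.get("auto") not in ("start", "add"):
        findings.append("client should use auto=start or auto=add")
    return findings
```

Run it against a real /etc/ipsec.d/*.conf file by reading the file into parse_conns and passing the roadwarriors block to lint_roadwarrior with the matching role.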