2.7.7. Road Warrior Access VPN Using Libreswan
Road warriors are traveling users with mobile clients that have a dynamically assigned IP address, such as laptops. These clients are authenticated using certificates.
On the server:
conn roadwarriors
    left=1.2.3.4
    # if access to the LAN is given, enable this
    #leftsubnet=10.10.0.0/16
    leftcert=vpn-server.example.com
    leftid=%fromcert
    right=%any
    # trust our own Certificate Agency
    rightca=%same
    # allow clients to be behind a NAT router
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    # load connection, don't initiate
    auto=add
    # kill vanished roadwarriors
    dpddelay=30
    dpdtimeout=120
    dpdaction=%clear
Where:
left=1.2.3.4
- The 1.2.3.4 value specifies the actual IP address or host name of your server.
leftcert=vpn-server.example.com
- This option specifies the certificate by the friendly name or nickname under which it was imported. Usually, the name is generated as part of a PKCS #12 certificate bundle in the form of a .p12 file. See the pkcs12(1) and pk12util(1) man pages for more information.
On the mobile client, the road warrior's device, use a slight variation of the above configuration:
conn roadwarriors
    # pick up our dynamic IP
    left=%defaultroute
    leftcert=myname.example.com
    leftid=%fromcert
    # right can also be a DNS hostname
    right=1.2.3.4
    # if access to the remote LAN is required, enable this
    #rightsubnet=10.10.0.0/16
    # trust our own Certificate Agency
    rightca=%same
    authby=rsasig
    # Initiate connection
    auto=start
Where:
auto=start
- This option makes the client connect to the VPN whenever the ipsec system service is started. Replace it with auto=add if you want to establish the connection manually later.
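As an added example (not part of the Red Hat page or of Libreswan itself), the following Python script parses both conn sections above, embedded here as constructed sample strings, and checks the settings the two configurations rely on: certificate authentication on both ends (authby=rsasig, leftid=%fromcert, rightca=%same), right=%any with vhost:%priv and dead peer detection on the server, and left=%defaultroute with auto=start on the client. The function names parse_conn, check_roadwarrior and audit are this example's own, not Libreswan tooling; a commented-out line such as #leftsubnet= is deliberately treated as not set.

```python
"""Added example (not from the Red Hat page or Libreswan): a small checker
that parses ipsec.conf-style 'conn' sections and verifies the road-warrior
settings the section above relies on. SERVER_CONF and CLIENT_CONF are the
page's two configurations, reproduced here as constructed sample strings."""
import re

SERVER_CONF = """\
conn roadwarriors
    left=1.2.3.4
    # if access to the LAN is given, enable this
    #leftsubnet=10.10.0.0/16
    leftcert=vpn-server.example.com
    leftid=%fromcert
    right=%any
    # trust our own Certificate Agency
    rightca=%same
    # allow clients to be behind a NAT router
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    # load connection, don't initiate
    auto=add
    # kill vanished roadwarriors
    dpddelay=30
    dpdtimeout=120
    dpdaction=%clear
"""

CLIENT_CONF = """\
conn roadwarriors
    # pick up our dynamic IP
    left=%defaultroute
    leftcert=myname.example.com
    leftid=%fromcert
    # right can also be a DNS hostname
    right=1.2.3.4
    # if access to the remote LAN is required, enable this
    #rightsubnet=10.10.0.0/16
    # trust our own Certificate Agency
    rightca=%same
    authby=rsasig
    # Initiate connection
    auto=start
"""


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.
    Blank lines and comment lines (starting with '#') are skipped, so a
    commented-out '#leftsubnet=' does not count as a set option."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conns


def check_roadwarrior(conn, role):
    """Return a list of findings for one conn dict; role is 'server' or
    'client'. An empty list means the section matches the page's pattern."""
    findings = []
    # Both ends: certificate authentication, ID taken from the certificate,
    # and trust restricted to our own CA.
    if conn.get("authby") != "rsasig":
        findings.append("authby should be rsasig (certificate authentication)")
    if conn.get("leftid") != "%fromcert":
        findings.append("leftid should be %fromcert so the ID is bound to the certificate")
    if "leftcert" not in conn:
        findings.append("leftcert missing: no certificate nickname to present")
    if conn.get("rightca") != "%same":
        findings.append("rightca should be %same to trust only our own CA")
    if role == "server":
        if conn.get("right") != "%any":
            findings.append("server must use right=%any to accept clients from any address")
        if not conn.get("rightsubnet", "").startswith("vhost:%priv"):
            findings.append("rightsubnet should use vhost:%priv so NATed clients can connect")
        if conn.get("auto") != "add":
            findings.append("server should use auto=add (load, do not initiate)")
        # Dead peer detection so vanished road warriors are cleared.
        for k in ("dpddelay", "dpdtimeout", "dpdaction"):
            if k not in conn:
                findings.append(f"{k} missing: stale clients will not be cleaned up")
    elif role == "client":
        if conn.get("left") != "%defaultroute":
            findings.append("client should use left=%defaultroute to pick up its dynamic IP")
        if conn.get("auto") not in ("start", "add"):
            findings.append("client auto should be start (connect on ipsec start) or add")
    return findings


def audit(text, role):
    """Audit every conn section in text for the given role."""
    return {name: check_roadwarrior(c, role) for name, c in parse_conn(text).items()}


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for name, findings in audit(conf, role).items():
            print(role, name, "OK" if not findings else findings)
```

Running the script prints OK for both sections; pointing audit() at a real /etc/ipsec.d/*.conf file with the matching role reports which of the page's settings are missing, which is a quick way to catch a server that was accidentally left on auto=start or without DPD.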