Example Configuration - Roadwarrior with MacOS

  • This configuration should work with MacOS 10.12 (Sierra) or newer, and perhaps with "El Capitan" (10.11) as well. Older versions do not support the strong cipher suites used below and should be avoided as insecure; a third-party VPN client may work around this on older releases.

The server's host certificate must have a Subject Alt Name that is the same as the server's hostname. If you previously created your server's certificates and did not add a Subject Alt Name when you created them, then you will need to delete them (and any connections using them) and re-create them.

Step 1 - Global IPSec Settings

  • Go to "Services > IPSec"
  • Edit the "Global Settings"
    • "Public IP or FQDN":
      • If you have a static IP: Enter your public domain name or IP.
      • If you have a dynamic IP: Enter "%defaultroute".
    • "Host-to-Net Virtual Private Network (RoadWarrior)": Enter the IP range from which connecting clients receive their address.
      • Make sure that this range does not conflict with your LAN DHCP scope.
      • I generally use a subset of the Green network, such as This includes the addresses
    • Check "Enabled"
    • Click "Save"

Step 2 - Generate Server Certificates

  • Click "Generate root/host certificates"
    • Fill in the form to generate the certificates
    • "Organization Name": Choose a name
    • "IPFire's Hostname": DNS-Name of the IPFire device
    • Complete "Your e-Mail Address", "Your Department", "City", "State", and "Country" with your information.
    • "Subject Alt Name": Enter "DNS:" followed by the IPFire hostname, e.g. "DNS:myhost.mydomain.dom". This must be the exact name the Mac will later be given as "Remote ID".
    • Click "Generate root/host certificate"
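The Subject Alt Name requirement is easy to get wrong and the macOS client gives little feedback when it is missing, so here is an added example (not from the IPFire wiki or the IPFire project) that checks the generated host certificate on IPFire before you continue. It assumes the host certificate is stored at /var/ipfire/certs/hostcert.pem (pass a different path as the first argument) and that openssl and awk are available on the IPFire console; the hostname to look for can be given as the second argument and otherwise defaults to the output of "hostname -f".

```shell
#!/bin/sh
# Added example, not from the IPFire wiki or project: check that the IPFire host
# certificate carries a DNS Subject Alt Name equal to the hostname the Mac will
# use as its Remote ID. Assumption: the certificate lives at
# /var/ipfire/certs/hostcert.pem; override it with the first argument.
# Usage: sh check_hostcert_san.sh [/path/to/hostcert.pem] [myhost.mydomain.dom]

# san_list CERT: print each subjectAltName entry of CERT on its own line
# (e.g. "DNS:myhost.mydomain.dom"). Uses "openssl x509 -text", which every
# OpenSSL release understands; fails when the certificate has no SAN at all.
san_list() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
      | awk '/Subject Alternative Name/ { getline; print; exit }' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep .
}

# has_dns_san CERT HOSTNAME: succeed only if CERT lists exactly DNS:HOSTNAME.
# An exact match is required; a wildcard SAN or the bare CN does not count.
has_dns_san() {
    san_list "$1" | grep -qx "DNS:$2"
}

# check_hostcert [CERT] [HOSTNAME]: report whether the certificate will satisfy
# the macOS IKEv2 client; returns 0 on success, 1 when the SAN is missing.
check_hostcert() {
    cert=${1:-/var/ipfire/certs/hostcert.pem}
    host=${2:-$(hostname -f)}
    if has_dns_san "$cert" "$host"; then
        echo "OK: $cert contains DNS:$host"
        return 0
    fi
    echo "FAIL: $cert does not contain DNS:$host" >&2
    echo "Subject Alt Names present (none means the certificate has no SAN):" >&2
    san_list "$cert" >&2
    echo "Delete the root/host certificates and any connections using them, then re-create them with Subject Alt Name DNS:$host" >&2
    return 1
}

# Run the check only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    check_hostcert "$@"
fi
```

A FAIL here means the Mac will refuse the tunnel with an unhelpful authentication error later; fix the certificate now rather than after configuring the client.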

Step 3 - Create the Connection on IPFire

  • "Connection Status and -Control"
    • Click "Add" and choose "Host-to-Net Virtual Private Network (RoadWarrior)"
    • "Name": Enter a descriptive name for this connection (no spaces allowed).
    • "Local Subnet": enter ""
    • "Local ID": Enter the hostname of the IPFire host. This must match what you entered when generating the root/host certificates above. You can use the IP Address, too, but this must match the certificate.
    • "Remote ID": Enter an e-mail address for the user. You will use this below when creating the certificate, and it does not need to be a valid e-mail address.
    • Check the "Edit advanced settings when done." checkbox.
    • Choose "Generate a certificate"
    • "User's full name or system hostname": Enter the name you chose above for the connection name.
    • "User's E-mail address": Enter the e-mail address you used for "Remote ID", above.
    • Provide your information for Department, Organization, City, State, and Country.
    • "Subject Alt Name": Enter "email:" followed by the e-mail address you used above as the "Remote ID".
    • Enter an export password. You will need this when importing the certificate on the client.
    • Click "Save"
  • Edit the connection's advanced settings

    • "Keyexchange": Select "IKEv2"
    • "Encryption": Select "256 bit AES-CBC"
    • "Integrity": Select "SHA2 384 bit" and "SHA2 256 bit"
    • "Grouptype": Select "ECP-384 (NIST)" and "ECP-256 (NIST)". For MacOSX Sierra (10.12.x) set the ESP Grouptype to "none"; otherwise the connection drops when the client tries to rekey after about 8 minutes (see http://www.openradar.appspot.com/29821241). Be aware that "none" means no Diffie-Hellman exchange when the ESP child SA is rekeyed, so that SA has no perfect forward secrecy; use it only where the Sierra bug forces you to.

  • In the "Connection Status and -Control" click the "Download PKCS12 file" (diskette) icon and download the certificates to your local PC. You will need to copy that file to the client PC.

Step 4 - Modify the Configuration created by IPFire

  • Connect to the IPFire via SSH (Putty) or the local console
  • Add a "conn" section for the connection to /etc/ipsec.user.conf that sets the following options. "CONNECTION_NAME" should be replaced with the name you chose for the connection above.
    • "leftsendcert=always": required for Macs, so that IPFire always sends its host certificate during IKE_AUTH.
    • "leftallowany=yes": a modifier for "left" that makes it behave as "%any" even though a concrete address or name is configured. The original note claimed this also lets the client reach the Internet while connected but flagged the claim as unconfirmed; that is not what the option does, and whether the client gets Internet access depends on the traffic selectors, not on this setting.
    • "rekey=no" and "reauth=no": prevent the IPsec daemon from initiating rekeying or reauthentication toward the client, which would probably fail because most roadwarriors sit behind NAT.


  • Restart the ipsec daemon, type ipsec restart - !! This will drop any active connections !!
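Here is the conn section written out, as an added example (not from the IPFire wiki or the IPFire project) together with a small installer script. It assumes, as the step above does, that IPFire's generated ipsec.conf includes /etc/ipsec.user.conf and that a second "conn CONNECTION_NAME" section supplements the one IPFire generated for the connection; the target file can be overridden with a second argument, which is only meant for trying the script outside IPFire.

```shell
#!/bin/sh
# Added example, not from the IPFire wiki or project: append the conn section
# described above to /etc/ipsec.user.conf and restart strongSwan.
# Assumptions: IPFire's ipsec.conf includes /etc/ipsec.user.conf, and a second
# "conn NAME" section supplements the one IPFire generated for NAME.
# Usage: sh ipsec_user_conf.sh CONNECTION_NAME [/etc/ipsec.user.conf]

# user_conf_section NAME: print the extra settings for connection NAME.
# The "#" lines are ipsec.conf comments and end up in the file as documentation.
user_conf_section() {
    cat <<EOF
conn $1
    # macOS will not authenticate the gateway unless it receives the host certificate
    leftsendcert=always
    # treat "left" as %any even though an address or name is configured
    leftallowany=yes
    # never initiate rekeying or reauthentication toward clients, which usually sit behind NAT
    rekey=no
    reauth=no
EOF
}

# valid_conn_name NAME: IPFire connection names contain no spaces; accept only
# letters, digits, "-" and "_" so the name cannot break the conf file.
valid_conn_name() {
    case $1 in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_user_conf NAME [FILE]: append the section to FILE unless FILE already
# holds a "conn NAME" section. Keeps a timestamped backup of the previous file.
# Returns 0 on success, 1 if the section already exists, 2 for an invalid name.
install_user_conf() {
    name=$1
    file=${2:-/etc/ipsec.user.conf}
    valid_conn_name "$name" || { echo "invalid connection name: '$name'" >&2; return 2; }
    if [ -f "$file" ]; then
        if grep -q "^conn $name\$" "$file"; then
            echo "conn $name is already present in $file" >&2
            return 1
        fi
        cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    fi
    user_conf_section "$name" >> "$file"
    echo "added conn $name to $file"
}

# Apply and restart only when run with arguments. "ipsec restart" drops every
# active tunnel, so run it when nobody is connected.
if [ "$#" -gt 0 ]; then
    install_user_conf "$@" && ipsec restart
fi
```

Run it on IPFire as "sh ipsec_user_conf.sh CONNECTION_NAME". The daemon is restarted only after the section was written, the timestamped backup lets you roll back if strongSwan refuses the file, and "ipsec statusall" afterwards shows whether the connection loaded with the new settings.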

Step 5 - Install the certificate on the Mac

  • Import the certificates
    • Open Applications:Utilities:Keychain Access
    • Select the "System" keychain.
    • From the File menu, select "Import Items..."
    • Browse to the downloaded PKCS12 file and click "Open".
    • Enter your MacOS password when prompted.
    • Enter the password for the PKCS12 certificate file (the one you input when creating the tunnel).
  • Trust the CA Certificate
    • Locate the CA Certificate in the list, right-click, and choose "Get Info"
    • Expand the "Trust" section (above "Details")
    • Change the setting for "When using this certificate:" to "Always Trust".
    • Enter your MacOS password when prompted.
  • Allow access to the private key
    • Locate the private key in the list, right-click, and choose "Get Info".
    • Select "Access Control" at the top.
    • Enter your MacOS password when prompted.
    • Select the "Allow all applications to access this item:"
    • This step is optional, but it avoids having to type your MacOS username and password every time you connect the VPN. Be aware that it also lets every application on the Mac use the VPN private key without a prompt; the safer alternative is to keep the default and, when the keychain prompts on the first connection, allow only that application.

Step 6 - Create the connection on the Mac

  • Open System Preferences:Network.
  • Click the "+" icon to add a new connection.
    • Interface: "VPN"
    • VPN Type: "IKEv2"
    • Service Name: Choose a descriptive name for this connection
  • Configure the connection settings.
    • Server Address: Enter the IP Address or Hostname of the IPFire host.
    • Remote ID: Enter the hostname of the IPFire host. This must match what you entered when creating the root/host certificates, and also the "Local ID" field you entered in IPFire when you configured the tunnel.
    • Local ID: Enter the e-mail you used as the "Remote ID" when configuring the tunnel on IPFire.
    • Click on "Authentication Settings".
      • Choose "None" from the first drop-down menu.
      • Select the "Certificate" radio button.
      • Click "Select" and choose the certificate you imported earlier. The name should be the same as what you specified when creating the certificate/tunnel.
      • Click "OK" and then "Apply"
Last revised October 30 at 6:25 pm by cfusco