Example Configuration - Roadwarrior with MacOS

  • This configuration should work with MacOS 10.12 (Sierra) or newer, perhaps "El Capitan" as well. Older versions do not support strong cryptography and should be avoided as insecure. Using a third-party VPN client may resolve this issue.

The server's host certificate must have a Subject Alt Name that is the same as the server's hostname. If you previously created your server's certificates and did not add a Subject Alt Name when you created them, then you will need to delete them (and any connections using them) and re-create them.

Step 1 - Global IPSec Settings

  • Go to "Services > IPSec"
  • Edit the "Global Settings"
    • "Public IP or FQDN":
    • If you have a static IP: Enter your public domain name or IP.
    • If you have a dynamic IP: Enter "%defaultroute".
    • "Host-to-Net Virtual Private Network (RoadWarrior)"
    • Enter the IP range from which clients should receive an IP.
    • Make sure that this range does not conflict with your LAN DHCP scope.
    • I generally use a subset of the Green network, such as 192.168.0.0/28. This includes the addresses 192.168.0.240-254.
    • Check "Enabled"
    • Click "Save"
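A quick way to verify the pool before clicking "Save": the following Python script is an added example (not part of the IPFire wiki) that uses the standard ipaddress module to check that a candidate pool is a proper network, lies inside Green, and does not overlap the LAN DHCP scope. The Green network, DHCP scope and candidate pools in it are constructed sample values.

```python
# Added example, not part of the IPFire wiki: sanity-check a planned RoadWarrior
# address pool ("Host-to-Net Virtual Private Network") against the Green network
# and the LAN DHCP scope before saving the global IPsec settings.
# All addresses below are constructed sample values.
import ipaddress


def pool_range(cidr: str) -> tuple:
    """Return (first, last) usable host address of a pool given in CIDR form.

    strict=True rejects a prefix whose host bits are set (e.g. 192.168.0.250/28),
    which is what the IPFire form expects: a network, not an address.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return (str(hosts[0]), str(hosts[-1]))


def dhcp_conflicts(cidr: str, dhcp_start: str, dhcp_end: str) -> list:
    """Return every pool address that also lies inside the DHCP scope.

    An empty list means the pool and the DHCP server can never hand out the same IP.
    """
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    if start > end:
        raise ValueError("DHCP scope start lies after its end")
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(h) for h in net.hosts() if start <= h <= end]


def check_pool(cidr: str, green_cidr: str, dhcp_start: str, dhcp_end: str) -> dict:
    """Summarise whether the pool is a proper network inside Green that avoids the DHCP scope."""
    result = {"pool": cidr, "inside_green": False, "conflicts": [], "errors": []}
    try:
        pool = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        result["errors"].append(f"{cidr}: {exc}")
        result["ok"] = False
        return result
    green = ipaddress.ip_network(green_cidr, strict=True)
    result["inside_green"] = pool.subnet_of(green)
    result["first_host"], result["last_host"] = pool_range(cidr)
    result["conflicts"] = dhcp_conflicts(cidr, dhcp_start, dhcp_end)
    result["ok"] = result["inside_green"] and not result["conflicts"]
    return result


if __name__ == "__main__":
    # Constructed example: Green is 192.168.0.0/24 and DHCP hands out .100-.199.
    # A /28 holds 16 addresses, so 192.168.0.0/28 covers .0-.15 and the /28 that
    # ends at .255 is written 192.168.0.240/28.
    GREEN, DHCP_START, DHCP_END = "192.168.0.0/24", "192.168.0.100", "192.168.0.199"
    for candidate in ("192.168.0.240/28", "192.168.0.96/27", "192.168.0.250/28"):
        print(candidate, check_pool(candidate, GREEN, DHCP_START, DHCP_END))
```

Run it directly to see the three candidates evaluated: the first is fine, the second collides with 27 DHCP addresses, and the third is rejected because it is an address rather than a network.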

Step 2 - Generate Server Certificates

  • Click "Generate root/host certificates"
    • Fill in the form to generate the certificates
    • "Organization Name": Choose a name
    • "IPFire's Hostname": DNS-Name of the IPFire device
    • Complete "Your e-Mail Address", "Your Department", "City", "State", and "Country" with your information.
    • "Subject Alt Name": Enter "DNS:" followed by the IPFire hostname, e.g. "DNS:myhost.mydomain.dom"
    • Click "Generate root/host certificate"

Step 3 - Create the Connection on IPFire

  • "Connection Status and -Control"
    • Click "Add" and choose "Host-to-Net Virtual Private Network (RoadWarrior)"
    • "Name": Enter a descriptive name for this connection (no spaces allowed).
    • "Local Subnet": enter "0.0.0.0/0"
    • "Local ID": Enter the hostname of the IPFire host. This must match what you entered when generating the root/host certificates above. You can use the IP Address, too, but this must match the certificate.
    • "Remote ID": Enter an e-mail address for the user. You will use this below when creating the certificate, and it does not need to be a valid e-mail address.
    • Check the "Edit advanced settings when done." checkbox.
    • Choose "Generate a certificate"
    • "User's full name or system hostname": Enter the name you chose above for the connection name.
    • "User's E-mail address": Enter the e-mail address you used for "Remote ID", above.
    • Provide your information for Department, Organization, City, State, and Country.
    • "Subject Alt Name": enter "email:" followed by the e-mail address you used above as the "Remote ID".
    • Enter an export password. You will need this when importing the certificate on the client.
    • Click "Save"
  • Edit the connection's advanced settings
    • "Keyexchange": Select "IKEv2"
    • "Encryption": Select "256 bit AES-CBC"
    • "Integrity": Select "SHA2 384 bit" and "SHA2 256 bit"
    • "Grouptype": Select "ECP-384 (NIST)" and "ECP-256 (NIST)". For MacOSX Sierra (10.12.x), set the ESP Grouptype to "none"; otherwise the connection drops when the client tries to rekey after 8 minutes (see http://www.openradar.appspot.com/29821241).

  • In the "Connection Status and -Control" click the "Download PKCS12 file" (diskette) icon and download the certificates to your local PC. You will need to copy that file to the client PC.

Step 4 - Modify the Configuration created by IPFire

  • Connect to the IPFire via SSH (Putty) or the local console
  • Add the following to /etc/ipsec.user.conf, replacing "CONNECTION_NAME" with the name you chose for the connection above.
    • "leftsendcert=always" is required for Macs.
    • "leftallowany=yes" is meant to allow the client to also access the Internet when connected (this needs to be confirmed; it does not seem accurate).
    • Setting "rekey" and "reauth" to "no" prevents problems where the IPsec daemon would try to connect to the client, which would probably fail because most roadwarriors are behind NAT.

conn CONNECTION_NAME
    # Parameter lines must be indented under the "conn" line
    # Always send the IPFire host certificate; required by the Mac client
    leftsendcert=always
    leftallowany=yes
    # DNS server handed to the client; replace with the address of your own resolver
    rightdns=10.100.2.1
    # Never let IPFire initiate rekeying or re-authentication towards the client
    rekey=no
    reauth=no

  • Restart the ipsec daemon by typing "ipsec restart". !! This will drop any active connections !!
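Before restarting the daemon it is worth checking the file you just edited. The Python script below is an added example, not IPFire's or strongSwan's own tooling: it parses an ipsec.conf-style fragment, checks that the named conn carries leftsendcert=always, rekey=no and reauth=no, validates any rightdns entries as IP addresses, and flags parameter lines that are not indented under their conn line, which strongSwan does not accept as parameters. The conn name "macvpn" and the two sample fragments are constructed.

```python
# Added example, not IPFire's own tooling: parse a strongSwan-style ipsec.conf
# fragment such as /etc/ipsec.user.conf and confirm the RoadWarrior conn section
# carries the settings this page asks for, before running "ipsec restart".
# strongSwan reads a parameter line only when it is indented under its section
# header, so an unindented "key=value" line is reported as a problem.
import ipaddress
import re

# Settings the page requires for the Mac roadwarrior connection.
REQUIRED = {"leftsendcert": "always", "rekey": "no", "reauth": "no"}

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> dict:
    """Split ipsec.conf text into {"<type> <name>": {param: value}} plus a list of problems."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment line
        if not line[0].isspace():
            if line.startswith("include "):
                continue  # included files are outside the scope of this check
            match = SECTION_RE.match(line)
            if match:
                current = f"{match.group(1)} {match.group(2)}"
                sections.setdefault(current, {})
            else:
                problems.append(
                    f"line {lineno}: '{line}' is not indented, so strongSwan does not read it as a parameter"
                )
            continue
        if current is None:
            problems.append(f"line {lineno}: parameter before any section header")
            continue
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            problems.append(f"line {lineno}: expected key=value, got '{line.strip()}'")
            continue
        sections[current][key.strip()] = value.strip()
    return {"sections": sections, "problems": problems}


def check_roadwarrior_conn(text: str, conn_name: str) -> list:
    """Return a list of findings for the named conn; an empty list means it looks right."""
    parsed = parse_ipsec_conf(text)
    findings = list(parsed["problems"])
    params = parsed["sections"].get(f"conn {conn_name}")
    if params is None:
        findings.append(f"no 'conn {conn_name}' section found")
        return findings
    for key, want in REQUIRED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key} is missing (expected {key}={want})")
        elif got != want:
            findings.append(f"{key}={got}, expected {key}={want}")
    # rightdns carries the resolver(s) pushed to the client; each must be an IP address.
    for addr in params.get("rightdns", "").split(","):
        addr = addr.strip()
        if addr:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"rightdns entry '{addr}' is not an IP address")
    return findings


# Constructed samples: a correctly indented conn block, and one whose parameters
# sit at column 0, which strongSwan does not accept as parameters.
GOOD_CONF = """\
conn macvpn
    leftsendcert=always
    leftallowany=yes
    rightdns=10.100.2.1
    rekey=no
    reauth=no
"""

BAD_CONF = """\
conn macvpn
leftsendcert=always
rekey=no
"""

if __name__ == "__main__":
    print("good:", check_roadwarrior_conn(GOOD_CONF, "macvpn"))
    for finding in check_roadwarrior_conn(BAD_CONF, "macvpn"):
        print("bad:", finding)
```

To check the real file, read /etc/ipsec.user.conf into a string and pass it with your connection name to check_roadwarrior_conn(); an empty list means nothing was found.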

Step 5 - Install the certificate on the Mac

  • Import the certificates
    • Open Applications:Utilities:Keychain Access
    • Select the "System" keychain.
    • From the File menu, select "Import Items..."
    • Browse to the downloaded PKCS12 file and click "Open".
    • Enter your MacOS password when prompted.
    • Enter the password for the PKCS12 certificate file (the one you input when creating the tunnel).
  • Trust the CA Certificate
    • Locate the CA Certificate in the list, right-click, and choose "Get Info"
    • Expand the "Trust" section (above "Details")
    • Change the setting for "When using this certificate:" to "Always Trust".
    • Enter your MacOS password when prompted.
  • Allow access to the private key
    • Locate the private key in the list, right-click, and choose "Get Info".
    • Select "Access Control" at the top.
    • Enter your MacOS password when prompted.
    • Select "Allow all applications to access this item".
    • This step is optional, but it saves you from typing your MacOS username and password every time you connect the VPN; the trade-off is that any application on the Mac can then use the key without prompting.

Step 6 - Create the connection on the Mac

  • Open System Preferences:Network.
  • Click the "+" icon to add a new connection.
    • Interface: "VPN"
    • VPN Type: "IKEv2"
    • Service Name: Choose a descriptive name for this connection
  • Configure the connection settings.
    • Server Address: Enter the IP Address or Hostname of the IPFire host.
    • Remote ID: Enter the hostname of the IPFire host. This must match what you entered when creating the root/host certificates, and also the "Local ID" field you entered in IPFire when you configured the tunnel.
    • Local ID: Enter the e-mail you used as the "Remote ID" when configuring the tunnel on IPFire.
    • Click on "Authentication Settings".
      • Choose "None" from the first drop-down menu.
      • Select the "Certificate" radio button.
      • Click "Select" and choose the certificate you imported earlier. The name should be the same as what you specified when creating the certificate/tunnel.
      • Click "OK" and then "Apply".
Last revised: April 4 at 4:07 pm