Global Configuration

The global configuration section allows you to enable IPsec and to configure general network settings.

Host-to-Net Settings

These settings are only required if you are planning on having host-to-net (roadwarrior) clients and can otherwise be left empty.

The Host-to-Net Endpoint is the address clients use to reach the firewall. It is usually a DynDNS hostname, but it can also be a static IP address. Either way, it has to be part of the host certificate (see below) for certificate-based connections to work.

Host-to-Net Virtual Private Network (RoadWarrior) defines a new subnet, in CIDR notation, from which IP addresses are assigned to clients.

Example of Global Settings (screenshot)

Generation of Root and Host Certificates

Certificates are required for certificate-based connections with IPFire, both net-to-net and host-to-net.

Generate root/host certificates (screenshot)

To get started, click "Generate Root/Host certificates" and fill in the following values:

Field | What goes in here?
Organisation Name * [1] | Your company name, e.g. "ABC Trucking PLC"
IPFire's Hostname * [1] | The FQDN of your IPFire system [2], or its dynamic DNS hostname [2]
Your Email | The email address of the administrator
Your Department / Town / Province / Country | Self-explanatory
Subject Alternative Name * [1] | A comma-separated list of email, DNS, URI, RID, or IP objects. If the IPFire system is reachable under multiple FQDNs, add them here. Choices are email:*, DNS:*, URI:*, RID:*, IP:*

The SubjectAltName object types are:

  email:      an email address (e.g., …)
  email:copy  uses the address entered in the Your Email field of the certificate
  DNS:        a valid domain name (e.g., … or …)
  URI:        any valid URI (e.g., http://url/to/something)
  RID:        a registered object identifier
  IP:         an IP address (e.g., …)

Example: …, email:copy, …, IP:…, URI:http://url/to/something

Note: the character set is limited and case is significant.

After you have filled in the form, click "Generate Root/Host certificates" to start generating the certificates. This process may take a few moments, depending on how fast your IPFire system is.
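Since a host-to-net connection only works when the endpoint clients connect to is covered by the host certificate, it is worth checking the values before generating, as re-issuing the root/host certificates later means re-issuing every client certificate as well. The following helper is an added example and not part of IPFire or this page: it validates a SubjectAltName string against the object types listed above and then checks whether a given endpoint (DynDNS hostname or static IP) is matched either by the Common Name or by a DNS:/IP: object. All hostnames and addresses in it are constructed sample values; the dotted-decimal form assumed for RID: values is an assumption of this example.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Object types accepted in the SubjectAltName field as described on this page.
# The prefix is case-sensitive: "dns:" is rejected, "DNS:" is accepted.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_RID_RE = re.compile(r"^\d+(\.\d+)+$")  # assumption: OID in dotted-decimal form


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split a comma-separated SAN string into (type, value) pairs.

    Raises ValueError on an unknown type prefix or a malformed value, so a
    typo is caught before the certificate is generated.
    """
    entries = []
    for raw in san.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty SubjectAltName entry")
        if ":" not in item:
            raise ValueError(f"missing object type prefix in {item!r}")
        kind, value = item.split(":", 1)
        if kind == "email":
            # "email:copy" takes the address from the certificate's email field
            if value != "copy" and not _EMAIL_RE.match(value):
                raise ValueError(f"invalid email object: {item!r}")
        elif kind == "DNS":
            if not _HOSTNAME_RE.match(value):
                raise ValueError(f"invalid DNS object: {item!r}")
        elif kind == "URI":
            parsed = urlparse(value)
            if not parsed.scheme or not parsed.netloc:
                raise ValueError(f"invalid URI object: {item!r}")
        elif kind == "RID":
            if not _RID_RE.match(value):
                raise ValueError(f"invalid RID object: {item!r}")
        elif kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError on a bad address
        else:
            raise ValueError(f"unknown SubjectAltName object type: {kind!r}")
        entries.append((kind, value))
    return entries


def endpoint_covered(endpoint: str, common_name: str, san: str) -> bool:
    """Return True if the host-to-net endpoint is named by the certificate.

    endpoint     the Host-to-Net Endpoint clients connect to (hostname or IP)
    common_name  IPFire's Hostname field, which becomes the certificate CN
    san          the SubjectAltName field as typed into the form
    """
    entries = parse_san(san)
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        # A static IP endpoint must appear as an IP: object; the CN is a hostname.
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in entries)
    # DNS names compare case-insensitively and ignore a trailing dot.
    host = endpoint.rstrip(".").lower()
    if host == common_name.rstrip(".").lower():
        return True
    return any(k == "DNS" and v.rstrip(".").lower() == host for k, v in entries)


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    cn = "fw.example.org"
    san = "DNS:vpn.example.org, email:copy, IP:203.0.113.10"
    for ep in ("vpn.example.org", "203.0.113.10", "other.example.org"):
        print(f"{ep}: {'covered' if endpoint_covered(ep, cn, san) else 'NOT covered'}")
```

Run it with the values you intend to enter into the form; an endpoint reported as NOT covered means clients will be presented with a certificate that does not name the address they connected to, and the connection will fail certificate validation.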

Log Files

For debugging purposes, all log entries can be viewed in the WebGUI menu under Logs -> System Logs -> IPsec. They are also written to /var/log/messages; to view them via SSH, run:

grep charon /var/log/messages

[1] Fields marked with an asterisk are required.

[2] This must resolve to the public IP address of your IPFire system and will become the Common Name of the host certificate.

Older Revisions • November 26 at 1:46 pm • iptom