www.ipfire.org - Global Configuration

The global configuration section allows to enable IPsec and configure general network settings.

Host-to-Net Settings

These settings are only required if you are planning on having host-to-net (roadwarrior) clients and can otherwise be left empty.

The Host-to-Net Endpoint will be used for clients to reach the firewall. It usually is a DynDNS hostname but can also be a static IP address. Either have to be part of the host certificate (see below) in order to make certificate connections work.

Host-to-Net Virtual Private Network (RoadWarrior) defines a new subnet, using CIDR notation, which will be used to assign IP addresses to clients.

Generation of Root and Host Certificates

Certificates are required to use certificate-based connections with IPFire for both net-to-net and host-to-net connections.

To get started, click "Generate Root/Host certificates” and fill in the following values:

Field	What goes in here?
Organisation Name ¹	Your company name - e.g. "ABC Trucking PLC"
IPFire's Hostname ¹	Enter the FQDN of your IPFire system - e.g. `ABC-Trucking.com`. ² Or enter the dynamic DNS hostname - e.g., `example.ddns.org`. ²
Your Email	The email address of the administrator
Your Department / Town/Province/Country	This should be self-explanatory
Subject Alternative Name ¹	SubjectAltName is a comma separated list of e-mail, DNS, URI, RID, or IP objects. If the IPFire system is reachable under multiple FQDNs add them here. Choices are `email:`, `DNS:`, `URI:`, `RID:`
	`email:` - an email address (e.g., ipfire@foo.org)
	`email:copy` - takes the email field from the cert to be used
	`DNS:` - a valid domain name (e.g., www.ipfire.org or example2.ddns.org)
	`URI:` - any valid uri (e.g., http://url/to/something)
	`RID:` - registered object identifier
	`IP:` - an IP address (e.g., 127.0.0.1)
	Example: `email:ipfire@foo.org, email:copy, DNS:www.ipfire.org, IP:127.0.0.1, URI:http://url/to/something`
	Note: charset is limited and case is significant.

After you filled in the form, click "Generate Root/Host certificates" to start generating the certificates. This process might take a couple of moments depending on how fast your IPFire system is.

Log Files

For debugging purposes, all log files can be viewed in WebGUI menu Logs -> System Logs -> IPsec. And are being logged to /var/log/messages. View messages via SSH and the command:

grep charon /var/log/messages

Fields marked with an asterisk are a required field ↩↩↩
This must resolve to the public IP address of your IPFire system and will become the Common Name of the host certificate ↩↩