The global configuration section lets you enable IPsec and configure general network settings.
These settings are only required if you are planning on having host-to-net (roadwarrior) clients and can otherwise be left empty.
The Host-to-Net Endpoint is the address clients use to reach the firewall. It is usually a DynDNS hostname but can also be a static IP address. Whichever you use has to be part of the host certificate (see below) for certificate connections to work.
Host-to-Net Virtual Private Network (RoadWarrior) defines a new subnet, using CIDR notation, which will be used to assign IP addresses to clients.
Certificates are required to use certificate-based connections with IPFire, for both net-to-net and host-to-net connections.
To get started, click "Generate Root/Host certificates" and fill in the following values:
|Field||What goes in here?|
|Organisation Name 1||Your company name - e.g. "ABC Trucking PLC"|
|IPFire's Hostname 1||Enter the FQDN of your IPFire system - e.g.
|Your Email||The email address of the administrator|
|Your Department / Town/Province/Country||This should be self-explanatory|
|Subject Alternative Name 1||If your IPFire system is reachable under multiple FQDNs, you can add them here. Choices are
After you have filled in the form, click "Generate Root/Host certificates" to start generating the certificates. This process might take a couple of moments depending on how fast your IPFire system is.
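Because the Host-to-Net Endpoint has to be part of the host certificate, it is worth checking a generated certificate before handing out client configurations. The following is an added example, not part of IPFire: the function name `endpoint_in_cert` is hypothetical, the certificate path is whatever PEM copy of the host certificate you pass in, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: check that a Host-to-Net endpoint is covered by a certificate.
# Usage: endpoint_in_cert CERT.pem ENDPOINT   (ENDPOINT = FQDN or IPv4 address)
# Exit status: 0 = covered, 1 = not covered, 2 = certificate unreadable.

endpoint_in_cert() {
    cert=$1
    endpoint=$2

    # Refuse to report on a file OpenSSL cannot parse as a certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2

    # A string made only of digits and dots is treated as an IPv4 address
    # and must match an iPAddress Subject Alternative Name. Anything else is
    # treated as a DNS name: OpenSSL compares it with the DNS Subject
    # Alternative Names and falls back to the Common Name only when the
    # certificate carries no DNS names at all.
    case $endpoint in
        *[!0-9.]*|'') check=-checkhost ;;
        *)            check=-checkip ;;
    esac

    # OpenSSL prints "... does match certificate" or
    # "... does NOT match certificate". The result is read from that text
    # rather than from the exit status of the openssl command.
    openssl x509 -in "$cert" -noout "$check" "$endpoint" 2>/dev/null |
        grep -q 'does match certificate'
}
```

A non-zero status for the endpoint you entered means the certificate has to be regenerated with that hostname or address included before certificate connections will work.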
For debugging purposes, all log files can be viewed in the WebGUI under Logs -> System Logs -> IPsec. They are also written to /var/log/messages. To view the messages via SSH, run:
grep charon /var/log/messages