2.7.7. Road Warrior Access VPN Using Libreswan
Road warriors are traveling users with mobile clients with a dynamically assigned
IP address, such as laptops. These are authenticated using certificates.
On the server:
conn roadwarriors
left=1.2.3.4
# if access to the LAN is given, enable this
#leftsubnet=10.10.0.0/16
leftcert=vpn-server.example.com
leftid=%fromcert
right=%any
# trust our own Certificate Agency
rightca=%same
# allow clients to be behind a NAT router
rightsubnet=vhost:%priv,%no
authby=rsasig
# load connection, don't initiate
auto=add
# kill vanished roadwarriors
dpddelay=30
dpdtimeout=120
dpdaction=%clear
Where:
left=1.2.3.4- The 1.2.3.4 value specifies the actual IP address or host name of your server.
leftcert=vpn-server.example.com- This option specifies a certificate referring to its friendly name or nickname that has been used to import the certificate. Usually, the name is generated as a part of a PKCS #12 certificate bundle in the form of a
.p12file. See thepkcs12(1)andpk12util(1)man pages for more information.
On the mobile client, the road warrior's device, use a slight variation of the above configuration:
conn roadwarriors
# pick up our dynamic IP
left=%defaultroute
leftcert=myname.example.com
leftid=%fromcert
# right can also be a DNS hostname
right=1.2.3.4
# if access to the remote LAN is required, enable this
#rightsubnet=10.10.0.0/16
# trust our own Certificate Agency
rightca=%same
authby=rsasig
# Initiate connection
auto=start
Where:
auto=start- This option enables the user to connect to the VPN whenever the
ipsecsystem service is started. Replace it with theauto=addif you want to establish the connection later.
