Host-to-Net connections are being used to connect a host which could be a laptop, smartphone or any other device with an IPsec client to one or more networks.

They are very handy for working from home, remote administration and backup jobs. They transfer your device on the local network using a secure channel as if you were actually in the office or data center.

Pre-requirements

On your device, you will need an IPsec client. Many operating systems bring a built-in one which are:

  • Microsoft Windows 7-11
  • Apple Mac OS X and iOS
  • Linux systems with NetworkManager

Third-party clients are also supported.

Creating a New Connection

To start creating a new connection, click the "Add" button and select "Host-to-Net Virtual Private Network (Roadwarrior)".

Then click "Add". On the next page, begin by choosing name for the connection.

Fill in the following values:

Field What goes in here?
Name Name for the connection
Local IP Address Select the IP address the client should be connecting to1
Remote host/IP Limit the IP address this client can connect from. For roadwarrior networks this information is unknown and can be left empty.
Local subnet The network this client can connect to. Specify multiple networks separated by comma if the client supports this. To route all traffic from the client through the VPN, enter 0.0.0.0/0.
DNS Servers Specify IP addresses of DNS servers to be pushed to the client. This is helpful if running a local DNS zone (or split horizon) for a Windows domain. The IP address should be part of the "Local subnet"
Local ID: See requirement for client
Remote ID: See requirement for client

Certificates or PSK?

Unfortunately it is only possible to have exactly one roadwarrior connection that is using pre-shared-key authentication. The system cannot identify the client and therefore cannot select from a list of multiple PSKs.

Certificates are a much better solution as they provide stronger authentication and cannot be easily brute-forced and can be revoked when lost.

Certificates

IPFire can generate a certificate for each connection which will be imported into the client for strong authentication. For that, you will simply have to select "Generate a certificate" and fill out the form at the bottom and provide some details.

Field What goes in here?
User's full name or system hostname For laptops, smartphone and similar devices it is best to use the full name of the owner (e.g. "John Doe"). For any IoT equipment the hostname should be used. This will become the Common Name of the certificate.
Organization Name Named by Root/Host Certificate. No need to change or update
SubjectAlternativeName This field might need certain settings depending on the client. See below for any special requirements for certain clients.
PKCS12 File Password Provide a password that is being used to protect the private key of the certificate. It will be needed to import the connection and, depending on the client, start it.

The other fields should explain themselves.

PSK

Select "Use a pre-shared key", and generate a secure pre-shared-key and enter it into the field. It is recommended to at least use a 32 character long key. The key must not contain the characters a comma or a single quotation mark.
From Core Update 190 onwards base64encoding has been applied to the PSK and so any ASCII character, except for the single quotation mark, can be used.

Finally, click "Save" to create the connection.

Importing the connection into the client

Depending on the client and operating system you are using, this process can be different.


  1. Only possible with RED being configured as static and aliases