Refactoring the IPsec documentation


the other day, I wanted to add some information about how to setup IPsec RW with Apple macOS & iOS. And I didn’t know where to start. The whole IPsec section was practically one laaaaarge page with lots and lots of stuff that didn’t have to be there and lots and lots of stuff that was repeating itself. In there was also a lot of information that I considered to be plain wrong.

So I decided to bring some structure into it and I split the long page into multiple sub-pages. One for net-to-net connections and one for host-to-net connections.

I summarised those pages and removed a lot of excess stuff which I do not like (we do not need to explain to people how to save a file) and added some more content. Especially about the difference of PSK vs. certificate (that section is probably not very good) and ciphers.

I wanted to ask for a little review and about what is good or bad about this.

1 Like

Excellent! I had always wanted to give IPsec a try. Thank you!

Yesterday I started to add an image and I got stuck at the Host-to-Net Endpoint. I saw the info on the Global Configuration wiki page but it did not click for me

What info is added to this field?

I’ll read through the wiki and give IPsec a try.

1 Like

A post was merged into an existing topic: One-click VPNs for Apple iOS

The FQDN is going in here. So usually that is the “DynDNS hostname”. Looks like this needs some more explanation in the documentation.

In OpenVPN it is known as a different name/description: Local VPN Hostname/IP:

Screen Shot 2021-07-22 at 4.28.26 PM


I think you may show the DNS page in iPfire. As my understanding is one must add the service here as well, or ?

The explanation you gave me earlier that you must be able to ping your iPfire with the DNS name was very helpful to me.

As an example, create a user at, and then create a name xxxx. So will be the “public” name of your firewall. Your ISP can change your public ip, but the will always point to your home address.

on this page:
Under Create a new Roadwarrior connection I am stuck at:

  • The IPFire system should have a FQDN which resolves from the public Internet
  • The CA certificate must contain a subjectAlternativeName with the system’s FQDN which must be used for IPsec, too.

How is the first bullet different from the second bullet? Is the second bullet a local FQDN? (e.g. ipfire.localdomain)

1 Like

3 posts were merged into an existing topic: One-click IPsec VPNs for Apple iOS

7 posts were merged into an existing topic: One-click VPNs for Apple iOS

Michael - I added a few items to the Global Config page.

If I over-stepped or made an error please let me know. (I seem to remember you are not shy!)

LOL, no I am not shy to point out any technical errors, because we can all learn from that. You definitely didn’t overreach. This is a wiki and it should be edited. It is never done :slight_smile:

I have a couple of remarks/ideas though. There is a part of the page that now reads like this:

To me this reads like there are two examples now which is probably more confusing.

Should we generally make up a company that we constantly use throughout the wiki so that examples are consistent across all pages of the wiki? I sometimes use “ABC Trucking PLC”, but this could be of course anything that is generic.

I changed that star to actual footnotes, just because they disappear at the end of the page and clicking on the little number takes you straight there.

Yes - two examples.
To me the two examples made it less confusing. The company example made perfect sense.

  • as a VERY picky item I’d stick with the company theme and make the FQDN something like I’d removed the ipfire-at-home reference. Like I said ‘very picky’!

The second example is for the Home user that doesn’t have a static IP and has (or needs) a dynamic DNS hostname.

If OK with two examples, I’ll re-word that paragraph and hopefully it will be less confusing!

Looks good!