The global configuration section allows to enable IPsec and configure general network settings.

Host-to-Net Settings

These settings are only required if you are planning on having host-to-net (roadwarrior) clients and can otherwise be left empty.

The Host-to-Net Endpoint will be used for clients to reach the firewall. It usually is a DynDNS hostname but can also be a static IP address. Either have to be part of the host certificate (see below) in order to make certificate connections work.

Host-to-Net Virtual Private Network (RoadWarrior) defines a new subnet, using CIDR notation, which will be used to assign IP addresses to clients.

Generation of Root and Host Certificates

Certificates are required to use certificate-based connections with IPFire for both net-to-net and host-to-net connections.

To get started, click "Generate Root/Host certificates” and fill in the following values:

Field What goes in here?
Organisation Name 1 Your company name - e.g. "ABC Trucking PLC"
IPFire's Hostname 1 Enter the FQDN of your IPFire system - e.g. 2 Or enter the dynamic DNS hostname - e.g., 2
 Your Email The email address of the administrator
Your Department / Town/Province/Country This should be self-explanatory
Subject Alternative Name 1 SubjectAltName is a comma separated list of e-mail, DNS, URI, RID, or IP objects. If the IPFire system is reachable under multiple FQDNs add them here. Choices are email:*, DNS:*, URI:*, RID:*
email: - an email address (e.g.,
email:copy - takes the email field from the cert to be used
DNS: - a valid domain name (e.g., or
URI: - any valid uri (e.g., http://url/to/something)
RID: - registered object identifier
IP: - an IP address (e.g.,
Example:, email:copy,, IP:, URI:http://url/to/something
Note: charset is limited and case is significant.

After you filled in the form, click "Generate Root/Host certificates" to start generating the certificates. This process might take a couple of moments depending on how fast your IPFire system is.

Log Files

For debugging purposes, all log files can be viewed in WebGUI menu Logs -> System Logs -> IPsec. And are being logged to /var/log/messages. View messages via SSH and the command:

grep charon /var/log/messages

  1. Fields marked with an asterisk are a required field 

  2. This must resolve to the public IP address of your IPFire system and will become the Common Name of the host certificate