description: Learn how to configure the Linux (strongSwan) VPN client solution for VPN Gateway P2S configurations that use certificate authentication. This article applies to Linux (strongSwan).
4
+
description: Learn how to configure a Linux VPN client solution for VPN Gateway P2S configurations that use certificate authentication.
# Configure point-to-site VPN clients - certificate authentication - Linux
13
13
14
-
When you connect to an Azure virtual network (VNet) using point-to-site (P2S) and certificate authentication from a Linux computer, you can use strongSwan. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients Linux.
14
+
When you connect to an Azure virtual network (VNet) using point-to-site (P2S) and certificate authentication from a Linux computer, you can use strongSwan (IKEv2 tunnels) or an OpenVPN client. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients Linux.
15
15
16
16
The VPN client configuration files that you generate are specific to the P2S VPN gateway configuration for the virtual network. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see [About point-to-site VPN](point-to-site-about.md).
17
17
18
-
## <aname="generate"></a>Before you begin
18
+
## Before you begin
19
19
20
20
Before beginning, verify that you are on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
A client certificate is required for authentication when using the Azure certificate authentication type. A client certificate must be installed on each client computer. The exported client certificate must be exported with the private key, and must contain all certificates in the certification path. Make sure that the client computer has the appropriate client certificate installed before proceeding to the next section.
36
-
37
-
For information about client certificates, see [Generate certificates - Linux](vpn-gateway-certificates-point-to-site-linux.md).
You can generate client configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file.
42
27
43
-
### <aname="portal"></a>Generate profile config files using the Azure portal
28
+
### Generate files using the Azure portal
44
29
45
30
1. In the Azure portal, navigate to the virtual network gateway for the virtual network that you want to connect to.
46
31
1. On the virtual network gateway page, select **Point-to-site configuration** to open the Point-to-site configuration page.
47
32
1. At the top of the Point-to-site configuration page, select **Download VPN client**. This doesn't download VPN client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you may not see any indications until the packet has generated.
48
33
49
-
:::image type="content" source="./media/point-to-site-vpn-client-cert-linux/download-configuration.png" alt-text="Download the VPN client configuration." lightbox="./media/point-to-site-vpn-client-cert-linux/download-configuration.png":::
34
+
:::image type="content" source="./media/point-to-site-vpn-client-cert-mac/download-configuration.png" alt-text="Download the VPN client configuration." lightbox="./media/point-to-site-vpn-client-cert-mac/download-configuration.png":::
50
35
1. Once the configuration package has been generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.
51
36
52
-
### <aname="powershell"></a>Generate profile config files using PowerShell
37
+
### Generate files using PowerShell
53
38
54
39
1. When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:
55
40
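Review bot: The image reference in the **Download VPN client** step now points at `./media/point-to-site-vpn-client-cert-mac/download-configuration.png` for both `source` and `lightbox`, so this Linux article depends on the macOS article's media folder. Either keep the `point-to-site-vpn-client-cert-linux` path or move the shared screenshot to a common folder, so that a later cleanup of the mac media doesn't break this page. The same region drops the `generate`, `portal` and `powershell` anchors from the headings, so inbound links to `#generate`, `#portal` or `#powershell` need to be checked. While the intro sentence is being edited, "configure the VPN clients Linux" still reads as missing a word, and the unchanged step text says "until the packet has generated" where "package" is meant.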
@@ -61,23 +46,33 @@ You can generate client configuration files using PowerShell, or by using the Az
61
46
62
47
1. Copy the URL to your browser to download the zip file.
63
48
64
-
##4. View the folder and files
49
+
###View the folder and files
65
50
66
51
Unzip the file to view the following folders:
67
52
68
53
***WindowsAmd64** and **WindowsX86**, which contain the Windows 32-bit and 64-bit installer packages, respectively. The **WindowsAmd64** installer package is for all supported 64-bit Windows clients, not just Amd.
69
54
***Generic**, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder isn’t present.
70
55
71
-
## 5. Select the configuration instructions
56
+
## Select the configuration instructions
72
57
73
58
The sections below contain instructions to help you configure your VPN client. Select the tunnel type that your P2S configuration uses, then select the method that you want to use to configure.
74
59
75
-
*[IKEv2 tunnel type steps](#ike)
76
-
*[OpenVPN tunnel type steps](#openvpn)
60
+
*[IKEv2 tunnel type steps](#ike) for strongSwan
61
+
*[OpenVPN tunnel type steps](#openvpn) for OpenVPN client
77
62
78
-
## <aname="ike"></a>IKEv2 tunnel type steps
63
+
## <aname="ike"></a>IKEv2 - strongSwan steps
79
64
80
-
This section helps you configure Linux clients for certificate authentication that uses the IKEv2 tunnel type. To connect to Azure, you manually configure an IKEv2 VPN client.
A client certificate is required for authentication when using the Azure certificate authentication type. A client certificate must be installed on each client computer. The exported client certificate must be exported with the private key, and must contain all certificates in the certification path. Make sure that the client computer has the appropriate client certificate installed before proceeding to the next section.
72
+
73
+
For information about client certificates, see [Generate certificates - Linux](vpn-gateway-certificates-point-to-site-linux.md).
74
+
75
+
### View VPN client profile files
81
76
82
77
Go to the downloaded VPN client profile configuration files. You can find all of the information that you need for configuration in the **Generic** folder. Azure doesn’t provide a *mobileconfig* file for this configuration.
83
78
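Review bot: The client certificate prerequisite added under `IKEv2 - strongSwan steps` (exported with the private key, containing all certificates in the certification path) now appears only in the IKEv2 section, because the identical paragraph is deleted from the earlier shared part of the article, yet the new intro says the article also covers an OpenVPN client. Unless the OpenVPN include repeats the requirement, readers on the OpenVPN path never see it. Keep the paragraph in a section both tunnel types pass through, or state it in both. Also, `View the folder and files` drops from `##` to `###`, which makes it a sibling of the two "Generate files" headings; confirm that nesting is intended.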
@@ -91,9 +86,14 @@ The Generic folder contains the following files:
91
86
***VpnSettings.xml**, which contains important settings like server address and tunnel type.
92
87
***VpnServerRoot.cer**, which contains the root certificate required to validate the Azure VPN gateway during P2S connection setup.
93
88
94
-
### <aname="gui"></a>GUI instructions
89
+
After viewing the files, continue with the steps that you want to use:
90
+
91
+
*[GUI steps](#gui)
92
+
*[CLI steps](#cli)
93
+
94
+
#### <aname="gui"></a>strongSwan GUI instructions
95
95
96
-
This section walks you through the configuration using the strongSwan GUI. The following instructions were created on Ubuntu 18.0.4. Ubuntu 16.0.10 doesn’t support strongSwan GUI. If you want to use Ubuntu 16.0.10, you’ll have to use the [command line](#linuxinstallcli). The following examples may not match screens that you see, depending on your version of Linux and strongSwan.
96
+
This section walks you through the configuration using the strongSwan GUI. The following instructions were created on Ubuntu 18.0.4. Ubuntu 16.0.10 doesn’t support strongSwan GUI. If you want to use Ubuntu 16.0.10, you’ll have to use the [command line](#cli). The following examples may not match screens that you see, depending on your version of Linux and strongSwan.
97
97
98
98
1. Open the **Terminal** to install **strongSwan** and its Network Manager by running the command in the example.
99
99
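Review bot: The new `[CLI steps](#cli)` bullet and the updated `[command line](#cli)` link in the GUI intro both target `#cli` in place of `#linuxinstallcli`, but no heading carrying `name="cli"` is visible in this change. Confirm the CLI heading's anchor is renamed in the same commit, otherwise both links are dead. The GUI heading also moves from `###` to `####`, which nests it under `View VPN client profile files`; check that this is the intended hierarchy rather than a sibling `###`. Since the intro line is being touched anyway, `Ubuntu 18.0.4` and `Ubuntu 16.0.10` don't follow Ubuntu's YY.MM release numbering and should be corrected to the releases that were actually tested.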
@@ -126,7 +126,7 @@ This section walks you through the configuration using the strongSwan GUI. The f
This section walks you through the configuration using the strongSwan CLI.
132
132
@@ -168,13 +168,13 @@ This section walks you through the configuration using the strongSwan CLI.
168
168
169
169
## <aname="openvpn"></a>OpenVPN tunnel type steps
170
170
171
-
This section helps you configure Linux clients for certificate authentication that uses the OpenVPN tunnel type. To connect to Azure, you download the OpenVPN client and configure the connection profile.
171
+
This section helps you configure Linux clients for certificate authentication that uses the OpenVPN tunnel type. To connect to Azure, download the OpenVPN client and configure the connection profile.
172
172
173
173
[!INCLUDE [Configuration steps for OpenVPN Linux](../../includes/vpn-gateway-config-openvpn-linux.md)]
174
174
175
175
## Next steps
176
176
177
177
For additional steps, return to the original point-to-site article that you were working from.
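Review bot: The heading `OpenVPN tunnel type steps` is left unchanged while its IKEv2 counterpart was renamed to `IKEv2 - strongSwan steps` and the link list now reads "for OpenVPN client". Rename it to the parallel form for consistency, keeping the `openvpn` anchor so the existing `#openvpn` link still resolves.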