These are sample ipsec.conf(5) configuration files for opportunistic encryption, with comments. Much of this configuration will be unnecessary with the new defaults proposed for FreeS/WAN 2.x.
Full instructions for this setup are in our quickstart guide.
The ipsec.conf file for an initiate-only opportunistic setup is:
# general IPsec setup
config setup
# Use the default interface
interfaces=%defaultroute
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# defaults for subsequent connection descriptions
conn %default
# How to authenticate gateways
authby=rsasig
# default is
# load connection description into Pluto's database
# so it can respond if another gatway initiates
# individual connection descriptions may override this
auto=add
# description for opportunistic connections
conn me-to-anyone
left=%defaultroute # all connections should use default route
right=%opportunistic # anyone we can authenticate
rightrsasigkey=%dns # look up their key in DNS
auto=route # set up for opportunistic
rekey=no # let unused connections die
leftid=@xy.example.com # our identity for IPSec negotiations
# must match DNS and ipsec.secrets
Normally, the last line above is the only one that you need to edit. However, some people may need to customize the interfaces= line in the "config setup" section. All other sections are identical for any standalone machine doing opportunistic encryption.
The @ sign in the leftid= makes the ID go "over the wire" as a Fully Qualified Domain Name (FQDN). Without it, an IP address would be used and this won't work.
The conn is not used to supply either public key. Your private key is in ipsec.secrets(5) and, for opportunistic encryption, the public keys for remote gateways are all looked up in DNS.
FreeS/WAN authenticates opportunistic encryption by RSA signature only, so "public key" and "private key" refer to these keys.
While the left and right designations here are arbitrary, we follow a convention of using left for local and right for remote.
Continue configuring initiate-only opportunism.
# description for opportunistic connections
conn me-to-anyone
left=%defaultroute # all connections should use default route
right=%opportunistic # anyone we can authenticate
rightrsasigkey=%dns # look up their key in DNS
auto=route # set up for opportunistic
rekey=no # let unused connections die
Note that leftid= has been removed.
Continue configuring full opportunism.
Here is our new connection, with comments:
conn us-to-office
#
# information obtained from office system admin
# goes to the right of the = signs in these lines
# values shown here are just for example
#
left=1.2.3.4 # gateway IP address
leftsubnet=42.42.42.0/24 # the office network
leftid=@gateway.example.com
# real keys are much longer than shown here
leftrsasigkey=0s1LgR7/oUM...
#
# our stuff
#
# all connections should use our default route
# also controls the source address on IPsec packets
right=%defaultroute
# our identity for IPsec negotiations
rightid=@xy.example.com
Everything else remains as it was when we had only opportunistic connections.
Return to our quickstart document.
Once you have more than one connection, you may want to design your ipsec.conf in a modular fashion. This will help you avoid retyping information. Use also= to include one full or partial connection description within another.
Here is a sample modular ipsec.conf file for our situation. Since the right... information is common to both our connections, we place it in the partial connection our_stuff, which looks like:
conn our_stuff
# all connections should use our default route
# also controls the source address on IPsec packets
right=%defaultroute
# our identity for IPsec negotiations
# must match what is in DNS and ipsec.secrets(5)
rightid=@xy.example.com
We then include this information in other conns with the line:
also=our_stuff
For this to work, conn our_stuff must come last.
The resulting modular ipsec.conf looks like:
# general IPsec setup
config setup
# Use the default interface
interfaces=%defaultroute
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# description for opportunistic connections
conn me-to-anyone
also=our_stuff # our system details, stored below
left=%opportunistic # anyone we can authenticate
leftrsasigkey=%dns # look up their key in DNS
auto=route # set up for opportunistic
rekey=no # let unused connections die
# pre-configured link to office network
# added for this example
conn us-to-office
also=our_stuff # our system details, stored below
#
# information obtained from office system admin
# goes to the right of the = signs in these lines
# values shown here are just for example
#
left=1.2.3.4 # gateway IP address
leftsubnet=42.42.42.0/24 # the office network
leftid=@gateway.example.com
# real keys are much longer than shown here
leftrsasigkey=0s1LgR7/oUM...
# description of our system
# included in other connection descriptions via also= lines
# must come after the lines that use it
conn our_stuff
# all connections should use our default route
# also controls the source address on IPsec packets
right=%defaultroute
# our identity for IPsec negotiations
# must match what is in DNS and ipsec.secrets(5)
rightid=@xy.example.com
Note that you cannot put an auto=start line into an included connection like our_stuff.
Of course, if need be, you can mix modular and nonmodular elements in any ipsec.conf.
Go back to configuring a road warrior.