These are sample ipsec.conf(5) configuration files for opportunistic encryption, with comments. Much of this configuration will be unnecessary with the new defaults proposed for FreeS/WAN 2.x.
Full instructions for this setup are in our quickstart guide.
The ipsec.conf file for an initiate-only opportunistic setup is:
# general IPsec setup config setup # Use the default interface interfaces=%defaultroute # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # defaults for subsequent connection descriptions conn %default # How to authenticate gateways authby=rsasig # default is # load connection description into Pluto's database # so it can respond if another gatway initiates # individual connection descriptions may override this auto=add # description for opportunistic connections conn me-to-anyone left=%defaultroute # all connections should use default route right=%opportunistic # anyone we can authenticate rightrsasigkey=%dns # look up their key in DNS auto=route # set up for opportunistic rekey=no # let unused connections die leftid=@xy.example.com # our identity for IPSec negotiations # must match DNS and ipsec.secrets
Normally, the last line above is the only one that you need to edit. However, some people may need to customize the interfaces= line in the "config setup" section. All other sections are identical for any standalone machine doing opportunistic encryption.
The @ sign in the leftid= makes the ID go "over the wire" as a Fully Qualified Domain Name (FQDN). Without it, an IP address would be used and this won't work.
The conn is not used to supply either public key. Your private key is in ipsec.secrets(5) and, for opportunistic encryption, the public keys for remote gateways are all looked up in DNS.
FreeS/WAN authenticates opportunistic encryption by RSA signature only, so "public key" and "private key" refer to these keys.
While the left and right designations here are arbitrary, we follow a convention of using left for local and right for remote.
Continue configuring initiate-only opportunism.
# description for opportunistic connections conn me-to-anyone left=%defaultroute # all connections should use default route right=%opportunistic # anyone we can authenticate rightrsasigkey=%dns # look up their key in DNS auto=route # set up for opportunistic rekey=no # let unused connections die
Note that leftid= has been removed.
Continue configuring full opportunism.
Here is our new connection, with comments:
conn us-to-office # # information obtained from office system admin # goes to the right of the = signs in these lines # values shown here are just for example # left=1.2.3.4 # gateway IP address leftsubnet=42.42.42.0/24 # the office network leftid=@gateway.example.com # real keys are much longer than shown here leftrsasigkey=0s1LgR7/oUM... # # our stuff # # all connections should use our default route # also controls the source address on IPsec packets right=%defaultroute # our identity for IPsec negotiations rightid=@xy.example.com
Everything else remains as it was when we had only opportunistic connections.
Return to our quickstart document.
Once you have more than one connection, you may want to design your ipsec.conf in a modular fashion. This will help you avoid retyping information. Use also= to include one full or partial connection description within another.
Here is a sample modular ipsec.conf file for our situation. Since the right... information is common to both our connections, we place it in the partial connection our_stuff, which looks like:
conn our_stuff # all connections should use our default route # also controls the source address on IPsec packets right=%defaultroute # our identity for IPsec negotiations # must match what is in DNS and ipsec.secrets(5) rightid=@xy.example.com
We then include this information in other conns with the line:
also=our_stuff
For this to work, conn our_stuff must come last.
The resulting modular ipsec.conf looks like:
# general IPsec setup config setup # Use the default interface interfaces=%defaultroute # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # description for opportunistic connections conn me-to-anyone also=our_stuff # our system details, stored below left=%opportunistic # anyone we can authenticate leftrsasigkey=%dns # look up their key in DNS auto=route # set up for opportunistic rekey=no # let unused connections die # pre-configured link to office network # added for this example conn us-to-office also=our_stuff # our system details, stored below # # information obtained from office system admin # goes to the right of the = signs in these lines # values shown here are just for example # left=1.2.3.4 # gateway IP address leftsubnet=42.42.42.0/24 # the office network leftid=@gateway.example.com # real keys are much longer than shown here leftrsasigkey=0s1LgR7/oUM... # description of our system # included in other connection descriptions via also= lines # must come after the lines that use it conn our_stuff # all connections should use our default route # also controls the source address on IPsec packets right=%defaultroute # our identity for IPsec negotiations # must match what is in DNS and ipsec.secrets(5) rightid=@xy.example.com
Note that you cannot put an auto=start line into an included connection like our_stuff.
Of course, if need be, you can mix modular and nonmodular elements in any ipsec.conf.
Go back to configuring a road warrior.