
FreeS/WAN quick start examples

These are sample ipsec.conf(5) configuration files for opportunistic encryption, with comments. Much of this configuration will be unnecessary with the new defaults proposed for FreeS/WAN 2.x.

config for initiate-only opportunistic encryption

Full instructions for this setup are in our quickstart guide.

The ipsec.conf file for an initiate-only opportunistic setup is:

# general IPsec setup
config setup
        # Use the default interface
        interfaces=%defaultroute
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search

# defaults for subsequent connection descriptions
conn %default
        # How to authenticate gateways
        authby=rsasig
        # default is
        # load connection description into Pluto's database
        # so it can respond if another gateway initiates
        # individual connection descriptions may override this
        auto=add

# description for opportunistic connections
conn me-to-anyone
        left=%defaultroute         # all connections should use default route
        right=%opportunistic       # anyone we can authenticate
        rightrsasigkey=%dns        # look up their key in DNS
        auto=route                 # set up for opportunistic
        rekey=no                   # let unused connections die
        leftid=@xy.example.com     # our identity for IPsec negotiations
                                   # must match DNS and ipsec.secrets

Normally, the leftid= line above is the only one that you need to edit. However, some people may need to customize the interfaces= line in the "config setup" section. All other sections are identical for any standalone machine doing opportunistic encryption.

The @ sign in the leftid= makes the ID go "over the wire" as a Fully Qualified Domain Name (FQDN). Without it, the ID would be sent as an IP address, which does not work for opportunistic encryption.

The conn is not used to supply either public key. Your private key is in ipsec.secrets(5) and, for opportunistic encryption, the public keys for remote gateways are all looked up in DNS.

FreeS/WAN authenticates opportunistic encryption by RSA signature only, so "public key" and "private key" refer to these keys.

While the left and right designations here are arbitrary, we follow a convention of using left for local and right for remote.

Continue configuring initiate-only opportunism.

ipsec.conf for incoming opportunistic encryption

Use the ipsec.conf above, except that the section describing opportunistic connections is now:

# description for opportunistic connections
conn me-to-anyone
        left=%defaultroute         # all connections should use default route
        right=%opportunistic       # anyone we can authenticate
        rightrsasigkey=%dns        # look up their key in DNS
        auto=route                 # set up for opportunistic
        rekey=no                   # let unused connections die

Note that leftid= has been removed.

Continue configuring full opportunism.

ipsec.conf for road warrior client

Here is our new connection, with comments:

conn us-to-office
        #
        # information obtained from office system admin
        # goes to the right of the = signs in these lines
        # values shown here are just for example
        #
        left=1.2.3.4               # gateway IP address
        leftsubnet=42.42.42.0/24   # the office network
        leftid=@gateway.example.com
        # real keys are much longer than shown here
        leftrsasigkey=0s1LgR7/oUM...
        #
        # our stuff
        #
        # all connections should use our default route
        # also controls the source address on IPsec packets
        right=%defaultroute
        # our identity for IPsec negotiations
        rightid=@xy.example.com

Everything else remains as it was when we had only opportunistic connections.

Return to our quickstart document.

A modular ipsec.conf

Once you have more than one connection, you may want to design your ipsec.conf in a modular fashion. This will help you avoid retyping information. Use also= to include one full or partial connection description within another.

Here is a sample modular ipsec.conf file for our situation. Since the right= and rightid= settings are common to both our connections, we place them in the partial connection our_stuff, which looks like:

conn our_stuff
        # all connections should use our default route
        # also controls the source address on IPsec packets
        right=%defaultroute
        # our identity for IPsec negotiations
        # must match what is in DNS and ipsec.secrets(5)
        rightid=@xy.example.com

We then include this information in other conns with the line:

        also=our_stuff

For this to work, conn our_stuff must come last.

The resulting modular ipsec.conf looks like:

# general IPsec setup
config setup
        # Use the default interface
        interfaces=%defaultroute
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search

# description for opportunistic connections
conn me-to-anyone
        also=our_stuff             # our system details, stored below
        left=%opportunistic        # anyone we can authenticate
        leftrsasigkey=%dns         # look up their key in DNS
        auto=route                 # set up for opportunistic
        rekey=no                   # let unused connections die

# pre-configured link to office network
# added for this example
conn us-to-office
        also=our_stuff             # our system details, stored below
        #
        # information obtained from office system admin
        # goes to the right of the = signs in these lines
        # values shown here are just for example
        #
        left=1.2.3.4               # gateway IP address
        leftsubnet=42.42.42.0/24   # the office network
        leftid=@gateway.example.com
        # real keys are much longer than shown here
        leftrsasigkey=0s1LgR7/oUM...

# description of our system
# included in other connection descriptions via also= lines
# must come after the lines that use it
conn our_stuff
        # all connections should use our default route
        # also controls the source address on IPsec packets
        right=%defaultroute
        # our identity for IPsec negotiations
        # must match what is in DNS and ipsec.secrets(5)
        rightid=@xy.example.com

Note that you cannot put an auto=start line into an included connection like our_stuff.

Of course, if need be, you can mix modular and nonmodular elements in any ipsec.conf.
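The rules stated on this page (an ID needs the leading @ to go over the wire as an FQDN, a conn named in also= must come after the conns that use it, and an included conn must not carry auto=start) are easy to get wrong by hand. The checker below is an added example, not FreeS/WAN code: it parses the ipsec.conf layout shown above (column-0 section headers, indented key=value lines, trailing # comments) and reports violations of those three rules. It assumes that a conn's own parameters take precedence over ones pulled in through also=, and the two embedded configs are constructed samples, one condensed from the modular example above and one deliberately broken.

```python
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

@dataclass
class Section:
    kind: str                                   # "config" or "conn"
    name: str                                   # "setup", "%default", "me-to-anyone", ...
    line: int                                   # line number of the section header
    params: dict = field(default_factory=dict)
    alsos: list = field(default_factory=list)   # also= targets, in file order

def parse_ipsec_conf(text):
    """Sections in file order; headers at column 0, indented key=value lines, '#' comments."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()    # drop the trailing comment
        if not line.strip():
            continue
        header = None if raw[0].isspace() else SECTION_RE.match(line)
        if header:
            current = Section(header.group(1), header.group(2), lineno)
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "also":
                current.alsos.append(value)
            else:
                current.params[key] = value
    return sections

def effective_params(conn, by_name, seen=None):
    """Parameters after following the also= chain (assumption: own settings win)."""
    seen = set() if seen is None else seen
    if conn.name in seen:                       # guard against also= cycles
        return {}
    seen.add(conn.name)
    merged = {}
    for target in conn.alsos:
        if target in by_name:
            for key, value in effective_params(by_name[target], by_name, seen).items():
                merged.setdefault(key, value)
    merged.update(conn.params)
    return merged

def check_ipsec_conf(text):
    """Problems found under the page's rules; an empty list means none."""
    sections = parse_ipsec_conf(text)
    by_name = {s.name: s for s in sections if s.kind == "conn"}
    problems, included = [], set()
    for s in sections:
        for target in s.alsos:
            included.add(target)
            t = by_name.get(target)
            if t is None:
                problems.append(f"{s.name}: also={target} names an undefined conn")
                continue
            if t.line < s.line:                 # included conn must come after its users
                problems.append(f"{s.name}: also={target} must come after the conn that uses it")
            if t.params.get("auto") == "start":
                problems.append(f"{target}: auto=start is not allowed in a conn included via also=")
    for s in sections:
        if s.kind == "conn" and s.name != "%default" and s.name not in included:
            for side, value in effective_params(s, by_name).items():
                if side in ("leftid", "rightid") and not value.startswith("@") \
                        and not re.fullmatch(r"[\d.]+", value):
                    problems.append(f"{s.name}: {side}={value} lacks the leading '@', so the "
                                    "ID would go over the wire as an IP address, not an FQDN")
    return problems

# Constructed sample, condensed from the page's modular ipsec.conf.
GOOD_CONF = """\
conn me-to-anyone
        also=our_stuff             # our system details, stored below
        left=%opportunistic

conn us-to-office
        also=our_stuff
        leftid=@gateway.example.com

conn our_stuff
        right=%defaultroute
        rightid=@xy.example.com
"""

# Constructed counterexample: our_stuff comes too early and has auto=start; leftid lacks '@'.
BAD_CONF = """\
conn our_stuff
        rightid=@xy.example.com
        auto=start

conn us-to-office
        also=our_stuff
        leftid=gateway.example.com
"""
```

Calling check_ipsec_conf(GOOD_CONF) returns an empty list, while check_ipsec_conf(BAD_CONF) returns three messages, one per rule broken. A bare IP address as an ID (for example rightid=1.2.3.4) is deliberately not flagged, since only a hostname without @ gets silently turned into an address.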

Go back to configuring a road warrior.
