FreeS/WAN networks should be considered in terms of left and right
nodes, not as local and remote.
Using local and remote will lead to confusion as the labels can change according to your location.
The configuration file /etc/ipsec.conf is identical for each FreeS/WAN node.
FreeS/WAN v2 has "opportunistic encryption" (OE), which allows authentication by
obtaining keys from DNS records; this lets nodes connect even if they don't
know each other's keys beforehand. Full control of the domain's DNS records is required for OE.
/etc/ipsec.secrets holds the ipsec authentication keys - created with ipsec newhostkey --output /etc/ipsec.secrets
The public key used for authentication is labelled pubkey in /etc/ipsec.secrets.
The configuration file /etc/ipsec.conf contains several directives that define the VPN connection(s):-
conn $CONNECTION: the label for this tunnel. Each tunnel has only two endpoints and a unique label, $CONNECTION.
leftid: either the public address of the lefthand ipsec router or the "@fqdn" of the router, e.g. @bsl-left.blueskylinux.net.
leftsubnet: the network address of the lefthand subnet with a /netmask, e.g. 192.168.1.0/24
left: the external address of the lefthand ipsec machine.
leftnexthop: the internal address of the lefthand router (if there is one).
leftrsasigkey: the ipsec key for the lefthand node - obtained with ipsec showhostkey --left or
by copying the pubkey from /etc/ipsec.secrets.
rightrsasigkey: the ipsec key for the righthand node - obtained with ipsec showhostkey --right or
by copying the pubkey from /etc/ipsec.secrets.
rightnexthop: the internal address of the righthand router (if there is one).
right: the external address of the righthand ipsec machine.
rightsubnet: the network address of the righthand subnet with a /netmask, e.g. 102.0.0.0/8
rightid: either the public address of the righthand ipsec router or the "@fqdn" of the router, e.g. @bsl-right.blueskylinux.net.
auto=start|add:- defines how this connection should be activated.
start brings up the connection when ipsec is started;
add requires ipsec auto --up $CONNECTION from a script or manually.
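Because the same ipsec.conf is copied to both nodes, the directives above are easy to get subtly wrong: a left/right value swapped so both sides end up with the same address, a subnet typed as a host address, the same pubkey pasted into both rsasigkey lines, or an auto= value that FreeS/WAN does not know. The checker below is an added example, not FreeS/WAN's own tooling and not from the original page: it parses the conn sections of an ipsec.conf-style file and reports those mistakes. The embedded sample configuration is constructed (addresses follow the example topology on this page, but the rsasigkey values are shortened dummies), and treating a line without "=" as a continuation of the previous value is an assumption made here so a key wrapped across lines still parses; ipsec.conf(5) itself expects each key on one line.

```python
"""Sanity-check the conn sections of a FreeS/WAN-style /etc/ipsec.conf.
Added example, not FreeS/WAN's own tooling: flags common left/right mistakes."""
import ipaddress
import re

VALID_AUTO = {"start", "add", "route", "ignore", "manual"}  # ipsec.conf(5) auto= values

# Constructed sample: one sound tunnel, one with several mistakes; the
# rsasigkey values are shortened dummies, not real FreeS/WAN keys.
SAMPLE_CONF = """\
version 2.0
config setup
    interfaces="ipsec0=eth1"
conn packetdefault
    auto=ignore
conn bsl-evpn
    auto=start
    left=68.21.3.33
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQPRqU0ZjrGRcFeZCx7aoRhAjMINIj
    right=217.210.16.250
    rightsubnet=10.0.1.0/24
    rightrsasigkey=0sAQOYAU049hEDfeK6bpbaiUdDHoD90q
conn broken
    auto=up
    left=102.0.1.254
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQPRqU0ZjrGRcFeZCx7aoRhAjMINIj
    right=102.0.1.254
    rightsubnet=192.168.1.128/25
    rightrsasigkey=0sAQPRqU0ZjrGRcFeZCx7aoRhAjMINIj
"""


def parse_sections(text):
    """Return {section_name: {key: value}}.  Indented key=value lines belong to the
    section opened above them.  A line without '=' is appended to the previous value
    (assumed here so wrapped rsasigkey lines still parse; not ipsec.conf(5) grammar)."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            kind, name = m.groups()
            current = name if kind == "conn" else f"config {name}"
            sections[current] = {}
            last_key = None
        elif current is None:
            continue                                   # e.g. the `version 2.0` line
        elif "=" in line:
            key, _, value = line.strip().partition("=")
            last_key = key.strip()
            sections[current][last_key] = value.strip().strip('"')
        elif last_key is not None:
            sections[current][last_key] += line.strip()
    return sections


def check_conn(params):
    """Return the list of problems in one conn section (empty when it is sound)."""
    problems = []
    auto = params.get("auto", "ignore")
    if auto not in VALID_AUTO:
        problems.append(f"auto={auto} is not one of {sorted(VALID_AUTO)}")
    if auto == "ignore":
        return problems                 # placeholder sections carry nothing else
    for side in ("left", "right"):
        if side not in params:
            problems.append(f"missing {side}= (external address of the {side}hand node)")
        key = params.get(f"{side}rsasigkey")
        if key is not None and not key.startswith(("0s", "0x")):
            problems.append(f"{side}rsasigkey must start with 0s (base64) or 0x (hex)")
    if "left" in params and params["left"] == params.get("right"):
        problems.append("left and right are the same address")
    lkey, rkey = params.get("leftrsasigkey"), params.get("rightrsasigkey")
    if lkey and rkey and lkey == rkey:
        problems.append("leftrsasigkey equals rightrsasigkey: same pubkey pasted on both sides")
    nets = {}
    for side in ("left", "right"):
        subnet = params.get(f"{side}subnet")
        if subnet is None:
            continue
        try:
            nets[side] = ipaddress.ip_network(subnet)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{side}subnet={subnet}: {exc}")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        problems.append(f"leftsubnet {nets['left']} overlaps rightsubnet {nets['right']}")
    return problems


def check_config(text):
    """Return {conn_name: [problems]} for every conn section of an ipsec.conf."""
    return {name: check_conn(p) for name, p in parse_sections(text).items()
            if not name.startswith("config ")}


if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONF).items():
        print(f"conn {name}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against a real file with check_config(open("/etc/ipsec.conf").read()) before copying that file to the other node; the auto=ignore placeholder sections for opportunistic encryption are deliberately left alone, since they carry no endpoints. The overlap test uses strict network parsing, so a subnet written with host bits set (e.g. 192.168.1.1/24) is reported rather than silently accepted.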
# start /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=dns
# the next six connections are for opportunistic authentication:
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
# Our BSL-router-router-BSL connection:
conn bsl-evpn
    auto=start
    leftrsasigkey=0sAQPRqU0ZjrGRcFeZCx7aoRhAjMINIjyiE1QbVJTM7JQO2rOlos66rw2w8UMTl4NxOlC1LbRDGG6gq72r8eOc38AiYMiqlYAzunytHkDULuc1czqijOLwrZ9FgKBz09evXPJ0GYJi7o8BfMKV5kfLXpyTwK8zQG6/4Jbqz145WJDRyuZaspYGsU2zanG4xy7ItJdP99klGy6MXSiI35l9i4YpjU3BXA6kDaAWnAsqm1LyoF/KUb9FwsaZTOvV59C99nvdtvSwQ3nA0io72qItOzyJMUmpNnaJ/Do0qgfuF1xhCUegM2NhZmD+QiH+5p/8F+6Gyc9BM+zYcqk/GASzACu/DUKzu/Vyl0Oxr7bDWGlZkiaEZCaEHR4DVqxsDav/ObWFrQUetODQEW/UriJ1nnnJIXzRlIGeSoRFmtob8tGiPdFF+6tccwkyMyxVSXS+iBzOPtHyS9LqXZlBqg+B7lOyJq5Oq8GsyjzcCL/ljghOneZv3cNLDivRGrQKsKSJxeAKup49x0E2X1gTRnJXHKcT4Vyt795Fd8QIOFtB+ZSCc9n7R9v0v6vQKAdZZVgIbfEU=
    left=68.21.3.33
    leftnexthop=68.21.3.32
    leftsubnet=192.168.1.0/24
    right=217.210.16.250
    rightrsasigkey=0sAQOYAU049hEDfeK6bpbaiUdDHoD90q/KuLzoZDmRcetHJTbB2zHhKLQcWe8d8bDF3TjvHkJeqw9d8ouri55wpq0xMLSAEMgQYAS/gOTCuOYciIRa354REmj45/STnv6jJa3omH7QzC2faQX5Ow7Hz6Q3vHdOCk++XnaU3VwJvsunYA5VP02pGDsHEJNYes8CgfG9OggvZMI0in16KM/SZU/54jcAHupPDRRTOgHsG7YqPk84xVJuN8267CGgFcukWDbtHnt0FjKaUjfy9At2JOHzasSBVMH1h9bHS0dd1Uo6ksQVAzA2Ai5ylcNeKB4RwM3wMbSJabpJFhzPS5uo9uutLufA6Tc0B8wgmfBy6/Dr0T6M2/Zk+RYNnKD+rXKRIsuoFcVe4T3PZk52dYRxMFwhKZlN1x9TIE0g1kQaNd10WKvJw+ZG+5lktXhzHP3w==
    rightnexthop=217.210.16.254
    rightsubnet=10.0.1.0/24
# end /etc/ipsec.conf
# start /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=dns
# the next six connections are for opportunistic authentication:
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
# Our BSL-BSL connection:
conn bsl-ivpn
    auto=start
    leftrsasigkey=0sAQPRqU0ZjrGRcFeZCx7aoRhAjMINIjyiE1QbVJTM7JQO2rOlos66rw2w8UMTl4NxOlC1LbRDGG6gq72r8eOc38AiYMiqlYAzunytHkDULuc1czqijOLwrZ9FgKBz09evXPJ0GYJi7o8BfMKV5kfLXpyTwK8zQG6/4Jbqz145WJDRyuZaspYGsU2zanG4xy7ItJdP99klGy6MXSiI35l9i4YpjU3BXA6kDaAWnAsqm1LyoF/KUb9FwsaZTOvV59C99nvdtvSwQ3nA0io72qItOzyJMUmpNnaJ/Do0qgfuF1xhCUegM2NhZmD+QiH+5p/8F+6Gyc9BM+zYcqk/GASzACu/DUKzu/Vyl0Oxr7bDWGlZkiaEZCaEHR4DVqxsDav/ObWFrQUetODQEW/UriJ1nnnJIXzRlIGeSoRFmtob8tGiPdFF+6tccwkyMyxVSXS+iBzOPtHyS9LqXZlBqg+B7lOyJq5Oq8GsyjzcCL/ljghOneZv3cNLDivRGrQKsKSJxeAKup49x0E2X1gTRnJXHKcT4Vyt795Fd8QIOFtB+ZSCc9n7R9v0v6vQKAdZZVgIbfEU=
    left=102.0.1.254
    leftsubnet=192.168.1.0/24
    rightrsasigkey=0sAQOYAU049hEDfeK6bpbaiUdDHoD90q/KuLzoZDmRcetHJTbB2zHhKLQcWe8d8bDF3TjvHkJeqw9d8ouri55wpq0xMLSAEMgQYAS/gOTCuOYciIRa354REmj45/STnv6jJa3omH7QzC2faQX5Ow7Hz6Q3vHdOCk++XnaU3VwJvsunYA5VP02pGDsHEJNYes8CgfG9OggvZMI0in16KM/SZU/54jcAHupPDRRTOgHsG7YqPk84xVJuN8267CGgFcukWDbtHnt0FjKaUjfy9At2JOHzasSBVMH1h9bHS0dd1Uo6ksQVAzA2Ai5ylcNeKB4RwM3wMbSJabpJFhzPS5uo9uutLufA6Tc0B8wgmfBy6/Dr0T6M2/Zk+RYNnKD+rXKRIsuoFcVe4T3PZk52dYRxMFwhKZlN1x9TIE0g1kQaNd10WKvJw+ZG+5lktXhzHP3w==
    right=102.0.2.254
    rightsubnet=192.168.2.0/24
# end /etc/ipsec.conf
See the FreeS/WAN IPSEC home page, particularly the FreeS/WAN IPSEC configuration documentation.