<meta http-equiv="Content-Type" content="text/html">
<title>Quick FreeS/WAN installation and configuration</title>
<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
<!--
Written by Sandy Harris for the Linux FreeS/WAN project
Revised by Claudia Schmeing for same
Freely distributable under the GNU General Public License

More information at www.freeswan.org
Feedback to users@lists.freeswan.org

This is a new file derived from:
RCS ID: $Id: quickstart-configs.html,v 1.1 2004/03/15 20:35:24 as Exp $
Last changed: $Date: 2004/03/15 20:35:24 $
Revision number: $Revision: 1.1 $

CVS revision numbers do not correspond to FreeS/WAN release numbers.
-->
<H1><A name="quick_configs">FreeS/WAN quick start examples</A></H1>

<P><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
configuration files for opportunistic encryption, with comments. Much of
this configuration will be unnecessary with the new defaults proposed
for FreeS/WAN 2.x.</P>

<P>Full instructions are in our
<A href="quickstart.html#quickstart">quickstart guide</A>.</P>
<H2><A name="qc.opp.client">Configuration for Initiate-only Opportunistic Encryption</A></H2>

<P>The ipsec.conf file for an initiate-only opportunistic setup is:</P>

<PRE># general IPsec setup
config setup
    # Use the default interface
    interfaces=%defaultroute
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search           # (restored: missing from the extracted listing)
    plutostart=%search          # (restored)

# defaults for subsequent connection descriptions
conn %default
    # How to authenticate gateways
    authby=rsasig               # (restored: RSA signature is the only method for opportunism)
    # load connection description into Pluto's database
    # so it can respond if another gateway initiates
    # individual connection descriptions may override this
    auto=add                    # (restored)

# description for opportunistic connections
conn me-to-anyone
    left=%defaultroute          # all connections should use default route
    right=%opportunistic        # anyone we can authenticate
    leftrsasigkey=%dnsondemand  # NEW: look up keys in DNS as-needed
    rightrsasigkey=%dnsondemand #  (not at connection load time)
    rekey=no                    # let unused connections die
    auto=route                  # set up for opportunistic
    leftid=@xy.example.com      # our identity for IPsec negotiations
                                # must match DNS and ipsec.secrets
</PRE>
<P>Normally, you need to do only two things:</P>
<UL>
<LI>edit <VAR>leftid=</VAR></LI>
<LI>set <VAR>auto=route</VAR></LI>
</UL>
<P>However, some people may need to customize the <VAR>interfaces=</VAR> line
in the "config setup" section. All other sections are identical for any
standalone machine doing opportunistic encryption.</P>
<P>The @ sign in the <VAR>leftid=</VAR> makes the ID go "over the wire"
as a Fully Qualified Domain Name (FQDN). Without it, an IP address would
be used and this will not work.</P>

<P>The conn is not used to supply either public key. Your private key
is in <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A>
and, for opportunistic encryption, the public keys for remote gateways
are all looked up in DNS.</P>

<P>FreeS/WAN authenticates opportunistic encryption by <A href="#gen_rsa">RSA
signature</A> only, so "public key" and "private key" refer to these keys.</P>

<P>While the <VAR>left</VAR> and <VAR>right</VAR> designations
here are arbitrary, we follow a convention of using <VAR>left</VAR> for
local and <VAR>right</VAR> for remote.</P>
<P><A href="quickstart.html#config.opp.client">Continue configuring
initiate-only opportunism.</A></P>
<H2><A name="qc.incoming.opp.conf">ipsec.conf for Incoming Opportunistic Encryption</A></H2>

<P>Use the ipsec.conf above, except that the section describing opportunistic
connections is now:</P>

<PRE># description for opportunistic connections
conn me-to-anyone
    left=%defaultroute          # all connections should use default route
    right=%opportunistic        # anyone we can authenticate
    leftrsasigkey=%dnsondemand  # NEW: look up keys in DNS as-needed
    rightrsasigkey=%dnsondemand #  (not at connection load time)
    rekey=no                    # let unused connections die
    auto=route                  # set up for opportunistic
</PRE>
<P>Note that <VAR>leftid=</VAR> has been removed. With no explicit setting,
<VAR>leftid=</VAR> defaults to the IP of your public interface.</P>

<P><A href="quickstart.html#incoming.opp.conf">Continue configuring
full opportunism.</A></P>
<H2><A name="qc.gate.opp.conf">ipsec.conf for Opportunistic Gateway</A></H2>

<P>Use the ipsec.conf above, plus these connections:</P>

<PRE>conn subnet-to-anyone           # must be above me-to-anyone
    leftsubnet=42.42.42.0/24
    also=me-to-anyone           # (restored) take every other setting from me-to-anyone

conn me-to-anyone               # just like for full opportunism
    left=%defaultroute
    right=%opportunistic
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
    rekey=no
    auto=route                  # be sure this is enabled
    # Note there is NO leftid=
</PRE>
<P>Note that a subnet described in ipsec.conf(5) need not correspond to a
physical network segment. This is discussed in more detail in our
<A href="adv_config.html">advanced configuration</A> document.</P>

<P>If required, a gateway can easily provide this service for more than one
subnet. You just add a connection description for each.</P>

<P><A href="quickstart.html#config.opp.gate">Continue configuring an
opportunistic gateway.</A></P>
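<P>The following is an added example, not FreeS/WAN code, that serves both the
initiate-only section above (the "two things" you must get right: a
<VAR>leftid=</VAR> starting with @ and <VAR>auto=route</VAR>) and the gateway
section (a <VAR>subnet-to-anyone</VAR> conn that pulls its settings from
<VAR>me-to-anyone</VAR> via <VAR>also=</VAR> and "must be above" it). It parses
an ipsec.conf in the layout shown on this page, resolves <VAR>conn %default</VAR>
and <VAR>also=</VAR> with the precedence ipsec.conf(5) describes (a conn's own
setting, then the also= section, then %default), and reports anything that
departs from the opportunistic settings above. The parser, the function names
(<VAR>parse_ipsec_conf</VAR>, <VAR>effective_params</VAR>, <VAR>lint</VAR>), the
"also= target must come later in the file" check (taken from the page's own
comment) and both sample configs are this example's own constructions.</P>

```python
# Added example (not FreeS/WAN code): parse an ipsec.conf in the format shown
# on this page, resolve conn %default and also=, and check the opportunistic
# settings the page calls out.

# Constructed sample: the page's initiate-only config plus the gateway conns.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
conn %default
    authby=rsasig                # How to authenticate gateways
    auto=add                     # load into Pluto so we can respond
conn subnet-to-anyone            # must be above me-to-anyone
    leftsubnet=42.42.42.0/24
    also=me-to-anyone
conn me-to-anyone
    left=%defaultroute
    right=%opportunistic
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
    rekey=no
    auto=route
    leftid=@xy.example.com
"""
# Constructed sample with the also= target placed above the referencing conn.
WRONG_ORDER_CONF = """\
conn me-to-anyone
    right=%opportunistic
conn subnet-to-anyone
    leftsubnet=42.42.42.0/24
    also=me-to-anyone
"""

def parse_ipsec_conf(text):
    """Return (setup, conns, order): 'config setup' params, a dict of conn
    name -> params, and conn names in file order. '#' starts a comment."""
    setup, conns, order, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            words = line.split()
            if words == ["config", "setup"]:
                current = setup
            elif len(words) == 2 and words[0] == "conn":
                current = conns.setdefault(words[1], {})
                order.append(words[1])
            else:
                raise ValueError("bad section line: %r" % line)
            continue
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:
            raise ValueError("bad parameter line: %r" % line)
        current[key.strip()] = value.strip()
    return setup, conns, order

def effective_params(conns, order, name):
    """A conn's own settings win, the also= section fills in gaps, then
    conn %default. An also= target must appear later in the file (the page's
    "must be above me-to-anyone" rule); chained also= is followed."""
    params, seen, ref = dict(conns[name]), {name}, name
    while "also" in params:
        other = params.pop("also")
        if other in seen or other not in conns:
            raise ValueError("%s: bad also=%s" % (ref, other))
        if order.index(other) < order.index(ref):
            raise ValueError("%s: also=%s must be below %s" % (ref, other, ref))
        seen.add(other)
        for k, v in conns[other].items():
            params.setdefault(k, v)
        ref = other
    for k, v in conns.get("%default", {}).items():
        params.setdefault(k, v)
    return params

# Settings every opportunistic conn on this page ends up with after resolution.
OPP_REQUIRED = {"left": "%defaultroute", "right": "%opportunistic",
                "leftrsasigkey": "%dnsondemand", "rightrsasigkey": "%dnsondemand",
                "rekey": "no", "auto": "route", "authby": "rsasig"}

def check_opportunistic(name, p, initiate_only):
    """Problems (empty list = OK) for one resolved opportunistic conn."""
    problems = ["%s: want %s=%s, got %s" % (name, k, v, p.get(k))
                for k, v in OPP_REQUIRED.items() if p.get(k) != v]
    leftid = p.get("leftid")
    if initiate_only and not (leftid or "").startswith("@"):
        # The @ makes the ID travel as an FQDN; without it an IP address is
        # used, which the page says will not work for initiate-only setups.
        problems.append("%s: leftid= must be set and start with '@'" % name)
    if not initiate_only and leftid is not None:
        # Incoming/gateway setups leave leftid= unset so it defaults to the
        # public interface's IP address.
        problems.append("%s: leftid= must be unset for incoming opportunism" % name)
    return problems

def lint(text, initiate_only):
    """All problems found in an ipsec.conf; [] means it matches the page."""
    setup, conns, order = parse_ipsec_conf(text)
    problems = [] if "interfaces" in setup else ["config setup: interfaces= missing"]
    for name in order:
        if name == "%default":
            continue
        try:
            p = effective_params(conns, order, name)
        except ValueError as err:
            problems.append(str(err))
            continue
        if p.get("right") == "%opportunistic":
            problems.extend(check_opportunistic(name, p, initiate_only))
    return problems

if __name__ == "__main__":
    for line in lint(SAMPLE_CONF, initiate_only=True) or ["ipsec.conf OK"]:
        print(line)
```

<P>Run with <VAR>initiate_only=True</VAR> for the first configuration on this
page and <VAR>initiate_only=False</VAR> for the incoming and gateway ones; the
gateway's <VAR>subnet-to-anyone</VAR> is checked with the settings it inherits
through <VAR>also=</VAR>, so a wrong <VAR>leftid=</VAR> in
<VAR>me-to-anyone</VAR> is reported for both conns.</P>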