Requirements
To configure a network-to-network (host-to-host) connection you need:
Two Linux gateways;
Openswan and ipsec-tools installed on both gateways;
The two machines must either be behind the "same" NAT or have public, routable IP addresses, with no firewalls in between.
Gather information
For each gateway, gather the following information:
Gateway IP;
A name by which the gateway identifies itself during IPsec negotiations. Its form is a Fully Qualified Domain Name preceded by an @ sign, e.g. @example.com.
NOTE: The name does not need to belong to a domain you own; it can be a made-up name, as long as the same value is used on both sides.
Installation/Configuration Step-by-Step
Install Openswan
To install Openswan, run the following command in a terminal on each machine:
Start Openswan
To start the IPsec service, run the following command on both machines:
saulparada 1
Get the leftrsasigkey
On the local Linux Openswan gateway, print the IPsec public key (this value becomes leftrsasigkey):
Edit /etc/ipsec.conf
Back on the local gateway, edit the template "/etc/ipsec.conf" and substitute the gathered information into it.
version 2.0 # conforms to the second version of the ipsec.conf specification
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
conn host-to-host
    left=158.196.81.208 # Local IP address
    leftsubnet=158.196.81.0/24 # Local netmask
    leftid=@server.com # Local gateway name (any @FQDN-style name)
    leftrsasigkey=0sAQPGl/wJ+AMpDehHdRjs0vZRWRig5Gu4nPrfh9OLkojJwznGRlO/qCWVK32Oy5CnyMG5tz1knruOW8FSff4utWoYGc+tmnQM15h593M2/BU3ubNlV/kIOHhs4eGNzDNODxxCYCIv4w4HBHrfQLodqG9EOrGmb02AfuTrmxjgSQM/ci2G91k5QVdSWDvFyl+UB/U2LRohTLtZi9nbDCYf7eud9BXJHxi2BTqjLM61as+871tT04vMbDr4NaFX83NuxOtUYgFsxw7jy5aHRiYD+3z4UCdZeG6p2pPibHx4TqfluiT582TIEfh69JCPc8JUtzkkjt0TtHrsuTGbFsn/n1wl
    leftnexthop=%defaultroute # Correct in many situations
    right=147.32.201.116 # Remote IP address
    rightsubnet=147.32.201.0/24 # Remote netmask
    rightid=@clientPrague.com # Remote gateway name (any @FQDN-style name)
    rightrsasigkey=0sAQPpWAI3RsIGnpnjshI2HGq46iN0htpEl5YQ3BsM/rfUUnQuCi1LruE2wmDzDGpGxzwsWq7gkhgWsT7G7I75uxxk4MfBAHPIhrUsxYTmTOU+YKnPiWXPFYnllysYqyQsoqav/6s07kkCBzgRmgkSjqv1eVCwmJaLD8vj7jQkxocFa8dRT8lRItnwEIjBBwp7j8KiBgRU6ivNdDrYxAuU0Mq5LW+hkCEbaUP0CMOj0TNcVuqRDCKHqO+HkNVCOPPg+TaDWE8Eb26j8FvNCu/ero4vTYK57aHq/8g/3LMcqqzsZH2bneyjVe6+gsOJLyzV7ktAXPgFh+ObkdacxtNdlcIL
    rightnexthop=%defaultroute # Correct in many situations
    ike=aes128 # IKE algorithms (AES cipher)
    esp=aes128 # ESP algorithms (AES cipher)
    #ike=3des # IKE algorithms (3DES cipher)
    #esp=3des # ESP algorithms (3DES cipher)
    auto=start # enables the connection at startup
    auth=ah # AH gives integrity without confidentiality and, because it authenticates the outer IP header, does not work through NAT; the Openswan default is auth=esp
The "conn host-to-host" section must be copied verbatim to the remote gateway's "/etc/ipsec.conf", for example with a USB flash drive or by any other means.
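As an added example (not from this page or the Openswan project), a small Python checker that parses a conn section like the one above and flags the problems worth catching before the section is copied to the remote gateway: missing RSA keys or @-style IDs, overlapping subnets, and auth=ah combined with nat_traversal=yes. The sample configuration is constructed from the page's values with placeholder RSA keys, and the check rules are my own.

```python
import ipaddress
import re

# Constructed sample mirroring the page's conn; the RSA keys are shortened placeholders
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn host-to-host
    left=158.196.81.208        # Local IP address
    leftsubnet=158.196.81.0/24
    leftid=@server.com
    leftrsasigkey=0sAQPGl/PLACEHOLDER
    right=147.32.201.116       # Remote IP address
    rightsubnet=147.32.201.0/24
    rightid=@clientPrague.com
    rightrsasigkey=0sAQPpWAI3/PLACEHOLDER
    ike=aes128
    esp=aes128
    auto=start
    auth=ah
"""

def parse_ipsec_conf(text):
    """Map 'setup' and each conn name to its key=value pairs; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = sections.setdefault("setup" if m.group(1) == "config" else m.group(2), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_conn(sections, name):
    """Return the problems found in conn `name`; an empty list means it looks sane."""
    conn, setup, problems = sections[name], sections.get("setup", {}), []
    for side in ("left", "right"):
        if not conn.get(side + "rsasigkey", "").startswith("0s"):
            problems.append(f"{side}rsasigkey missing or not an Openswan base64 key (0s...)")
        if not conn.get(side + "id", "").startswith("@"):
            problems.append(f"{side}id should be an @FQDN-style name")
    nets = [ipaddress.ip_network(conn[s]) for s in ("leftsubnet", "rightsubnet") if s in conn]
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        problems.append("leftsubnet and rightsubnet overlap; traffic selectors are ambiguous")
    if conn.get("auth") == "ah" and setup.get("nat_traversal") == "yes":
        problems.append("auth=ah cannot pass through NAT: AH authenticates the outer IP header")
    return problems
```

Running check_conn on the page's values reports only the auth=ah/NAT conflict; switching to auth=esp clears it.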
Define Gateways:
# /etc/init.d/ipsec restart
The output should resemble the following:
Commands
Openswan can be started, stopped or restarted after booting using the following ipsec initialization scripts:
Sources:
http://wiki.openswan.org/index.php/Openswan/Configure
Paul Wouters, "Openswan: Building and Integrating Virtual Private Networks: Learn from the developers of Openswan how to build industry standard, military grade VPNs ... with Windows, MacOSX, and other VPN vendors"