Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 4: Configuring IPsec

    Triggering conn livetest-natt                                           [OK]
    Sending packets over IPsec conn livetest-natt                           [OK]
    Sending large packets over IPsec conn livetest-natt                     [OK]
    Tearing down IPsec conn livetest-natt                                   [OK]
    Testing for OE record in FQDN (west.xelerance.net)                      [OK]
    Loading iOE conn livetest-ioe                                           [OK]
    Starting iOE conn to oe.livetest.xelerance.net                          [OK]
    Stopping iOE conn to oe.livetest.xelerance.net                          [OK]
    Testing for OE record in reverse dns zone: 81.157.110.192.in-addr.arpa. [OK]
    Triggering responder OE                                                 [OK]

If livetest passes all checks, your end of the network is healthy. Of course, the other end could still have problems. Worse, the connection between the two endpoints could pass through some router that breaks things. Passing livetest is no guarantee of success, but it does eliminate the possibility that your immediate upstream ISP is blocking IPsec traffic. For more detailed information, you can also use ipsec livetest verbose.

ipsec livetest is still under heavy development. The output in the book might differ from that of the current version of Openswan.

Configuration of Openswan

We have done all we can to prepare our machines and test our network to see that it is possible to run IPsec. Now it is time to actually configure our first IPsec tunnel. Openswan is mainly configured from two configuration files.

Openswan configuration file                                 Description
ipsec.secrets (usually in /etc, sometimes in /etc/ipsec/)   Contains private RSA keys and preshared secrets (PSKs)
ipsec.conf (usually in /etc, sometimes in /etc/ipsec)       Contains everything else (settings, options, defaults, connections)

Both of these files have very elaborate man pages explaining all the options and their syntax. For some advanced features, such as X.509, XAUTH, and Opportunistic Encryption-related IPsec connections, some additional directories are used:

Directory or file        Description
/etc/ipsec.d/cacerts     X.509 Certificate Authority certificates ("root certificates")
/etc/ipsec.d/certs       X.509 client certificates
/etc/ipsec.d/private     X.509 certificate private keys
/etc/ipsec.d/crls        X.509 Certificate Revocation Lists
/etc/ipsec.d/ocspcerts   X.509 Online Certificate Status Protocol certificates
/etc/ipsec.d/passwd      XAUTH password file
/etc/ipsec.d/policies    The Opportunistic Encryption policy groups

These directories are explained in their respective chapters.

The ipsec.conf File

To distinguish modern Openswan 2 configuration files from older, incompatible configuration files, the first non-empty, non-comment line needs to contain:

version 2

Old versions, such as FreeS/WAN 1.x, Super FreeS/WAN, and Openswan 1, do not support version 2 configuration files.

If you are upgrading from these old *swans to Openswan 2, you most likely can get away with adding the version 2 line at the top of your old configuration file and removing the plutoload= and plutostart= directives.

After the version line, there are usually three sections of the configuration file, as described in the following table:

Section          Description
config setup     Global parameters and options
conn %default    Optionally, a default section for connection parameters for conns that don't specify certain options themselves
conns            The connection definitions themselves

These sections need to be separated with a blank line. Unfortunately, there are some other peculiarities with how the ipsec.conf file is parsed. The worst part is that it is currently dependent on whitespace (such as spaces or tabs) at various places. Make sure that every conn starts at the beginning of a new line, and ensure it is separated from other sections or conns by an empty line. Ensure that all options are indented with at least one tab, and that no conn contains an empty line.

These limitations might vanish when the scripts are replaced by the starter binary. This is, however, still a work in progress.
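Because these whitespace rules are easy to get wrong by hand, here is an added example (not from the book and not part of Openswan) of a small linter that checks an ipsec.conf against exactly the rules described above: the leading version 2 line, blank-line separation of sections, conns starting at column 0, tab-indented options, no empty line inside a conn, and the obsolete plutoload=/plutostart= directives. The two sample configuration strings are constructed for the demonstration.

```python
import re

# Section headers that Openswan 2 recognises at column 0 (from the chapter's table).
SECTION_RE = re.compile(r"^(config setup|conn %default|conn \S+)\s*$")
# Directives the chapter says to drop when upgrading from FreeS/WAN 1.x / Openswan 1.
OBSOLETE = ("plutoload=", "plutostart=")

def lint_ipsec_conf(text):
    """Return (line_number, message) pairs for violations of the layout rules above."""
    problems = []
    seen_version = False
    section = None      # section we are currently inside, or None after a blank line
    prev_blank = True   # start of file counts as a separator
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            section = None          # a blank line always terminates a section
            prev_blank = True
            continue
        if stripped.startswith("#"):
            continue
        if not seen_version:        # first non-empty, non-comment line
            seen_version = True
            if stripped == "version 2":
                prev_blank = False
                continue
            problems.append((num, "first non-comment line must be 'version 2'"))
        m = SECTION_RE.match(line)
        if m:
            if not prev_blank:
                problems.append((num, f"'{m.group(1)}' must be preceded by a blank line"))
            section = m.group(1)
        elif line.startswith("\t"):
            if section is None:
                problems.append((num, "option outside a section: no conn may contain an empty line"))
            elif stripped.startswith(OBSOLETE):
                problems.append((num, f"obsolete directive {stripped.split('=')[0]}= (remove it)"))
        else:
            problems.append((num, "options need at least one leading tab; conns start at column 0"))
        prev_blank = False
    return problems

# Constructed samples (not from the book): a well-formed file and one with typical mistakes.
GOOD_CONF = "version 2\n\nconfig setup\n\tinterfaces=%defaultroute\n\nconn %default\n\tauthby=secret\n\nconn west-east\n\tleft=192.0.2.1\n\tright=198.51.100.1\n\tauto=add\n"
BAD_CONF = "config setup\n\tplutoload=%search\nconn west-east\n    left=192.0.2.1\n\n\tright=198.51.100.1\n"
```

Running lint_ipsec_conf(BAD_CONF) reports the missing version line, the obsolete plutoload= directive, the conn that is not separated by a blank line, the space-indented option, and the option stranded after an empty line; GOOD_CONF produces no findings.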
