25.6. The /etc/ipsec.conf file

Edit the ipsec.conf file (vi /etc/ipsec.conf) and change the default values to fit your IPSEC configuration and communication requirements. Currently there are two types of section in the /etc/ipsec.conf file:

  1. A config section, which specifies general configuration information for IPSEC.

  2. A conn section, which specifies an IPSEC connection. Its contents are not security-sensitive unless manual keying is being done; recall that manual keying is not recommended for security reasons.


# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

# More elaborate and more varied sample configurations can be found
# in doc/examples.

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

# sample connection
conn deep-mail
        left=208.164.186.1
        leftsubnet=192.168.1.0/24
        leftnexthop=205.151.222.250
        right=208.164.186.2
        rightsubnet=192.168.1.0/24
        rightnexthop=205.151.222.251
        keyingtries=0
        auth=ah
        auto=start
        

The settings in this file configure FreeS/WAN as follows:

interfaces="ipsec0=eth0"

This option specifies which virtual and physical interfaces IPSEC should use. The default setting, interfaces=%defaultroute, will look for your default connection to the Internet or to your corporate network. Alternatively, you can name one or more specific interfaces to be used by FreeS/WAN. For example:

interfaces="ipsec0=eth0"
interfaces="ipsec0=eth0 ipsec1=ppp0"

Both set the eth0 interface as ipsec0. The second one, however, also supports IPSEC over a PPP interface. If the default setting interfaces=%defaultroute is not used, then the interfaces you list are the only ones this gateway machine can use to communicate with other IPSEC gateways.

klipsdebug=none

This option specifies the debugging output for KLIPS (the kernel IPSEC code). The default value, none, means no debugging output; the value all means full output.

plutodebug=none

This option specifies the debugging output for Pluto, the key-negotiation daemon. The default value, none, means no debugging output; the value all means full output.

plutoload=%search

This option specifies which connections (by name) to load automatically into memory when Pluto starts. The default is none; the value %search loads all connections with auto=add or auto=start.

plutostart=%search

This option specifies which connections (by name) to negotiate automatically when Pluto starts. The default is none; the value %search starts all connections with auto=start.

conn deep-mail

This option gives the name that identifies the connection specification to be set up with IPSEC. It's a good convention to name connections by their two ends to avoid mistakes. For example, the link between the deep.openna.com and mail.openna.com gateway servers can be named deep-mail, and the link between your Montreal and Paris offices montreal-paris.

Note: The connection name, deep-mail or whatever you have chosen, must be the same in the ipsec.conf file on both gateways. In other words, the only change you should make in the /etc/ipsec.conf file on the second gateway is to the interfaces= line, so that it matches the interface the second gateway uses for the IPSEC connection, if, of course, it's different from the first gateway. For example, if the interface eth0 is used on both gateways for IPSEC communication, you don't need to change the interfaces= line on the second gateway. On the other hand, if the first gateway uses eth0 and the second uses eth1, you must change the interfaces= line on the second gateway to name eth1.

left=208.164.186.1

This option specifies the IP address of the gateway's external interface used to talk to the other gateway.

leftsubnet=192.168.1.0/24

This option specifies the IP network or address of the private subnet behind the gateway.

leftnexthop=205.151.222.250

This option specifies the IP address of the first router in the appropriate direction, typically the ISP's router.

right=208.164.186.2

Same meaning as left=, but for the right end of the connection.

rightsubnet=192.168.1.0/24

Same meaning as leftsubnet=, but for the right end of the connection.

rightnexthop=205.151.222.251

Same meaning as leftnexthop=, but for the right end of the connection.

keyingtries=0

This option specifies how many attempts (an integer) should be made in (re)keying negotiations. The default value, 0 (retry forever), is recommended.

auth=ah

This option specifies whether authentication should be done separately using AH (Authentication Header) or be included as part of the ESP (Encapsulating Security Payload) service. Using AH is preferable when the exposed IP headers themselves must be protected against man-in-the-middle tampering, since AH authenticates the header and ESP does not.

auto=start

This option specifies which automatic operations should be done for this connection at IPSEC startup; with auto=start the connection is both loaded and negotiated automatically when plutoload= and plutostart= are set to %search, as above.

Caution

A data mismatch anywhere in ipsec.conf will cause FreeS/WAN to fail and to log various error messages.
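Two rules in this section are easy to get wrong by hand: the conn section must be identical on both gateways apart from the interfaces= line (the note under conn deep-mail), and any mismatch makes FreeS/WAN fail (the caution above). The following is an added example, not code from this guide or from the FreeS/WAN project: a small parser for the ipsec.conf format shown above, a linter that applies the rules the text states, and a comparison of two gateways' copies. Gateway 1 is the sample configuration from this section; gateway 2 is a constructed copy with interfaces= changed to eth1, as the note allows, plus a deliberate digit-transposition typo in rightnexthop that the comparison must catch. The linter also flags one thing worth noticing in the sample itself: leftsubnet and rightsubnet are both 192.168.1.0/24, and a subnet-to-subnet tunnel needs two distinct, non-overlapping subnets behind the two gateways.

```python
"""Parse a FreeS/WAN-style /etc/ipsec.conf, lint its conn sections and diff
two gateways' copies.  Added example; not code from the FreeS/WAN project."""
import ipaddress

# Gateway 1: the sample configuration from the text above.
SAMPLE_GW1 = """\
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
conn deep-mail
        left=208.164.186.1
        leftsubnet=192.168.1.0/24
        leftnexthop=205.151.222.250
        right=208.164.186.2
        rightsubnet=192.168.1.0/24
        rightnexthop=205.151.222.251
        keyingtries=0
        auth=ah
        auto=start
"""

# Gateway 2 (constructed): interfaces= legitimately changed to eth1, plus a
# transposed-digit typo in rightnexthop that the comparison must catch.
SAMPLE_GW2 = (SAMPLE_GW1.replace('"ipsec0=eth0"', '"ipsec0=eth1"')
                        .replace("205.151.222.251", "205.151.222.215"))


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}.  Section headers
    start in column 0, parameters are indented key=value lines, and blank
    lines and '#' comments are ignored, as in the file shown above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            parts = line.split()
            if len(parts) != 2 or parts[0] not in ("config", "conn"):
                raise ValueError(f"bad section header: {raw!r}")
            current = f"{parts[0]} {parts[1]}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        key, sep, value = line.strip().partition("=")   # split on first '='
        if not sep:
            raise ValueError(f"expected key=value: {raw!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def selects(value, conn_name):
    """True if a plutoload=/plutostart= value covers conn_name:
    either %search or the connection name listed explicitly."""
    return bool(value) and (value == "%search" or conn_name in value.split())


def lint(sections):
    """Apply the rules stated in the text and return the problems found."""
    problems = []
    setup = sections.get("config setup", {})
    for section, conn in sections.items():
        if not section.startswith("conn "):
            continue
        name = section[5:]
        for key in ("left", "leftsubnet", "leftnexthop",
                    "right", "rightsubnet", "rightnexthop"):
            if key not in conn:
                problems.append(f"{name}: missing {key}=")
        if "auth" in conn and conn["auth"] not in ("ah", "esp"):
            problems.append(f"{name}: auth must be ah or esp, not {conn['auth']!r}")
        auto = conn.get("auto")
        if auto in ("add", "start") and not selects(setup.get("plutoload"), name):
            problems.append(f"{name}: auto={auto} but plutoload= does not load it")
        if auto == "start" and not selects(setup.get("plutostart"), name):
            problems.append(f"{name}: auto=start but plutostart= does not start it")
        if "leftsubnet" in conn and "rightsubnet" in conn:
            ls = ipaddress.ip_network(conn["leftsubnet"], strict=False)
            rs = ipaddress.ip_network(conn["rightsubnet"], strict=False)
            if ls.overlaps(rs):   # a subnet-to-subnet tunnel needs distinct subnets
                problems.append(f"{name}: leftsubnet {ls} overlaps rightsubnet {rs}")
    return problems


def diff_gateways(a, b):
    """List every parameter that differs between two parsed configs; per the
    text, only interfaces= in config setup may legitimately differ."""
    diffs = []
    for section in sorted(set(a) | set(b)):
        pa, pb = a.get(section, {}), b.get(section, {})
        for key in sorted(set(pa) | set(pb)):
            if (section, key) == ("config setup", "interfaces"):
                continue
            if pa.get(key) != pb.get(key):
                diffs.append(f"{section}: {key}={pa.get(key)!r} vs {pb.get(key)!r}")
    return diffs


if __name__ == "__main__":
    gw1, gw2 = parse_ipsec_conf(SAMPLE_GW1), parse_ipsec_conf(SAMPLE_GW2)
    for p in lint(gw1):
        print("lint:", p)
    for d in diff_gateways(gw1, gw2):
        print("mismatch:", d)
```

Run as a script it prints one lint line (the overlapping subnets) and one mismatch line (the rightnexthop typo on gateway 2). The plutoload=/plutostart= checks in lint() come straight from the descriptions of those options above: a conn with auto=start is only loaded and negotiated if those two settings actually select it, so a quiet gateway with no error messages is often this kind of omission rather than a key problem.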