Step 4: configure ipsec.conf

An ipsec.conf file, you'll find, is a very personal thing. A very vanilla setup using preshared keys would look like the following:

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	authby=secret
	left=<router ip address>
	leftsubnet=<internal subnet>
	leftfirewall=yes
	pfs=yes
	auto=add

conn w2k-road-warriors
	right=%any

There is really no substitute for reading the man page, however.

With certificates, the same setup would look like this:

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	left=<router ip address>
	leftsubnet=<internal subnet>
	leftid="C=US, ST=CA, O=ipsecgw, CN=me, Email=you@yourdomain"
	pfs=yes
	auto=add

conn w2k-road-warriors
	right=%any

A couple of things to watch out for:

1) Do not put apostrophes or single quotes in any of your distinguished name fields! It causes blindness and other very bad things to happen.

2) Make sure that the date on your router is between the notBefore and notAfter dates on all your certificates!
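A small script to catch both of those pitfalls before pluto does, added here as an example rather than anything from the original page or the FreeS/WAN distribution. It assumes GNU date and openssl on the router; /etc/ipsec.d/certs is FreeS/WAN's default certificate directory, and the CERT_DIR override is a hypothetical convenience.

```shell
#!/bin/sh
# Checks every certificate under CERT_DIR for the two caveats above:
# an apostrophe anywhere in the subject DN, and a router clock that
# falls outside the notBefore..notAfter window. Assumes GNU date and
# openssl. CERT_DIR is a hypothetical override of FreeS/WAN's default.
CERT_DIR="${CERT_DIR:-/etc/ipsec.d/certs}"

# dn_has_apostrophe DN -> 0 (true) if the DN contains a ' character
dn_has_apostrophe() {
    case "$1" in
        *\'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# in_window NOW_EPOCH NOTBEFORE NOTAFTER -> 0 if notBefore <= now <= notAfter
# The dates are in openssl's own "Jan  1 00:00:00 2020 GMT" form.
in_window() {
    now="$1"
    nb=$(date -u -d "$2" +%s) || return 2
    na=$(date -u -d "$3" +%s) || return 2
    [ "$now" -ge "$nb" ] && [ "$now" -le "$na" ]
}

# check_cert FILE -> prints a verdict; returns 0 only when both checks pass
check_cert() {
    f="$1"
    subject=$(openssl x509 -in "$f" -noout -subject) || { echo "$f: unreadable"; return 1; }
    nb=$(openssl x509 -in "$f" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    rc=0
    if dn_has_apostrophe "$subject"; then
        echo "$f: apostrophe in DN: $subject"; rc=1
    fi
    if ! in_window "$(date -u +%s)" "$nb" "$na"; then
        echo "$f: router clock $(date -u) is outside [$nb .. $na]"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: ok"
    return "$rc"
}

# Walk the certificate directory when it exists (constructed certs go there).
if [ -d "$CERT_DIR" ]; then
    for f in "$CERT_DIR"/*.pem; do
        [ -f "$f" ] && check_cert "$f"
    done
fi
```

Run it after installing the certificates but before starting ipsec; a non-zero exit on any file means pluto would have rejected that peer at negotiation time.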