56.3. Configuring Connections

  1. Display the content of the /etc/ipsec.conf file. It should contain the line include /etc/ipsec.d/*.conf. It must not begin with the # character, otherwise it will be commented out.

  2. Display the content of the /etc/ipsec.secrets file. It should contain the line include /etc/ipsec.d/*.secrets. It also should not begin with the # character.

  3. Select a name for the connection. It should not contain any special characters or spaces. In this example intra2netserver is used.

  4. Create a file called /etc/ipsec.d/intra2netserver.conf (or your connection name) and open it in a text editor (e.g. nano or vi).

  5. The configuration file starts with the line conn intra2netserver (or your connection name). All subsequent lines must be indented with spaces or tabs. Blank lines are not allowed; where a separator is wanted, use a line containing at least one (indented) # character, as for comments.

  6. Enter the information for the connection as in the following example:

    conn intra2netserver
       auto=start
       keyingtries=0
       type=tunnel
       auth=esp
       authby=rsasig
       ike=aes128-sha-modp1024!
       esp=aes128-sha1!
       pfs=yes
       ikelifetime=480m
       keylife=60m
       rekey=yes
       #
       # left: our side
       left=%defaultroute
       leftid="/C=DE/ST=BW/L=Tuebingen/O=Intra2net/CN=MeinRechnerName"
       leftrsasigkey=%cert
       leftcert=/etc/ipsec.d/cert.pem
       leftsubnet=192.168.10.0/24
       leftfirewall=yes
       #
       # right: intra2net system side
       right=mein-server.dyndns.org
       rightid="/CN=intra.net.lan"
       rightrsasigkey=%cert
       rightcert=/etc/ipsec.d/intra2netserver.pem
       rightsubnet=192.168.1.0/24

    The meanings of the entries are briefly explained below. Entries beginning with left describe the local side, those beginning with right describe the remote side (in this case the Intra2net system). All entries that are not explained separately should be kept as shown.

    auto

    With add, the connection is only loaded, with start, the connection is established automatically.

    keyingtries

    How many times the connection attempt is retried before it is abandoned with an error. 0 means unlimited.

    ike

    Encryption algorithm for phase 1: The combination used must be specified in the encryption profile of the Intra2net system.

    esp

    Encryption algorithm for phase 2: The combination used must be specified in the encryption profile of the Intra2net system.

    pfs

    Enables/Disables Perfect Forward Secrecy

    ikelifetime

    Lifetime of phase 1 (IKE)

    keylife

    Lifetime of phase 2 (IPSec)

    left/right

    IP address or DNS name of the corresponding side; %defaultroute for the local side. If a static IP is available, always enter the IP rather than a DNS name.

    leftid/rightid

    IPSec-Id of the corresponding side in quotation marks. Enter the certificate owner data as shown in the key menu of the Intra2net system.

    leftcert/rightcert

    File name of the corresponding side's certificate

    leftsubnet/rightsubnet

    Network with a netmask on the corresponding side. If only the external IP is to be connected via VPN on the Linux (left) side, omit the leftsubnet parameter and set the "network on remote side" to "external IP" on the Intra2net system.

    leftfirewall

    yes will automatically attempt to open the local firewall for the VPN connection. This only works if the firewall has not been heavily modified.

  7. Create a file called /etc/ipsec.d/intra2netserver.secrets (or your connection name) and open it in a text editor (e.g. nano or vi).

  8. The file must reference the file name of the private key:

    : RSA /etc/ipsec.d/private_key.pem

  9. In most cases, it will be necessary to tell the IPSec service to restart in order to reload the configuration files. This is typically done by using /etc/init.d/ipsec restart.

  10. If the connection is set to start automatically, it will now be established in the background. If it is to be started manually, it can be done with ipsec auto --up intra2netserver (or your connection name).

    The log messages of the connection setup can be found in one of the system's log files under the pluto service identifier; on current versions this is usually /var/log/secure.
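The following script is an added example and not part of the Intra2net documentation. It automates the checks from steps 1, 2 and 5 before the IPsec service is restarted: the include lines in /etc/ipsec.conf and /etc/ipsec.secrets must be present and not commented out, the connection file must start with conn NAME with every further line indented and no blank lines, and pfs must be set to yes. The file paths, the connection name and the sample files it writes are all constructed for the demonstration; point the functions at the real /etc paths to check a live system.

```shell
#!/bin/sh
# Added example, not part of the Intra2net documentation: pre-flight checks for
# the files from steps 1, 2 and 5 before restarting the IPsec service.
# Paths and the connection name are passed as arguments so the checks can run
# against copies; the sample content below matches the page's example.

# Step 1/2: does FILE carry the include DIRECTIVE on a line that is not
# commented out?  A leading '#' (optionally after whitespace) disables it.
has_active_include() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                 # commented-out line
        $1 == "include" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# Step 5: the conn file must start with "conn NAME", every following line must
# be indented with a space or tab, and blank lines are not allowed.
# Prints the first problem found and returns 1; returns 0 when the layout is valid.
validate_conn_file() {
    awk -v name="$2" '
        NR == 1 {
            if ($0 != ("conn " name)) { print "line 1: expected \"conn " name "\""; bad = 1; exit }
            next
        }
        /^$/      { print "line " NR ": blank lines are not allowed"; bad = 1; exit }
        /^[^ \t]/ { print "line " NR ": not indented";                 bad = 1; exit }
        END {
            if (NR == 0) { print "empty file"; bad = 1 }
            exit bad
        }
    ' "$1" 2>/dev/null
}

# Print the value of KEY from a conn file (first match, comment lines ignored).
# Only the first '=' separates key and value, so IDs such as
# leftid="/C=DE/..." are returned whole.
conn_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            i = index(line, "=")
            if (i > 0 && substr(line, 1, i - 1) == key) { print substr(line, i + 1); exit }
        }
    ' "$1" 2>/dev/null
}

# Constructed sample files (not copied from a real system) in directory DIR:
# a good ipsec.conf, a bad one with the include commented out, a secrets file,
# a conn file laid out as in step 6, and a broken one with a blank line inside.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    printf 'config setup\n\ninclude /etc/ipsec.d/*.conf\n' > "$dir/ipsec.conf"
    printf 'config setup\n#include /etc/ipsec.d/*.conf\n' > "$dir/ipsec.conf.bad"
    printf 'include /etc/ipsec.d/*.secrets\n' > "$dir/ipsec.secrets"
    cat > "$dir/intra2netserver.conf" <<'EOF'
conn intra2netserver
   auto=start
   authby=rsasig
   pfs=yes
   #
   # left: our side
   leftid="/C=DE/ST=BW/L=Tuebingen/O=Intra2net/CN=MeinRechnerName"
   leftsubnet=192.168.10.0/24
EOF
    printf 'conn intra2netserver\n   auto=start\n\n   pfs=yes\n' > "$dir/broken.conf"
}

# Run all checks the way an administrator would before "ipsec restart".
# Returns 0 only when everything passes.
preflight() {
    dir="$1"; name="$2"; rc=0
    has_active_include "$dir/ipsec.conf" '/etc/ipsec.d/*.conf'       || { echo "ipsec.conf: include line missing or commented out"; rc=1; }
    has_active_include "$dir/ipsec.secrets" '/etc/ipsec.d/*.secrets' || { echo "ipsec.secrets: include line missing or commented out"; rc=1; }
    validate_conn_file "$dir/$name.conf" "$name"                       || rc=1
    [ "$(conn_setting "$dir/$name.conf" pfs)" = "yes" ]                || { echo "$name.conf: pfs is not enabled"; rc=1; }
    return $rc
}

# Demonstration run on the constructed samples.
demo="${TMPDIR:-/tmp}/ipsec-preflight-demo"
make_samples "$demo"
preflight "$demo" intra2netserver && echo "preflight OK"
```

To check a live system, call has_active_include /etc/ipsec.conf '/etc/ipsec.d/*.conf', has_active_include /etc/ipsec.secrets '/etc/ipsec.d/*.secrets' and validate_conn_file /etc/ipsec.d/intra2netserver.conf intra2netserver directly; the checks are read-only and only report, they never modify the files.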