| field | value | date |
|---|---|---|
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-07-23 18:31:10 +0000 |
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-07-23 18:31:10 +0000 |
| commit | df2cac106cc19e3b8961545a73b1967420cfb860 (patch) | |
| tree | 348a9e0af795d4fd8369ed73053a5eb57527ca26 | |
| parent | 28b1253a360f2615e5818eb6fa7d2019ab17d2b5 (diff) | |
| download | vyos-strongswan-df2cac106cc19e3b8961545a73b1967420cfb860.tar.gz, vyos-strongswan-df2cac106cc19e3b8961545a73b1967420cfb860.zip | |
- Document some example configurations.
-rw-r--r-- | debian/README.Debian | 89 |
1 files changed, 88 insertions, 1 deletions
diff --git a/debian/README.Debian b/debian/README.Debian index cde9f038e..2dc3a5831 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
@@ -34,4 +34,91 @@ shipped with openswan, both for 2.4 and 2.6 series kernels. Please install either the linux-patch-openswan or the openswan-modules-source packages and follow their respective README.Debian files when you want to use KLIPS. - -- Rene Mayrhofer <rmayr@debian.org>, Sun, Jul 09 12:31:00 2006 +3) Getting Started + +For connecting two Debian boxes using this strongswan package, the +simplest connection block on each side would look something like this: + +On host A, use + +conn to_hostb + left=%defaultroute + right=hostb.example.com + leftcert=hosta.pem + rightcert=hostb.pem + keyexchange=ikev2 + type=transport + auto=add + +On host B, use +conn to_hosta + left=%defaultroute + right=hosta.example.com + leftcert=hostb.pem + rightcert=hosta.pem + keyexchange=ikev2 + type=transport + auto=add + +This assumes that the respective hostnames hosta.example.com and +hostb.example.com can be resolved and that the internal hostnames are hosta +and hostb (and thus installing the strongswan package created the certificates +hosta.pem and hostb.pem, respectively). +Then the certificates (and not the private keys!) need to be exchanged between +the hosts, e.g. with + scp /etc/ipsec.d/certs/hosta.pem hostb.example.com:/etc/ipsec.d/certs/ + scp hostb.example.com:/etc/ipsec.d/certs/hostb.com /etc/ipsec.d/certs/ +from host A. The IPSec transport connection (that is, no subnets behind these +hosts that should be tunneled) can be started from either side using +"ipsec up to_hostb" (e.g. from host A). +Note that this example explicitly uses IKEv2 due to its nicer error messages. + +A more complicated example is to connect a "roadwarrior" (e.g. laptop) +to an internal network wbile it is behind another NAT. On the gateway +side, i.e. 
for the internal network the roadwarrior should connect to, +the configuration block could look something like this: + +conn roadwwarrior + left=%defaultroute + leftcert=gatewayCert.pem + rightcert=laptopCert.pem + rightrsasigkey=%cert + leftrsasigkey=%cert + auto=add + leftsubnet=10.0.0.0/24 + rightsubnetwithin=0.0.0.0/0 + right=%any + compress=yes + type=tunnel + dpddelay=30 + dpdtimeout=120 + dpdaction=clear + +On the laptop side, you could use something along the lines: + +conn %default + rightrsasigkey=%cert + leftrsasigkey=%cert + authby=rsasig + leftcert=laptopCert.pem + leftsendcert=always + leftsubnet= + dpddelay=30 + dpdtimeout=120 + dpdaction=clear + esp=aes128-sha1 + ike=aes128-sha1-modp2048 + +conn esys + left=%defaultroute + right=gateway.example.com + rightsubnet=10.0.0.0/24 + rightcert=gatewayCert.pem + auto=add + +Then load these new configuration blocks on both sides using "ipsec reload" +and, on the laptop, start the tunnel with "ipsec up mynetwork". +These configuration blocks assume host names "gateway" and "laptop" and an +inner subnet of 10.0.0.0/24. + +-- Rene Mayrhofer <rmayr@debian.org>, Sun, Jul 09 12:31:00 2006 |
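Review bot: The second scp command in the "Getting Started" block copies the wrong file name: `scp hostb.example.com:/etc/ipsec.d/certs/hostb.com /etc/ipsec.d/certs/` should read `hostb.pem`, matching the `rightcert=hostb.pem` setting on host A; as written the copy fails and the connection cannot authenticate host B. In the roadwarrior example the laptop side defines `conn esys` but the instructions say to run `ipsec up mynetwork`, so one of the two names needs to change for the walkthrough to work. Two typos in the same region: the gateway block is named `conn roadwwarrior` (double w), and "wbile it is behind another NAT" should be "while". A documentation point: the first example states that it deliberately uses `keyexchange=ikev2`, but neither block of the roadwarrior example sets `keyexchange`, so it would help to say which IKE version that example is expected to run with rather than leaving it to the daemon default. Finally, the laptop's `conn %default` sets `leftsubnet=` to an empty value; a short comment on why it is blanked there would save readers from assuming it is a mistake.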