From aaa0331ecf95ced1e913ac9be50168cf0e7cbb82 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer These are sample
-ipsec.conf(5)
-configuration files for opportunistic encryption, with comments. Much of
-this configuration will be unnecessary with the new defaults proposed
-for FreeS/WAN 2.x. Full instructions are in our
-quickstart guide.
-
- The ipsec.conf file for an initiate-only opportunistic setup is: Normally, you need to do only two things:
- However, some people may need to customize the interfaces= line
- in the "config setup" section. All other sections are identical for any
- standalone machine doing opportunistic encryption. The @ sign in the leftid= makes the ID go "over the wire"
- as a Fully Qualified Domain Name (FQDN). Without it, an IP address would
- be used and this won't work. The conn is not used to supply either public key. Your private key
- is in ipsec.secrets(5)
- and, for opportunistic encryption, the public keys for remote gateways
- are all looked up in DNS. FreeS/WAN authenticates opportunistic encryption by RSA
- signature only, so "public key" and "private key" refer to these keys. While the left and right designations
- here are arbitrary, we follow a convention of using left for
- local and right for remote. Continue configuring
-initiate-only opportunism.
-
-FreeS/WAN quick start examples
-Configuration for Initiate-only Opportunistic Encryption
-# general IPsec setup
-config setup
- # Use the default interface
- interfaces=%defaultroute
- # Use auto= parameters in conn descriptions to control startup actions.
- plutoload=%search
- plutostart=%search
- uniqueids=yes
-
-# defaults for subsequent connection descriptions
-conn %default
- # How to authenticate gateways
- authby=rsasig
- # default is
- # load connection description into Pluto's database
- # so it can respond if another gatway initiates
- # individual connection descriptions may override this
- auto=add
-
-# description for opportunistic connections
-conn me-to-anyone
- left=%defaultroute # all connections should use default route
- right=%opportunistic # anyone we can authenticate
- leftrsasigkey=%dnsondemand # NEW: look up keys in DNS as-needed
- rightrsasigkey=%dnsondemand # (not at connection load time)
- rekey=no # let unused connections die
- keylife=1h # short
- auto=route # set up for opportunistic
- leftid=@xy.example.com # our identity for IPSec negotiations
- # must match DNS and ipsec.secrets
-
-
-
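Review bot: removing the initiate-only example drops the only text on this page that states the trust model of the configuration (at "leftrsasigkey=%dnsondemand" / "rightrsasigkey=%dnsondemand" the remote gateway's public key is fetched from DNS at negotiation time, and authentication is "by RSA signature only"), so if this sample is retired in favour of the FreeS/WAN 2.x defaults mentioned at the top, the replacement documentation should still say that DNS integrity is the root of trust for opportunistic peers and that "leftid=@xy.example.com" must match both DNS and ipsec.secrets; neither follows from the defaults. Minor: "gatway" in the auto=add comment is misspelled, moot once the lines are gone.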
-ipsec.conf for Incoming Opportunistic Encryption
-Use the ipsec.conf above, except that the section describing opportunistic
-connections is now:
-# description for opportunistic connections -conn me-to-anyone - left=%defaultroute # all connections should use default route - right=%opportunistic # anyone we can authenticate - leftrsasigkey=%dnsondemand # NEW: look up keys in DNS as-needed - rightrsasigkey=%dnsondemand # (not at connection load time) - rekey=no # let unused connections die - keylife=1h # short - auto=route # set up for opportunistic- -
Note that leftid= has been removed. With no explicit setting, -leftid= defaults to the IP of your public interface.
- -Continue configuring -full opportunism. - - -
conn subnet-to-anyone # must be above me-to-anyone - also=me-to-anyone - leftsubnet=42.42.42.0/24 - -conn me-to-anyone # just like for full opportunism - left=%defaultroute - right=%opportunistic - leftrsasigkey=%dnsondemand - rightrsasigkey=%dnsondemand - keylife=1h - rekey=no - auto=route # be sure this is enabled - # Note there is NO leftid=- - -
Note that a subnet described in ipsec.conf(5) need not correspond to a - physical network segment. This is discussed in more detail in our -advanced configuration document.
- -If required, a gateway can easily provide this service for more than one - subnet. You just add a connection description for each.
- -Continue configuring an -opportunistic gateway. - - - - - -- cgit v1.2.3
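Review bot: the incoming and gateway sections are deleted together with their "Continue configuring ..." cross-links and the references to the quickstart guide and the advanced configuration document, but nothing in the visible diff adds replacement content or updates the documents that link here, so those links will dangle, and the commit message is not visible on this page to confirm where the material moved. Two behaviour-relevant details in the removed text are worth preserving wherever it lands: "conn subnet-to-anyone # must be above me-to-anyone" (ordering matters for the subnet conn) and "# Note there is NO leftid=" for the gateway case, where leftid= falls back to the IP of the public interface.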