These are sample ipsec.conf(5) configuration files for opportunistic encryption, with comments. Much of this configuration will be unnecessary with the new defaults proposed for FreeS/WAN 2.x.
Full instructions are in our quickstart guide.
The ipsec.conf file for an initiate-only opportunistic setup is:
# general IPsec setup
config setup
        # Use the default interface
        interfaces=%defaultroute
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How to authenticate gateways
        authby=rsasig                   # default is
        # load connection description into Pluto's database
        # so it can respond if another gateway initiates
        # individual connection descriptions may override this
        auto=add

# description for opportunistic connections
conn me-to-anyone
        left=%defaultroute              # all connections should use default route
        right=%opportunistic            # anyone we can authenticate
        leftrsasigkey=%dnsondemand      # NEW: look up keys in DNS as-needed
        rightrsasigkey=%dnsondemand     # (not at connection load time)
        rekey=no                        # let unused connections die
        keylife=1h                      # short
        auto=route                      # set up for opportunistic
        leftid=@xy.example.com          # our identity for IPSec negotiations
                                        # must match DNS and ipsec.secrets
Normally, you need to do only two things:
However, some people may need to customize the interfaces= line in the "config setup" section. All other sections are identical for any standalone machine doing opportunistic encryption.
The @ sign in the leftid= makes the ID go "over the wire" as a Fully Qualified Domain Name (FQDN). Without it, the ID would be sent as an IP address, and opportunistic encryption won't work.
The conn is not used to supply either public key. Your private key is in ipsec.secrets(5) and, for opportunistic encryption, the public keys for remote gateways are all looked up in DNS.
FreeS/WAN authenticates opportunistic encryption by RSA signature only, so "public key" and "private key" refer to these keys.
While the left and right designations here are arbitrary, we follow a convention of using left for local and right for remote.
Continue configuring initiate-only opportunism.
# description for opportunistic connections
conn me-to-anyone
        left=%defaultroute              # all connections should use default route
        right=%opportunistic            # anyone we can authenticate
        leftrsasigkey=%dnsondemand      # NEW: look up keys in DNS as-needed
        rightrsasigkey=%dnsondemand     # (not at connection load time)
        rekey=no                        # let unused connections die
        keylife=1h                      # short
        auto=route                      # set up for opportunistic
Note that leftid= has been removed. With no explicit setting, leftid= defaults to the IP of your public interface.
Continue configuring full opportunism.
conn subnet-to-anyone                   # must be above me-to-anyone
        also=me-to-anyone
        leftsubnet=42.42.42.0/24

conn me-to-anyone                       # just like for full opportunism
        left=%defaultroute
        right=%opportunistic
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
        keylife=1h
        rekey=no
        auto=route                      # be sure this is enabled
        # Note there is NO leftid=
Note that a subnet described in ipsec.conf(5) need not correspond to a physical network segment. This is discussed in more detail in our advanced configuration document.
If required, a gateway can easily provide this service for more than one subnet. You just add a connection description for each.
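As an added example (not FreeS/WAN code), here is a small Python lint for the three sample files above: it parses conn sections in the ipsec.conf(5) layout, applies conn %default and one level of also=, and checks the points this page makes for every opportunistic conn: RSA-signature authentication, both keys fetched from DNS on demand, auto=route, a leftid that carries the @ (or no leftid at all), and an also= target that sits later in the file, as the "must be above" comment on subnet-to-anyone requires. The parser, the REQUIRED table and the SAMPLE input are my constructions; a config setup section is read and then discarded.

```python
# Added example (not FreeS/WAN code): lint the opportunistic-encryption
# settings this page describes in an ipsec.conf(5)-style file.
import re
REQUIRED = {"authby": "rsasig", "leftrsasigkey": "%dnsondemand",
            "rightrsasigkey": "%dnsondemand", "auto": "route"}

def parse_conns(text):
    # Returns [(conn name, {param: value}), ...] in file order; config setup is discarded.
    conns, cur = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(config|conn)\s+(\S+)", line)
        if m:                                          # new section header
            cur = {}
            if m.group(1) == "conn":
                conns.append((m.group(2), cur))
        elif "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return conns

def resolve(name, table):
    # conn %default first, then one level of also= targets, then the conn itself.
    merged = dict(table.get("%default", {}))
    for sec in table[name].get("also", "").split() + [name]:
        merged.update({k: v for k, v in table[sec].items() if k != "also"})
    return merged

def lint_opportunistic(text):
    conns, problems = parse_conns(text), []
    order, table = [n for n, _ in conns], dict(conns)
    for i, (name, raw) in enumerate(conns):
        for tgt in raw.get("also", "").split():        # also= must name a later conn
            if tgt not in order[i + 1:]:
                problems.append(f"{name}: also={tgt} must come after {name}")
        c = resolve(name, table) if name != "%default" else {}
        if c.get("right") != "%opportunistic":
            continue                                   # not an opportunistic conn
        for k, want in REQUIRED.items():
            if c.get(k) != want:
                problems.append(f"{name}: expected {k}={want}, got {c.get(k)}")
        if "leftid" in c and not c["leftid"].startswith("@"):
            problems.append(f"{name}: leftid without @ goes on the wire as an IP")
    return problems

SAMPLE = ("conn %default\n    authby=rsasig\n"  # constructed: the gateway layout above, leftid lacks its @
          "conn subnet-to-anyone\n    also=me-to-anyone\n    leftsubnet=42.42.42.0/24\n"
          "conn me-to-anyone\n    right=%opportunistic\n    leftrsasigkey=%dnsondemand\n"
          "    rightrsasigkey=%dnsondemand\n    auto=route\n    leftid=xy.example.com\n")
```

Running `lint_opportunistic(SAMPLE)` reports the missing @ for both conns (subnet-to-anyone inherits the bad leftid through also=); adding the @ yields an empty list.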