HOWTO get Openswan working with a 2.6 kernel

bert hubert


Table of Contents

1. Introduction
2. Getting and compiling Openswan
3. Making keys
4. Configuring a 'road-warrior' configuration
On the laptop
On the base station
5. Firing up the connection

Chapter 1. Introduction

Openswan has recently emerged from Free/SWAN and looks highly promising. In the current transition, there is a lot of documentation, not all of which applies to the current state of affairs. This document sets out how to get up and running with Openswan on a recent Linux 2.6 kernel.

No previous experience with Free/SWAN is assumed, as the author has none either. We will only focus on Openswan 2.2 and onwards.

Chapter 2. Getting and compiling Openswan

Go to the Openswan download page and get the newest version, at least 2.2dr2.

The dependencies are well described in the README file inside the distribution.

Untar, and run make programs install.

Then run: ipsec verify, which should print something like:

$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  	[OK]
Linux Openswan U2.2.0dr2/K2.6.7-mm7 (native) (native)
Checking for IPsec support in kernel                             	[OK]
Checking for RSA private key (/etc/ipsec.secrets)                	[OK]
Checking that pluto is running                                   	[OK]
Two or more interfaces found, checking IP forwarding             	[OK]
Checking NAT and MASQUERADEing                                   	[N/A]
Checking for 'ip' command                                        	[OK]
Checking for 'iptables' command                                  	[OK]
Checking for 'setkey' command for native IPsec stack support     	[OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: deef                     	[MISSING]
   Does the machine have at least one non-private address?       	[FAILED]

It is ok if pluto is not yet running. If IP forwarding is reported as off, turn it on by executing: sysctl -w net.ipv4.ip_forward=1. The Opportunistic Encryption checks can be ignored for now.

Chapter 3. Making keys

On all computers we want to use Openswan on, we should make keys. Be careful not to overwrite any keys you might already be using!

Commandline: sudo ipsec newhostkey --output /etc/ipsec.secrets

Chapter 4. Configuring a 'road-warrior' configuration

A road-warrior travels with his laptop a lot, but has a server somewhere to which he wants to connect safely. Below I will assume that this server is located at his home, and it will be called 'the base station'. Unique to this situation is that the road-warrior does not know his IP address when on the road.

On the laptop

On the laptop, put this in /etc/ipsec.conf:

version 2
include /etc/ipsec.d/examples/no_oe.conf

conn road
	left=120.130.140.150
	leftid=@road.example.com
	right=150.160.170.180
	rightsubnet=192.168.100.0/24
	rightid=@home.example.com
	auto=add

Be careful: you cannot put blank lines inside a section, as a blank line ends the section!

Ok, what does this say? According to the Openswan convention, 'left' is local, 'right' is remote. The above configures our local IP address to be 120.130.140.150 and gives us the 'id' @road.example.com. Turning to the 'right' side, our homebase is configured to be at 150.160.170.180.

Note

As the public IP address of the laptop generally won't be known, Openswan has a facility to figure it out automatically. For the author of this document, this did not work, but you can try left=%defaultroute instead of a fixed address.

Going on, our home network has addresses 192.168.100.0/24, and has been assigned the id @home.example.com. Finally, auto=add loads the connection when Openswan starts, so that it is known and authorized, but does not bring it up automatically.

Now we need to add the keys. Run ipsec showhostkey --left on your laptop and ipsec showhostkey --right on your base station.

Add the output of both (a leftrsasigkey= line and a rightrsasigkey= line) verbatim to the conn road section of /etc/ipsec.conf on the laptop, indented like the other parameters of the section.

On the base station

The configuration here looks a lot like the above, except in reverse:

version 2
include /etc/ipsec.d/examples/no_oe.conf

conn road
    left=150.160.170.180
    leftid=@home.example.com
    leftsubnet=192.168.100.0/24
    rightnexthop=%defaultroute
    right=%any
    rightid=@road.example.com
    auto=add

Ok, now run the showhostkey commands again, but the other way around: ipsec showhostkey --right on your laptop and ipsec showhostkey --left on your base station, so that each key is labelled from the base station's point of view.

Add the verbatim output of these commands to the conn road section of /etc/ipsec.conf on your base station, indented like the other parameters of the section.
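As an added example (not part of this HOWTO), the Python script below parses the conn road section on both sides and checks that the laptop's left/right parameters and rsasigkey lines mirror the base station's, and that a stray blank line has not cut a section short. The sample configs and the 0s... key values are constructed placeholders, not real keys.

```python
"""Added example (not from the HOWTO): cross-check the laptop and base-station
/etc/ipsec.conf 'conn road' sections of the road-warrior setup described above."""
import re

def parse_conn(text, name):
    """Return {param: value} for 'conn <name>'. As the HOWTO warns, a blank
    line ends the section, so parameters after a gap are silently lost."""
    params, inside = {}, False
    for line in text.splitlines():
        if re.match(r"conn\s+%s\s*$" % re.escape(name), line):
            inside = True
            continue
        if inside:
            if not line.strip() or not line[0].isspace():
                break                      # blank line or next section header
            key, _, val = line.strip().partition("=")
            params[key.strip()] = val.strip()
    return params

def check_road_warrior(laptop_conf, base_conf, name="road"):
    """Return a list of problems; an empty list means the two sides mirror."""
    lap, base = parse_conn(laptop_conf, name), parse_conn(base_conf, name)
    # 'left' is local on each side, so laptop params reappear swapped on the base
    mirrored = [("leftid", "rightid"), ("rightid", "leftid"),
                ("right", "left"), ("rightsubnet", "leftsubnet"),
                ("leftrsasigkey", "rightrsasigkey"),
                ("rightrsasigkey", "leftrsasigkey")]
    problems = []
    for lkey, bkey in mirrored:
        if lkey not in lap or bkey not in base:
            problems.append("missing: laptop %s / base %s" % (lkey, bkey))
        elif lap[lkey] != base[bkey]:
            problems.append("mismatch: laptop %s != base %s" % (lkey, bkey))
    if base.get("right") != "%any":
        problems.append("base: right must be %any, the laptop address is unknown")
    return problems

def conf(params):
    """Build a constructed ipsec.conf text with a single 'conn road' section."""
    return "version 2\n\nconn road\n" + "".join("\t%s=%s\n" % kv for kv in params)

# Constructed sample configs; the 0s... keys are placeholders, not real RSA keys.
LAPTOP = conf([("left", "120.130.140.150"), ("leftid", "@road.example.com"),
               ("right", "150.160.170.180"), ("rightsubnet", "192.168.100.0/24"),
               ("rightid", "@home.example.com"), ("leftrsasigkey", "0sLAPTOPKEY"),
               ("rightrsasigkey", "0sBASEKEY"), ("auto", "add")])
BASE = conf([("left", "150.160.170.180"), ("leftid", "@home.example.com"),
             ("leftsubnet", "192.168.100.0/24"), ("rightnexthop", "%defaultroute"),
             ("right", "%any"), ("rightid", "@road.example.com"),
             ("leftrsasigkey", "0sBASEKEY"), ("rightrsasigkey", "0sLAPTOPKEY")])
```

Running check_road_warrior(LAPTOP, BASE) on real files read from both machines returns an empty list when the two sides agree; each entry in the list names the side and parameter to fix.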

Chapter 5. Firing up the connection

On the base station and laptop issue: ipsec setup start

And only on the laptop (the base station cannot initiate, as it only knows the laptop as %any): ipsec auto --add road, followed by ipsec auto --up road. Now you should be able to ping your home network, presumed to be at 192.168.100.0/24 here, securely!

Note

If you see lines like ipsec_setup: FATAL: Module ah4 not found., this need not be an error: these modules may simply be compiled into your kernel.