Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
Prev	Chapter 25. Linux FreeS/WAN VPN	Next

25.5. Automatic or Manual Key connections

The configuration file for FreeS/WAN /etc/ipsec.conf allows you to configure your IPSEC configurations, control information and connections types. IPSEC currently supports two types of connections:

Manually keyed: Manually keyed connections use keys stored in the /etc/ipsec.conf file. This type of connection is less secure then automatically keyed.
Automatically keyed.: Automatically keyed connections use keys automatically generated by the Pluto key negotiation daemon. The key negotiation protocol, used by default and named IKE, authenticates the other system using shared secrets stored in /etc/ipsec.secrets file.

The difference is strictly in how they are keyed. For these reasons, we will use and show you the automatically keyed connection that is more secure then the manually keyed connection. Once again, it is highly recommended that you use the automatically keyed connection.

In our example configuration below, we configure a sample tunnel with a firewall-penetrating tunnel, and we assume that firewalling is being done on the left and right side. We choose to show you this configuration since we assume it is what most users and companies will use. Also, it allows us to play with more options in the configuration file ipsec.conf for automatically keyed connections. Different configurations exist and you may consult the doc/examples file under the subdirectory doc of the frees/WAN source directory for more information and other possible configurations.

SubnetDeep======Deep------Deepgate..........Mailgate-------Mail======SubnetMail
                                       Untrusted net

leftsubnet = SubnetDeep (192.168.1.0/24)
left = Deep (deep.openna.com)
leftnexthop = Deepgate (the first router in the direction or ISP router for deep.openna.com)
Internet = Untrusted net
rightnexthop = Mailgate (the first router in the direction or ISP router for mail.openna.com)
right = Mail (mail.openna.com)
rightsubnet = SubnetMail (192.168.1.0/24)

       SubnetDeep
  \ 192.168.1.0/24 /
  +--------------------+
                |

SubnetDeep is the IP network address of your private internal network on the first gateway. eth1 is attached to the internal network.
            Deep
   \ 208.164.186.1 /
   +-------------------+
                |

Deep is the IP address of your first Gateway. eth0 is attached to the Internet.
Deepgate
\ 205.151.222.250 /
+----------------------+
|

Deepgate is the IP address of the first router in the direction of your second gateway mail.openna.com or your ISP router.
I N T E R N E T
|

INTERNET is the untrusted network.
Mailgate
/ 205.151.222.251 \
+------------------------+
|

Mailgate is the IP address of the first router in the direction of your first gateway deep.openna.com or your ISP router.
             Mail
   / 208.164.186.2 \
  +---------------------+
                |

Mail is the IP address of your second Gateway. eth0 is attached to the Internet.
SubnetMail
/ 192.168.1.0/24 \
+----------------------+

SubnetMail is the IP network address of your private internal network on the second gateway. eth1 is attached to the internal network.

Prev	Home	Next
Configure to optimise	Up	The `/etc/ipsec.conf` file