Server Configuration II

IPSEC Configuration

There are only a few changes from the default configuration. As with the client, the following lines are the changes of importance. Note the style of configuration file is the same as for the client. The main configuration file, /etc/ipsec.conf contains the overall configuration, and the /etc/ipsec directory contains the per connection data. Specifically, in this context, each file contains the specifications for each client connection.

The configuration file significant bits are 

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # Only want IPSEC on the wireless segment, eth0 here.
        interfaces="ipsec0=eth0"


#  Specify client security is held in a subdirectory.
include /etc/ipsec/remote.*.conn


# sample VPN connection
conn wireless
        #  Only 1 try, since we are the passive end, awaiting connections.
        keyingtries=1
        #  Limit keylife, just to make it harder.
        keylife=1h
        # Left security gateway, subnet behind it, next hop toward right.
        # Left is the wireless machine
        # Right security gateway, subnet behind it, next hop toward left.
        # Right is US.
        right=192.168.3.1
        rightsubnet=0.0.0.0/0
        rightnexthop=%direct
        # Need to identify ourselves
        rightid=@jackie.bluegum.com
        #  And our public key.
        rightrsasigkey=<our public key, from /etc/ipsec.secrets>

The points of interest are the interfaces="ipsec0=eth0" line, which is used here because IPSEC is only to operate on that specific interface, which is not the default route to anywhere.

The conn section contains a number of new entries. The keyingtries=1 line limits operations to just one attempt to establish an IPSEC channel. This is reasonable here, as normally the connections are established from the wireless device. It would be quite reasonable to have a limit of 0, except that means unlimited tries - definitely not appropriate here.

It's also necessary to set the keylife parameter to the same value as that used on the laptop end. Otherwise, the entries are pretty much regular, and should match the corresponding entry from the laptop.

The included file contents are: 

# Connections from 'sporty' to jackie over the wireless link
conn jackie-sporty
        # Left security gateway, subnet behind it, next hop toward right.
        # Left is the wireless machine, whose IP address will change from
        # time to time, so the '%any' means accept whatever
        left=%any
        leftnexthop=%direct
        #
        # Defined in the main config file.
        also=wireless
        #
        #  Right security information is bought in by the above 'include'
        #  An identity string for sporty.
        leftid=@sporty.bluegum.com
        #  Sporty's public key
        leftrsasigkey=<laptop public key>
        # Authorize this connection, but don't actually start it, at startup.
        auto=start

The left=%any entry specifies to accept any address of the left hand (i.e. laptop) end. This is the standard road warrior configuration. The leftnexthop=%direct line tells IPSEC how to set the global routing table, namely that packets destined for the connecting machine will go directly to its IP address, not via some gateway.

Still Not Done

The above operations should get you a working IPSEC tunnel on a DHCP configured laptop connected via a wireless link. However, the connection will fail when the DHCP client renews its lease, or rather attempts to renew its lease. To resolve this problem, policy routing needs to be setup. This is, in its own way, a very useful thing to discover and use!


Server Configuration I
Server Configuration III

Version: $Revision: 1.4 $; Updated at 15:47 EST on Tue Apr 11, 2006
Copyright (C) 2002 - 2006, Lindsay Harris