Tutorial to Configure Openswan
This page will teach you how to configure the simplest, two host, host-to-host tunnel between two Linux machines running Openswan. You will usually be referred here if you have asked for help on IRC, and seem to be trying something too complex as your first attempt.
See also these related documents:
To configure the network-to-network connection you must have:
For each gateway, compile the following information:
It does not need to be within a domain that you own. It can be a made-up name.
On your local Linux Openswan gateway, print your IPsec public key:
# ipsec showhostkey --left
The output should look like this (with the key shortened for easy reading):
# RSA 2048 bits xy.example.com Fri Apr 26 15:01:41 2002
leftrsasigkey=0sAQOnwiBPt...
Don't have a key? Use ipsec newhostkey to create one.
Get a console on the remote side:
# ssh ab.example.com
In that window, type:
# ipsec showhostkey --right
You'll see something like:
# RSA 2192 bits ab.example.com Thu May 16 15:26:20 2002
rightrsasigkey=0sAQOqH55O...
Back on the local gateway, copy our template to /etc/ipsec.conf (on Mandrake, /etc/openswan/ipsec.conf). Substitute the information you've gathered for our example data. The parameter lines under conn must be indented, as ipsec.conf requires:

conn host-to-host
        left=192.0.2.2                  # Local vitals
        leftid=@xy.example.com
        leftrsasigkey=0s1LgR7/oUM...
        leftnexthop=%defaultroute       # correct in many situations
        right=192.0.2.9                 # Remote vitals
        rightid=@ab.example.com
        rightrsasigkey=0sAQOqH55O...
        rightnexthop=%defaultroute      # correct in many situations
        auto=add                        # authorizes but doesn't start this connection at startup
"Left" and "right" should represent the machines that have Openswan installed on them.
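The conn section above is easy to get subtly wrong when filled in by hand (an unindented parameter, a key pasted from the wrong gateway, the same address on both sides). The following added example, which is not Openswan code and not part of the original page, renders the section from the gathered values after checking them. It uses the page's example data with the keys shortened as on the page; the CONN_KEYS order, the validate/render_conn/set_auto_start names and the eight-space indentation are choices of this example.

```python
"""Render an Openswan host-to-host ``conn`` section from the values the
tutorial tells you to gather, checking them first.  Added example; not
Openswan code.  Key strings are shortened like the page's samples."""
import ipaddress
import re

# Parameter order as it appears in the tutorial's template.
CONN_KEYS = ("left", "leftid", "leftrsasigkey", "leftnexthop",
             "right", "rightid", "rightrsasigkey", "rightnexthop", "auto")

# Constructed from the tutorial's example data (keys truncated as on the page).
HOST_TO_HOST = {
    "left": "192.0.2.2",
    "leftid": "@xy.example.com",
    "leftrsasigkey": "0s1LgR7/oUM...",
    "leftnexthop": "%defaultroute",
    "right": "192.0.2.9",
    "rightid": "@ab.example.com",
    "rightrsasigkey": "0sAQOqH55O...",
    "rightnexthop": "%defaultroute",
    "auto": "add",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(params):
    """Return a list of problems; empty when the parameters look sane."""
    problems = [f"missing {key}" for key in CONN_KEYS if key not in params]
    if problems:
        return problems
    for side in ("left", "right"):
        if not _is_ip(params[side]):
            problems.append(f"{side}={params[side]!r} is not an IP address")
        if not params[side + "id"].startswith("@"):
            problems.append(f"{side}id must be an @name identity, as in the tutorial")
        if not params[side + "rsasigkey"].startswith("0s"):
            problems.append(f"{side}rsasigkey must be the 0s... value printed by ipsec showhostkey")
        nexthop = params[side + "nexthop"]
        if nexthop != "%defaultroute" and not _is_ip(nexthop):
            problems.append(f"{side}nexthop must be %defaultroute or an IP address")
    if params["left"] == params["right"]:
        problems.append("left and right are the same address")
    if params["leftrsasigkey"] == params["rightrsasigkey"]:
        problems.append("both sides carry the same key; take each side's value from that gateway's own showhostkey output")
    if params["auto"] not in ("add", "start", "route", "manual", "ignore"):
        problems.append(f"auto={params['auto']!r} is not add, start, route, manual or ignore")
    return problems


def render_conn(name, params):
    """Return the conn section as text for ipsec.conf.

    Parameter lines are indented, which the ipsec.conf format requires."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError(f"bad connection name {name!r}")
    problems = validate(params)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"conn {name}"]
    lines += [f"        {key}={params[key]}" for key in CONN_KEYS]
    return "\n".join(lines) + "\n"


def set_auto_start(conn_text):
    """Switch auto=add to auto=start so the tunnel comes up at boot."""
    return re.sub(r"^([ \t]*auto=)add[ \t]*$", r"\1start", conn_text, flags=re.MULTILINE)


if __name__ == "__main__":
    # Print the section once for the local gateway; the same text is
    # copied unchanged to the remote side, as the tutorial does with scp.
    print(render_conn("host-to-host", HOST_TO_HOST), end="")
```

The same rendered text is what gets copied to the remote side; Openswan works out which side it is from the addresses, so nothing is swapped. set_auto_start is the later "auto=add to auto=start" step applied to the rendered text.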
Copy conn host-to-host to the remote-side /etc/ipsec.conf. If you've made no other modifications to either ipsec.conf, simply:
# scp ipsec.conf root@ab.example.com:/etc/ipsec.conf
Locally, type:
# ipsec auto --up host-to-host
You should see:
104 "host-to-host" #223: STATE_MAIN_I1: initiate
106 "host-to-host" #223: STATE_MAIN_I2: sent MI2, expecting MR2
108 "host-to-host" #223: STATE_MAIN_I3: sent MI3, expecting MR3
004 "host-to-host" #223: STATE_MAIN_I4: ISAKMP SA established
112 "host-to-host" #224: STATE_QUICK_I1: initiate
004 "host-to-host" #224: STATE_QUICK_I2: sent QI2, IPsec SA established
The important thing is IPsec SA established. If you're unsuccessful, see our Troubleshooting tips.
Test the tunnel by pinging the remote gateway:
$ ping 192.0.2.9
While still pinging, go to the local gateway and snoop your outgoing interface, for example:
# tcpdump -i eth0
You want to see ESP (Encapsulating Security Payload) packets moving back and forth between the two gateways at the same frequency as your pings:
19:16:32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
19:16:32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)
If you see this, congratulations are in order! You have a tunnel which will protect any IP data from one host to the other. If not, go and see our Troubleshooting page.
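The two checks above (pluto reporting "IPsec SA established" and ESP packets flowing both ways) can be automated when you want to confirm the tunnel from a script rather than by eye. The following added example, which is not Openswan code and not part of the original page, parses both outputs. The sample text is constructed from the page's listings with one extra tcpdump line added; the regular expressions assume the status-line shape shown on the page and, for tcpdump, also accept the newer "IP" prefix and trailing length field. Function names are this example's own.

```python
"""Check the two signs the tutorial says to look for: pluto reporting
"IPsec SA established" for the connection, and ESP packets flowing both
ways between the gateways in tcpdump.  Added example; not Openswan code.
The sample outputs are constructed from the page's listings; feed real
output from ``ipsec auto --up`` and ``tcpdump -i eth0`` instead."""
import re

PLUTO_OUTPUT = """\
104 "host-to-host" #223: STATE_MAIN_I1: initiate
106 "host-to-host" #223: STATE_MAIN_I2: sent MI2, expecting MR2
108 "host-to-host" #223: STATE_MAIN_I3: sent MI3, expecting MR3
004 "host-to-host" #223: STATE_MAIN_I4: ISAKMP SA established
112 "host-to-host" #224: STATE_QUICK_I1: initiate
004 "host-to-host" #224: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

# Page's two lines plus one constructed follow-up packet.
TCPDUMP_OUTPUT = """\
19:16:32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
19:16:32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)
19:16:33.046301 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x4)
"""

# Pluto status line: <code> "<conn>" #<sa>: <STATE>: <message>
PLUTO_LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (STATE_\w+): (.*)$')
# tcpdump ESP line; tolerates an "IP" prefix, ", seq=" spacing and a trailing length.
ESP_LINE = re.compile(
    r'^(\S+) (?:IP )?(\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),\s*seq=(0x[0-9a-fA-F]+)\)')


def negotiation_result(pluto_output, conn):
    """Summarise phase 1 / phase 2 progress for one connection name."""
    result = {"isakmp_sa": False, "ipsec_sa": False, "last_state": None, "sa_numbers": []}
    for line in pluto_output.splitlines():
        m = PLUTO_LINE.match(line)
        if not m or m.group(2) != conn:
            continue
        _code, _name, sa_num, state, message = m.groups()
        result["last_state"] = state
        if sa_num not in result["sa_numbers"]:
            result["sa_numbers"].append(sa_num)   # #223 is phase 1, #224 phase 2 on the page
        if "ISAKMP SA established" in message:
            result["isakmp_sa"] = True
        if "IPsec SA established" in message:
            result["ipsec_sa"] = True
    return result


def esp_summary(tcpdump_output, left, right):
    """Count ESP packets per direction between left and right, collect the
    SPIs seen, and flag any SPI whose sequence number fails to increase
    (a duplicated or replayed packet in the capture shows up this way)."""
    counts = {"left_to_right": 0, "right_to_left": 0}
    last_seq = {}
    problems = []
    for line in tcpdump_output.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue
        _ts, src, dst, spi, seq_hex = m.groups()
        seq = int(seq_hex, 16)
        if (src, dst) == (left, right):
            counts["left_to_right"] += 1
        elif (src, dst) == (right, left):
            counts["right_to_left"] += 1
        else:
            continue  # ESP between some other pair of hosts; not this tunnel
        if spi in last_seq and seq <= last_seq[spi]:
            problems.append(f"{spi}: seq {seq:#x} after {last_seq[spi]:#x}")
        last_seq[spi] = seq
    return counts, sorted(last_seq), problems


def tunnel_up(pluto_output, tcpdump_output, conn, left, right):
    """True when phase 2 completed and ESP flows cleanly in both directions."""
    neg = negotiation_result(pluto_output, conn)
    counts, _spis, problems = esp_summary(tcpdump_output, left, right)
    return (neg["ipsec_sa"] and counts["left_to_right"] > 0
            and counts["right_to_left"] > 0 and not problems)


if __name__ == "__main__":
    print(negotiation_result(PLUTO_OUTPUT, "host-to-host"))
    print(esp_summary(TCPDUMP_OUTPUT, "192.0.2.2", "192.0.2.9"))
    print("tunnel up:", tunnel_up(PLUTO_OUTPUT, TCPDUMP_OUTPUT,
                                  "host-to-host", "192.0.2.2", "192.0.2.9"))
```

A one-way count (packets only leaving, none returning) points at the remote side rather than the local configuration, which is the first thing to narrow down before consulting the Troubleshooting page.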
Note: your new tunnel protects only net-net traffic, not gateway-gateway, or gateway-subnet. If you need this (for example, if machines on one net need to securely contact a fileserver on the IPsec gateway), you'll need to create extra connections.
Now that your connection works, name it something sensible, like:
conn newyork-to-washington
To have the tunnel come up on-boot, replace
auto=add
with:
auto=start
Copy these changes to the other side, for example:
# scp ipsec.conf root@ab.example.com:/etc/ipsec.conf
You will probably want to go back to the Configuring page and now set up the network-to-network tunnel, which for most people is the real goal. In actual practice, most systems do not set up a host-to-host tunnel between the gateways, but instead use leftsourceip to make sure that the gateways use the network-to-network tunnel when communicating with each other. The reason for this is that the host-to-host tunnel, if broken, may also interfere with your ability to SSH to the remote end.
Enjoy!
Spanish Howto - Setting up a VPN using Linux Debian and Openswan