Openswan defaults If you have started Openswan for the first time, this normally generates a default RSA keypair to use. The public key of that pair needs to be (securely!) communicated to the other end before communication can start. You will find the key in /etc/ipsec.secrets. If you don't see any key in that file, you can generate one by issuing: ipsec newhostkey --output /etc/ipsec.secrets There are two general sections on the /etc/ipsec.conf file. One is the "config setup" section and the other is the "conn default" section. Any tunnels you want to configure go after these two sections, in their own "conn tunnel-name" section. Be aware that the indentation and white space in th configuration files is important. Always follow the layout that you see in the file, and always keep an empty line between different connection definitions. You only need to make changes to these two sections if Openswan cannot determine certain settings automatically. The most common case is that the machine has no single default route, so we cannot determine over which physical interface the encrypted packets need to go. If you know that you will want to send encrypted packets over eth0 and ppp0, you can change the interfaces line accordingly: interfaces="ipsec0=eth0,ipsec1=ppp0" Do not enable the plutodebug or klipsdebug lines unless you are investigating a problem in the Openswan code. To find out why your configuration doesn't work, one only needs to look at the syslog messages, often collected in the file /var/log/secure. In the default section you can put any parameter that stays the same for most of your tunnel connections, so you don't have to keep copying that option into all your connection definitions. You can override these options in the actual tunnel connection. Openswan supports a mode called "opportunistic encryption", which often gets in the way of simple static tunnels. If you are just configuring a dedicated VPN server using Openswan, add the following conns to disable OE. conn OEself auto=ignore conn clear auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn block auto=ignore conn packetdefault auto=ignore
