Display the content of the /etc/ipsec.conf file. It should contain the line include /etc/ipsec.d/*.conf. That line must not begin with the # character, otherwise it is commented out and ignored.

Display the content of the /etc/ipsec.secrets file. It should contain the line include /etc/ipsec.d/*.secrets. This line also must not begin with the # character.

Select a name for the connection. It must not contain any special characters or spaces. In this example intra2netserver is used.

Create a file called /etc/ipsec.d/intra2netserver.conf (or your connection name) and open it in a text editor (e.g. nano or vi).

The configuration file starts with the line conn intra2netserver (or your connection name). All subsequent lines must be indented with spaces or tabs. Blank lines are not allowed inside the block; where a separator is wanted, use a line containing at least one indented # character, as with comments.

Enter the information for the connection as in the following example:
conn intra2netserver
    auto=start
    keyingtries=0
    type=tunnel
    auth=esp
    authby=rsasig
    ike=aes128-sha-modp1024!
    esp=aes128-sha1!
    pfs=yes
    ikelifetime=480m
    keylife=60m
    rekey=yes
    #
    # left: our side
    left=%defaultroute
    leftid="/C=DE/ST=BW/L=Tuebingen/O=Intra2net/CN=MeinRechnerName"
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/cert.pem
    leftsubnet=192.168.10.0/24
    leftfirewall=yes
    #
    # right: intra2net system side
    right=mein-server.dyndns.org
    rightid="/CN=intra.net.lan"
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/intra2netserver.pem
    rightsubnet=192.168.1.0/24

The meanings of the entries are briefly explained below. Entries beginning with left describe the local side, those beginning with right describe the remote side (in this case the Intra2net system). All entries that are not explained separately should be used exactly as shown.

auto
    With add, the connection is only loaded; with start, it is established automatically.

keyingtries
    How often the connection should be attempted before it is abandoned with an error. 0 means unlimited.

ike
    Encryption algorithms for phase 1 (IKE). The combination used must be defined in the encryption profile of the Intra2net system. The trailing ! makes the proposal strict: only exactly this combination is offered and accepted. Note that a 1024-bit Diffie-Hellman group (modp1024) is considered weak today; choose a larger group on both sides if the encryption profile allows it.

esp
    Encryption algorithms for phase 2 (ESP). The combination used must likewise be defined in the encryption profile of the Intra2net system; the trailing ! again makes the proposal strict.

pfs
    Enables or disables Perfect Forward Secrecy.

ikelifetime
    Lifetime of phase 1 (IKE).

keylife
    Lifetime of phase 2 (IPsec).

left/right
    IP address or DNS name of the corresponding side. For the local side use %defaultroute. If the remote side has a static IP, always enter the IP address rather than a DNS name, even if one exists.

leftid/rightid
    IPsec ID of the corresponding side, in quotation marks. Enter the certificate owner data exactly as shown in the key menu of the Intra2net system.

leftcert/rightcert
    File name of the corresponding side's certificate.

leftsubnet/rightsubnet
    Network with netmask on the corresponding side. If only the external IP of the Linux (left) side is to be reachable through the VPN, omit the leftsubnet parameter and set the "" to "" on the Intra2net system.

leftfirewall
    yes automatically attempts to open the local firewall for the VPN connection. This only works if the firewall has not been heavily modified.

Create a file called /etc/ipsec.d/intra2netserver.secrets (or your connection name) and open it in a text editor (e.g. nano or vi). The file must reference the file name of the private key:

    : RSA /etc/ipsec.d/private_key.pem

The private key file must be readable by root only; keep the secrets file restricted to root as well, since it reveals where the key is stored.

In most cases the IPsec service must be restarted so that it reloads the configuration files. This is typically done with /etc/init.d/ipsec restart.

If the connection is set to auto=start, it is now established in the background. To start it manually, use ipsec auto --up intra2netserver (or your connection name).

Log messages for the connection setup are written by the pluto service and can be found in one of the system's log files, on current versions usually /var/log/secure.
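The script below is an added example and not part of the Intra2net documentation. It checks the points of the procedure above that are easy to get wrong: that the include lines in ipsec.conf and ipsec.secrets are present and not commented out, that the connection name contains no spaces or special characters, that the conn block has every line indented and contains no blank line, and that the secrets file is readable by root only. The function names (has_active_line, valid_conn_name, check_conn_block, check_secrets_perms, audit_ipsec) are my own; the demonstration at the end works on constructed files in a scratch directory and never reads or writes /etc. It only inspects files and does not run ipsec.

```shell
#!/bin/sh
# Added example (not from the Intra2net manual): checks the details of the
# client setup that the manual says must be right: an active (uncommented)
# include line in ipsec.conf and ipsec.secrets, a valid connection name, a
# conn block whose lines are all indented with no blank lines, and a
# root-only secrets file. The demonstration at the end runs against
# constructed files in a scratch directory, never against /etc.

# Return 0 if the exact directive $2 is present in file $1 on a line whose
# first non-blank character is not '#'.
has_active_line() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
            if (line == want) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Return 0 if $1 is usable as a connection name: letters, digits, '-' and
# '_' only; no spaces or other special characters.
valid_conn_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Return 0 if file $1 is a well-formed connection file as the manual
# describes: line 1 is "conn NAME" and every later line is indented
# (spaces or tabs) and not blank; a comment inside the block must be an
# indented '#'.
check_conn_block() {
    awk '
        NR == 1 { if ($0 !~ /^conn [A-Za-z0-9_-]+[[:space:]]*$/) bad = 1; next }
        /^[[:space:]]*$/ { bad = 1; next }   # blank line inside the block
        !/^[[:space:]]/  { bad = 1 }         # unindented line
        END { if (NR == 0 || bad) exit 1; exit 0 }' "$1"
}

# Return 0 if file $1 exists with mode 0600 (owner read/write only). The
# secrets file names the private key and must not be readable by others.
check_secrets_perms() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run every check for connection $2 below root directory $1, laid out as
# in /etc: $1/ipsec.conf, $1/ipsec.secrets, $1/ipsec.d/$2.conf and
# $1/ipsec.d/$2.secrets. Prints one line per failure; returns their count.
audit_ipsec() {
    dir=$1; name=$2; fails=0
    valid_conn_name "$name" \
        || { echo "connection name '$name' contains spaces or special characters"; fails=$((fails + 1)); }
    has_active_line "$dir/ipsec.conf" 'include /etc/ipsec.d/*.conf' \
        || { echo "ipsec.conf: 'include /etc/ipsec.d/*.conf' missing or commented out"; fails=$((fails + 1)); }
    has_active_line "$dir/ipsec.secrets" 'include /etc/ipsec.d/*.secrets' \
        || { echo "ipsec.secrets: 'include /etc/ipsec.d/*.secrets' missing or commented out"; fails=$((fails + 1)); }
    check_conn_block "$dir/ipsec.d/$name.conf" \
        || { echo "ipsec.d/$name.conf: not a single indented conn block"; fails=$((fails + 1)); }
    check_secrets_perms "$dir/ipsec.d/$name.secrets" \
        || { echo "ipsec.d/$name.secrets: missing or not mode 0600"; fails=$((fails + 1)); }
    return $fails
}

# Demonstration on constructed files: the conf include is active, the
# secrets include is commented out (one failure expected), and a second
# conn file contains a blank line so it is rejected on its own.
demo=$(mktemp -d) && mkdir "$demo/ipsec.d"
printf 'config setup\n\ninclude /etc/ipsec.d/*.conf\n' > "$demo/ipsec.conf"
printf '#include /etc/ipsec.d/*.secrets\n' > "$demo/ipsec.secrets"
printf 'conn intra2netserver\n\tauto=start\n\tauthby=rsasig\n\t#\n\t# left: our side\n\tleft=%%defaultroute\n' \
    > "$demo/ipsec.d/intra2netserver.conf"
printf 'conn intra2netserver\n\tauto=start\n\nleft=%%defaultroute\n' > "$demo/ipsec.d/broken.conf"
printf ': RSA /etc/ipsec.d/private_key.pem\n' > "$demo/ipsec.d/intra2netserver.secrets"
chmod 600 "$demo/ipsec.d/intra2netserver.secrets"
audit_ipsec "$demo" intra2netserver; rc=$?
if [ "$rc" -eq 0 ]; then echo "all checks passed"; else echo "$rc check(s) failed"; fi
check_conn_block "$demo/ipsec.d/broken.conf" || echo "broken.conf rejected (blank line inside the block)"
rm -rf "$demo"
```

To audit a real installation, call audit_ipsec /etc intra2netserver (with your connection name) as root; a non-zero return value is the number of findings, each printed on its own line. The mode check is deliberately strict (exactly 0600), so a group-readable secrets file is reported as a finding.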