====== Openswan ======

Formerly FreeS/WAN - IPsec kernel stack and userspace ipsec tools for Linux.

See: [[http://www.openswan.org|Openswan main page]], [[http://wiki.openswan.org|Openswan's Wiki]]

===== ipsec.secrets =====

A pre-shared key entry for a fixed peer, followed by an RSA key entry (the RSA block is shown truncated):

<code>
x.x.x.x x.x.x.x %any: PSK ""

: RSA {
  # RSA 2048 bits erwin Tue Apr 1 19:54:25 2008
  # for signatures only, UNSAFE FOR ENCRYPTION
  #pubkey=0sAQOLURatBjxUM9StRL7M0++UoZTAsbmMa5ucAb.....
</code>

===== OpenSWAN + Cisco PIX =====

Openswan side (ipsec.conf):

<code>
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=all               #enable debugging
    plutodebug=all

conn tunnelipsec
    type=tunnel                  #tunnel mode ipsec
    left=x.x.x.x                 #the IP address of your OpenSWAN endpoint
    leftnexthop=y.y.y.y          #default gateway
    leftsubnet=10.0.0.0/8        #network behind your endpoint
    right=%any                   #your IP, or %any for a road-warrior setup
    rightnexthop=%defaultroute   #defaultroute for road warrior unknown
    rightsubnet=10.2.0.0/16      #network behind the PIX
    esp=3des-sha1                #esp: 3des, hmac: sha1
    keyexchange=ike              #use regular ike
    authby=secret                #pre-shared secret, you can also use rsa signatures
    pfs=yes                      #use perfect forward secrecy
    auto=add                     #don't initiate tunnel, but allow incoming
    spi=0x0                      #use base spi of 0x0 for PIX
</code>

PIX setup:

<code>
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 108
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 10 set pfs group2
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
nat (inside) 0 access-list 108
access-list 108 permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0
</code>
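Most failed Openswan/PIX tunnels come down to the two sides disagreeing on one parameter (peer address, the mirrored subnets in the ACL, the ESP transform, PFS, or the phase 1 authentication method). The script below is an added example, not code from the Openswan project or from this page's author: it parses the conn block and the PIX lines above (embedded as constructed input, with x.x.x.x / y.y.y.y kept as placeholders) and reports every place where they do not mirror each other. The mapping from Openswan `esp=` tokens to PIX transform keywords (`ESP_MAP`) is an assumption covering only the algorithms that appear on this page; the script checks that both ends agree, not whether the chosen algorithms are still adequate.

```python
"""Cross-check an Openswan conn block against the matching Cisco PIX crypto
configuration. Added example; the embedded configs are constructed from this
page with x.x.x.x / y.y.y.y left as placeholders."""
import ipaddress

OPENSWAN_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute

conn tunnelipsec
    type=tunnel
    left=x.x.x.x                 #the IP address of your OpenSWAN endpoint
    leftnexthop=y.y.y.y
    leftsubnet=10.0.0.0/8
    right=%any
    rightsubnet=10.2.0.0/16      #network behind the PIX
    esp=3des-sha1
    keyexchange=ike
    authby=secret
    pfs=yes
    auto=add
"""

PIX_CONF = """\
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 108
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 10 set pfs group2
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
nat (inside) 0 access-list 108
access-list 108 permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0
"""

# Assumed mapping: Openswan esp= token -> PIX transform-set keyword.
ESP_MAP = {"3des": "esp-3des", "aes": "esp-aes",
           "sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'config' and 'conn' sections.
    Trailing '#' comments are stripped; indented lines belong to the section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header or 'version'
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind in ("config", "conn") else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def parse_pix(text):
    """Pull out the PIX settings that must mirror the Openswan conn block."""
    pix = {"acl": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["transform"] = (w[3], set(w[4:]))          # name, {esp-3des, esp-sha-hmac}
        elif w[:2] == ["crypto", "map"] and "set" in w:
            i = w.index("set")
            pix["map_" + w[i + 1]] = " ".join(w[i + 2:])   # peer / transform-set / pfs
        elif w[:2] == ["crypto", "map"] and "match" in w:
            pix["acl_id"] = w[-1]
        elif w[:2] == ["isakmp", "policy"]:
            pix["isakmp_" + w[3]] = " ".join(w[4:])
        elif w[0] == "access-list" and w[2] == "permit":
            # access-list <id> permit ip <src> <srcmask> <dst> <dstmask>
            src = ipaddress.ip_network(f"{w[4]}/{w[5]}")
            dst = ipaddress.ip_network(f"{w[6]}/{w[7]}")
            pix["acl"].append((w[1], src, dst))
    return pix


def check_consistency(conn, pix):
    """Return human-readable mismatches; an empty list means both sides agree."""
    findings = []
    if pix.get("map_peer") != conn.get("left"):
        findings.append(f"peer mismatch: PIX peer {pix.get('map_peer')} vs left={conn.get('left')}")
    # The PIX ACL source is Openswan's rightsubnet and its destination the leftsubnet.
    want = (ipaddress.ip_network(conn["rightsubnet"]), ipaddress.ip_network(conn["leftsubnet"]))
    acl = [(s, d) for aid, s, d in pix["acl"] if aid == pix.get("acl_id")]
    if want not in acl:
        findings.append(f"selector mismatch: ACL {pix.get('acl_id')} {acl} vs {want}")
    enc, mac = conn["esp"].split("-", 1)
    want_ts = {ESP_MAP[enc], ESP_MAP[mac]}
    name, ts = pix.get("transform", (None, set()))
    if pix.get("map_transform-set") != name or ts != want_ts:
        findings.append(f"transform mismatch: {sorted(ts)} vs {sorted(want_ts)}")
    # Openswan defaults to pfs=yes; the PIX only does PFS when 'set pfs groupN' is present.
    if (conn.get("pfs", "yes") == "yes") != ("map_pfs" in pix):
        findings.append("pfs mismatch")
    if (conn.get("authby") == "secret") != (pix.get("isakmp_authentication") == "pre-share"):
        findings.append("authentication method mismatch")
    return findings


if __name__ == "__main__":
    conn = parse_ipsec_conf(OPENSWAN_CONF)["tunnelipsec"]
    for line in check_consistency(conn, parse_pix(PIX_CONF)) or ["both sides agree"]:
        print(line)
```

Run it against the two configs as copied from a real pair of devices; with the page's values it reports that both sides agree, and flipping any single parameter on one side (for example `pfs=no` in the conn, or a different transform set) produces the corresponding mismatch line.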