Openswan

ex FreeSWAN - IPSec kernel stack and userspace ipsec tools for linux

see: Openswan main page, Openswan's Wiki

x.x.x.x
	x.x.x.x	%any:	PSK "<secretkeygoeshere>"
: RSA	{
        # RSA 2048 bits   erwin   Tue Apr  1 19:54:25 2008
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOLURatBjxUM9StRL7M0++UoZTAsbmMa5ucAb.....

 version 2.0
 
 config setup
        interfaces=%defaultroute
        klipsdebug=all #enable debugging
        plutodebug=all
 
 conn tunnelipsec
        type=tunnel     #tunnel mode ipsec
        left=x.x.x.x   #the IP address of your OpenSWAN endpoint
        leftnexthop=y.y.y.y   #default gateway
        leftsubnet=10.0.0.0/8   # network behind your endpoint
        right=%any   # Your IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute    #defaultroute for road warrior unknown
        rightsubnet=10.2.0.0/16    #network behind the PIX
        esp=3des-sha1    #esp: 3des, hmac: sha1
        keyexchange=ike    #use regular ike
        authby=secret    #pre-shared secret,  you can also use rsa nounces
        pfs=yes    #use perfect forward secrecy
        auto=add     #don't initiate tunnel, but allow incoming
       spi=0x0    #use base spi of 0x0 for PIX

PIX setup

 sysopt connection permit-ipsec
 crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
 crypto map vpnmap 10 ipsec-isakmp
 crypto map vpnmap 10 match address 108
 crypto map vpnmap 10 set peer x.x.x.x 
 crypto map vpnmap 10 set transform-set vpnset
 crypto map vpnmap 10 set pfs group2
 crypto map vpnmap interface outside
 isakmp enable outside
 isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
 isakmp identity address
 isakmp policy 5 authentication pre-share
 isakmp policy 5 encryption 3des
 isakmp policy 5 hash sha
 isakmp policy 5 group 2
 isakmp policy 5 lifetime 3600
 nat (inside) 0 access-list 108
 access-list 108 permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0