25.5. Automatic or Manual Key connections

The FreeS/WAN configuration file /etc/ipsec.conf is where you define your IPsec configuration, control information and connection types. FreeS/WAN currently supports two types of connection:

Manually keyed

Manually keyed connections use keys stored in the /etc/ipsec.conf file. This type of connection is less secure than an automatically keyed one.

Automatically keyed

Automatically keyed connections use keys generated automatically by the Pluto key negotiation daemon. The key negotiation protocol used by default, IKE, authenticates the other system using shared secrets stored in the /etc/ipsec.secrets file.

The only difference between the two is how they are keyed. For this reason we use, and show you, the automatically keyed connection, which is more secure than the manually keyed one. Once again, we highly recommend that you use automatically keyed connections.

In our example configuration below we set up a sample firewall-penetrating tunnel, and we assume that firewalling is done on both the left and the right side. We show this configuration because we assume it is what most users and companies will use, and because it lets us exercise more of the options that ipsec.conf offers for automatically keyed connections. Other configurations exist; consult the doc/examples file under the doc subdirectory of the FreeS/WAN source directory for more information and other possible configurations.

SubnetDeep======Deep------Deepgate..........Mailgate-------Mail======SubnetMail
                                       Untrusted net
leftsubnet = SubnetDeep (192.168.1.0/24)
left = Deep (deep.openna.com)
leftnexthop = Deepgate (the first router in the direction of the Internet, or the ISP router, for deep.openna.com)
Internet = Untrusted net
rightnexthop = Mailgate (the first router in the direction of the Internet, or the ISP router, for mail.openna.com)
right = Mail (mail.openna.com)
rightsubnet = SubnetMail (192.168.1.0/24)


  •  SubnetDeep (192.168.1.0/24): the IP network address of your private internal network on the first gateway. eth1 is attached to the internal network.

  •  Deep (208.164.186.1): the IP address of your first gateway. eth0 is attached to the Internet.

  •  Deepgate (205.151.222.250): the IP address of the first router in the direction of your second gateway mail.openna.com, or your ISP router.

  •  INTERNET: the untrusted network.

  •  Mailgate (205.151.222.251): the IP address of the first router in the direction of your first gateway deep.openna.com, or your ISP router.

  •  Mail (208.164.186.2): the IP address of your second gateway. eth0 is attached to the Internet.

  •  SubnetMail (192.168.1.0/24): the IP network address of your private internal network on the second gateway. eth1 is attached to the internal network.
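The following is an added example, not code from the book or from the FreeS/WAN project. It turns the left/right parameters described above into an automatically keyed conn section for ipsec.conf plus the matching /etc/ipsec.secrets line, and it first runs the sanity checks a practitioner would want before starting Pluto: every value parses, the two private subnets do not overlap (two ends with the same subnet cannot be routed through a tunnel), no gateway sits inside its own private subnet, and the nexthop is a router rather than the gateway itself. The keywords it emits (left, leftsubnet, leftnexthop, right, rightsubnet, rightnexthop, keyexchange, authby, pfs, auto) are real FreeS/WAN ipsec.conf parameters; the Tunnel class, validate, render_conn and render_secret are names chosen here. The sample topology uses the diagram's addresses, except that the right-hand subnet is assumed to be 192.168.2.0/24 so that the two ends differ.

```python
"""Build and sanity-check a FreeS/WAN automatically keyed 'conn' section."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    """Parameters of one net-to-net tunnel, named as in ipsec.conf."""
    name: str
    left: str           # public address of the first gateway (Deep)
    leftsubnet: str     # private network behind it (SubnetDeep)
    leftnexthop: str    # first router towards the Internet (Deepgate)
    right: str          # public address of the second gateway (Mail)
    rightsubnet: str    # private network behind it (SubnetMail)
    rightnexthop: str   # first router towards the Internet (Mailgate)


def validate(t: Tunnel) -> List[str]:
    """Return a list of configuration problems; an empty list means OK."""
    try:
        left = ipaddress.ip_address(t.left)
        right = ipaddress.ip_address(t.right)
        lnh = ipaddress.ip_address(t.leftnexthop)
        rnh = ipaddress.ip_address(t.rightnexthop)
        lsub = ipaddress.ip_network(t.leftsubnet, strict=True)
        rsub = ipaddress.ip_network(t.rightsubnet, strict=True)
    except ValueError as exc:
        return [f"unparseable address or network: {exc}"]
    problems = []
    if left == right:
        problems.append("left and right gateways must differ")
    if lsub.overlaps(rsub):
        problems.append(f"leftsubnet {lsub} and rightsubnet {rsub} overlap; "
                        "traffic between them could never be routed through the tunnel")
    if left in lsub or right in rsub:
        problems.append("a gateway's public address lies inside its own private subnet")
    if lnh == left or rnh == right:
        problems.append("a nexthop must be the first router, not the gateway itself")
    return problems


def render_conn(t: Tunnel) -> str:
    """Render an automatically keyed (IKE, shared-secret) conn section."""
    problems = validate(t)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"conn {t.name}",
        f"\tleft={t.left}",
        f"\tleftsubnet={t.leftsubnet}",
        f"\tleftnexthop={t.leftnexthop}",
        f"\tright={t.right}",
        f"\trightsubnet={t.rightsubnet}",
        f"\trightnexthop={t.rightnexthop}",
        "\tkeyexchange=ike",   # automatic keying negotiated by Pluto
        "\tauthby=secret",     # authenticate with the shared secret in ipsec.secrets
        "\tpfs=yes",           # perfect forward secrecy for the negotiated keys
        "\tauto=start",        # bring the tunnel up when IPsec starts
    ]
    return "\n".join(lines) + "\n"


def render_secret(t: Tunnel, psk: Optional[str] = None) -> str:
    """Render the /etc/ipsec.secrets line; the same line goes on both gateways."""
    if psk is None:
        psk = secrets.token_hex(32)   # 256-bit random pre-shared key, never hand-typed
    return f'{t.left} {t.right}: PSK "{psk}"\n'


# Constructed sample topology: addresses as in the diagram above, except that
# the right-hand subnet is assumed to be 192.168.2.0/24 so the two ends differ.
DEEP_TO_MAIL = Tunnel(
    name="deep-mail",
    left="208.164.186.1", leftsubnet="192.168.1.0/24", leftnexthop="205.151.222.250",
    right="208.164.186.2", rightsubnet="192.168.2.0/24", rightnexthop="205.151.222.251",
)

if __name__ == "__main__":
    print(render_conn(DEEP_TO_MAIL))
    print(render_secret(DEEP_TO_MAIL))
```

Run the script on each gateway, paste the conn section into /etc/ipsec.conf and the PSK line into /etc/ipsec.secrets (mode 0600, root only), and keep the pre-shared key identical on both sides: with authby=secret, a mismatch shows up as an IKE authentication failure in Pluto's log rather than a tunnel that comes up with the wrong peer.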

Published under the terms of the Open Publication License.