Gentlemen (and ladies),

I'm setting up openswan to use x.509 for the first time; I finally got the time to come back to finish it up.

Do you guys w/ openswan + x.509 experience mind doing a once-over on my config to give me your thoughts? The documentation is pretty thorough, except there isn't a single "complete" config example given, and I want to make sure I'm not missing some config option - even if it's maybe not necessary but would be an enhancement or optimization.

Alternately, if you have a config you feel you can share, I'd appreciate using it as a reference.

Overall use: I'll have two types of users connecting; one is a general user, one is administrative. The general user just needs an IPSec tunnel out of their location to the rest of the Internet; they won't be connecting to any private networks, we're just trying to secure their Internet traffic because their location isn't trusted (is there a config option that says 'forward all traffic down the tunnel'? I couldn't find it and am guessing it's the default behavior). The administrative user will use the IPSec tunnel the same way, with the addition of access to a single private network the openswan server is connected to.

Here's my basic layout:

/etc/ipsec.conf:

    version 2.0     # conforms to second version of ipsec.conf specification

    config setup
            protostack=netkey
            nat_traversal=yes
            virtual_private=
            oe=off
            nhelpers=0

    include /etc/ipsec.d/*.conf

/etc/ipsec.d/admin.conf:

    conn adminclient
            right=%any
            rightca=%same
            rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
            leftcert=03.pem
            leftsubnet=10.0.1.0/24

/etc/ipsec.d/user.conf:

    conn userclient
            right=%any
            rightca=%same
            rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
            leftcert=03.pem

/etc/ipsec.d/certs - holds all the certs that have been issued to the clients in .pem format; probably not necessary since I'm matching on cert subject.

/etc/ipsec.d/private - holds the 03.pem that is the server's cert; its OU is Server and it is signed by the same CA as all the client certs.

/etc/ipsec.d/crls - holds the CRL for the CA used to sign the client keys.

/etc/ipsec.d/cacerts - holds the .pem of the CA used to sign all the client keys.

The clients will be configured to verify the server has a matching CA and that the OU=Server.
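As an added example, not the poster's configuration and not openswan's own documentation, the listing below is a complete /etc/ipsec.conf that fills in the options the post leaves out, written against the same file layout (server cert 03.pem, CA under cacerts, CRL under crls, private network 10.0.1.0/24, client DNs matched by OU). The two conns are shown in one file for readability; they can stay in /etc/ipsec.d/admin.conf and user.conf behind the include line exactly as in the post. Everything marked as a placeholder (the O= value, the cipher proposals, timer values) is an assumption, not something the post specifies.

```ini
# /etc/ipsec.conf  (added example; placeholders: <my O>, proposals, timers)
#
# File layout this assumes (openswan's own lookup paths):
#   /etc/ipsec.d/certs/03.pem     server certificate, named by leftcert=
#   /etc/ipsec.d/private/03.key   server private key, referenced from
#                                 /etc/ipsec.secrets as ": RSA /etc/ipsec.d/private/03.key"
#   /etc/ipsec.d/cacerts/         CA that issued server and client certs
#   /etc/ipsec.d/crls/            CRL for that CA
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        # Address ranges a road warrior may sit behind and propose as its
        # inner address (vhost:%priv below). The real private network is
        # excluded so no client can claim an address inside it.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.1.0/24
        oe=off
        nhelpers=0
        # Reload the CRL every 10 minutes and refuse peers while no valid
        # CRL for their CA is loaded (otherwise a revoked cert still works).
        crlcheckinterval=600
        strictcrlpolicy=yes

# Settings shared by both road-warrior conns.
conn %default
        keyexchange=ike
        authby=rsasig
        # Placeholder proposals; set explicitly rather than relying on defaults.
        ike=aes128-sha1;modp2048
        esp=aes128-sha1
        pfs=yes
        left=%defaultroute
        leftcert=03.pem
        leftrsasigkey=%cert
        leftsendcert=always
        # leftid defaults to the subject DN of leftcert, which is what the
        # clients check (OU=Server), so it is not repeated here.
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        # Client may be behind NAT and use a virtual inner address, or none.
        rightsubnet=vhost:%priv,%no
        # Dead peer detection so stale SAs from roaming clients are dropped.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add

# General users: everything goes down the tunnel. A conn with no leftsubnet
# only protects traffic to the gateway host itself, so 0.0.0.0/0 is the
# option that means "forward all traffic". The gateway must also forward
# and NAT the decrypted traffic (net.ipv4.ip_forward=1 plus a MASQUERADE
# rule on the outside interface) for this to be useful.
conn userclient
        rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
        leftsubnet=0.0.0.0/0

# Admins: the same full tunnel. 0.0.0.0/0 already contains 10.0.1.0/24, so
# a separate SA for the private network is not needed; see the note below
# on how admins and users are then told apart.
conn adminclient
        rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
        leftsubnet=0.0.0.0/0
```

Two things to check once this is loaded: `ipsec auto --status` should list both conns with the CA as the matched issuer, and a client cert whose OU is neither User nor Admin must fail authentication rather than fall into either conn, because the rightid wildcard applies only to CN. With both groups on 0.0.0.0/0, what separates an admin from a general user is the gateway firewall, and with vhost:%priv the client proposes its own inner address, so a rule that has to distinguish the two groups cannot rely on that address alone; a dedicated gateway address per group, or addresses assigned by the gateway instead of chosen by the client, gives the firewall something it can trust.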