[Openswan Users] config check/advice

Richard Pickett richard.pickett at csrtechnologies.com
Wed Jul 6 02:42:16 EDT 2011


Gentlemen (and ladies),

I'm setting up openswan to use x.509 for the first time, finally got the
time to come back to finish it up.

Do you guys w/ openswan + x.509 experience mind doing a once-over on my
config to give me your thoughts? The documentation is pretty thorough,
except there isn't a single "complete" config example given and I want to
make sure I'm not missing some config option - even if it's maybe not
necessary but would be an enhancement or optimization.

Alternately, if you have a config you feel you can share, I'd appreciate
using it as a reference.

Overall use: I'll have two types of users connecting; one is a general user,
one is administrative. The general user just needs an IPSec tunnel out of
their location to the rest of the Internet. They won't be connecting to any
private networks; we're just trying to secure their Internet traffic because
their location isn't trusted (is there a config option that says 'forward
all traffic down the tunnel'? I couldn't find it and am guessing it's the
default behavior). The administrative user will use the IPSec tunnel the
same way, with the addition of access to a single private network the
openswan server is connected to.

Here's my basic layout:

/etc/ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    nhelpers=0

include /etc/ipsec.d/*.conf


/etc/ipsec.d/admin.conf:

conn adminclient
    right=%any
    rightca=%same
    rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
    leftcert=03.pem
    leftsubnet=10.0.1.0/24

/etc/ipsec.d/user.conf:

conn userclient
    right=%any
    rightca=%same
    rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
    leftcert=03.pem

/etc/ipsec.d/certs - holds all the certs that have been issued to the
clients in .pem format, probably not necessary since I'm matching on cert
subject

/etc/ipsec.d/private - holds the 03.pem that is the server's cert, it's
OU=Server and is signed by the same ca as all the client certs.

/etc/ipsec.d/crls - holds the crl for the ca used to sign the client keys

/etc/ipsec.d/cacerts  - holds the .pem of the ca used to sign all the client
keys.

The clients will be configured to verify the server has a matching ca and
that the OU=Server.
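Since both conns above use right=%any and rightca=%same, the only thing that separates an administrative peer from a general one is the OU in the certificate subject, matched by the wildcard rightid. The following Python is an added illustration of that selection logic written for this thread; it is not Openswan's code and makes simplifying assumptions: attribute order in the DN must match the pattern exactly, and a value of "*" matches any value. The organization name "Example Org", the CA subject and the peer subjects are constructed sample values.

```python
"""Simplified model of how a wildcard rightid and rightca=%same select a conn.

This is an illustration written for the mailing-list thread, not Openswan's
own matching code. Assumptions: DN attributes must appear in the same order
as in the pattern, and a pattern value of "*" matches any value.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CA that issued the server's 03.pem. With
# rightca=%same, a peer's certificate must come from this same issuer.
SERVER_ISSUER = "C=US, ST=Kentucky, O=Example Org, OU=CA, CN=Example CA"

# Constructed mirror of admin.conf and user.conf (O=<my O> replaced by a sample).
CONNS: Dict[str, Dict[str, Optional[str]]] = {
    "adminclient": {
        "rightid": "C=US, ST=Kentucky, O=Example Org, OU=Admin, CN=*",
        "leftsubnet": "10.0.1.0/24",
    },
    "userclient": {
        "rightid": "C=US, ST=Kentucky, O=Example Org, OU=User, CN=*",
        "leftsubnet": None,
    },
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=US, ST=Kentucky, ...' into ordered (attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_matches(pattern: str, subject: str) -> bool:
    """True if subject has the same attributes as pattern, in the same order,
    with every value equal unless the pattern value is the wildcard '*'."""
    pat = parse_dn(pattern)
    sub = parse_dn(subject)
    if len(pat) != len(sub):
        return False  # extra or missing attributes never match
    for (pa, pv), (sa, sv) in zip(pat, sub):
        if pa != sa:
            return False
        if pv != "*" and pv != sv:
            return False
    return True


def select_conn(peer_subject: str, peer_issuer: str) -> Optional[str]:
    """Return the conn name a peer certificate would select, or None.

    The issuer check models rightca=%same; the subject check models rightid.
    """
    if parse_dn(peer_issuer) != parse_dn(SERVER_ISSUER):
        return None  # signed by some other CA: rightca=%same rejects it
    for name, conn in CONNS.items():
        if dn_matches(conn["rightid"], peer_subject):
            return name
    return None


if __name__ == "__main__":
    samples = [
        ("C=US, ST=Kentucky, O=Example Org, OU=Admin, CN=alice", SERVER_ISSUER),
        ("C=US, ST=Kentucky, O=Example Org, OU=User, CN=bob", SERVER_ISSUER),
        ("C=US, ST=Kentucky, O=Example Org, OU=Server, CN=gw", SERVER_ISSUER),
        ("C=US, ST=Kentucky, O=Example Org, OU=Admin, CN=mallory",
         "C=US, ST=Kentucky, O=Other Org, OU=CA, CN=Other CA"),
    ]
    for subject, issuer in samples:
        print(f"{subject!r:70} -> {select_conn(subject, issuer)}")
```

Running the block prints which conn each constructed subject lands in: an OU=Admin peer selects adminclient (and so gets leftsubnet=10.0.1.0/24), an OU=User peer selects userclient, and an OU=Server subject or a certificate from a different CA selects nothing. The last two cases are the ones worth checking against a real setup, since the only thing keeping a general user out of the private subnet here is the OU value the CA put in their certificate.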