The significant parts of the configuration file are:

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # Only want IPSEC on the wireless segment, eth0 here.
        interfaces="ipsec0=eth0"

    # Client security information is held in a subdirectory.
    include /etc/ipsec/remote.*.conn

    # sample VPN connection
    conn wireless
        # Only 1 try, since we are the passive end, awaiting connections.
        keyingtries=1
        # Limit keylife, just to make it harder.
        keylife=1h
        # Left security gateway, subnet behind it, next hop toward right.
        # Left is the wireless machine.
        # Right security gateway, subnet behind it, next hop toward left.
        # Right is US.
        right=192.168.3.1
        rightsubnet=0.0.0.0/0
        rightnexthop=%direct
        # Need to identify ourselves
        email@example.com
        # And our public key.
        rightrsasigkey=<our public key, from /etc/ipsec.secrets>
The point of interest is the interfaces="ipsec0=eth0" line, which is used here because IPSEC is to operate only on that specific interface, which is not the default route to anywhere.

The conn section contains a number of new entries. The keyingtries=1 line limits operations to a single attempt to establish an IPSEC channel. This is reasonable here, since the connections are normally established from the wireless device. A limit of 0 might look reasonable, except that 0 means unlimited tries - definitely not appropriate here.

The keylife parameter must also be set to the same value as that used on the laptop end. Otherwise, the entries are pretty much standard, and should match the corresponding entry on the laptop.
The included file contents are:
    # Connections from 'sporty' to jackie over the wireless link
    conn jackie-sporty
        # Left security gateway, subnet behind it, next hop toward right.
        # Left is the wireless machine, whose IP address will change from
        # time to time, so the '%any' means accept whatever
        left=%any
        leftnexthop=%direct
        #
        # Defined in the main config file.
        also=wireless
        #
        # Right security information is brought in by the above 'include'
        # An identity string for sporty.
        firstname.lastname@example.org
        # Sporty's public key
        leftrsasigkey=<laptop public key>
        # Authorize this connection, but don't actually start it, at startup
        # (auto=add; auto=start would try to initiate, which cannot work
        # with left=%any since the peer's address is unknown).
        auto=add

The left=%any entry specifies that any address is accepted for the left hand (i.e. the laptop) end. This is the standard road warrior configuration. The leftnexthop=%direct line tells IPSEC how to set the global routing table, namely that packets destined for the connecting machine will go directly to its IP address, not via some gateway.
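The following is an added example, not part of the original configuration: a small parser for ipsec.conf-style text that flattens also= references and checks the three points made above (keyingtries=0 means unlimited, keylife must match the laptop end, and a left=%any conn cannot be auto=start). The sample fragment and the laptop_keylife parameter are constructed assumptions.

```python
# Constructed ipsec.conf fragment in the style discussed above (not the page's file).
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth0"
conn wireless
    keyingtries=1
    keylife=1h
    right=192.168.3.1
conn jackie-sporty
    left=%any
    also=wireless
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if line == "config setup":
            current = sections.setdefault("setup", {})
        elif line.startswith("conn "):
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:  # skips blank and 'include' lines
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def resolve(sections, name):
    """Flatten 'also=' references: inherited entries first, own entries override."""
    merged, own = {}, sections[name]
    for parent in own.get("also", "").split():
        merged.update(resolve(sections, parent))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def check_roadwarrior(sections, name, laptop_keylife="1h"):
    """List problems in a passive road warrior conn; laptop_keylife is assumed known."""
    conn = resolve(sections, name)
    problems = []
    if conn.get("keyingtries") == "0":
        problems.append("keyingtries=0 means unlimited tries on the passive end")
    if conn.get("keylife") != laptop_keylife:
        problems.append("keylife %s does not match the laptop's %s" % (conn.get("keylife"), laptop_keylife))
    if conn.get("left") == "%any" and conn.get("auto") == "start":
        problems.append("left=%any cannot be initiated: use auto=add, not auto=start")
    return problems
```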