Securing-Optimizing-RH-Linux-1_2_302
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
conn deep-mail
left=208.164.186.1
leftsubnet=192.168.1.0/24
leftnexthop=205.151.222.250
right=208.164.186.2
rightsubnet=192.168.1.0/24
rightnexthop=205.151.222.251
keyingtries=0
auth=ah
auto=start
This tells the ipsec.conf file to set itself up for this particular configuration with the following options:
interfaces="ipsec0=eth0"
This option specifies which virtual and physical interfaces IPSEC should use. The default setting, interfaces=%defaultroute, will look for your default connection to the Internet or your corporate network. You can also name one or more specific interfaces to be used by FreeS/WAN. For example:
interfaces="ipsec0=eth0"
interfaces="ipsec0=eth0 ipsec1=ppp0"
Both set the eth0 interface as ipsec0. The second one also supports IPSEC over the PPP interface. If the default setting interfaces=%defaultroute is not used, then the specified interfaces will be the only ones this gateway machine can use to communicate with other IPSEC gateways.
klipsdebug=none
This option specifies the debugging output for KLIPS (the kernel IPSEC code). The default value none means no debugging output, and the value all means full output.
plutodebug=none
This option specifies the debugging output for the Pluto keying daemon. The default value none means no debugging output, and the value all means full output.
plutoload=%search
This option specifies which connections (by name) to load automatically into memory when Pluto starts. The default is none, and the value %search loads all connections that have auto=add or auto=start.
plutostart=%search
This option specifies which connections (by name) to negotiate automatically when Pluto starts. The default is none, and the value %search starts all connections that have auto=start.
conn deep-mail
This option specifies the name given to identify the connection specification to be made using IPSEC. It is a good convention to name connections by their ends to avoid mistakes. For example, the link between the deep.openarch.com and mail.openarch.com gateway servers can be named "deep-mail", or the link between your Montreal and Paris offices "montreal-paris".
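As an added example (code written for this edit, not taken from the book or from FreeS/WAN), the following Python parses the ipsec.conf layout shown above and checks the rules this section describes: which connections plutoload=%search and plutostart=%search select from their auto= values, and that the conn sections agree on both gateways, with only the interfaces= line allowed to differ. The two gateway files are constructed samples; the second deliberately mistypes the connection name to show what the check reports.

```python
def parse_ipsec_conf(text):
    """{section: {key: value}} from ipsec.conf text; unindented lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()           # drop comments
        if line and not line[0].isspace():             # 'config setup' / 'conn NAME'
            current = line.strip()
            sections[current] = {}
        elif line.strip() and current is not None:     # indented key=value line
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def pluto_selection(conf):
    """Names plutoload=%search loads (auto=add or start) and plutostart=%search starts."""
    conns = {n[5:]: v for n, v in conf.items() if n.startswith('conn ')}
    load = sorted(n for n, v in conns.items() if v.get('auto') in ('add', 'start'))
    start = sorted(n for n, v in conns.items() if v.get('auto') == 'start')
    return load, start

def compare_gateways(conf_a, conf_b):
    """Conns must match on both gateways; in config setup only interfaces= may differ."""
    problems = []
    conns_a, conns_b = ({n for n in c if n.startswith('conn ')} for c in (conf_a, conf_b))
    for name in sorted(conns_a ^ conns_b):
        problems.append(f'{name}: present on only one gateway')
    for name in sorted(conns_a & conns_b):
        for key in sorted(set(conf_a[name]) | set(conf_b[name])):
            if conf_a[name].get(key) != conf_b[name].get(key):
                problems.append(f'{name}: {key} differs')
    setup_a, setup_b = conf_a.get('config setup', {}), conf_b.get('config setup', {})
    for key in sorted(set(setup_a) | set(setup_b)):
        if key != 'interfaces' and setup_a.get(key) != setup_b.get(key):
            problems.append(f'config setup: {key} differs')
    return problems

# Constructed sample: a 'config setup' section plus two conns (addresses omitted).
GATEWAY_A = """\
config setup
    interfaces="ipsec0=eth0"
    plutoload=%search
    plutostart=%search
conn deep-mail
    auth=ah
    auto=start
conn montreal-paris
    auto=add
"""
# Second gateway: using eth1 is a legitimate difference, the renamed conn is not.
GATEWAY_B = GATEWAY_A.replace('eth0', 'eth1').replace('deep-mail', 'mail-deep')
```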
Note that the name deep-mail, or whatever you have chosen, should be the same in the ipsec.conf files on both gateways. In other words, the only change you should make in the /etc/ipsec.conf file on the second gateway is changing the interfaces= line to match the interface the second gateway uses for the IPSEC connection, if of course it is different from the first gateway. For example, if the interface eth0 is used on both gateways for IPSEC communication, then you don't need to change the interfaces= line on the second gateway. In the