Securing-Optimizing-RH-Linux-1_2_302
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

conn deep-mail
        left=208.164.186.1
        leftsubnet=192.168.1.0/24
        leftnexthop=205.151.222.250
        right=208.164.186.2
        rightsubnet=192.168.1.0/24
        rightnexthop=205.151.222.251
        keyingtries=0
        auth=ah
        auto=start

This tells the ipsec.conf file to set itself up for this particular configuration with:

interfaces="ipsec0=eth0"
This option specifies which virtual and physical interfaces IPSEC should use. The default setting, “interfaces=%defaultroute”, will look for your default connection to the Internet or your corporate network. You can also name one or more specific interfaces to be used by FreeS/WAN. For example:

        interfaces="ipsec0=eth0"
        interfaces="ipsec0=eth0 ipsec1=ppp0"

Both set the eth0 interface as ipsec0. The second one also supports IPSEC over a PPP interface. If the default setting “interfaces=%defaultroute” is not used, then the specified interfaces will be the only ones this gateway machine can use to communicate with other IPSEC gateways.

klipsdebug=none
This option specifies the debugging output for KLIPS (the kernel IPSEC code). The default value, none, means no debugging output, and the value all means full output.

plutodebug=none
This option specifies the debugging output for Pluto (the key negotiation daemon). The default value, none, means no debugging output, and the value all means full output.

plutoload=%search
This option specifies which connections (by name) to load automatically into memory when Pluto starts. The default is none, and the value %search loads all connections with auto=add or auto=start.

plutostart=%search
This option specifies which connections (by name) to automatically negotiate when Pluto starts. The default is none, and the value %search starts all connections with auto=start.
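The following is an added example, not code from the book or from FreeS/WAN: it parses an ipsec.conf-style file and works out which connections plutoload=%search and plutostart=%search select, following the rules just described. The function names and the deep-backup and deep-test connections are hypothetical, and only the options described here are handled.

```python
# Added example, not from the book. Conns marked "constructed" are sample data.
SAMPLE = """\
config setup
        plutoload=%search
        plutostart=%search

conn deep-mail
        left=208.164.186.1
        right=208.164.186.2
        auto=start

conn deep-backup        # constructed
        left=192.0.2.1
        right=192.0.2.2
        auto=add

conn deep-test          # constructed, has no auto= line
        left=192.0.2.1
        right=192.0.2.3
"""

def parse_ipsec_conf(text):
    """Map (section kind, name) -> {option: value}; indented lines are options."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # "config setup" / "conn NAME"
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def pluto_selection(sections):
    """Return the conns Pluto loads, the ones it starts, and the ones it skips."""
    autos = {n: o.get("auto") for (k, n), o in sections.items() if k == "conn"}
    def pick(option, wanted):
        value = sections.get(("config", "setup"), {}).get(option, "")
        if value == "%search":                     # select by each conn's auto=
            return sorted(n for n, a in autos.items() if a in wanted)
        return sorted(value.split())               # explicit names, or none if unset
    load = pick("plutoload", {"add", "start"})
    start = pick("plutostart", {"start"})
    return {"load": load, "start": start, "ignored": sorted(set(autos) - set(load))}

print(pluto_selection(parse_ipsec_conf(SAMPLE)))
```

The "ignored" list is the part worth checking on a gateway: a connection with no auto= line is defined in the file but never loaded under %search, so no tunnel comes up for it.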
conn deep-mail
This option specifies the name given to identify the connection specification to be made using IPSEC. It’s a good convention to name connections by their ends to avoid mistakes. For example, the link between the deep.openarch.com and mail.openarch.com gateway servers can be named "deep-mail", or the link between your Montreal and Paris offices "montreal-paris".

Note that the name “deep-mail”, or whatever you have chosen, should be the same in the “ipsec.conf” files on both gateways. In other words, the only change you should make in the “/etc/ipsec.conf” file on the second gateway is changing the “interfaces=” line to match the interface the second gateway uses for the IPSEC connection, if of course it’s different from the first gateway. For example, if the interface eth0 is used on both gateways for IPSEC communication, you don’t need to change the “interfaces=” line on the second gateway. In the