
Securing-Optimizing-RH-Linux-1_2_303
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 303

other case, if the first gateway uses eth0 and the second uses eth1, you must change the line “interfaces=” on the second gateway to match the interface eth1.

left=208.164.186.1
This option specifies the IP address of the gateway's external interface used to talk to the other gateway.

leftsubnet=192.168.1.0/24
This option specifies the IP network or address of the private subnet behind the gateway.

leftnexthop=205.151.222.250
This option specifies the IP address of the first router in the appropriate direction or ISP router.

right=208.164.186.2
This is the same explanation as “left=” but for the right destination.

rightsubnet=192.168.1.0/24
This is the same explanation as “leftsubnet=” but for the right destination.

rightnexthop=205.151.222.251
This is the same explanation as “leftnexthop=” but for the right destination.

keyingtries=0
This option specifies how many attempts (an integer) should be made in (re)keying negotiations. The default value 0 (retry forever) is recommended.

auth=ah
This option specifies whether authentication should be done separately using AH (Authentication Header), or be included as part of the ESP (Encapsulated Security Payload) service. This is preferable where the IP headers are exposed, to prevent man-in-the-middle attacks.

auto=start
This option specifies whether automatic startup operation should be done at IPSEC startup.

NOTE: A data mismatch anywhere in this configuration “ipsec.conf” will cause FreeS/WAN to fail and to log various error messages.

Configure the “/etc/ipsec.secrets” file

The file “ipsec.secrets” stores the secrets used by the pluto daemon to authenticate communication between both gateways. Two different kinds of secrets can be configured in this file, which are preshared secrets and RSA private keys.

You must check the modes and permissions of this file to be sure the super-user “root” owns the file, and that its permissions are set to block all access by others.

Step 1
An example secret is supplied in the “ipsec.secrets” file by default and you should change it by creating your own. With automatic keying you may have a shared secret up to 256 bits, which is then used during the key exchanges to make sure a man-in-the-middle attack does not occur.

· To create a new shared secret, use the following commands:
[root@deep /]# ipsec ranbits 256 > temp

A new random key is created with the ranbits(8) utility in the file named “temp”. The ranbits utility may pause for a few seconds if not enough entropy is available immediately.
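As an added example (not code from the book), a small Python checker for the two requirements above: the conn parameters must be internally consistent (a bad address or subnet is exactly the kind of data mismatch the NOTE warns about), and ipsec.secrets must be root-owned with no group/other access. The conn name gw1-gw2 and the sample fragment are constructed from the values in the text.

```python
import ipaddress
import stat

# Constructed ipsec.conf fragment built from the values in the text; the conn name is made up.
SAMPLE_CONF = """\
conn gw1-gw2
        left=208.164.186.1
        leftsubnet=192.168.1.0/24
        leftnexthop=205.151.222.250
        right=208.164.186.2
        rightsubnet=192.168.1.0/24
        rightnexthop=205.151.222.251
        keyingtries=0
        auth=ah
        auto=start
"""
REQUIRED = ("left", "leftsubnet", "leftnexthop", "right", "rightsubnet", "rightnexthop")

def parse_conn(text, name):
    """Collect the key=value lines of 'conn <name>'; an unindented line starts a new section."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if line and not line[0].isspace():    # unindented: section header
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params

def conn_problems(params):
    """List the data mismatches pluto would reject; an empty list means the conn is consistent."""
    problems = [f"missing {k}" for k in REQUIRED if k not in params]
    for side in ("left", "right"):
        try:
            ipaddress.ip_address(params.get(side, ""))
            ipaddress.ip_address(params.get(side + "nexthop", ""))
            ipaddress.ip_network(params.get(side + "subnet", ""))  # strict: host bits must be zero
        except ValueError as err:
            problems.append(f"{side}: {err}")
    if params.get("auth", "esp") not in ("ah", "esp"):
        problems.append("auth must be ah or esp")
    return problems

def secrets_problems(st_mode, st_uid):
    """ipsec.secrets must be owned by root (uid 0) with no group/other permission bits."""
    problems = [] if st_uid == 0 else ["not owned by root"]
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/others; chmod 600")
    return problems
```

On a real gateway, feed `secrets_problems` the `st_mode` and `st_uid` from `os.stat("/etc/ipsec.secrets")` and `parse_conn` the contents of /etc/ipsec.conf.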