For some strange reason, there appears to be extremely limited information on how to achieve this on the internet. It took me a while to figure out, but this setup works for me. This setup will allow access to *everything* on your internal LAN, so it is imperative that you set strong passwords on it, and consider using RSA keys, etc.
A massive thanks has to go to the author of this post, for making things far easier to understand.
This is the easy part, and is very straightforward. Simply follow the directions here, ensuring that under Phase 1 the DH KEY Group is set to 1024bit (2). Under Phase 2, again ensure it is set to 1024bit (2). Once you've applied the settings, thats it. If you've configured PPTP under a m0n0wall before, you might recall having to set up a world of rules and assigning a whole new subnet ; no need to do that here.
I'm using ARCH linux ; the location of you files as provided by your Linux distrubution may be slightly different. I'm sure you can work it out.
The first file to edit is for me /etc/ipsec.conf - The contents of this file are simply this.
# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup interfaces=%defaultroute klipsdebug=none plutodebug=none uniqueids=yes protostack=netkey nat_traversal=yes conn %default # How persistent to be in (re)keying negotiations (0 means very) keyingtries=0 # Add connections here conn tomonowall aggrmode=yes ike=3des-sha1-modp1024 esp=3des-sha1 authby=secret left=%defaultroute leftid=@firstname.lastname@example.org right=hostname_or_ip_of_remote_server rightsubnet=10.0.0.1/8 # the remote subnets in use you wish to connect to rightid=hostname_or_ip_of_remote_server auto=start #Disable Opportunistic Encryption # suggested by others, but this file doesn't exist on my system. it seems to work without though #include /etc/ipsec/ipsec.d/examples/no_oe.conf
The next thing to set up is the /etc/ipsec.secrets file. You may need to create this, I did. Ensure that the file has the permissions octal 600 to stop other users on a system being able to read the file, and that it is owned by root.
cp /dev/null /etc/ipsec.secrets chmod 0600 /etc/ipsec.secrets chown root /etc/ipsec.secrets
And the contents of the file should be similar to:
@email@example.com hostname_or_ip_address_of_remote_server: PSK "mysecretpassword"
You should be good to go now. On my machine, the init script is installed as /etc/rc.d/openswan, so I can bring up the tunnel with:
The script seems to finish remarkably quickly, and almost immediately I can ping remote hosts on the other side of the tunnel.
$Id: monowall_openswan.html,v 1.5 2010/04/07 09:51:21 simonb Exp $