For some strange reason, there appears to be extremely limited information on how to achieve this on the internet. It took me a while to figure out, but this setup works for me. This setup will allow access to *everything* on your internal LAN, so it is imperative that you set strong passwords on it, and consider using RSA keys, etc.
A massive thanks has to go to the author of this post, for making things far easier to understand.
This is the easy part, and is very straightforward. Simply follow the directions here, ensuring that under Phase 1 the DH KEY Group is set to 1024bit (2). Under Phase 2, again ensure it is set to 1024bit (2). Once you've applied the settings, that's it. If you've configured PPTP under a m0n0wall before, you might recall having to set up a world of rules and assigning a whole new subnet; no need to do that here.
I'm using Arch Linux; the location of the files in your Linux distribution may be slightly different. I'm sure you can work it out.
The first file to edit is, for me, /etc/ipsec.conf. The contents of this file are simply this:
# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file
version 2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    protostack=netkey
    nat_traversal=yes

conn %default
    # How persistent to be in (re)keying negotiations (0 means very)
    keyingtries=0

# Add connections here
conn tomonowall
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret
    left=%defaultroute
    leftid=@you@youremail.com
    right=hostname_or_ip_of_remote_server
    rightsubnet=10.0.0.1/8    # the remote subnets in use you wish to connect to
    rightid=hostname_or_ip_of_remote_server
    auto=start

# Disable Opportunistic Encryption
# suggested by others, but this file doesn't exist on my system. It seems to work without, though.
#include /etc/ipsec/ipsec.d/examples/no_oe.conf
The next thing to set up is the /etc/ipsec.secrets file. You may need to create this file; I did. Ensure that the file has the permissions octal 600, so that other users on the system cannot read it, and that it is owned by root:
cp /dev/null /etc/ipsec.secrets
chmod 0600 /etc/ipsec.secrets
chown root /etc/ipsec.secrets
And the contents of the file should be similar to:
@you@youremailaddress.com hostname_or_ip_address_of_remote_server: PSK "mysecretpassword"
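As an added example (not code from the original post), here is a small Python audit that parses an Openswan-style ipsec.conf like the one above and lists the choices a reviewer would question in each conn (aggressive mode, PSK authentication, 3DES, DH group 2), plus a check that ipsec.secrets carries exactly the 0600 mode set above. The sample configuration is constructed from this page, and the thresholds are my own rather than Openswan's.

```python
import stat

# Constructed sample: the conn from this how-to, embedded so the audit runs offline.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn tomonowall
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret
    rightsubnet=10.0.0.1/8   # the remote subnets in use
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; sections are 'config setup', 'conn <name>'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented line starts a section
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None:                     # indented line is key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit_conn(params):
    """List the weak choices in one conn section (thresholds are my own, not Openswan's)."""
    findings = []
    if params.get("aggrmode") == "yes":
        findings.append("aggrmode: identity and PSK-derived hash are sent unencrypted")
    if params.get("authby") == "secret":
        findings.append("authby=secret: pre-shared key; rsasig is stronger")
    for key in ("ike", "esp"):
        proposal = params.get(key, "")
        if "3des" in proposal:
            findings.append(f"{key}: 3des is a 64-bit block cipher, prefer aes")
        if "modp1024" in proposal:
            findings.append(f"{key}: DH group 2 (modp1024) is too small, prefer modp2048+")
    return findings

def audit_conf(text):
    """Map every conn name to its findings."""
    return {name[5:]: audit_conn(params)
            for name, params in parse_ipsec_conf(text).items() if name.startswith("conn ")}

def secrets_mode_ok(st_mode):
    """ipsec.secrets must be exactly 0600 (owner read/write only), as the how-to sets it."""
    return stat.S_IMODE(st_mode) == 0o600
```

Run it against your real file with `audit_conf(open("/etc/ipsec.conf").read())` and `secrets_mode_ok(os.stat("/etc/ipsec.secrets").st_mode)`.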
You should be good to go now. On my machine, the init script is installed as /etc/rc.d/openswan, so I can bring up the tunnel with:
/etc/rc.d/openswan start
The script seems to finish remarkably quickly, and almost immediately I can ping remote hosts on the other side of the tunnel.
$Id: monowall_openswan.html,v 1.5 2010/04/07 09:51:21 simonb Exp $