Connecting to a m0n0wall IPSec VPN using Linux and OpenSWAN

For some strange reason, there appears to be extremely limited information on the internet about how to achieve this. It took me a while to figure out, but this setup works for me. Note that this setup allows access to *everything* on your internal LAN, so it is imperative that you set a strong password (pre-shared key) on it, and consider using RSA keys instead.

A massive thanks has to go to the author of this post, for making things far easier to understand.

m0n0wall Configuration

This is the easy part, and is very straightforward. Simply follow the directions here, ensuring that under Phase 1 the DH key group is set to 1024bit (2). Under Phase 2, again ensure it is set to 1024bit (2). Once you've applied the settings, that's it. If you've configured PPTP on a m0n0wall before, you might recall having to set up a world of rules and assign a whole new subnet; there is no need to do that here.

Linux Configuration

I'm using Arch Linux; the location of your files as provided by your Linux distribution may be slightly different. I'm sure you can work it out.

The first file to edit is, for me, /etc/ipsec.conf. The contents of this file are simply this:

# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup

conn %default
        # How persistent to be in (re)keying negotiations (0 means very)

# Add connections here
conn tomonowall
        rightsubnet=   # the remote subnets in use you wish to connect to

#Disable Opportunistic Encryption
#   suggested by others, but this file doesn't exist on my system.  it seems to work without though
#include /etc/ipsec/ipsec.d/examples/no_oe.conf

The next thing to set up is the /etc/ipsec.secrets file. You may need to create this; I did. Ensure that the file has permissions of octal 600, so that other users on the system cannot read it, and that it is owned by root.

cp /dev/null /etc/ipsec.secrets
chmod 0600 /etc/ipsec.secrets
chown root /etc/ipsec.secrets

And the contents of the file should be similar to:

hostname_or_ip_address_of_remote_server: PSK "mysecretpassword"
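As an added example (not part of the original post), the following shell function audits an ipsec.secrets file against the requirements above: mode 0600, owned by root, and every entry of the form peer: PSK "secret". The 20-character minimum PSK length is this example's own threshold, the OWNER parameter (defaulting to root) exists only so the check can be run against a non-root test copy, and it relies on GNU coreutils stat as found on Arch.

```shell
#!/bin/sh
# Added example: audit an ipsec.secrets file for the PSK setup described above.
# Assumptions: GNU stat (-c), and a 20-character minimum PSK length chosen here.
MIN_PSK_LEN=20

# check_ipsec_secrets FILE [OWNER]
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
# OWNER defaults to root, as the text requires.
check_ipsec_secrets() {
    file=$1
    want_owner=${2:-root}
    problems=0

    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # %a = octal mode, %U = owner name (GNU coreutils stat)
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600 (chmod 0600 $file)"
        problems=$((problems + 1))
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"
        problems=$((problems + 1))
    fi

    # Walk the entries, skipping blank lines and comments.
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        # Expected shape: <peer>: PSK "<secret>"
        peer=${line%%:*}
        rest=${line#*:}
        secret=$(printf '%s\n' "$rest" | sed -n 's/^[[:space:]]*PSK[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p')
        if [ "$peer" = "$line" ] || [ -z "$peer" ] || [ -z "$secret" ]; then
            echo "line $lineno: not of the form 'peer: PSK \"secret\"'"
            problems=$((problems + 1))
            continue
        fi
        if [ "${#secret}" -lt "$MIN_PSK_LEN" ]; then
            echo "line $lineno: PSK for $peer is ${#secret} chars, under $MIN_PSK_LEN"
            problems=$((problems + 1))
        fi
    done < "$file"

    [ "$problems" -eq 0 ]
}
```

Run it as check_ipsec_secrets /etc/ipsec.secrets after creating the file; a clean file produces no output and exit status 0.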

You should be good to go now. On my machine, the init script is installed as /etc/rc.d/openswan, so I can bring up the tunnel with:

/etc/rc.d/openswan start

The script seems to finish remarkably quickly, and almost immediately I can ping remote hosts on the other side of the tunnel.

$Id: monowall_openswan.html,v 1.5 2010/04/07 09:51:21 simonb Exp $