Before you can configure your IPSec setup, there is a little basic terminology to go through. Ready? Excellent!
There are two major types of IPSec configurations. You will need to decide which one you will be using.
Transport mode signifies host-to-host encryption. This is typically used when you have, for example, a server somewhere that you would like to communicate with securely. Only the traffic between the two hosts is encrypted, and there is typically no routing enabled on either machine. This is the mode I was using when writing this page. It is also sometimes known as "Bump in the stack" mode.
Tunnel mode generally signifies net-to-net encryption, and is what is known as a classic VPN. Here you have two separate networks that want to communicate with each other over an insecure medium (normally the Internet). Essentially, the gateway of each network encrypts all communication with the other gateway, and routes any traffic from its local network across that link to the other network. This mode is also normally used for "road warrior" type communications, where a single mobile computer (the road warrior) needs to connect to and access a corporate network, again over an insecure medium. This is also sometimes known as "Bump in the wire".
Got all that? Excellent! Now, on to the mystical ways of server authentication.
FreeS/WAN by default supports two types of authentication: Pre-Shared Keys (PSK) or RSA keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution. If the PSK is compromised, the link is also compromised, as it becomes trivial to mount a ManInTheMiddle style attack. Using RSA keys is much more secure, since only the public key has to be exchanged, and it can be transferred over the wire without fear.
Note: While almost all IPSec implementations known to man support PSK, very few support RSA. The rest (pay attention, anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this, but it requires a patch to the code and various other bits that I'm not quite sure how they work. Watch this space!
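To show how the two modes above and the two authentication methods map onto FreeS/WAN configuration keys, here is a constructed /etc/ipsec.conf that is not from the original page: one transport-mode connection authenticated with RSA signatures, and one tunnel-mode (net-to-net) connection authenticated with a PSK. All addresses, subnets and key values are placeholders.

```ini
# /etc/ipsec.conf (FreeS/WAN) - constructed example, placeholder addresses
config setup
    interfaces=%defaultroute

# Transport mode ("bump in the stack"): only traffic between these two hosts
# is protected and nothing is routed. authby=rsasig means only the public
# keys are exchanged; each side's key comes from 'ipsec showhostkey --left'
# or '--right' run on that host (values below are placeholders).
conn host-to-host
    type=transport
    left=192.0.2.10
    right=198.51.100.20
    authby=rsasig
    leftrsasigkey=0sAQ...PLACEHOLDER-LEFT-PUBLIC-KEY...
    rightrsasigkey=0sAQ...PLACEHOLDER-RIGHT-PUBLIC-KEY...
    auto=start

# Tunnel mode ("bump in the wire"): the two gateways protect and route the
# traffic of the subnets behind them. Shown with authby=secret (PSK) so the
# contrast with the RSA connection above is visible; rsasig is preferable.
conn net-to-net
    type=tunnel
    left=192.0.2.10
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
```

The PSK for net-to-net lives in /etc/ipsec.secrets (mode 0600, root only) on both gateways as a line of the form `192.0.2.10 198.51.100.20 : PSK "a-long-random-secret"`; the RSA connection needs no entry there beyond each host's own private key.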
Next Note: If you want to interoperate with Windows 2000/XP, make sure that
auth.log.0:Nov 13 15:26:08 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
iptables -A INPUT -p esp -j ACCEPT
Yet Another Note: Instructions on exporting X.509 certificates for use on 2k/xp can be found at http://www.natecarlson.com/linux/ipsec-x509.php, with a wealth of information at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. You'll also want a free utility from http://vpn.ebootis.de to make the necessary IPSec policy changes on win2k/xp when you want to connect.
For an example PSK setup, head over to IPSecConfigurationPSK.
For an example RSA setup, head over to IPSecConfigurationRSA.