Before you can configure your IPSec setup, there is a little basic terminology to go through. Ready? Excellent!
Transport mode signifies host-to-host encryption. This is typically used if you have, for example, a server somewhere you would like to communicate securely with. Only the link between the two hosts is encrypted and there is typically no routing enabled on either machine. This is the mode I was using when writing this page. This is also sometimes known as "Bump in the stack" mode.
Got all that? Excellent! Now, on to the mystical ways of server authentication.
FreeS/WAN by default supports two types of authentication: Pre-Shared Keys (PSK) or RSA keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution. If the PSK is compromised, the link is also compromised, as it becomes trivial to set up a man-in-the-middle attack. Using RSA keys is much more secure, as only the public key needs to be transferred over the wire, and that can be done without fear.
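As an added example (this is not configuration from the original page), here is what the two authentication choices look like side by side in FreeS/WAN configuration for a transport-mode link between two hosts. The addresses, connection names and key strings are placeholders, and the `ipsec newhostkey` / `ipsec showhostkey` commands named in the comments are given from memory and should be checked against the man pages of the version you run.

```ini
# Added example, not from the original page. Placeholder addresses and keys.

# --- /etc/ipsec.conf ---
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0

# Weaker variant: both ends share one secret. Anyone who learns it can
# impersonate either host, so the link is only as trustworthy as the
# channel used to distribute the secret.
conn hostA-hostB-psk
        type=transport
        left=192.0.2.10
        right=192.0.2.20
        authby=secret
        auto=ignore

# Preferred variant: each host proves its identity with its own RSA key.
# Only the *public* halves appear in this file, so it can be exchanged
# in the clear; a copied ipsec.conf gives an attacker nothing to impersonate.
conn hostA-hostB-rsa
        type=transport
        left=192.0.2.10
        leftrsasigkey=0sAQ...PLACEHOLDER-LEFT-PUBLIC-KEY...
        right=192.0.2.20
        rightrsasigkey=0sAQ...PLACEHOLDER-RIGHT-PUBLIC-KEY...
        authby=rsasig
        auto=start

# --- /etc/ipsec.secrets (mode 0600, owned by root) ---
# PSK: the identical line must exist, verbatim, on both hosts.
192.0.2.10 192.0.2.20 : PSK "replace-with-a-long-random-secret"

# RSA: the private key stays on this host only. Generate it with
#   ipsec newhostkey --output /etc/ipsec.secrets
# and paste the public half printed by
#   ipsec showhostkey --left     (or --right, on the other host)
# into the conn section of ipsec.conf above.
: RSA {
        # Private key block written by `ipsec newhostkey` goes here.
        # It is never copied to the peer.
        }
```

The two conn sections differ only in `authby=` and the presence of the `*rsasigkey=` lines, which is the whole point: moving from PSK to RSA changes what has to be kept secret (one shared string on two machines versus one private key per host) without changing the transport-mode link itself.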
Note: While almost all IPSec implementations known to man support PSK, very few support RSA. The rest (pay attention anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this but requires a patch to the code and various other bits that I'm not quite sure how they work. Watch this space!
Next Note: If you are wanting to interoperate with Windows 2000/XP, make sure that
Yet Another Note: Instructions on exporting X.509 certs for use on 2k/xp can be found at http://www.natecarlson.com/linux/ipsec-x509.php, with a wealth of information at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. You'll also want a free utility found at http://vpn.ebootis.de to make the necessary IPSec policy changes to win2k/xp when you want to connect.