Welcome to the house of PSK!
We are now going to attempt to set up an IPSec tunnel between two hosts using PreSharedKey? authentication.
First, some basic information. In this little page, I'm going to assume we have two machines - "green" and "orange". Green has an IP of 10.2.1.1 and Orange has an IP of 10.2.1.2. The PreSharedKey? we are using will be "Welcome to IPSec" because that seems appropriate somehow.
The configuration file stores (surprise) your configuration! The secrets file stores authentication methods (PSK in this case, but it can also store RSA keys or X.509 certificates).
All of the options used are explained in much detail in "man ipsec.conf". I suspect the (left|right)rsasigkey params are useless in this particular setup but having a secure default set never hurts.
Now, lets explain a few things about that setup. The first thing that generally confused me was this left and right business. How do you know what to call which? The answer, fortunately is simple - FreeS/WAN figures out which machine is left and right. The idea behind this is that you can cut and paste the configuration from one box to another without having to change anything at all, and it will work because it will realise which of left/right that machine it is on, is. Magic, eh?
auto=start is an option that means that FreeS/WAN will attempt to initiate this connection as soon as it is started. This means that when the box is rebooted, it will immediately attempt to establish this tunnel, ready for data.
authby=secret here is the important one for this page - selecting "secret" as our authby option means that we are authenticating this connection using a PreSharedKey?. The alternative option here is rsasig - see IPSecConfigurationRSA.
Make sure those config files are the same on both servers, else you will have problems. Also, if you are actually on one of them and SSHing to the other, I strongly suggest you start IPSec on the remote box first. Once you start one, you see, the other one won't talk to it until it too has IPSec up and running. This might seem a little dumb at first, but on the flip side it means that if you can talk to that machine, you are guaranteed that the connection is encrypted. Probably. Unless someone turned off IPSec at both ends.
You will notice that you now have an ipsec0 interface. This is the virtual interface that all IPSec tunnels communicate through. There is one ipsec interface per physical interface it uses - many tunnels, however, can all use the same interface. I hope that made sense.
Now! At this point, you should be able to ping between the boxes and notice that the data transferred over the ipsec0 interface (ifconfig is your friend here) increases. If you run something nice like gkrellm, you will notice a new interface popped up under eth0 and it will start showing you the activity as you ping. According to that, a constant once-per-second ping generates 234 bytes of data per second.
I'm going to start keeping some benchmarks over at IPSecBenchmarks so people can compare performance of tunnels.
lib/main.php:944: Notice: PageInfo: Cannot find action page