
iPAQ FreeS/WAN VPN HOW-TO

Overview:

For an overview, see the IPSEC Section of my project summary.


Setup:

First you need to get Familiar set up. Follow the #1 and make sure you use my updated familiar-v0.4-eb3.jffs2 image (it has the gmp libs and the FreeS/WAN programs in it). If you just want the FreeS/WAN tools and the gmp libraries, see my utility download page.

Here is the current iPAQ client configuration file with comments:
  # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
  # basic configuration
  config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls: "none" for (almost) none,
	# "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control
	# startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID
	# shows up.
	uniqueids=yes

  # defaults for subsequent connection descriptions
  conn %default
	# How persistent to be in (re)keying negotiations
	# (0 means very).
	keyingtries=0
	# RSA signature authentication, with keys from DNS.
	authby=rsasig
	# use Perfect Forward Secrecy (see the docs)
	pfs=yes
	# use DNS for keys if they are not given
	leftrsasigkey=%dns
	rightrsasigkey=%dns

  # iPAQ connection - Group 1
  conn ipaq-net-01
	left=%defaultroute
	# use the @hostname form for the id so it WILL NOT
	# try to resolve the hostname
	leftid=@tatoo
	leftrsasigkey="put iPAQ pubkey here"
	right=IP.OF.GATEWAY.PC
	rightid=@gateway
	rightrsasigkey="put gateway pubkey here"
	# sets startup options (set to "start" to start automatically)
	auto=add
	keyingtries=0

The default configuration values are used for all values not explicitly set in the configuration file. Some important default values are listed below:
  # sets the IPsec connection type
  type=tunnel
  # content compression
  compress=no
  # sets the authentication type (ESP, not AH)
  auth=esp

Also, to set up the RSA key for your iPAQ, use the following command:
ipsec rsasigkey --verbose 2048 > /etc/ipsec.secrets

The format of the generated key file is given below with comments. You will need to take the pubkey value and put it in as the left/rightrsasigkey value (and get the gateway's pubkey from the admin). See the FreeS/WAN Docs for more details.

	# RSA 2048 bits   roadrunner.buserror.org   Sun Aug 12 21:16:44 2001
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0s...
	#IN KEY 0x4200 4 1 ...
	# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
	Modulus: 0x...
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0x...
	Prime1: 0x...
	Prime2: 0x...
	Exponent1: 0x...
	Exponent2: 0x...
	Coefficient: 0x...
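Before pasting a pubkey into ipsec.conf it is worth checking that the key file is self-consistent and that the "0s" pubkey line really is the base64 RFC 2537 encoding of the Modulus and PublicExponent. The following is an added example, not code from this page or from FreeS/WAN; it parses a constructed toy key in the rsasigkey layout above (tiny primes, not a usable key) and assumes the PKCS#1 convention for Coefficient (q^-1 mod p):

```python
import base64
import math
import re
# Constructed sample in the layout rsasigkey writes (values are NOT from the page):
# p=11, q=17, e=3, so n=187 and d=107. A toy key used only to exercise the checks.
SAMPLE_KEYFILE = """\
# RSA 8 bits   ipaq.example   Sun Aug 12 21:16:44 2001
#pubkey=0sAQO7
Modulus: 0xbb
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x6b
Prime1: 0x0b
Prime2: 0x11
Exponent1: 0x07
Exponent2: 0x0b
Coefficient: 0x02
"""

def parse_keyfile(text):
    """Return the 'Name: 0x..' fields as ints plus the '#pubkey=' string."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+):\s*0x([0-9a-fA-F]+)\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
        elif line.strip().startswith("#pubkey="):
            fields["pubkey"] = line.split("=", 1)[1].strip()
    return fields

def rfc2537_pubkey(n, e):
    """'0s' + base64 of the RFC 2537 RSA KEY RR body: exponent length (1 octet, or 0 + 16-bit), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e_bytes)]) if len(e_bytes) < 256 else b"\x00" + len(e_bytes).to_bytes(2, "big")
    return "0s" + base64.b64encode(prefix + e_bytes + n_bytes).decode()

def check_key(k):
    """Consistency checks on the secret half and on the pubkey line pasted into ipsec.conf."""
    p, q = k["Prime1"], k["Prime2"]
    n, e, d = k["Modulus"], k["PublicExponent"], k["PrivateExponent"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return {
        "modulus_is_p_times_q": n == p * q,
        "d_inverts_e": (e * d) % lam == 1,
        "exponent1_ok": k["Exponent1"] == d % (p - 1),
        "exponent2_ok": k["Exponent2"] == d % (q - 1),
        "coefficient_ok": (k["Coefficient"] * q) % p == 1,  # PKCS#1 order assumed: q^-1 mod p
        "pubkey_matches_modulus": k["pubkey"] == rfc2537_pubkey(n, e),
    }
```

Keys with exponent 65537 encode as "0sAwEAA...", the same prefix seen in RSA DNSKEY records, since the IN KEY line carries the identical base64 without the "0s" marker.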



References:
