Difference between revisions of "IPsec"
imported>Mutantmonkey (Created page with "<!-- The rest of this page uses a template from the Uniluug project; please see https://uniluug.org/wiki/Template:IPsec if you wish to edit it. --> <!-- Note that the curl ext...") |
|||
| Line 1: | Line 1: | ||
| − | + | ==Network-to-Network== | |
| − | + | For purposes of this tutorial, we are setting up two endpoints, '''vpn1''' and '''vpn2''', both using IPv6 with the subnets '''2001:db8:1::/64''' and '''2001:db8:2::/64''', respectively. | |
| − | + | ||
| + | ===Linux with OpenSWAN=== | ||
| + | Tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25). | ||
| + | |||
| + | * Generate a new host key on both endpoints: | ||
| + | sudo ipsec newhostkey --output /etc/ipsec.secrets | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''vpn1''': | ||
| + | config setup | ||
| + | protostack=netkey | ||
| + | nat_traversal=off | ||
| + | |||
| + | conn vpn2 | ||
| + | authby=rsasig | ||
| + | connaddrfamily=ipv6 | ||
| + | type=tunnel | ||
| + | left=vpn1.example.com | ||
| + | leftid=@vpn1.example.com | ||
| + | leftsubnet=2001:db8:1::/64 | ||
| + | leftrsasigkey=0s... | ||
| + | right=vpn2.example.com | ||
| + | rightid=@vpn2.example.com | ||
| + | rightsubnet=2001:db8:2::/64 | ||
| + | rightrsasigkey=0s... | ||
| + | ike=aes256-sha1-modp2048 | ||
| + | forceencaps=yes | ||
| + | auto=start | ||
| + | Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location. | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''vpn2''': | ||
| + | config setup | ||
| + | protostack=netkey | ||
| + | nat_traversal=off | ||
| + | |||
| + | conn vpn1 | ||
| + | authby=rsasig | ||
| + | connaddrfamily=ipv6 | ||
| + | type=tunnel | ||
| + | left=vpn2.example.com | ||
| + | leftid=@vpn2.example.com | ||
| + | leftsubnet=2001:db8:2::/64 | ||
| + | leftrsasigkey=0s... | ||
| + | right=vpn1.example.com | ||
| + | rightid=@vpn1.example.com | ||
| + | rightsubnet=2001:db8:1::/64 | ||
| + | rightrsasigkey=0s... | ||
| + | ike=aes256-sha1-modp2048 | ||
| + | forceencaps=yes | ||
| + | auto=start | ||
| + | Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location. | ||
| + | |||
| + | * After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two. | ||
| + | |||
| + | ===OpenBSD=== | ||
| + | Tested on [[OpenBSD]] 5.0 (updated on 2012-02-25). | ||
| + | |||
| + | * Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''': | ||
| + | <pre>isakmpd_flags="-K" | ||
| + | ipsec=YES</pre> | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''vpn1''': | ||
| + | ike esp from 2001:db8:1::/64 to 2001:db8:2::/64 \ | ||
| + | peer vpn2.example.com \ | ||
| + | main auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | quick auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | srcid vpn1.example.com tag ipsec-vpn1 | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''vpn2''': | ||
| + | ike esp from 2001:db8:2::/64 to 2001:db8:1::/64 \ | ||
| + | peer vpn1.example.com \ | ||
| + | main auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | quick auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | srcid vpn2.example.com tag ipsec-vpn1 | ||
| + | |||
| + | * We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''. | ||
| + | |||
| + | * After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels: | ||
| + | sudo /etc/rc.d/isakmpd start | ||
| + | sudo ipsecctl -f /etc/ipsec.conf | ||
| + | |||
| + | The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot. | ||
| + | |||
| + | ==Roadwarrior== | ||
| + | ===Linux with OpenSWAN=== | ||
| + | Tested with OpenSWAN 2.6.37 on Arch Linux (updated on 2012-06-27). | ||
| + | |||
| + | * Generate a new host key on both endpoints: | ||
| + | sudo ipsec newhostkey --output /etc/ipsec.secrets | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on your VPN server: | ||
| + | config setup | ||
| + | protostack=netkey | ||
| + | nat_traversal=on | ||
| + | |||
| + | conn myvpn | ||
| + | authby=rsasig | ||
| + | connaddrfamily=ipv6 | ||
| + | type=tunnel | ||
| + | left=vpn1.example.com | ||
| + | leftid=@vpn1.example.com | ||
| + | leftsubnet=2001:db8:1::/64 | ||
| + | leftrsasigkey=0s... | ||
| + | right=%any | ||
| + | rightid=@vpn2.example.com | ||
| + | rightsubnet=2001:db8:2::/64 | ||
| + | rightrsasigkey=0s... | ||
| + | ike=aes256-sha1-modp2048 | ||
| + | forceencaps=yes | ||
| + | auto=start | ||
| + | Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location. | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN: | ||
| + | config setup | ||
| + | protostack=netkey | ||
| + | nat_traversal=on | ||
| + | |||
| + | conn vpn1 | ||
| + | authby=rsasig | ||
| + | connaddrfamily=ipv6 | ||
| + | type=tunnel | ||
| + | left=%defaultroute | ||
| + | leftid=@vpn2.example.com | ||
| + | leftsubnet=2001:db8:2::1/128 | ||
| + | leftsourceip=2001:db8:2::1 | ||
| + | leftrsasigkey=0s... | ||
| + | right=vpn1.example.com | ||
| + | rightid=@vpn1.example.com | ||
| + | rightsubnet=2001:db8:1::/64 | ||
| + | rightrsasigkey=0s... | ||
| + | ike=aes256-sha1-modp2048 | ||
| + | forceencaps=yes | ||
| + | auto=start | ||
| + | Make sure to change '''leftrsasigkey''' to the public key of the RSA key that was generated in the above command, which can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA generated by the above command on the other endpoint, which can be found in the same location. | ||
| + | |||
| + | * After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two. | ||
| + | |||
| + | ===OpenBSD=== | ||
| + | Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27). | ||
| + | |||
| + | * Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''': | ||
| + | <pre>isakmpd_flags="-K" | ||
| + | ipsec=YES</pre> | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on your VPN server: | ||
| + | ike esp from 2001:db8:1::/64 to 2001:db8:2::1 \ | ||
| + | peer any \ | ||
| + | main auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | quick auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | srcid vpn1.example.com tag ipsec-vpn1 | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN: | ||
| + | ike esp from 2001:db8:2::1 to 2001:db8:1::/64 \ | ||
| + | peer vpn1.example.com \ | ||
| + | main auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | quick auth hmac-sha2-256 enc aes-256 group modp2048 \ | ||
| + | srcid vpn2.example.com tag ipsec-vpn1 | ||
| + | |||
| + | * We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''. | ||
| + | |||
| + | * After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels: | ||
| + | sudo /etc/rc.d/isakmpd start | ||
| + | sudo ipsecctl -f /etc/ipsec.conf | ||
| + | |||
| + | The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot. | ||
| + | |||
| + | ===Linux with OpenSWAN (laptop) to OpenBSD (router)=== | ||
| + | Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27). | ||
| + | |||
| + | Assume router has an IPv4 only hostname of home.example.org and you want to route the IPv6 subnet 2001:420:1:9A8::/64 | ||
| + | Assume the laptop is called laptop.example.org (does not have to be an actuall DNS entry) and will round the org-local subnet fd20:50::1/128 (which is actually just 1 ip) | ||
| + | |||
| + | * Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''': | ||
| + | <pre>isakmpd_flags="-K" | ||
| + | ipsec=YES</pre> | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''home.example.org''': | ||
| + | ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \ | ||
| + | peer any \ | ||
| + | main auth hmac-sha1 enc aes-256 group modp2048 \ | ||
| + | quick auth hmac-sha1 enc aes-256 group modp2048 \ | ||
| + | srcid home.example.org tag ipsec-vpn1 | ||
| + | |||
| + | * Generate a new host key on '''laptop.example.org''': | ||
| + | sudo ipsec newhostkey --output /etc/ipsec.secrets | ||
| + | |||
| + | * Configure '''/etc/ipsec.conf''' on '''laptop.example.org''': | ||
| + | config setup | ||
| + | protostack=netkey | ||
| + | nat_traversal=off | ||
| + | |||
| + | conn vpn2 | ||
| + | authby=rsasig | ||
| + | connaddrfamily=ipv6 | ||
| + | type=tunnel | ||
| + | left=%defaultroute | ||
| + | leftid=@laptop.example.org | ||
| + | leftsubnet=fd20:50::1/128 | ||
| + | leftsourceip=fd20:50::1 | ||
| + | leftrsasigkey=<laptop_pubkey> # from /etc/ipsec.secrets on '''laptop.example.org''' | ||
| + | right=home.example.org | ||
| + | rightid=@home.example.org | ||
| + | rightsubnet=2001:420:1:9A8::/64 | ||
| + | rightrsasigkey=<server_pubkey> # converted later from key on '''home.example.org''' | ||
| + | ike=aes256-sha1-modp2048 | ||
| + | forceencaps=yes | ||
| + | auto=start | ||
| + | |||
| + | The trickiest part (and its not actually *that* tricky) is to convert the the pubkey on Linux to the format OpenBSD uses, and vice versa. There is a handy perl script found [http://pastebin.com/THUf4Dsg here] that takes in a Linux or OpenBSD formated pubkey in stdin and outputs a OpenBSD or Linux formated pubkey. | ||
| + | |||
| + | On OpenBSD the pubkey is found in '''/etc/isakmpd/local.pub''' and in Linux it is found in /etc/ipsec.secrets. In ipsec.secrets, you will find a public key like: | ||
| + | #pubkey=0s... | ||
| + | |||
| + | * To convert this to OpenBSD format, run | ||
| + | |||
| + | echo ": PUB 0s..." | ./ipsec.pl | ||
| + | |||
| + | where 0s... is your full public key. | ||
| + | |||
| + | * For the OpenBSD key, it is possible to pipe in local.pub like: | ||
| + | |||
| + | cat local.pub | ./ipsec.pl | ||
| + | |||
| + | * Place the output from the OpenBSD pubkey into '''/etc/ipsec.conf''' on '''laptop.example.org''' here: | ||
| + | |||
| + | rightrsasigkey=<server_pubkey> | ||
| + | |||
| + | and put the output for the Linux pubkey into '''/etc/isakmpd/pubkeys/fqdn/laptop.example.org''' | ||
| + | |||
| + | * After you make the necessary changes, starting IPsec is simply a matter of running the following command on '''home.example.org''': | ||
| + | sudo /etc/rc.d/isakmpd start | ||
| + | sudo ipsecctl -f /etc/ipsec.conf | ||
| + | |||
| + | and on '''laptop.example.org''' restart openswan (generally under the rc script name ipsec) in whatever manner perscribed by your favorite distro. | ||
== External links == | == External links == | ||
Revision as of 02:50, 4 September 2014
Contents
Network-to-Network
For purposes of this tutorial, we are setting up two endpoints, vpn1 and vpn2, both using IPv6 with the subnets 2001:db8:1::/64 and 2001:db8:2::/64, respectively.
Linux with OpenSWAN
Tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25).
- Generate a new host key on both endpoints:
sudo ipsec newhostkey --output /etc/ipsec.secrets
- Configure /etc/ipsec.conf on vpn1:
config setup
protostack=netkey
nat_traversal=off
conn vpn2
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=vpn2.example.com
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change leftrsasigkey to the public key of the RSA key that was generated in the above command, which can be found in /etc/ipsec.secrets. Replace rightrsasigkey with the RSA generated by the above command on the other endpoint, which can be found in the same location.
- Configure /etc/ipsec.conf on vpn2:
config setup
protostack=netkey
nat_traversal=off
conn vpn1
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn2.example.com
leftid=@vpn2.example.com
leftsubnet=2001:db8:2::/64
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change leftrsasigkey to the public key of the RSA key that was generated in the above command, which can be found in /etc/ipsec.secrets. Replace rightrsasigkey with the RSA generated by the above command on the other endpoint, which can be found in the same location.
- After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two.
OpenBSD
Tested on OpenBSD 5.0 (updated on 2012-02-25).
- Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your /etc/rc.conf:
isakmpd_flags="-K" ipsec=YES
- Configure /etc/ipsec.conf on vpn1:
ike esp from 2001:db8:1::/64 to 2001:db8:2::/64 \
peer vpn2.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn1.example.com tag ipsec-vpn1
- Configure /etc/ipsec.conf on vpn2:
ike esp from 2001:db8:2::/64 to 2001:db8:1::/64 \
peer vpn1.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn2.example.com tag ipsec-vpn1
- We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file /etc/isakmpd/local.pub was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy /etc/isakmpd/local.pub on vpn1 to /etc/isakmpd/pubkeys/fqdn/vpn1.example.com on vpn2. Next do this process in reverse for vpn2.
- After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
sudo /etc/rc.d/isakmpd start sudo ipsecctl -f /etc/ipsec.conf
The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.
Roadwarrior
Linux with OpenSWAN
Tested with OpenSWAN 2.6.37 on Arch Linux (updated on 2012-06-27).
- Generate a new host key on both endpoints:
sudo ipsec newhostkey --output /etc/ipsec.secrets
- Configure /etc/ipsec.conf on your VPN server:
config setup
protostack=netkey
nat_traversal=on
conn myvpn
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=%any
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change leftrsasigkey to the public key of the RSA key that was generated in the above command, which can be found in /etc/ipsec.secrets. Replace rightrsasigkey with the RSA generated by the above command on the other endpoint, which can be found in the same location.
- Configure /etc/ipsec.conf on the machine that will connect to your VPN:
config setup
protostack=netkey
nat_traversal=on
conn vpn1
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=%defaultroute
leftid=@vpn2.example.com
leftsubnet=2001:db8:2::1/128
leftsourceip=2001:db8:2::1
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
Make sure to change leftrsasigkey to the public key of the RSA key that was generated in the above command, which can be found in /etc/ipsec.secrets. Replace rightrsasigkey with the RSA generated by the above command on the other endpoint, which can be found in the same location.
- After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two.
OpenBSD
Tested on OpenBSD 5.1 (updated on 2012-06-27).
- Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your /etc/rc.conf:
isakmpd_flags="-K" ipsec=YES
- Configure /etc/ipsec.conf on your VPN server:
ike esp from 2001:db8:1::/64 to 2001:db8:2::1 \
peer any \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn1.example.com tag ipsec-vpn1
- Configure /etc/ipsec.conf on the machine that will connect to your VPN:
ike esp from 2001:db8:2::1 to 2001:db8:1::/64 \
peer vpn1.example.com \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid vpn2.example.com tag ipsec-vpn1
- We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file /etc/isakmpd/local.pub was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy /etc/isakmpd/local.pub on vpn1 to /etc/isakmpd/pubkeys/fqdn/vpn1.example.com on vpn2. Next do this process in reverse for vpn2.
- After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
sudo /etc/rc.d/isakmpd start sudo ipsecctl -f /etc/ipsec.conf
The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.
Linux with OpenSWAN (laptop) to OpenBSD (router)
Tested on OpenBSD 5.1 (updated on 2012-06-27).
Assume router has an IPv4 only hostname of home.example.org and you want to route the IPv6 subnet 2001:420:1:9A8::/64 Assume the laptop is called laptop.example.org (does not have to be an actuall DNS entry) and will round the org-local subnet fd20:50::1/128 (which is actually just 1 ip)
- Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your /etc/rc.conf:
isakmpd_flags="-K" ipsec=YES
- Configure /etc/ipsec.conf on home.example.org:
ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
peer any \
main auth hmac-sha1 enc aes-256 group modp2048 \
quick auth hmac-sha1 enc aes-256 group modp2048 \
srcid home.example.org tag ipsec-vpn1
- Generate a new host key on laptop.example.org:
sudo ipsec newhostkey --output /etc/ipsec.secrets
- Configure /etc/ipsec.conf on laptop.example.org:
config setup
protostack=netkey
nat_traversal=off
conn vpn2
authby=rsasig
connaddrfamily=ipv6
type=tunnel
left=%defaultroute
leftid=@laptop.example.org
leftsubnet=fd20:50::1/128
leftsourceip=fd20:50::1
leftrsasigkey=<laptop_pubkey> # from /etc/ipsec.secrets on laptop.example.org
right=home.example.org
rightid=@home.example.org
rightsubnet=2001:420:1:9A8::/64
rightrsasigkey=<server_pubkey> # converted later from key on home.example.org
ike=aes256-sha1-modp2048
forceencaps=yes
auto=start
The trickiest part (and its not actually *that* tricky) is to convert the the pubkey on Linux to the format OpenBSD uses, and vice versa. There is a handy perl script found here that takes in a Linux or OpenBSD formated pubkey in stdin and outputs a OpenBSD or Linux formated pubkey.
On OpenBSD the pubkey is found in /etc/isakmpd/local.pub and in Linux it is found in /etc/ipsec.secrets. In ipsec.secrets, you will find a public key like:
#pubkey=0s...
- To convert this to OpenBSD format, run
echo ": PUB 0s..." | ./ipsec.pl
where 0s... is your full public key.
- For the OpenBSD key, it is possible to pipe in local.pub like:
cat local.pub | ./ipsec.pl
- Place the output from the OpenBSD pubkey into /etc/ipsec.conf on laptop.example.org here:
rightrsasigkey=<server_pubkey>
and put the output for the Linux pubkey into /etc/isakmpd/pubkeys/fqdn/laptop.example.org
- After you make the necessary changes, starting IPsec is simply a matter of running the following command on home.example.org:
sudo /etc/rc.d/isakmpd start sudo ipsecctl -f /etc/ipsec.conf
and on laptop.example.org restart openswan (generally under the rc script name ipsec) in whatever manner perscribed by your favorite distro.
