IPsec (changes: Use SHA2 instead of SHA1 on Linux)
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12); an earlier revision of this section was tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25).
* Generate a new host key on both endpoints. The key is written to '''/etc/ipsec.secrets'''; only its public half, the '''#pubkey=0s...''' line in that file, is ever copied to the other endpoint.
* Put the following in a '''conn''' section of '''/etc/ipsec.conf''' on '''vpn1.example.com''':
<pre>
connaddrfamily=ipv6
type=tunnel
ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048
sha2_truncbug=yes
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=vpn2.example.com
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
auto=start
</pre>
Replace '''leftrsasigkey''' with the public key of the host key generated on this endpoint, which is the '''#pubkey=0s...''' line in '''/etc/ipsec.secrets''' (also printed by '''ipsec showhostkey --left'''). Replace '''rightrsasigkey''' with the public key generated the same way on the other endpoint, found in the same location there. The private key never leaves the host it was generated on.
* The matching section on '''vpn2.example.com''', with the two sides swapped:
<pre>
connaddrfamily=ipv6
type=tunnel
ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048
sha2_truncbug=yes
left=vpn2.example.com
leftid=@vpn2.example.com
leftsubnet=2001:db8:2::/64
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
auto=start
</pre>
As before, '''leftrsasigkey''' is this host's own public key from '''/etc/ipsec.secrets''' and '''rightrsasigkey''' is the public key from '''/etc/ipsec.secrets''' on '''vpn1.example.com'''. Openswan works out from its own addresses which side of a connection it is, so the two sections are equivalent and either one could be installed unchanged on both hosts.

'''sha2_truncbug=yes''' makes Openswan truncate the HMAC-SHA-256 integrity tag of ESP to 96 bits, as older Linux kernels did, rather than the 128 bits RFC 4868 specifies. Both ends must truncate the same way: set it on both endpoints or on neither. If one end uses 96 bits and the other 128, IKE completes and the tunnel looks up, but every ESP packet fails its integrity check and is dropped.
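The key handling described above, as an added example that is not code from the original page or from Openswan: a POSIX shell script that extracts the '''#pubkey=0s...''' value from an ipsec.secrets file, checks that the two keys are well-formed and are not the same key pasted into both slots, and emits a complete '''conn''' section including the '''conn''' header the fragments above omit. The section name '''vpn1-vpn2''', the sample secrets file and the peer key are constructed placeholders; the '''ipsec newhostkey''' and '''ipsec showhostkey''' commands in the comments are the Openswan tools, assumed to exist on a real endpoint but not needed to run this script.

```shell
#!/bin/sh
# Added example, not code from the original page: pull the host public key
# out of an Openswan /etc/ipsec.secrets, sanity-check the two keys, and emit
# a complete conn section for /etc/ipsec.conf.
# Assumptions: the section name "vpn1-vpn2", the sample secrets file and the
# peer key below are all constructed for the demonstration.
set -eu

# pubkey_from_secrets FILE
# "ipsec newhostkey --output /etc/ipsec.secrets" writes the public half of the
# host key as a "#pubkey=0s..." comment inside the ": RSA { ... }" block (the
# same value "ipsec showhostkey --left" prints). Extract the first one.
pubkey_from_secrets() {
    key=$(sed -n 's|^[[:space:]]*#pubkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" | head -n 1)
    [ -n "$key" ] || { echo "no #pubkey= line in $1" >&2; return 1; }
    printf '%s\n' "$key"
}

# check_keys LEFTKEY RIGHTKEY
# Openswan expects the RFC 3110 "0s" base64 form that newhostkey/showhostkey
# emit. A frequent mistake is pasting the local key into both slots, which
# authenticates nothing but the local host, so the keys must also differ.
check_keys() {
    for k in "$1" "$2"; do
        case $k in
            0s[A-Za-z0-9+/=]*) ;;
            *) echo "not an Openswan 0s... public key: $k" >&2; return 1 ;;
        esac
    done
    if [ "$1" = "$2" ]; then
        echo "left and right keys are identical; use the other endpoint's key" >&2
        return 1
    fi
}

# render_conn NAME LEFT LEFTSUBNET LEFTKEY RIGHT RIGHTSUBNET RIGHTKEY
# Identities are "@fqdn" as on the page: literal FQDN IDs, no DNS lookup.
# The same section can be installed unchanged on both endpoints; Openswan
# decides from its own addresses which side it is.
render_conn() {
    cat <<EOF
conn $1
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=$2
    leftid=@$2
    leftsubnet=$3
    leftrsasigkey=$4
    right=$5
    rightid=@$5
    rightsubnet=$6
    rightrsasigkey=$7
    auto=start
EOF
}

# Constructed stand-in for /etc/ipsec.secrets on vpn1 (placeholder values,
# not a real key) so the script runs without Openswan installed.
SAMPLE_SECRETS=$(mktemp)
trap 'rm -f "$SAMPLE_SECRETS"' EXIT
cat >"$SAMPLE_SECRETS" <<'EOF'
: RSA	{
	# RSA 2048 bits	vpn1.example.com	Fri Sep 12 10:00:00 2014
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQPexampleExampleKeyMaterial0123456789+/=
	Modulus: 0x00
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0x00
	}
EOF

LEFT_KEY=$(pubkey_from_secrets "$SAMPLE_SECRETS")
# On a real pair this value comes from the other host, e.g. by running
# pubkey_from_secrets (or "ipsec showhostkey --right") on vpn2 and copying
# the output over; the value here is a placeholder.
RIGHT_KEY='0sAQOpeerPlaceholderKeyFromVpn2abc+/='

check_keys "$LEFT_KEY" "$RIGHT_KEY"
render_conn vpn1-vpn2 vpn1.example.com 2001:db8:1::/64 "$LEFT_KEY" \
                      vpn2.example.com 2001:db8:2::/64 "$RIGHT_KEY"
```

On a live endpoint the script would be run once per side with its real '''/etc/ipsec.secrets''' and the peer's key pasted in; after writing the output to '''/etc/ipsec.conf''', '''ipsec auto --add vpn1-vpn2''' and '''ipsec auto --up vpn1-vpn2''' bring the tunnel up.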
==Roadwarrior==
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12); an earlier revision of this section was tested with OpenSWAN 2.6.37 (updated on 2012-06-27).
* Generate a new host key on both endpoints, as for the site-to-site setup; the public half is the '''#pubkey=0s...''' line in '''/etc/ipsec.secrets'''.
* On the server '''vpn1.example.com''', the '''conn''' section in '''/etc/ipsec.conf''' uses '''right=%any''' so the roadwarrior may connect from any address; the peer is pinned by its identity ('''rightid''') and its public key instead:
<pre>
connaddrfamily=ipv6
type=tunnel
ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048
sha2_truncbug=yes
left=vpn1.example.com
leftid=@vpn1.example.com
leftsubnet=2001:db8:1::/64
leftrsasigkey=0s...
right=%any
rightid=@vpn2.example.com
rightsubnet=2001:db8:2::/64
rightrsasigkey=0s...
auto=start
</pre>
Replace '''leftrsasigkey''' with the public key of the host key generated on this endpoint, the '''#pubkey=0s...''' line in '''/etc/ipsec.secrets''' (also printed by '''ipsec showhostkey --left'''). Replace '''rightrsasigkey''' with the public key generated the same way on the roadwarrior, found in the same location there. A '''right=%any''' connection can only be responded to, never initiated: Openswan logs an error at startup when asked to '''auto=start''' it, so '''auto=add''' is sufficient on this side.
* On the roadwarrior, '''left=%defaultroute''' picks up whatever address the laptop currently has, and '''leftsourceip''' is the address it uses as source for traffic sent into the tunnel:
<pre>
connaddrfamily=ipv6
type=tunnel
ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048
sha2_truncbug=yes
left=%defaultroute
leftid=@vpn2.example.com
leftsourceip=2001:db8:2::1
leftrsasigkey=0s...
right=vpn1.example.com
rightid=@vpn1.example.com
rightsubnet=2001:db8:1::/64
rightrsasigkey=0s...
auto=start
</pre>
Replace '''leftrsasigkey''' with the public key of the host key generated on the laptop, the '''#pubkey=0s...''' line in '''/etc/ipsec.secrets''' (also printed by '''ipsec showhostkey --left'''). Replace '''rightrsasigkey''' with the public key generated the same way on the server, found in the same location there. Both ends must describe the same traffic selectors; if phase 2 fails with "cannot respond to IPsec SA request because no connection is known", compare the subnets shown by '''ipsec auto --status''' on the two hosts.
The OpenBSD side ('''/etc/ipsec.conf''' for '''ipsecctl''') of a roadwarrior setup with '''home.example.org''' as the server and the laptop at '''fd20:50::1'''; the earlier revision used '''hmac-sha1''' for both phases, which '''hmac-sha2-256''' replaces here to match the Linux client:
<pre>
ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid home.example.org tag ipsec-vpn1
</pre>
'''ipsecctl -n -f /etc/ipsec.conf''' checks the syntax without loading anything, and '''ipsecctl -sa''' lists the SAs once the laptop has connected. '''peer any''' with no '''dstid''' accepts any peer that can authenticate, so the laptop's public key must be installed under '''/etc/isakmpd/pubkeys/fqdn/''' with its identity as the file name.
The Linux laptop side of the same setup, talking to the OpenBSD server:
<pre>
connaddrfamily=ipv6
type=tunnel
ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048
sha2_truncbug=yes
left=%defaultroute
leftid=@laptop.example.org
leftsourceip=fd20:50::1
leftrsasigkey=<laptop_pubkey> # from /etc/ipsec.secrets on laptop.example.org
right=home.example.org
rightid=@home.example.org
rightsubnet=2001:420:1:9A8::/64
rightrsasigkey=<server_pubkey> # converted later from the key on home.example.org
auto=start
</pre>
'''sha2_truncbug=yes''' truncates the SHA-256 ESP integrity tag to 96 bits, whereas OpenBSD uses the 128-bit truncation of RFC 4868. If the IKE SA comes up but no ESP traffic gets through, the two ends disagree on the tag length; drop the option on the laptop and retry.
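A check for the truncation mismatch that both roadwarrior variants above can run into (the Linux-only pair and the Linux-to-OpenBSD one), as an added example that is not code from the original page or from Openswan: a POSIX shell function that reads the output of '''ip xfrm state''' and reports how many bits of the HMAC-SHA-256 integrity tag each installed ESP SA uses. With '''sha2_truncbug=yes''' Openswan installs 96-bit truncation; a peer that follows RFC 4868 expects 128. The sample '''ip xfrm state''' output is constructed, with zeroed placeholder keys.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the ESP SAs the
# Linux kernel has installed and report the HMAC-SHA-256 truncation length
# of each. Openswan with sha2_truncbug=yes installs 96 bits (the old Linux
# behaviour); a peer following RFC 4868 uses 128. If the two ends differ,
# the IKE SA looks healthy while every ESP packet fails its integrity check.
set -eu

# audit_xfrm_trunc EXPECTED_BITS
# Reads "ip xfrm state" output on stdin. Exit 0 if every hmac(sha256) SA
# uses EXPECTED_BITS, 1 if any differs, 2 if no such SA exists. The key
# material on the auth-trunc/enc lines is never printed.
audit_xfrm_trunc() {
    awk -v want="$1" '
        /^src / { sa = $2 " -> " $4 }
        /^[ \t]*auth-trunc hmac\(sha256\)/ {
            n++
            if ($4 == want) {
                printf "OK   %s: hmac(sha256) truncated to %s bits\n", sa, $4
            } else {
                bad++
                printf "BAD  %s: hmac(sha256) truncated to %s bits, expected %s\n", sa, $4, want
            }
        }
        END {
            if (n == 0) { print "no hmac(sha256) ESP SAs found"; exit 2 }
            exit (bad > 0)
        }'
}

# sample_xfrm_state
# Constructed sample of "ip xfrm state" output for the vpn1 <-> roadwarrior
# pair (zeroed placeholder keys, not real ones). On a live host, run as root:
#   ip xfrm state | audit_xfrm_trunc 96
sample_xfrm_state() {
    cat <<'EOF'
src 2001:db8:1::1 dst 2001:db8:2::1
	proto esp spi 0xc0ffee01 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x0000000000000000000000000000000000000000000000000000000000000000 96
	enc cbc(aes) 0x0000000000000000000000000000000000000000000000000000000000000000
src 2001:db8:2::1 dst 2001:db8:1::1
	proto esp spi 0xc0ffee02 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x0000000000000000000000000000000000000000000000000000000000000000 96
	enc cbc(aes) 0x0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# Demo: this host runs sha2_truncbug=yes, so 96 bits is what it should show.
sample_xfrm_state | audit_xfrm_trunc 96
```

Run it with the truncation the peer uses as the argument: 96 when the other end is Openswan with '''sha2_truncbug=yes''', 128 for an RFC 4868 peer such as OpenBSD. '''ip xfrm state''' prints the raw SA keys, so run it as root and do not paste its output anywhere; the audit deliberately prints only the endpoints and the tag length.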