Installing and Configuring a Linux VPN Server (Part 2)

Thankfully, FreeS/Wan provides a very simple way to extract the public portion of the key in the correct format. Assuming that you are working from the London server (which is designated Left), type:

ipsec showhostkey --left > leftpubkey.txt

This writes the London (Left) public key to a new file called leftpubkey.txt. Do the same on the Accra (Right) server, but use --right > rightpubkey.txt instead. After doing that, it is a good idea to chmod the ipsec.secrets files to 600, since they hold the private halves of the keys.

After the keys are generated, you need both public keys on the same server to build the ipsec.conf file, and this presents a small dilemma. You want to be sure that the public key you receive from the remote server is the genuine one and has not been substituted by a malicious third party. If you are building the two servers side by side this is hardly an issue, but you may well be dealing with an administrator you have never met. Creating a secure tunnel with an unverified third party could have serious security consequences, so it is generally recommended that you use PGP to sign the public key files (or the email message used to transmit them) so that the identity of the sender can be confirmed. If your servers already communicate over a secure or direct connection, simply transfer the key file from one server to the other. In this case, FTP the Accra rightpubkey.txt file to the London server.

The file that controls how connections are defined and initiated is ipsec.conf. If you open this file in vi (as shown here), you’ll see a number of configuration parameters. The file contains three main sections, each of which is important to understand. The top part of the file describes the machine configuration, in a section called config setup. The next section is called conn default, and contains settings that will apply to all connections. After these you will find actual connection descriptions, which is where we’ll ultimately define our londonaccra tunnel. Before editing this file, make a backup copy called ipsec.old or similar.
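Added example, not from the article: a POSIX shell script for the London server that checks the received rightpubkey.txt against a SHA-256 digest confirmed with the Accra administrator out of band (a simpler stand-in for the PGP signature recommended above), extracts both keys from the showhostkey output files, and prints the londonaccra conn section. The addresses and the digest are placeholders; the key file layout it assumes is the one ipsec showhostkey produces.

```shell
#!/bin/sh
# Added example, not from the article: verify a received showhostkey file
# against a digest confirmed out of band, then assemble the conn block.
# Assumes each key file holds the output of "ipsec showhostkey --left" or
# "--right": an optional "# RSA ..." comment line followed by one line of the
# form "<tab>leftrsasigkey=0s<base64>" (or rightrsasigkey=...).

# Print the key value ("0s...") for the given side (left|right) from FILE.
# Returns 1 and prints nothing if FILE has no such line.
extract_key() {
    side="$1"; file="$2"
    sed -n "s|^[[:space:]]*${side}rsasigkey=\(0s[A-Za-z0-9+/=]\{1,\}\)[[:space:]]*\$|\1|p" "$file" |
        head -n 1 | grep .
}

# Succeed only if FILE's SHA-256 digest equals EXPECTED, which the remote
# administrator confirmed over a trusted channel (PGP-signed mail, phone).
verify_key_file() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Print a londonaccra conn section using RSA signature authentication.
# Arguments: left key file, right key file, left address, right address.
build_conn() {
    leftkey=$(extract_key left "$1") || return 1
    rightkey=$(extract_key right "$2") || return 1
    printf 'conn londonaccra\n'
    printf '\tleft=%s\n\tleftrsasigkey=%s\n' "$3" "$leftkey"
    printf '\tright=%s\n\trightrsasigkey=%s\n' "$4" "$rightkey"
    printf '\tauthby=rsasig\n\tauto=add\n'
}

# Example run on the London server (addresses and digest are placeholders).
if [ "${1:-}" = "--demo" ]; then
    EXPECTED_RIGHT_SHA256="<digest read back from the Accra admin>"
    verify_key_file rightpubkey.txt "$EXPECTED_RIGHT_SHA256" ||
        { echo "rightpubkey.txt does not match the verified digest" >&2; exit 1; }
    build_conn leftpubkey.txt rightpubkey.txt 192.0.2.1 198.51.100.1
fi
```

Run it with --demo in the directory holding both key files; the printed block can be appended to ipsec.conf once the digest check passes.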

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.