
Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)
Disclaimer: I've RTFM'd before, this is all from memory, and I've never actually had a chance to experiment with this. On the flipside, I got openswan working for you when you set that up the first time, and I hadn't played with that much either. <grin>

To my knowledge there is no good single resource saying how to configure IPsec using 2.6, and what there is is mostly FreeBSD specific. With 26sec there are several ways to configure it.

The obvious way is to use "racoon". racoon is a daemon that runs and uses IKE to set up and maintain connections, updating the kernel's tables as necessary. You'd configure it with something like this (192.168.0.1 has 10.1.0.0/16 behind it, 192.168.0.2 has 10.2.0.0/16 behind it; this is the config for 192.168.0.1):

    # racoon.conf on 192.168.0.1
    path pre_shared_key "/etc/racoon/psk.txt";   # added: file holding the PSK for 192.168.0.2

    remote 192.168.0.2 {
        exchange_mode main;                       # added: phase 1 exchange mode
        proposal {
            authentication_method pre_shared_key;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            dh_group 2;
        }
    }

    # phase 2: traffic between the two networks behind the gateways
    sainfo address 10.1.0.0/16 any address 10.2.0.0/16 any {
        encryption_algorithm 3des;                # added: ESP cipher, required in sainfo
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 12 hour;
        pfs_group 2;
    }

then set up routing such that

    ip route add 10.2.0.0/16 via 192.168.0.2

YMMV.

The other approach is to use setkey(8) directly to modify the kernel's idea of what's going on. man setkey(8) for help. This is perhaps preferable for static tunnel configuration (rather than roadwarrior style approaches).

"Firewalling" is done by the kernel's policy database, which is configured with racoon's security associations, or by using setkey's -P to set policy.
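The setkey(8) side of the same tunnel, as an added example that is not part of the reply above: a POSIX shell script that emits the SPD entries (the "-P" policy) for the 10.1.0.0/16 and 10.2.0.0/16 pair so racoon can negotiate the SAs, plus a manually keyed variant for a static tunnel. The function names, the SPI values and the keys are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the reply above): emit setkey(8) configuration for
# the tunnel it describes, 10.1.0.0/16 behind 192.168.0.1 and 10.2.0.0/16
# behind 192.168.0.2. Pipe the output into "setkey -c" on the gateway.

# SPD only ("setkey -P" style policy). With racoon running, the kernel asks
# racoon to negotiate the SAs when traffic first matches these policies.
# Usage: ipsec_policy LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
ipsec_policy() {
    lgw=$1 rgw=$2 lnet=$3 rnet=$4
    cat <<EOF
spdflush;
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lgw-$rgw/require;
spdadd $rnet $lnet any -P in ipsec esp/tunnel/$rgw-$lgw/require;
EOF
}

# Static tunnel: SAs keyed by hand, no IKE daemon. Keys are CONSTRUCTED
# placeholders of the correct length (3des-cbc 24 bytes, hmac-sha1 20 bytes).
# The SA lines are the same on both gateways; only the policy direction
# (argument order) changes. SPIs for manual SAs must be >= 0x100.
# Usage: ipsec_static LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
ipsec_static() {
    lgw=$1 rgw=$2 lnet=$3 rnet=$4
    ek1=0x0123456789abcdef0123456789abcdef0123456789abcdef   # 48 hex digits
    ek2=0xfedcba9876543210fedcba9876543210fedcba9876543210   # 48 hex digits
    ak1=0x0123456789abcdef0123456789abcdef01234567           # 40 hex digits
    ak2=0xfedcba9876543210fedcba9876543210fedcba98           # 40 hex digits
    cat <<EOF
flush;
add $lgw $rgw esp 0x201 -m tunnel -E 3des-cbc $ek1 -A hmac-sha1 $ak1;
add $rgw $lgw esp 0x301 -m tunnel -E 3des-cbc $ek2 -A hmac-sha1 $ak2;
EOF
    ipsec_policy "$lgw" "$rgw" "$lnet" "$rnet"
}

# Load generated configuration into the kernel, only if setkey is installed.
# Usage: ipsec_apply ipsec_policy 192.168.0.1 192.168.0.2 10.1.0.0/16 10.2.0.0/16
ipsec_apply() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey not found" >&2; return 1; }
    "$@" | setkey -c
}
```

Run the generator once per gateway with the argument order swapped on the far side, and check the result with "setkey -DP" (policies) and "setkey -D" (SAs).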