defaults.txt

This a good VPN source

Openswan defaults

If you have started Openswan for the first time, this normally generates
a default RSA keypair to use. The public key of that pair needs to be
(securely!) communicated to the other end before communication can start.
You will find the key in /etc/ipsec.secrets. If you don't see any key in
that file, you can generate one by issuing:

ipsec newhostkey --output /etc/ipsec.secrets

There are two general sections on the /etc/ipsec.conf file. One is the
"config setup" section and the other is the "conn default" section. Any
tunnels you want to configure go after these two sections, in their own
"conn tunnel-name" section. Be aware that the indentation and white space
in th configuration files is important. Always follow the layout that you
see in the file, and always keep an empty line between different connection
definitions.

You only need to make changes to these two sections if Openswan cannot
determine certain settings automatically. The most common case is that the
machine has no single default route, so we cannot determine over which
physical interface the encrypted packets need to go. If you know that you
will want to send encrypted packets over eth0 and ppp0, you can change
the interfaces line accordingly:

	interfaces="ipsec0=eth0,ipsec1=ppp0"

Do not enable the plutodebug or klipsdebug lines unless you are investigating
a problem in the Openswan code. To find out why your configuration doesn't
work, one only needs to look at the syslog messages, often collected in the
file /var/log/secure.

In the default section you can put any parameter that stays the same for most
of your tunnel connections, so  you don't have to keep copying that option into
all your connection definitions. You can override these options in the actual
tunnel connection.

Openswan supports a mode called "opportunistic encryption", which often gets
in the way of simple static tunnels. If you are just configuring a dedicated
VPN server using Openswan, add the following conns to disable OE.

conn OEself
       auto=ignore
conn clear
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn block
        auto=ignore
conn packetdefault
        auto=ignore