Getting Started with IPsec

A tbird posting to The Shmoo Group list about how to begin implementing a standards-based VPN.

On Wed, 6 Mar 2002, Paul Holman wrote:

I've been putting off use of VPNs for having had a terrible time with the clients in the past. In general, I try to do application layer encryption/authentication, but that argument starts to break up when you're just wrapping everything with SSH or SSL.

There are some reasons I'm interested in giving this a shot: Securing NFS & Remote access to internal network resources come to mind.

So I could use some guidance as I jump into this. My plan is to hook up with another novice friend tomorrow night and try playing with some Windows & Linux machines to see if we can get them working. Maybe MacOS X too.

I assume I should be using FreeS/WAN on Linux. What about Windows? What the hell is that "Click here for a VPN" shit in Win2K? PPTP? Should I be using that or not? Where do I start?

Greetz all --

The FreeS/WAN implementation has gotten a lot easier to use in the last couple of years, but OpenBSD's built-in IPsec support also has a lot of users. FreeS/WAN has beautifully thorough documentation maintained by Sandy Harris; it's at

My favorite starting document for OpenBSD is

In either case, here's a brief list (in no particular order) of things to watch out for, general suggestions, and other useful URLs:

  • Most everything I know about troubleshooting is at
  • Routing is what usually proves to be the most annoying. You don't need to configure a default route for the VPN connection anywhere but in the VPN configuration files. Resist the urge. If your traffic doesn't get from point A to point B, it's usually a problem with the security associations you're setting up. Or, if the box is firewalled, you've forgotten to set up rules allowing the encrypted traffic.
  • Get the IPsec connection up and running using secret keys and no IKE; then add in IKE for session negotiation. [Confession: this definitely used to be good advice, but I haven't set anything up from scratch in a while. It's conceivable that IKE is easier to use now, and it's certainly true that IKE's error messages are fairly indicative of what's wrong.]
  • Windows 2000 has built-in IPsec networking obtained from Cisco. It's a pretty clean implementation. The empire's starting point for documentation is at
  • Everything in the universe that I know about VPNs is pretty much on and the associated mailing list,

You don't want to use PPTP. The VPN site has Windows IPsec clients listed if you need to support non-2k boxen.

Hope that helps.

cheers -- tbird
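The "secret keys first, IKE second" sequence tbird recommends, written out as a FreeS/WAN 1.x `ipsec.conf`. This is an added illustration, not configuration from the original post or from the FreeS/WAN project: the gateway and subnet addresses are documentation ranges, the SPI, ESP keys and pre-shared key are constructed placeholders, and the `leftnexthop`/`rightnexthop` gateways are assumed. The two `conn` sections describe the same tunnel, so only one of them should be active at a time.

```ini
# /etc/ipsec.conf  (FreeS/WAN 1.x syntax; all values below are constructed
# for this example and must be replaced before use)
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

# Step 1: manually keyed tunnel, no IKE.  Bring it up on both gateways with
#   ipsec manual --up lab-manual
# If traffic does not flow, the fault is in the SA parameters (spi/esp/keys
# must match on both ends), the routing, or a firewall dropping ESP.
conn lab-manual
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=192.0.2.254
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightnexthop=198.51.100.254
    spi=0x200
    esp=3des-md5-96
    # 24-byte 3DES key and 16-byte HMAC-MD5 key, hex; placeholders only
    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef
    espauthkey=0xfedcba9876543210fedcba9876543210
    auto=manual

# Step 2: the same tunnel negotiated by IKE (Pluto) with a pre-shared key.
# Once step 1 passes traffic, take it down (ipsec manual --down lab-manual)
# and start this one:  ipsec auto --up lab-ike
conn lab-ike
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=192.0.2.254
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightnexthop=198.51.100.254
    authby=secret
    auto=start

# /etc/ipsec.secrets  (mode 0600, root-owned; identical on both gateways)
# 192.0.2.1 198.51.100.1: PSK "constructed-placeholder-replace-me"
```

Two things to check before blaming the configuration, both of which tbird's list already points at: do not add a default or static route for the far subnet by hand, because FreeS/WAN installs the route for each `leftsubnet`/`rightsubnet` pair itself when the connection comes up; and if either gateway filters packets, permit IP protocol 50 (ESP) between the two outside addresses, plus UDP port 500 in both directions for the IKE step (and protocol 51 only if you actually configure AH). The manually keyed connection is a debugging aid, not a deployment: its keys never rotate, so move to IKE as soon as the plumbing is proven.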