The 2.x ipsec.conf template comes with a built in connection to facilitate Opportunistic Encryption (encrypting to virtual strangers). This reduces eavesdropping on the 'net.
You do need to set up a few DNS records to use this feature. See our OE quickstart guide for details.
You can disable the feature by commenting out the conn oeself section.
We want to make it so easy for you to declare security policy, that all you have to do is say: "These are the folks I want to talk to in the clear. These spammers' domains -- I don't want to talk to them at all. To talk to the finance department, I must use the VPN. And for any other communication, try to encrypt, but it's okay if we can't."
FreeS/WAN now offers built-in Food Groups to help with this task. Please see Configuring Food Groups.
Description here.
FreeS/WAN often doesn't work with Reverse Path filtering. We now turn it off when it is in our way, and log a warning.
Note: FreeS/WAN does not turn it back on again. If you uninstall FreeS/WAN and want to reinstate rp_filter, you must do this yourself with a command like the following (writing 1 enables reverse path filtering on that interface; writing 0 disables it):
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
The FreeS/WAN team promised config-file compatibility throughout the 1.x series. That means a 1.5 config file can be directly imported into a fresh 1.99 install with no problems.
With FreeS/WAN 2.x, we've given ourselves permission to make the config file easier to use. The cost: some FreeS/WAN 1.x configurations will not work properly. Many of the new features are, however, backward compatible.
... so long as you paste this line, with no preceding whitespace, at the top of your config file:
version 2
If you are bitten by the new defaults, use this ipsec.conf fragment to simulate the old default values.
We've obsoleted various directives which almost no one was using:
    dump
    plutobackgroundload
    no_eroute_pass
    lifetime
    rekeystart
    rekeytries
And we've made some things, which almost everyone was using, automatic; for example:
    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search
    uniqueids=yes
Some new defaults help with Opportunistic Encryption:
    authby=rsasig   ## RSA signatures, not a shared secret!
    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
    rightrsasigkey=%dnsondemand
Of course, you can still override these by explicitly declaring something else in your connection.
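As an added example (not part of the FreeS/WAN documentation or distribution), a small POSIX shell check for a 1.x ipsec.conf being carried into 2.x: it flags the obsoleted directives listed above, lists the settings 2.x now makes automatic, and insists on "version 2" as the first line. The sample config it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Migration check for a FreeS/WAN 1.x ipsec.conf moving to 2.x (added example).
# Directives the 2.x release obsoleted (from the list above).
OBSOLETE="dump plutobackgroundload no_eroute_pass lifetime rekeystart rekeytries"

# Succeeds only if line 1 is exactly "version 2" with no leading whitespace.
has_version2() {
    head -n 1 "$1" | grep -q '^version 2$'
}

# Prints every obsoleted directive still set in the file; succeeds if none.
find_obsolete() {
    rc=0
    for d in $OBSOLETE; do
        if grep -q "^[[:space:]]*$d=" "$1"; then
            echo "obsolete directive: $d"
            rc=1
        fi
    done
    return $rc
}

# Prints settings that 2.x applies automatically; they can simply be dropped.
find_now_automatic() {
    grep -E '^[[:space:]]*(interfaces=%defaultroute|plutoload=%search|plutostart=%search|uniqueids=yes)[[:space:]]*$' "$1" || true
}

# Overall verdict: version line present and no obsoleted directives.
check_config() {
    status=0
    has_version2 "$1" || { echo "missing 'version 2' as the first line"; status=1; }
    find_obsolete "$1" || status=1
    return $status
}

# Constructed sample 1.x config (not a real deployment).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config setup
    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    dump=none
conn %default
    rekeytries=3
EOF

if check_config "$SAMPLE"; then echo "ready for 2.x"; else echo "changes needed before 2.x"; fi
```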