leftis an alias for local-side (our PC), while generally it is not. I assume that you have read man
- Make sure you fulfill
virtual_privatewith allowed subnets correctly. For IPv4 it is:
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16and then add
v4:!192.168.1.0/24-like entries separated by comma. For IPv6:
- Force keepalive packets if you use cellular connection or you're NATed.
force_keepalive=yes keep_alive=10Also, modify Dead Peer Detection accordingly.
dpddelay=10 dpdtimeout=480This really helped me to get connections based on 3G modem work flawlessly.
*nexthopfor ppp connections is peer itself.
- It is better to include
rightnexthopin case if
rightis IP. For FQDN, OpenSWAN will do the job.
- AES is faster for most architectures except if it is hardware-accelerated. For NETKEY kernel crypto is working by default, and for KLIPS you would like to insmod cryptodev (or even cryptosoft).
- For L2TP/IPSec client, be specific with open ports:
leftprotoport=17/1701. For L2TP/IPsec server, be less specific:
leftprotoport=17/%any. Same rule applies to to other side: For L2TP/IPSec client, use
- Make sure you have a good route (and/or routing rule) to peer. Some environments might work well until actual connection is established, and then they change routes, making route to peer tunnelled. It mustn't be tunnelled. (For KLIPS it is a bit harder to manage).
- XFRM (Netkey) stack is hard to manage in some environments (i.e. gateways). Sometimes I prefer KLIPS for that.
- For KLIPS, disable rp_filter. There are other good security advices, but without it it won't work at all.
- If you wish to install certificates on Android, you'd want to have
critical,CA:FALSE(or TRUE)-like extension in your certificate.
- Set correct IDs for both sides (
rightid). It is really critical. It totally depends on the server side. I usually prefer
%fromcertdesignation, which instructs openswan to insert full description of certificate of the side
- Don't forget to configure date :)