- Overview of the Openswan commands and configuration files

Implementation

Openswan consists of two subsystems. The userland subsystem consists of the
IKE keying daemon, called pluto, and various helper applications. The actual
encryption is done in kernel mode. The Openswan implementation of the kernel
code is called KLIPS. This can be a kernel loadable module called ipsec.o.

As of kernel 2.6, Linux comes with its own kernel implementation. This is a
port of the BSD Kame code. There is no consistent name used by people to refer
to this implementation. Some call it the "native ipsec code", some call it the
"2.6 code" or "26sec". Some call it kame, some pfkey and some afkey. It
consists of various kernel modules that all need to get loaded to get a
functional kernel mode implementation. af_key.ko, xfrm_user.ko, esp4.ko
and ah4.ko.

The Openswan userland tools can both use KLIPS or the Kame code, but you can't
use both at the same time.

Configuration files

Openswan puts all the sensitive information, such as private keys, or
pre-shared secrets, in a single file: /etc/ipsec.secrets.

All the other configuration options go into /etc/ipsec.conf. This file can
refer to other include files, which are all normally found under the
directory structure /etc/ipsec.d/

Commands

Normally, Openswan is started through the system startup scripts, for example
in /etc/init.d/ipsec. Once it is running, you can use the "ipsec" command to
to send or receive commands about the current state. These commands all talk
to the IKE daemon called pluto. "ipsec --help" will give you some information.
You can also use "man ipsec_command" to get more information about a certain
command.