This is at http://www.sandelman.ottawa.on.ca/SSW/ietf/wavesec/FreeSWAN-SecWLan.txt

1.	Install FreeSWAN.
	(XXX add notes on various ways of doing this)

2.	Get your public key into DNS. 
	If you are running Dynamic DNS, you can put this into your forward
	zone easily with something like the following, if you substiute your 
	your private file, server and zone info.

	#!/bin/sh

	cd /etc/namedb

	host=$1

	keyrec=`ipsec showhostkey | sed 1d | (read name class type fourtytwo rest && echo $name 3600 $class $type 16896 $rest)`

*	nsupdate -d -v -k K$host.+157+26817.private <<EOF
*	server 192.139.46.30
*	zone dasblinkenled.org
	update delete $host KEY
	update add $keyrec
	send
	EOF

Or you can just cut&paste the output of "ipsec showhostkey" it into a zone
that you control. If you have no such zone, come to the helpdesk/contact mcr,
and we will enrol you into "dasblinkenled.org" (likely using TSIG and
nsupdate if we can).

These instructions will change soon, we hope, to be replaced with the 
following instructions on having DHCLIENT do the work for you. 
(THIS DOES NOT WORK AS OF Mon Mar 18 22:42:49 CST 2002)

===

Make sure that you are getting your dhclient to update the reverse
map with your hostname, you need the following:

*	    send fqdn.fqdn "myhost.example.org.";
	    send fqdn.encoded on;
	    send fqdn.server-update off;

Then add the following:

option oe-key     code 159 = string;
send oe-key = 03:01:fi:ll:me:in:76:D1;

The hex in fact your public key. You can generate the above from your
/etc/ipsec.secrets file as follows:

ipsec showhostkey | sed 1d | cut -d ' ' -f 4- | mmencode -u | hexdump -v -e '1/1 ":%02X"' | cut -c 2-

3.    Email or see us. You will need to get an IP address from us for the
      inside of your tunnel. Let this address be: F.H.I.J.

      Set up a conn as follows:

      conn me--nsavax
        left=%defaultroute
        leftid=@myhost.example.org	  * whatever you used in #1 *
	leftsubnet=F.H.I.J/32
	leftupdown=/usr/local/lib/ipsec/secwlan_updown
        right=nsavax.ietf53.cw.net
	rightsubnet=0.0.0.0/0
        auto=up

4. install 
   http://www.sandelman.ottawa.on.ca/SSW/ietf/secwlan/secwlan_updown
   as /usr/local/lib/ipsec/secwlan

   Put the address you are assigned by us into /etc/sysconfig/defaultsource :

# cat /etc/sysconfig/defaultsource
DEFAULTSOURCE=166.63.179.17		* whatever you were assigned. 

5. Make sure that you have the "ip" command. 
   This is from the "iproute2" package. This is installed by default on most 
   distros (RH ships it), but you may have to explicitely ask for it. 
   The source is at:
       
       
YOU MUST HAVE NETLINK and Advanced ROUTING.

5. bring up your conn:
      ipsec auto --up me--nsavax



DEBUGGING.

If you do in fact have your key in a forward zone, but you are having no luck 
with talking to us, then one good way to debug is with Opportunistic
Encryption mode. Find the conn labelled: "me-to-anyone" and modify it as follows:

conn me-to-anyone
        left=%defaultroute
        leftid=@myhost.example.org
        right=%opportunistic
        keylife=1h
        rekey=no
        # uncomment this next line to enable it
        auto=route

That is, insert "leftid=@myhost.example.org".

Do   "ipsec auto --add    me-to-anyone" 
and  "ipsec auto --route  me-to-anyone"

and websurf to http://oetest.freeswan.org/

If you look at the output of "ipsec eroute", you'll see that there should be
a line like:

11         166.63.182.233/32  -> 0.0.0.0/0          => %trap

You will likely also see a line like:

6          166.63.182.233/32  -> 192.139.46.73/32   => %hold

or

6          166.63.182.233/32  -> 192.139.46.73/32   => tun0x1002@192.139.46.38

If the former, then your system is still trying to negotiate the tunnel. If
the later, then the tunnel is in fact up. 


$Id: FreeSWAN-WAVEsec.txt,v 1.1 2002/05/22 22:24:57 mcr Exp $