I plan to add a series of articles on how to connect an IPCop firewall to various other devices using IPSec VPNs with certificates and Perfect Forward Secrecy. I had a one-page article on another site that will eventually redirect here.
These articles will go over how to set up certificate-based IPSec VPNs from an IPCop firewall using Openswan. I started studying how to set up IPSec VPN tunnels several years ago and found some problems. The reason I decided to write these articles is that too many other tutorials use pre-shared keys (PSK) with IPSec aggressive mode, and that combination is simply insecure: in aggressive mode a hash derived from the pre-shared key crosses the wire unencrypted, so anyone who captures the negotiation can attack the key offline. Some cable providers will let you see all of your neighbors' traffic, or someone could compromise a server at your ISP, run a packet sniffer to capture your IKE exchange, and then run ikecrack.pl on the capture. They would then have your pre-shared key and be able to impersonate you when your connection goes down. So these articles will go through a more secure way of setting up connections, using certificates and IPSec “Main” mode.
This was tested using IPCop 2.1.5 and various other IPSec VPN clients, each covered on its own page or pages.
I have an AT&T DSL line with the DSL modem set to “DMZPlus” mode, so my IPCop box's RED (WAN) interface gets the external IP address via DHCP. This matters for net-to-net connections: each side must have a DNS-resolvable name that points to a public IP address held by the firewall itself, and must not sit behind another device doing NAT, so that IKE (UDP port 500) and ESP (IP protocol 50) reach the IPCop box directly.
Set up a dynamic DNS service such as freedns.afraid.org, or get a static IP address from your Internet Service Provider, buy a domain and point a host name at it. Either way the remote computer can find your IPCop server by name to initiate the VPN connection.
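To make the difference between the insecure and the recommended setup concrete, here is an added example in Openswan ipsec.conf syntax, not taken from the original articles and not the file IPCop itself generates (IPCop writes its own ipsec.conf from the web interface). It shows a PSK plus aggressive-mode connection next to a certificate plus main-mode connection with PFS, and uses a DNS name for the remote end as described above. The connection names, host names, certificate file name, distinguished names and subnets are all made up for illustration.

```ini
# Added example: Openswan ipsec.conf fragments, not IPCop's generated file.
# All names, DNs, subnets and the certificate file name are hypothetical.

config setup
    # NAT traversal is left off here on purpose: both ends sit on public IPs.
    nat_traversal=no

# WEAK: pre-shared key with aggressive mode.
# The responder's hash of the PSK goes over the wire unencrypted, so a
# passive sniffer can capture it and recover the PSK offline (e.g. ikecrack).
conn weak-psk
    aggrmode=yes
    authby=secret
    pfs=no
    left=%defaultroute
    leftid=@ipcop.example.com
    leftsubnet=192.168.1.0/24
    # Remote end found by DNS name (static IP or dynamic DNS).
    right=remote.example.com
    rightid=@remote.example.com
    rightsubnet=192.168.2.0/24
    auto=add

# RECOMMENDED: X.509 certificates, main mode, Perfect Forward Secrecy.
# Main mode encrypts the identity and hash payloads, certificates replace the
# shared secret, and pfs=yes forces a fresh Diffie-Hellman exchange for each
# phase 2 (IPsec SA) so a later key compromise does not expose old traffic.
conn cert-main-pfs
    aggrmode=no
    authby=rsasig
    pfs=yes
    # Openswan syntax: cipher-hash;DH group
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    left=%defaultroute
    # Certificate file lives in /etc/ipsec.d/certs/ on the Openswan host.
    leftcert=ipcopCert.pem
    leftrsasigkey=%cert
    leftid="C=US, O=Example, CN=ipcop.example.com"
    leftsubnet=192.168.1.0/24
    right=remote.example.com
    rightrsasigkey=%cert
    # Remote certificate must chain to the same CA as ours.
    rightca=%same
    rightid="C=US, O=Example, CN=remote.example.com"
    rightsubnet=192.168.2.0/24
    auto=start
```

The two connections are otherwise identical, so the only changes that matter are `aggrmode`, `authby`, `pfs` and the certificate lines. Note that `right=remote.example.com` is resolved when the configuration is loaded, which is why the remote side needs a stable, resolvable name as discussed above.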