Chapter 1 presents some historical context of IPsec and Openswan, and discusses the legal aspects about using and selling cryptography such as Openswan, and discusses some of the aspects of weighing encryption privacy and law enforcement.
Chapter 2 explains in non-mathematical terms how the IPsec protocols work. It is written especially with the system administrator in mind, and should appeal to both experts and beginners in the world of cryptography.
Chapter 3 contains all you need to know to install Openswan on your Linux distribution. It covers installing available binary packages, as well as how to build Openswan from source. It also guides you through the options your kernel needs to support, and helps you choose between the two IPsec stacks that are currently available - KLIPS and NETKEY.
Chapter 4 is a step by step tutorial on how to configure the most common type of VPN connections using Openswan. These include net-to-net, host-to-net, roaming users and head office to branch offices. In other words, all the possible Openswan-to-Openswan connections. It also discusses commonly deployed third party scenarios, including Cisco implementations using Aggressive Mode and XAUTH with Openswan as the IPsec client.
Chapter 5 introduces X.509 certificate based authentication for IPsec. It explains how X.509 certificates work, how to generate them for Linux, Windows and MacOSX clients, and how to run your own Certificate Agency.
Chapter 6 explains the Openswan feature called Opportunistic Encryption ("OE"). This method of allows one to automate host-to-host encryption for machines without any specific configuration by the end-user. Using OE, anyone can use IPsec protected connections to your servers without even realizing they are using IPsec. The goal of OE is to make IPsec the de-facto standard for all communication on the internet.
Chapter 7 goes right down to the packet level and discusses common problems that you might face on your IPsec gateway. These include special firewalling rules, handling broken IPsec implementations and the various MTU related issues that can come up.
Chapter 8 discusses IPsec from the two most popular end-user Operating Systems: Microsoft Windows and Apple MacOSX. It helps you decide on whether you would prefer X.509 certificate based IPsec, or the less complex L2TP/IPsec. It has a step by step guide on how to setup L2TP on your Openswan VPN server. It also explains how to configure X.509 or L2TP on your Microsoft Windows or Apple MacOSX clients, and includes all the screenshots to guide your way. It closes with a description on how to configure commonly used third-party software packages for Openswan.
Chapter 9 deals with getting Openswan to properly interoperate with third party IPsec VPN servers such as Cisco, Checkpoint, Netscreen, Watchguard and various DSL based modem/router appliances commonly used by end-users.
Chapter 10 explores how to use IPsec to encrypt all traffic between local machines. It specifically focuses on 802.11 type wireless connections, but it applies in general to all LAN based computers. It discusses the Xelerance designed IPsec deployment scenario called WaveSEC: the implementation used at IETF, BlackHat and DefCon to encrypt their wireless networks.
Chapter 11 discusses the advanced use of Openswan. It discusses how to setup a proper fail-over VPN server with Openswan, and discusses large enterprise deployments bottlenecks, as well as how to deal with BGP and OSPF using IPsec and Openswan.
Chapter 12 is the culmination of two years of end-user support on the public mailing lists. It discusses the common mistakes and issues that people who are not working with IPsec on a daily basis tend to run into. Unless you are doing something extremely specific to your particular setup, your problem will be shown in this chapter, along with the explanation of what went wrong and how to remedy your situation.
Appendix A is our last minute update to the current events of Openswan. It discusses bleeding edge Linux kernel issues, the latest security vulnerabilities and upcoming features for end-users and developers that did not exist when the authors were writing the bulk of this book. It also discusses known but unsolved bugs existing at the time this book went to the printer.
