Set the appropriate firewall rules to accept OpenVPN traffic (iptables-restore fragment):
*filter
# OpenVPN ports
-A INPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
Note that these rules match on the port number only, so any UDP packet with source port 1194 is accepted on input. On a gateway reachable from untrusted networks, restrict the INPUT rule to the VPN server's address (-s) or rely on connection tracking (-m conntrack --ctstate ESTABLISHED,RELATED) instead.
Or disable the firewall (only during test phase!) with:
/etc/init.d/firewall stop
Put the OpenVPN main configuration file on the gateway and launch it with (replace with the appropriate file name):
openvpn --config /user/client-openvpn.conf 2>&1 | logger &
Check that the OpenVPN client is running on your gateway (the [o]penvpn pattern keeps the grep process itself out of the result):
ps | grep [o]penvpn
31342 root 4700 S openvpn --config /user/client-openvpn.conf
Check with the ifconfig command that the vpn0 interface (the name given by the dev directive of the configuration file) is now active.
Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again if it was disabled.
Set the appropriate firewall rules to accept IPsec traffic, i.e. IKE on UDP 500 and NAT-T on UDP 4500 (iptables-restore fragment):
*filter
# IPsec ports (IKE and NAT-T)
-A INPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
If the peers are not behind NAT, ESP is sent as IP protocol 50 rather than encapsulated in UDP 4500, and rules accepting -p esp on INPUT and OUTPUT are needed as well.
Or disable the firewall (only during test phase!) with:
/etc/init.d/firewall stop
Two IKE daemons can be used, depending on where the secrets are kept:
- charon: the /etc/ipsec.secrets file is used, and the P12 (PKCS#12) file is stored in clear on the filesystem.
- charon-tkm (charon with the Trusted Key Manager): the /etc/ipsec.secrets file is empty, and the secrets and the P12 file are stored encrypted in the TrustZone.
To select the daemon, either add --daemon charon or --daemon charon-tkm to the command line, or set the DAEMON_NAME environment variable to the desired value. For example, if the TrustZone is used:
export DAEMON_NAME=charon-tkm
# or, alternatively
ipsec start <other ipsec options...> --daemon charon-tkm
If the TrustZone is not used, here is how the VPN should be started:
export DAEMON_NAME=charon
# or, alternatively
ipsec start <other ipsec options...> --daemon charon
To troubleshoot, the --nofork switch can be added to the command line (for example: ipsec start --nofork --daemon charon-tkm). This prevents the daemon from forking into the background and logs all output to the console instead of syslog.
Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to re-enable the firewall if it was disabled during the tests.
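The two procedures above (OpenVPN, then IPsec) collected into one added shell example. This is not code from the original page or from the gateway's own tooling: it prints the firewall fragment for either stack, picks the IKE daemon from the state of the secrets file as the text prescribes, and composes the start command without running it. The helper names, the extra ESP rules in the IPsec fragment, the sample secrets files and the sample ifconfig output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for the OpenVPN and IPsec procedures; not code from the page.
# Nothing here touches iptables or starts a daemon: the functions only print
# the fragment and the commands, so they can be reviewed on a workstation
# before being used on the gateway.
# Assumptions (not from the page): the ESP rules, the helper names, and the
# constructed sample files and ifconfig output at the bottom.

# Print an iptables-restore fragment for "openvpn" or "ipsec".
# The IPsec fragment also accepts ESP (IP protocol 50): without NAT-T the
# ESP packets are not encapsulated in UDP 4500 and would otherwise be dropped.
firewall_rules() {
    case "$1" in
        openvpn)
            cat <<'EOF'
*filter
# OpenVPN port
-A INPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
            ;;
        ipsec)
            cat <<'EOF'
*filter
# IPsec ports: IKE (500), NAT-T (4500) and ESP
-A INPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
EOF
            ;;
        *)
            echo "firewall_rules: expected openvpn or ipsec" >&2
            return 1
            ;;
    esac
}

# Choose the IKE daemon from the secrets file, applying the rule in the text:
# an empty /etc/ipsec.secrets means the secrets and the P12 live in the
# TrustZone (charon-tkm); a non-empty file means plain charon.
select_daemon() {
    secrets="${1:-/etc/ipsec.secrets}"
    if [ ! -e "$secrets" ]; then
        echo "select_daemon: $secrets does not exist" >&2
        return 1
    fi
    if [ -s "$secrets" ]; then
        echo charon
    else
        echo charon-tkm
    fi
}

# Compose (but do not run) the start command for the chosen stack.
start_command() {
    case "$1" in
        openvpn) echo "openvpn --config ${2:-/user/client-openvpn.conf} 2>&1 | logger &" ;;
        ipsec)   daemon="$(select_daemon "${2:-/etc/ipsec.secrets}")" || return 1
                 echo "ipsec start --daemon $daemon" ;;
        *)       return 1 ;;
    esac
}

# Report whether interface $1 is listed in the ifconfig output passed as $2
# (pass "$(ifconfig)" on the gateway; a constructed sample is used below).
iface_present() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# Constructed sample inputs (not captured from a real gateway).
EXAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
: > "$EXAMPLE_DIR/empty.secrets"                                            # TrustZone case
printf ': P12 gw.p12 "example-passphrase"\n' > "$EXAMPLE_DIR/plain.secrets"   # clear-text case
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0

vpn0      Link encap:UNSPEC
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255'

# Demo when run directly: show both fragments and the resulting commands.
firewall_rules openvpn
firewall_rules ipsec
start_command openvpn
start_command ipsec "$EXAMPLE_DIR/empty.secrets"   # ipsec start --daemon charon-tkm
start_command ipsec "$EXAMPLE_DIR/plain.secrets"   # ipsec start --daemon charon
iface_present vpn0 "$SAMPLE_IFCONFIG" && echo "vpn0 is up"
```

On the gateway, pipe the fragment into iptables-restore and run the printed command; the secrets-file check is the same one the text asks you to make by hand before choosing between charon and charon-tkm.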