# ipsec.conf - strongSwan IPsec configuration file
# The following variables have to be replaced by the automation setup:
# %LOCAL_IP_ADDRESS% = IP address of the side where this ipsec.conf file resides
# %LOCAL_IP_SUBNET% = IP address, or public-side NAT address, of the side where this ipsec.conf file resides
# %CERT_FILE_PATH_NAME% = Certificate file path and name (alpha side = /home/gguser/ipsec/alphaCert.der, beta side = /etc/ipsec.d/certs/betaCert.der)
# %LOCAL_CN% = Local network name (alpha.test.org or beta.test.org)
# %REMOTE_CN% = Remote network name (beta.test.org or alpha.test.org)
# %REMOTE_IP_ADDRESS% = IP address of the remote side
# %REMOTE_IP_SUBNET% = IP address, or public-side NAT address, of the remote side
# %IKE_LIFETIME% = IKE rekey lifetime (48H for 48 hours)
# %LIFETIME% = Rekey lifetime (48H for 48 hours)
# %LOCAL_IPV6_ADDRESS% = Local side IPv6 address (2000::1)
# %REMOTE_IPV6_ADDRESS% = Remote side IPv6 address (2000::2)
# %CONNECTION_SIDE% = Connection side indicator (Alpha for alpha side, Beta for beta side)
# %CONNECTION_NAME% = Connection name (Udp, Tcp, Sctp, Link, Conn ...)
# %PROTOCOL% = Protocol to be used for the link (udp, tcp, sctp ...)
# %ESP_ENCRYPTION% = ESP encryption algorithm to be used (aes128, aes192, 3des ...)
# %ESP_INTEGRITY% = ESP integrity algorithm to be used (sha1, aesxcbc ...)

# basic configuration
# NOTE(review): the header describes %...% placeholders to be substituted, but this
# copy is already rendered with concrete Beta-side values (left=192.168.1.50,
# /etc/ipsec.d/certs/betaCert.der, CN=beta.test.org).
config setup
# "no": peer authentication succeeds even when no fresh CRL is available, so
# certificate revocation is not reliably enforced here. Acceptable for a lab;
# use "yes" (or "ifuri") wherever revocation must be honoured.
strictcrlpolicy=no
# Verbose charon logging. NOTE(review): charondebug normally takes "<type> <level>"
# pairs (e.g. "ike 2, knl 2"); confirm the installed version accepts "all", and
# keep levels below 4 ("private"), which writes keying material to the log.
charondebug=all

# Add connections here.
# Settings in %default are inherited by every conn below.
conn %default
# Local (Beta) endpoint: its address, the certificate used to authenticate in IKE,
# and the certificate DN sent as the local IKE identity.
left=192.168.1.50
leftcert=/etc/ipsec.d/certs/betaCert.der
leftid="C=US, O=Test, CN=beta.test.org"
# Remote (Alpha) endpoint and the exact DN its certificate must carry; only a
# certificate with this DN is accepted as the peer identity.
right=192.168.1.84
rightid="C=US, O=Test, CN=alpha.test.org"
keyexchange=ikev2
# IKE proposal: AES-128, HMAC-SHA1 integrity/PRF, 2048-bit MODP DH group. The
# trailing "!" makes the proposal strict: the peer must offer exactly this set.
# SHA-1 here is the HMAC construction (not a collision concern) but is deprecated
# in current guidance; prefer sha256 once both peers support it.
ike=aes128-sha1-modp2048!
type=tunnel
# ESP proposal, strict ("!"): AES-128, HMAC-SHA1, modp2048 for PFS on CHILD_SA
# rekeying, "noesn" = 32-bit sequence numbers (Extended Sequence Numbers disabled).
esp=aes128-sha1-modp2048-noesn!
# Rekey 1h before each 168h (7-day) lifetime expires. The %IKE_LIFETIME% /
# %LIFETIME% placeholders (48H in the header example) are already filled in as 168h.
margintime=1h
ikelifetime=168h
lifetime=168h
# IKE_SA rekeying keeps the existing authentication; the peer is not re-authenticated.
reauth=no

# UDP tunnel between two host pairs; "[udp]" restricts each selector to UDP traffic.
conn Beta-Conn1
leftsubnet=192.168.1.50/32[udp],192.168.1.51/32[udp]
rightsubnet=192.168.1.84/32[udp],192.168.1.85/32[udp]
# "add": configuration is loaded but only established when brought up locally
# or initiated by the peer.
auto=add

# UDP tunnel between .51 and .85 only. NOTE(review): this flow is also covered by
# the second selector pair of Beta-Conn1; bring up only one of the two at a time
# to avoid two policies for the same traffic.
conn Beta-Conn9
leftprotoport=udp
leftsubnet=192.168.1.51/32
rightprotoport=udp
rightsubnet=192.168.1.85/32
auto=add

# IPv6 UDP tunnel. NOTE(review): both prefixes carry host bits and normalise to the
# same 2000::/64, so left and right selectors are identical. If host-to-host was
# intended (as the /32 IPv4 conns suggest), this should probably be 2000::3/128
# and 2000::1/128 — confirm with the test plan.
conn Beta-Conn2
leftprotoport=udp
leftsubnet=2000::3/64
rightprotoport=udp
rightsubnet=2000::1/64
auto=add

# Passthrough (shunt): matching UDP traffic between .50 and .84 is exempted from
# IPsec and sent in the clear; authby=never because no SA is negotiated for it.
# NOTE(review): this selector equals the first pair of Beta-Conn1, and strongSwan
# installs shunt policies with precedence over tunnel policies (confirm for this
# version), so with both active that traffic bypasses the tunnel — keep this conn
# down while the tunnel is under test. Also confirm whether auto=add (rather than
# auto=route) installs a shunt at all on the version in use.
conn Beta-Conn3
leftprotoport=udp
leftsubnet=192.168.1.50/32
rightprotoport=udp
rightsubnet=192.168.1.84/32
type=passthrough
authby=never
auto=add

# IPv6 passthrough for UDP; same /64-vs-/128 remark as Beta-Conn2, and the same
# shunt-precedence caveat as Beta-Conn3 relative to Beta-Conn2.
conn Beta-Conn4
leftprotoport=udp
leftsubnet=2000::3/64
rightprotoport=udp
rightsubnet=2000::1/64
type=passthrough
authby=never
auto=add

# ICMP tunnel between the two gateway addresses (host-to-host, /32 each side).
conn Beta-Icmp1
leftprotoport=icmp
leftsubnet=192.168.1.50/32
rightprotoport=icmp
rightsubnet=192.168.1.84/32
auto=add