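# ipsec.conf - strongSwan IPsec configuration file
#
# Read by the strongSwan starter (ipsec.conf format, not generic INI):
# section headers ("config setup", "ca <name>", "conn <name>") start at
# column 0 and every parameter line under a header must be indented.
# Comments start with "#".

config setup
    # uniqueids=never
    # Verbose (level 2) logging for all subsystems.  Level 2 does not dump
    # key material, but levels 3-4 do (raw/decrypted messages and keys) --
    # never raise these on a production gateway.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    # Revocation: nothing in this file configures a CRL or OCSP responder,
    # and the default strictcrlpolicy=no accepts a peer certificate when no
    # CRL can be fetched.  Because mob-maintenance grants elevated access,
    # enable strict checking once a crluri/ocspuri is available for the CA:
    # strictcrlpolicy=yes

# Trust anchor for all peer certificates.  The rightca constraints in the
# conn sections must chain up to this root.
ca acme
    cacert=ca.crt.pem
    auto=add
    # NOTE(review): authby=pubkey was previously listed in this section.  It is
    # a conn parameter, not a ca parameter (the starter reports it as
    # unsupported here), and it is already set in "conn %default" below, so it
    # was removed from this section.

conn %default
    # --- crypto settings ---
    keyexchange=ikev2
    authby=pubkey
    # Trailing "!" makes the proposal lists strict: as responder, this
    # gateway only accepts what is listed here.
    ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
    # SHA-1 integrity and the MODP-1024/MODP-1536 PFS groups were removed
    # (deprecated; below the 112-bit security floor, MODP-1024 is the
    # "Logjam" group).  Clients that only offered those proposals will no
    # longer connect; that is intended.
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-modp2048,aes256-sha256-modp2048!

    # --- tunnel processing ---
    type=tunnel
    fragmentation=yes
    # Always UDP-encapsulate ESP (NAT-T), even when no NAT is detected.
    # This does not change what is encrypted; it only wraps ESP in UDP/4500
    # so it passes middleboxes that drop raw ESP.
    forceencaps=yes
    # Dead-peer detection: drop the SA of a peer that stops answering so
    # stale roadwarrior connections do not linger.
    dpdaction=clear
    dpddelay=300s
    # The gateway does not initiate rekeying; the roadwarrior is expected
    # to.  SAs still expire at their (default) lifetime, so a client that
    # also never rekeys is simply torn down at expiry.  Default rekey time:
    #   rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
    # https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
    rekey=no
    # Lifetimes left at strongSwan defaults; uncomment to tune.
    # ikelifetime=60m
    # keylife=20m
    # rekeymargin=3m
    # keyingtries=1

    # --- tunnel endpoints ---
    # Local address the daemon binds to.
    left=192.168.123.129
    # IKE identity presented to clients (the "@" prefix means: use this FQDN
    # literally, do not resolve it).  Clients must be configured with this
    # string as the server/remote ID, and because leftcert is set in each
    # conn, the identity must match the certificate's subject DN or one of
    # its subjectAltName entries.
    leftid=@s.acme.xyz
    # Full-tunnel: clients route everything through the gateway, which is
    # also what lets clients reach each other.  This is routing only, not
    # access control -- traffic between the 10.10.10.0/24 and 10.10.11.0/24
    # pools defined below is forwarded unless firewall rules block it.
    leftsubnet=0.0.0.0/0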
# Standard user connection: any peer whose certificate chains to the
# "ACME Standard" issuing CA.
conn mob-standard
    right=%any
    # Authorization is by issuing CA: the peer's chain must contain a CA
    # certificate with exactly this DN, and the chain must end at the trust
    # anchor from "ca acme".  The intermediate CA certificate itself must be
    # available to charon (from cacerts/ or sent by the client) -- confirm.
    rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
    # Server certificate presented to standard clients.
    leftcert=server_s.acme.xyz_s.crt.pem
    # Virtual IP pool handed out to standard clients.
    rightsourceip=10.10.10.0/24
    rightdns=192.168.123.129
    auto=add

# Maintenance role connection intended to have elevated privileges; used by
# a "maintenance tablet" to update a MOB Hub.
#
# Both conns use right=%any and inherit the same leftid, so strongSwan can
# only tell them apart by the peer's credentials (the rightca constraint);
# the two issuing-CA DNs must therefore stay distinct.  Note also that
# nothing in this file grants or restricts privileges: the gateway forwards
# between 10.10.10.0/24 and 10.10.11.0/24 (leftsubnet=0.0.0.0/0), so the
# elevated access for this role, and the separation from standard clients,
# must be enforced by firewall rules keyed on the 10.10.11.0/24 pool.
conn mob-maintenance
    right=%any
    # Issuing CA for maintenance certificates; see mob-standard for how the
    # chain is validated.
    rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
    # Server certificate presented to maintenance clients.
    leftcert=server_s.acme.xyz_m.crt.pem
    # Virtual IP pool handed out to maintenance clients.
    rightsourceip=10.10.11.0/24
    rightdns=192.168.123.129
    auto=add