# ipsec.conf - strongSwan IPsec configuration file
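# global daemon settings (parameter lines are indented, as ipsec.conf requires)
config setup
    # uniqueids defaults to yes: a new IKE_SA from an already-connected peer
    # identity replaces the old one. Left commented out, so the default applies.
    # uniqueids=never
    # Level 2 on every subsystem is troubleshooting verbosity. It does not dump
    # key material (that only starts at level 4) but it is noisy and records
    # peer identities and addresses in detail; lower it to 1 (the default) or 0
    # once the deployment is stable.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
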
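# trust anchor for client/server certificates
ca acme
    # a relative path is looked up in /etc/ipsec.d/cacerts
    cacert=ca.crt.pem
    # load the CA section at startup
    auto=add
    # NOTE(review): no crluri/ocspuri is given here and strictcrlpolicy is not
    # set in config setup, so a revoked client certificate is presumably still
    # accepted unless charon can fetch a CRL/OCSP response from URIs embedded in
    # the certificates themselves — confirm against the issued certificates.
    #
    # Rekey timing note (concerns the conn lifetime/rekey parameters below, not
    # this ca section). The default rekey time is:
    # rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
    # https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
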
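# settings inherited by every conn below
conn %default
    # --- crypto settings ---
    keyexchange=ikev2
    authby=pubkey
    # The trailing '!' makes each proposal list strict: only the listed
    # proposals are accepted, in the listed order of preference.
    ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
    # NOTE(review): the tail of this list still admits sha1 integrity and the
    # modp1024/modp1536 DH groups (aes256-sha1-modp4096, aes128-sha1-modp1536,
    # aes128-sha256-modp1024, aes256-sha256-modp1536). A client can negotiate
    # down to them; treat them as legacy fallbacks and remove each one as soon
    # as no deployed client depends on it.
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
    # --- tunnel processing ---
    type=tunnel
    fragmentation=yes
    # always UDP-encapsulate ESP (NAT-T style) even when no NAT is detected;
    # this changes the transport, not what gets encrypted
    forceencaps=yes
    # dead peer detection: close the SAs of an unresponsive peer, no retry
    dpdaction=clear
    dpddelay=300s
    # rekey=no only stops this side from initiating a rekey; as the responder
    # for road-warrior clients that leaves rekeying to the client, and an SA
    # whose client never rekeys simply expires at its lifetime. Still to be
    # verified (original TODO).
    rekey=no
    # lifetime overrides are not applied; the daemon defaults and the rekey
    # formula noted above are in effect
    # ikelifetime=60m
    # keylife=20m
    # rekeymargin=3m
    # keyingtries=1
    # --- local identity and tunnel addressing ---
    # If left|rightcert is configured the identity has to be confirmed by the
    # certificate, that is, it has to match the full subject DN or one of the
    # subjectAltName extensions contained in the certificate
    # bind to this specific local address
    left=192.168.123.129
    # the client must be configured with exactly this server identity
    leftid=@s.acme.xyz
    # full tunnel: clients route all traffic through this gateway. Client-to-
    # client reachability, and isolation between the address pools of the
    # conns below, is therefore decided by the gateway's forwarding and
    # firewall rules, not by this file.
    leftsubnet=0.0.0.0/0
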
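# standard user connection
conn mob-standard
    # server certificate presented to standard clients; per the %default note,
    # its subject DN or a subjectAltName must confirm leftid (@s.acme.xyz)
    leftcert=server_s.acme.xyz_s.crt.pem
    # accept any peer address (road warrior); the peer is authenticated by its
    # certificate, not its address
    right=%any
    # only client certificates chaining to this intermediate CA are accepted;
    # this, not the IP pool, is what distinguishes a standard user from a
    # maintenance user. The intermediate CA certificate presumably has to be
    # available to charon (e.g. under /etc/ipsec.d/cacerts) for the match.
    rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
    # virtual IP address pool handed out to standard clients
    rightsourceip=10.10.10.0/24
    rightdns=192.168.123.129
    # load at startup and wait for the client to initiate
    auto=add
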
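# maintenance role connection that will have elevated privileges
# this configuration can be used with a "maintenance tablet" to update a MOB Hub
conn mob-maintenance
    # server certificate presented to maintenance clients; per the %default
    # note, its subject DN or a subjectAltName must confirm leftid (@s.acme.xyz)
    leftcert=server_s.acme.xyz_m.crt.pem
    # accept any peer address (road warrior); authentication is by certificate
    right=%any
    # only client certificates chaining to the maintenance intermediate CA are
    # accepted. This is the sole gate into the privileged pool, so issuance
    # from this CA must be as tightly controlled as the access it grants.
    rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
    # virtual IP address pool for maintenance clients; the "elevated
    # privileges" are whatever the gateway's firewall grants to this range —
    # the conn itself only assigns the address
    rightsourceip=10.10.11.0/24
    rightdns=192.168.123.129
    # load at startup and wait for the client to initiate
    auto=add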