# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
#
# CAUTION
# CAUTION
# CAUTION
# Manually-keyed connections used for anything beyond preliminary testing
# must not carry their encryption/authentication keys in this file.  Keep
# the keys in a separate file (permissions rw-------) that is pulled in
# through the `also' parameter and the include facility -- see the
# ipsec.conf(5) manpage -- so that they are not readable by every local user.
# CAUTION
# CAUTION
# CAUTION

# basic configuration
config setup
	# Interfaces IPSEC runs on, as a quoted list of `virtual=physical'
	# pairs.  With a single public interface only the physical side
	# normally needs editing (eth0, ppp0, ...); the virtual side stays
	# ipsec0.  *This must be right* or almost nothing will work.
	interfaces="ipsec0=eth0"
	# Debug output from the kernel side (KLIPS): "none" or "all".
	# Leave at "none" outside of troubleshooting -- "all" is very verbose.
	klipsdebug=none
	# Debug output from the IKE daemon (Pluto): "none" or "all".
	plutodebug=none
	# Whether the setup script switches IP forwarding on when IPSEC starts
	# and off again when it stops.
	forwardcontrol=no
	# Manually-keyed connections to bring up at startup (none here).
	manualstart=
	# Connections loaded into Pluto's database at startup.  Only the names
	# listed here are known to Pluto; conns defined below but absent from
	# this list (allen, compatible, novell) are never loaded -- presumably
	# intentional for the interop run, confirm if they are expected to work.
	plutoload=nortel checkpoint cisco interdyn microsoft radguard redcreek intel timestep vpnet datafellows
	# Subset of plutoload that Pluto actively negotiates at startup; the
	# remainder are loaded but wait for the peer to initiate.
	plutostart=redcreek nortel datafellows cisco interdyn timestep
	# Whether Pluto blocks on each negotiation before moving to the next.
	plutowait=no

# connection specifications

# Sample tunnel (manually or automatically keyed).  ESP is used for both
# encryption and authentication, which is the simplest and usually best
# choice.
#conn sample
#	type=tunnel
#	# left security gateway (public-network address)
#	left=10.0.0.1
#	# next hop to reach right
#	leftnexthop=10.44.55.66
#	# subnet behind left (omit if left end of the tunnel is just the s.g.)
#	leftsubnet=172.16.0.0/24
#	# right s.g., subnet behind it, and next hop to reach left
#	right=10.12.12.1
#	rightnexthop=10.88.77.66
#	rightsubnet=192.168.0.0/24
#	# (manual) base for SPI numbering; must end in 0
#	# spibase=0x200
#	# (manual) encryption/authentication algorithm and parameters to it
#	# These key values are the published sample; never reuse them.
#	esp=3des-md5-96
#	espenckey=0x40ee9860_d890027c_a8b32072_3cbb0855_8ee22f98_11adca08
#	espauthkey=0xac56a5c2_be6188cd_078c290b_89b3498c
#	# (auto) key-exchange type
#	keyexchange=ike
#	# (auto) key lifetime (before automatic rekeying)
#	keylife=8h
#	# (auto) how persistent to be in (re)keying negotiations (0 means very)
#	keyingtries=0

# Local gateway to a single remote host; automatically keyed via IKE.
# NOTE(review): "allen" is not in plutoload above, so this setup never
# hands it to Pluto -- confirm whether that is intended.
conn allen
	type=tunnel
	# left security gateway (public-network address) and the subnet behind it
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	# next hop to reach right -- currently disabled
	#leftnexthop=45.210.50.70
	# right security gateway; no subnet or next hop configured behind it
	right=45.210.50.70
	#rightnexthop=45.210.50.120
	#rightsubnet=45.210.15.0/24
	# (manual) base for SPI numbering; must end in 0 -- disabled
	#spibase=0x200
	# (manual) algorithm and keys -- disabled.  These are the sample values
	# from above (and single DES is weak); if manual keying is ever enabled
	# here, the keys belong in a rw------- file per the header caution.
	# esp=des-md5
	# espenckey=0x40ee9860_d890027c_a8b32072_3cbb0855_8ee22f98_11adca08
	# espauthkey=0xac56a5c2_be6188cd_078c290b_89b3498c
	# (auto) IKE keying: 12h lifetime before rekeying, retry without limit
	keyexchange=ike
	keylife=12h
	keyingtries=0
	# ESP for both encryption and authentication
	auth=esp
	# Perfect Forward Secrecy disabled: a compromise of the IKE phase-1
	# secret then exposes every phase-2 key derived from it.  Presumably
	# set for peer compatibility -- confirm before using beyond testing.
	pfs=no

#
# Start the Interoperability test clients here
#
# Every client conn below is an IKE-keyed ESP tunnel from the local gateway
# 45.210.50.120 (subnet 45.210.20.0/24 unless noted) to one test peer at
# 45.210.50.N with subnet 45.210.N.0/24 behind it.  Shared settings on all
# of them: keylife=12h, keyingtries=0 (retry indefinitely) and pfs=no
# (no Perfect Forward Secrecy; see the note on conn allen).

conn nortel
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.102
	rightsubnet=45.210.2.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn checkpoint
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.104
	rightsubnet=45.210.4.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn cisco
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.105
	rightsubnet=45.210.5.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

# Not listed in plutoload, so not loaded at startup under this setup.
conn compatible
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.106
	rightsubnet=45.210.6.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

# Host-to-host variant: a single address (/32) on each side of the tunnel.
conn interdyn
	left=45.210.50.120
	leftsubnet=45.210.20.80/32
	right=45.210.50.109
	rightsubnet=45.210.9.80/32
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn microsoft
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.111
	rightsubnet=45.210.11.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

# Not listed in plutoload, so not loaded at startup under this setup.
conn novell
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.113
	rightsubnet=45.210.13.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn radguard
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.114
	rightsubnet=45.210.14.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn redcreek
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.115
	rightsubnet=45.210.15.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn intel
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.116
	rightsubnet=45.210.16.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn timestep
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.117
	rightsubnet=45.210.17.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn vpnet
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.118
	rightsubnet=45.210.18.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0

conn datafellows
	left=45.210.50.120
	leftsubnet=45.210.20.0/24
	right=45.210.50.119
	rightsubnet=45.210.19.0/24
	type=tunnel
	keyexchange=ike
	auth=esp
	pfs=no
	keylife=12h
	keyingtries=0