Attention: All pages of this wiki depend on the pages that come before it, in order as they are listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki
/etc/ipsec.conf: Difference between revisions
(2 intermediate revisions by the same user not shown)
Line 23: | Line 23: | ||
conn rw-l2tp-computerisms-withnat | conn rw-l2tp-computerisms-withnat | ||
rightsubnet=vhost:%no,%priv | rightsubnet=vhost:%no,%priv | ||
also=rw-l2tp- | also=rw-l2tp-computerisms-nonat | ||
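Review bot: the truncated `also=rw-l2tp-` in the left column is a dangling reference, and that is the real content of this hunk: `also=` pulls in the parameters of the named conn, and when no conn section has that name pluto/addconn cannot resolve it, so the whole `rw-l2tp-computerisms-withnat` conn fails to load and NAT'd L2TP clients silently get no matching conn. The right column's `also=rw-l2tp-computerisms-nonat` does point at a defined conn; an edit summary saying "fix truncated also= reference" would make the intent clear to the next reader.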
Line 40: | Line 40: | ||
# left=199.247.177.61 | # left=199.247.177.61 | ||
# leftsubnet=192.168.26.0/24 | # leftsubnet=192.168.26.0/24 | ||
# leftcert=porchlian.computerisms.com | # leftcert=porchlian.computerisms.com | ||
# leftrsasigkey=%cert | # leftrsasigkey=%cert | ||
# right=199.247.237.32 | # right=199.247.237.32 | ||
# rightsubnet=192.168.125.0/24 | # rightsubnet=192.168.125.0/24 | ||
# rightcert=barnlian.computerisms.com | # rightcert=barnlian.computerisms.com | ||
# rightrsasigkey=%cert | # rightrsasigkey=%cert | ||
# auto=start | # auto=start | ||
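Review bot: both columns of this hunk are identical, so the edit here can only be whitespace or indentation. That is not cosmetic in ipsec.conf: a parameter line must be indented under its conn and a column-0 line starts a new section, so a note in the edit summary saying what was reindented (and checking it with `ipsec addconn --checkconfig` or an equivalent reload) would help.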
Line 54: | Line 54: | ||
# leftsourceip=192.168.26.1 | # leftsourceip=192.168.26.1 | ||
# leftid=%fromcert | # leftid=%fromcert | ||
# leftcert=porchlian.computerisms.com | # leftcert=porchlian.computerisms.com | ||
# right=190.120.231.143 | # right=190.120.231.143 | ||
# rightnexthop=190.120.228.1 | # rightnexthop=190.120.228.1 | ||
# rightsubnet=0.0.0.0/0 | # rightsubnet=0.0.0.0/0 | ||
# rightid=%fromcert | # rightid=%fromcert | ||
# rightcert=speedlian.computerisms.com | # rightcert=speedlian.computerisms.com | ||
# auto=start | # auto=start | ||
# dpdaction=restart | # dpdaction=restart |
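Review bot: `dpdaction=restart` on its own does not switch Dead Peer Detection on; Openswan only runs DPD for a conn when `dpddelay=` and `dpdtimeout=` are set, so as written the restart never fires and a dead peer leaves this default-route tunnel (`rightsubnet=0.0.0.0/0`) black-holing all internet-bound traffic until someone notices. Suggest adding, for example, `dpddelay=30` and `dpdtimeout=120` beside it (example values, tune to the link).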
Latest revision as of 18:14, 15 July 2014
Notes
- conn computerisms2remoff connects two subnets.
- Copy the exact same conn on the remote firewall
- barnlian is the hypothetical remote gateway; you have to import its cert into the NSS database too.
- conn big-gw is useful for internet connections with limited flows
- This sends all internet-destined traffic out a tunnel consisting of only two flows
- Then you can rent a server (or similar) with a connection that is not flow-restricted.
- Mac support: if you need to mix Mac and Windows clients, use PSK instead of certificates.
Config File

version 2.0

config setup
    interfaces="%defaultroute"
    plutodebug=none
    klipsdebug=none
    protostack=netkey
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.26.0/24
    nat_traversal=yes
    oe=off

conn rw-l2tp-computerisms-withnat
    rightsubnet=vhost:%no,%priv
    also=rw-l2tp-computerisms-nonat

conn rw-l2tp-computerisms-nonat
    left=199.247.177.61
    leftnexthop=199.247.176.1
    leftprotoport=17/%any
    leftcert=porchlian.computerisms.com
    right=%any
    rightprotoport=17/%any
    rightca=%same
    pfs=no
    auto=add

#conn computerisms2remoff
#    left=199.247.177.61
#    leftsubnet=192.168.26.0/24
#    leftcert=porchlian.computerisms.com
#    leftrsasigkey=%cert
#    right=199.247.237.32
#    rightsubnet=192.168.125.0/24
#    rightcert=barnlian.computerisms.com
#    rightrsasigkey=%cert
#    auto=start

#conn big-gw
#    left=199.247.177.61
#    leftnexthop=199.247.176.1
#    leftsubnet=192.168.26.0/24
#    leftsourceip=192.168.26.1
#    leftid=%fromcert
#    leftcert=porchlian.computerisms.com
#    right=190.120.231.143
#    rightnexthop=190.120.228.1
#    rightsubnet=0.0.0.0/0
#    rightid=%fromcert
#    rightcert=speedlian.computerisms.com
#    auto=start
#    dpdaction=restart
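As an added example (not code from this wiki page or from Openswan), here is a small Python check for the two problems this revision history points at: an `also=` that names a conn which does not exist, as in the truncated `also=rw-l2tp-` of the earlier revision, and `dpdaction=` set without `dpddelay=`/`dpdtimeout=`, which leaves DPD switched off. The sample config inside it is constructed from the page's conn names, with both problems present.

```python
# Added example, not from the wiki page: a tiny ipsec.conf linter for two pitfalls
# seen in this revision history: an also= naming a conn that does not exist (the
# truncated also=rw-l2tp- of the earlier revision) and dpdaction= without
# dpddelay=/dpdtimeout=, which leaves Dead Peer Detection switched off.
# Constructed sample based on the page's config, with both problems present.
SAMPLE = """\
version 2.0
conn rw-l2tp-computerisms-withnat
    rightsubnet=vhost:%no,%priv
    also=rw-l2tp-
conn rw-l2tp-computerisms-nonat
    left=199.247.177.61
    right=%any
    auto=add
conn big-gw
    rightsubnet=0.0.0.0/0   # default route through the tunnel
    auto=start
    dpdaction=restart
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; every also= is kept in a list under 'also'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header in column 0
            parts = line.split()
            if parts[0] == "version":
                continue
            current = sections.setdefault(parts[-1], {"also": []})
        elif current is not None and "=" in line:  # indented key=value
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "also":
                current["also"].append(val)
            else:
                current[key] = val
    return sections

def lint(text):
    """Return human-readable findings; an empty list means the file is clean."""
    sections, findings = parse_ipsec_conf(text), []
    for name, p in sections.items():
        for ref in p["also"]:
            if ref not in sections:
                findings.append(f"{name}: also={ref} refers to an undefined conn")
        if "dpdaction" in p and not ("dpddelay" in p and "dpdtimeout" in p):
            findings.append(f"{name}: dpdaction without dpddelay/dpdtimeout, DPD is off")
    return findings
```

Run `lint(open("/etc/ipsec.conf").read())` after editing the file; it reports the two findings on the sample and an empty list once the `also=` is completed and DPD timers are added.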