
/etc/ipsec.conf: Difference between revisions

(2 intermediate revisions by the same user not shown)
Line 23: Line 23:
conn rw-l2tp-computerisms-withnat
conn rw-l2tp-computerisms-withnat
   rightsubnet=vhost:%no,%priv
   rightsubnet=vhost:%no,%priv
   also=rw-l2tp-pacesetter-nonat
   also=rw-l2tp-computerisms-nonat




Line 40: Line 40:
#  left=199.247.177.61
#  left=199.247.177.61
#  leftsubnet=192.168.26.0/24
#  leftsubnet=192.168.26.0/24
#  leftcert=porchlian.computerisms.com.pem
#  leftcert=porchlian.computerisms.com
#  leftrsasigkey=%cert
#  leftrsasigkey=%cert
#  right=199.247.237.32
#  right=199.247.237.32
#  rightsubnet=192.168.125.0/24
#  rightsubnet=192.168.125.0/24
#  rightcert=barnlian.computerisms.com.pem
#  rightcert=barnlian.computerisms.com
#  rightrsasigkey=%cert
#  rightrsasigkey=%cert
#  auto=start
#  auto=start
Line 54: Line 54:
#  leftsourceip=192.168.26.1
#  leftsourceip=192.168.26.1
#  leftid=%fromcert
#  leftid=%fromcert
#  leftcert=porchlian.computerisms.com.pem
#  leftcert=porchlian.computerisms.com
#  right=190.120.231.143
#  right=190.120.231.143
#  rightnexthop=190.120.228.1
#  rightnexthop=190.120.228.1
#  rightsubnet=0.0.0.0/0
#  rightsubnet=0.0.0.0/0
#  rightid=%fromcert
#  rightid=%fromcert
#  rightcert=speedlian.computerisms.com.pem
#  rightcert=speedlian.computerisms.com
#  auto=start
#  auto=start
#  dpdaction=restart
#  dpdaction=restart
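Review bot: Dropping the `.pem` suffix from the `leftcert=`/`rightcert=` values in the Line 40 and Line 54 hunks is only right if those names are the exact nicknames the certificates were imported into NSS under, and nothing on the page records that, so a comment such as `# NSS nickname, as listed by certutil -L -d <nss-db-dir>` next to the first `leftcert=` would spare the next editor a guess. Both hunks sit inside conns that are entirely commented out, and their `#conn computerisms2remoff` and `#conn big-gw` headers are outside the hunks, so those edits change nothing until the conns are uncommented. The one live change is the `also=` target in the Line 23 hunk; an `also=` naming a section that does not exist should be rejected when the conn is loaded, so after this edit it is worth confirming with `ipsec auto --status` that rw-l2tp-computerisms-withnat is actually listed.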

Latest revision as of 19:14, 15 July 2014

Notes

  • conn computerisms2remoff connects two subnets.
    • Configure the exact same conn on the remote firewall
    • barnlian is the hypothetical remote gateway; its certificate must also be imported into NSS.
  • conn big-gw is useful for internet connections that limit the number of flows
    • This sends all internet-destined traffic out a tunnel consisting of only two flows
    • You can then rent a server (or similar) with a connection that has no flow restriction
  • Mac support: if you need to support both Mac and Windows clients, use PSK instead of certificates.

Config File

# Configuration-file format version; expected at the top of ipsec.conf.
version 2.0

config setup
   # Use the interface that carries the default route for IKE/ESP.
   interfaces="%defaultroute"
   # Debug logging for the pluto daemon and the kernel stack is turned off.
   plutodebug=none
   klipsdebug=none
   # Use the in-kernel NETKEY (XFRM) IPsec stack rather than KLIPS.
   protostack=netkey
   # Private address ranges that NAT-ed clients may appear from; the local
   # LAN 192.168.26.0/24 is excluded (the "!" entry) so a remote client
   # cannot claim an address that collides with it.
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.26.0/24
   # Allow IKE/ESP to traverse NAT (UDP encapsulation).
   nat_traversal=yes
   # Opportunistic encryption is disabled.
   oe=off

conn rw-l2tp-computerisms-withnat
   # Road-warrior L2TP clients behind NAT: the peer may present either its
   # own address (%no) or a private address drawn from virtual_private (%priv).
   rightsubnet=vhost:%no,%priv
   # All remaining settings are taken from the non-NAT conn below.
   also=rw-l2tp-computerisms-nonat


conn rw-l2tp-computerisms-nonat
   # This gateway's public address and its next hop toward the internet.
   left=199.247.177.61
   leftnexthop=199.247.176.1
   # UDP (protocol 17) on any local port. L2TP itself uses UDP 1701, so
   # narrowing the local side to 17/1701 is a common tightening —
   # NOTE(review): confirm existing clients still connect before changing it.
   leftprotoport=17/%any
   # NSS nickname of this gateway's certificate (a nickname, not a .pem
   # file path).
   leftcert=porchlian.computerisms.com
   # Any client address may connect (road warriors); UDP on any port.
   right=%any
   rightprotoport=17/%any
   # Accept a client certificate only if it was issued by the same CA as
   # leftcert.
   rightca=%same
   # Perfect forward secrecy disabled for the IPsec SA — NOTE(review): usually
   # kept off for Windows L2TP/IPsec clients; it is the weaker setting, so
   # confirm it is still required.
   pfs=no
   # Load the conn and wait for clients to initiate; do not initiate it.
   auto=add

#conn computerisms2remoff
#   # Site-to-site tunnel between this LAN (192.168.26.0/24) and the remote
#   # LAN (192.168.125.0/24) behind the gateway barnlian; disabled here.
#   # The remote firewall needs the identical conn, and barnlian's certificate
#   # must be imported into this host's NSS database (see Notes).
#   left=199.247.177.61
#   leftsubnet=192.168.26.0/24
#   # Local certificate by NSS nickname; the peer is authenticated with the
#   # RSA key taken from its certificate.
#   leftcert=porchlian.computerisms.com
#   leftrsasigkey=%cert
#   right=199.247.237.32
#   rightsubnet=192.168.125.0/24
#   # The peer must present this exact certificate (NSS nickname).
#   rightcert=barnlian.computerisms.com
#   rightrsasigkey=%cert
#   # Bring the tunnel up at startup.
#   auto=start

#conn big-gw
#   # Default-route tunnel: all internet-bound traffic from the LAN is sent
#   # through the remote gateway speedlian (rightsubnet 0.0.0.0/0), so the
#   # local link carries only this tunnel's flows (see Notes). Disabled here.
#   left=199.247.177.61
#   leftnexthop=199.247.176.1
#   leftsubnet=192.168.26.0/24
#   # Source address for traffic this gateway itself sends into the tunnel.
#   leftsourceip=192.168.26.1
#   # Both IKE identities are taken from the certificates' subject names.
#   leftid=%fromcert
#   leftcert=porchlian.computerisms.com
#   right=190.120.231.143
#   rightnexthop=190.120.228.1
#   # 0.0.0.0/0: every destination is routed over the tunnel.
#   rightsubnet=0.0.0.0/0
#   rightid=%fromcert
#   # The peer must present this exact certificate (NSS nickname).
#   rightcert=speedlian.computerisms.com
#   # Bring the tunnel up at startup.
#   auto=start
#   # Dead Peer Detection: re-establish the tunnel if the peer stops answering.
#   dpdaction=restart