Attention: All pages of this wiki depend on the pages that come before it, in order as they are listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki

Difference between revisions of "/etc/ipsec.conf"

From COCNM
Jump to: navigation, search
(Config File)
(Config File)
 
Line 54: Line 54:
 
#  leftsourceip=192.168.26.1
 
#  leftsourceip=192.168.26.1
 
#  leftid=%fromcert
 
#  leftid=%fromcert
#  leftcert=porchlian.computerisms.com.pem
+
#  leftcert=porchlian.computerisms.com
 
#  right=190.120.231.143
 
#  right=190.120.231.143
 
#  rightnexthop=190.120.228.1
 
#  rightnexthop=190.120.228.1
 
#  rightsubnet=0.0.0.0/0
 
#  rightsubnet=0.0.0.0/0
 
#  rightid=%fromcert
 
#  rightid=%fromcert
#  rightcert=speedlian.computerisms.com.pem
+
#  rightcert=speedlian.computerisms.com
 
#  auto=start
 
#  auto=start
 
#  dpdaction=restart
 
#  dpdaction=restart

Latest revision as of 19:14, 15 July 2014

Notes

  • conn computerisms2remoff connects two subnets.
    • Copy the exact same conn on the remote firewall
    • barnlian is the hypothetical remote gateway, you have to import his cert into nss too.
  • conn big-gw is useful for internet connections with limited flows
    • This sends all internet-destined traffic out a tunnel consisting of only two flows
    • Then you can rent a server or something with a non-flow restricted connection
  • Mac support: if you need to mix mac and windows, use psk instead of certificates.

Config File

version 2.0

config setup
   interfaces="%defaultroute"
   plutodebug=none
   klipsdebug=none
   protostack=netkey
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.26.0/24
   nat_traversal=yes
   oe=off

conn rw-l2tp-computerisms-withnat
   rightsubnet=vhost:%no,%priv
   also=rw-l2tp-computerisms-nonat


conn rw-l2tp-computerisms-nonat
   left=199.247.177.61
   leftnexthop=199.247.176.1
   leftprotoport=17/%any
   leftcert=porchlian.computerisms.com
   right=%any
   rightprotoport=17/%any
   rightca=%same
   pfs=no
   auto=add

#conn computerisms2remoff
#   left=199.247.177.61
#   leftsubnet=192.168.26.0/24
#   leftcert=porchlian.computerisms.com
#   leftrsasigkey=%cert
#   right=199.247.237.32
#   rightsubnet=192.168.125.0/24
#   rightcert=barnlian.computerisms.com
#   rightrsasigkey=%cert
#   auto=start

#conn big-gw
#   left=199.247.177.61
#   leftnexthop=199.247.176.1
#   leftsubnet=192.168.26.0/24
#   leftsourceip=192.168.26.1
#   leftid=%fromcert
#   leftcert=porchlian.computerisms.com
#   right=190.120.231.143
#   rightnexthop=190.120.228.1
#   rightsubnet=0.0.0.0/0
#   rightid=%fromcert
#   rightcert=speedlian.computerisms.com
#   auto=start
#   dpdaction=restart