Attention: All pages of this wiki depend on the pages that come before them, in the order listed on the Main Page. Please check for dependencies.
Please also look at What You Need to Know Before Using This Wiki

/etc/ipsec.conf


Notes

  • conn computerisms2remoff connects two subnets.
    • Copy the exact same conn to the remote firewall (the daemon works out which side is local by matching left/right against its own interfaces).
    • barnlian is the hypothetical remote gateway; its certificate must be imported into the local NSS database as well, otherwise rightcert cannot be resolved.
  • conn big-gw is useful for internet connections with limited flows
    • This sends all internet-destined traffic through a single tunnel, which occupies only two flows on the uplink (the IKE and the ESP/NAT-T flow).
    • You can then rent a server (or similar) on a connection without a flow limit and use it as the remote end of the tunnel.
  • Mac support: if you need to mix macOS and Windows clients, use a PSK instead of certificates. Be aware that a road-warrior PSK is one secret shared by every client, so anyone holding it can impersonate the gateway to the others; rotate it whenever a device that stored it is lost or retired.

Config File

# Syntax version marker for ipsec.conf(5); when present it must be the first
# significant line of the file.
version 2.0

# Global settings for the IKE daemon (pluto).
config setup
   # Listen on whichever interface carries the default route.
   interfaces="%defaultroute"
   # Debug output disabled for pluto.
   plutodebug=none
   # Presumably has no effect with protostack=netkey below; kept for completeness.
   klipsdebug=none
   # Use the kernel's native IPsec stack (NETKEY/XFRM) rather than KLIPS.
   protostack=netkey
   # Private (RFC 1918) ranges a NAT'ed road-warrior is allowed to sit behind.
   # The local LAN 192.168.26.0/24 is explicitly excluded so a remote client can
   # never claim an address that collides with it.
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.26.0/24
   # IKE/ESP encapsulated in UDP 4500 for clients behind NAT; the
   # rw-l2tp-computerisms-withnat conn below relies on this.
   nat_traversal=yes
   # Opportunistic encryption off: only explicitly configured conns are negotiated.
   oe=off
   # NOTE(review): no ike= / phase2alg= (esp=) lines appear anywhere in this file,
   # so the proposals offered are whatever this Openswan/Libreswan build defaults
   # to — on older releases that can include 3DES/MD5/modp1024. Pin explicit
   # algorithms here or per conn once you have confirmed what the clients support.

# Road-warrior variant for clients sitting behind a NAT.
conn rw-l2tp-computerisms-withnat
   # vhost:%no accepts the client's own address; %priv additionally accepts a
   # private address from the virtual_private ranges declared in "config setup".
   rightsubnet=vhost:%no,%priv
   # Everything else (gateway address, cert, protoport, rightca, pfs, auto) is
   # inherited from the non-NAT conn, so keep the two in sync by editing only that one.
   also=rw-l2tp-computerisms-nonat


# Road-warrior L2TP/IPsec conn for clients with a public address; the *-withnat
# conn above pulls all of its settings from here via also=.
conn rw-l2tp-computerisms-nonat
   # The gateway's own public address and its upstream router.
   left=199.247.177.61
   leftnexthop=199.247.176.1
   # Transport policy on the gateway side covers *all* UDP, not only L2TP (UDP 1701).
   # NOTE(review): 17/1701 is the usual and tighter setting for the gateway side of
   # an L2TP conn; confirm 17/%any was intended before leaving the policy this broad.
   leftprotoport=17/%any
   # Nickname of the gateway's certificate in the NSS database.
   leftcert=porchlian.computerisms.com
   # Any source address may connect.
   right=%any
   # Clients typically pick an ephemeral source port for L2TP, hence %any here.
   rightprotoport=17/%any
   # Clients authenticate by certificate: any cert issued by the same CA that signed
   # leftcert is accepted, and no rightid= is set, so every certificate that CA has
   # ever issued is a valid client credential. NOTE(review): nothing in this file
   # configures revocation checking (crlcheckinterval/strictcrlpolicy) — confirm how
   # a lost or revoked client certificate gets rejected.
   rightca=%same
   # No fresh DH exchange in Phase 2 (Quick Mode); typically required by the built-in
   # Windows L2TP client, but it means the IPsec keys derive solely from the IKE SA.
   pfs=no
   # Load the conn and wait for clients to initiate; the gateway never dials out.
   auto=add

# Site-to-site example (disabled): joins 192.168.26.0/24 behind this gateway to
# 192.168.125.0/24 behind the remote gateway "barnlian". Enable the identical conn
# on both sides; the daemon decides which end is local by matching left/right
# against its own interfaces. Both peers are pinned by certificate (leftcert /
# rightcert), which is stricter than the rightca=%same used by the road-warrior conns.
#conn computerisms2remoff
#   left=199.247.177.61
#   leftsubnet=192.168.26.0/24
#   leftcert=porchlian.computerisms.com
#   # Take the public key from the named certificate instead of a literal key blob.
#   leftrsasigkey=%cert
#   right=199.247.237.32
#   rightsubnet=192.168.125.0/24
#   # The remote gateway's certificate must also be imported into NSS (see Notes).
#   rightcert=barnlian.computerisms.com
#   rightrsasigkey=%cert
#   # Bring the tunnel up at daemon start rather than waiting for the peer.
#   auto=start

# Default-route tunnel example (disabled): sends all traffic from 192.168.26.0/24
# through the remote gateway "speedlian" (rightsubnet=0.0.0.0/0), intended for
# uplinks with a limited number of flows (see Notes).
#conn big-gw
#   left=199.247.177.61
#   leftnexthop=199.247.176.1
#   leftsubnet=192.168.26.0/24
#   # Source address the gateway itself uses for traffic it originates into the tunnel.
#   leftsourceip=192.168.26.1
#   # Both identities are taken from the certificates' subject names.
#   leftid=%fromcert
#   leftcert=porchlian.computerisms.com
#   right=190.120.231.143
#   rightnexthop=190.120.228.1
#   # Everything not on the local LAN goes through the tunnel.
#   # NOTE(review): decide what should happen to LAN traffic while this tunnel is
#   # down — with nothing else configured it presumably follows the plain default
#   # route; block it with a firewall rule or failureshunt if leaking is unacceptable.
#   rightsubnet=0.0.0.0/0
#   rightid=%fromcert
#   rightcert=speedlian.computerisms.com
#   auto=start
#   # Re-establish the tunnel when dead-peer detection declares the peer gone.
#   # NOTE(review): no dpddelay=/dpdtimeout= are set in this conn; DPD is only
#   # active when those are configured, so confirm this action can actually fire.
#   dpdaction=restart