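# /etc/ipsec.conf
#
# Openswan IPsec/L2TP gateway configuration for a single user who is
# authenticated by an X.509 certificate.  Read by pluto (ipsec.conf(5)).
# Layout rules of that format: the "version" line and section headers
# ("config setup", "conn NAME") start in column 0; every parameter line
# inside a section must be indented.  Comments are full-line "#".

version 2

config setup
    # Enable NAT traversal (UDP encapsulation) so that clients sitting
    # behind a NAT device can still establish the tunnel.
    nat_traversal=yes
    # Address ranges a road-warrior client is allowed to claim as its
    # virtual IP (%v4: entries).  The "!" entry excludes the network this
    # gateway uses itself, so a client can never assert an address that
    # overlaps our own LAN.
    # example assumes we are using 192.168.1.0/24 ourselves
    # NOTE(review): the last entry originally ended in a stray "."
    # ("…/24."), which is not a valid CIDR and would make the whole
    # virtual_private value unparsable; the period has been removed.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    # Only the mast stack of Openswan supports SAref tracking
    # (needed by overlapip/sareftrack in the conn below).  mast/SAref is
    # Openswan-specific; confirm it exists in the installed version.
    protostack=mast
    # Alternative in-kernel stack; per the note above it does not
    # support SAref tracking, so it is left disabled here.
    #protostack=netkey

conn L2TP-CERT
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    # Risk: pfs=no means compromise of the long-term IKE keys exposes
    # previously recorded IPsec sessions.  It is presumably kept for the
    # legacy Windows clients named above — confirm that they still
    # require it before relying on this setting.
    #
    authby=rsasig
    pfs=no
    #
    # This gateway's public address (example value); its public key is
    # taken from the certificate in leftcert.
    left=123.123.123.123
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/ssl/localCERT.pem
    #
    # Protect only L2TP traffic (UDP, port 1701) on our side.
    leftprotoport=17/1701
    #
    # The remote user.
    #
    # right=%any accepts a peer from any source address; the peer is
    # identified solely by the certificate in rightcert, so that file —
    # not an IP address — is what authorizes this connection.
    #
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/ssl/userCERT.pem
    # vhost: lets the peer claim a virtual address; %priv refers to the
    # virtual_private list in "config setup".  See ipsec.conf(5) for the
    # exact semantics of the trailing %no entry.
    rightsubnet=vhost:%priv,%no
    # Accept L2TP from any client source port.
    rightprotoport=17/%any
    #
    # Change 'ignore' to 'add' to enable the configuration for this user.
    # With 'ignore' the conn is not loaded at startup, i.e. the user is
    # disabled.
    #
    auto=ignore
    # Abandon the negotiation after three attempts rather than retrying
    # indefinitely (the default).
    keyingtries=3
    # Only the mast stack with Openswan supports SAref tracking with
    # overlapping IP address support
    overlapip=yes
    sareftrack=yes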