1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
# sample connections
# This file is RCSID $Id: examples,v 1.1 2004/03/15 20:35:21 as Exp $
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work.
interfaces="ipsec0=eth1 ipsec1=ppp0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Manual connections to be started at startup.
manualstart="test1 test2"
# Auto connections to be loaded into Pluto at startup.
plutoload="samplehth samplefire"
# Auto connections to be started at startup.
plutostart=samplefire
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
spi=0x200
esp=3des-md5-96
espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
# key lifetime (before automatic rekeying)
keylife=8h
# sample connection
conn sample
# Left security gateway and subnet behind it.
left=10.0.0.1
leftsubnet=172.16.0.0/24
# Right security gateway and subnet behind it.
right=10.12.12.1
rightsubnet=192.168.0.0/24
# Authorize this connection, but don't actually start it, at startup.
auto=add
# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
# (manual) SPI number
spi=0x200
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# In the remaining examples, deviations from the sample-tunnel configuration
# are marked with ###.
# sample host-to-host tunnel (no subnets)
# Here we assume (for purposes of illustration) that the hosts talk directly
# to each other, so we don't need next-hop settings.
conn samplehth
### left host (public-network address)
left=10.0.0.1
### next hop to reach right
leftnexthop=
### right host
right=10.12.12.1
### next hop to reach left
rightnexthop=
### (manual) SPI number
spi=0x300
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample hybrid tunnel, with a host on one end and a subnet (behind a
# security gateway) on the other
# This case is also sometimes called "road warrior".
conn samplehyb
### left host (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left
leftsubnet=172.16.0.0/24
### right host, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
### (manual) SPI number
spi=0x400
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample firewall-penetrating tunnel
# Here we assume that firewalling is being done on the left side.
conn samplefire
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
### left is firewalling for its subnet
leftfirewall=yes
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
### (manual) SPI number
spi=0x500
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
espenckey=[192 bits]
espauthkey=[128 bits]
# sample transport-mode connection (which can only be host-to-host)
# Here we use the whole nine yards, with encryption done by ESP and
# authentication by AH; this perhaps is slightly preferable for transport
# mode, where the IP headers are exposed.
conn sampletm
### transport mode rather than tunnel
type=transport
### left host (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
### right host, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
### (manual) SPI number
spi=0x600
### (manual) encryption algorithm and parameters to it
esp=3des
espenckey=[192 bits]
### (manual) authentication algorithm and parameters to it
ah=hmac-md5
ahkey=[128 bits]
### (auto) authentication control
auth=ah
# sample description with keys split out into a separate section
# Normally the key section would go in a separate file, with tighter
# permissions set on it.
conn samplesep
# left security gateway (public-network address)
left=10.0.0.1
# next hop to reach right
leftnexthop=10.44.55.66
# subnet behind left (omit if left end of the tunnel is just the s.g.)
leftsubnet=172.16.0.0/24
# right s.g., subnet behind it, and next hop to reach left
right=10.12.12.1
rightnexthop=10.88.77.66
rightsubnet=192.168.0.0/24
### (manual) SPI number
spi=0x700
# (manual) encryption/authentication algorithm and parameters to it
esp=3des-md5-96
also=samplesep-keys
# keys for the previous section
# Normally this would go in a separate file, picked up using an include line,
# to allow keeping the keys confidential.
conn samplesep-keys
espenckey=[192 bits]
espauthkey=[128 bits]
|
