Useful StrongSwan IPSec config parameters
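# ipsec.conf parameter cheat-sheet: conn-section keys first, then config-setup keys.
# NOTE(review): the syntax used here (";" before the DH group, aggrmode=, phase2=,
# salifetime=, interfaces=, ikeport=, listen=, nat-ikeport=, leftnexthop=) is the
# Openswan/Libreswan dialect of ipsec.conf. strongSwan's ipsec.conf(5) spells several
# of these differently or does not accept them; confirm each key against the man page
# of the daemon that actually reads the file.
# Values in angle brackets or braces are placeholders, not literal syntax.
# Comments start with "#"; ipsec.conf allows them after a value on the same line.

# Connection parameters (conn section)
# ====================================
# Connection parameters general
keyexchange=ike # IKE version to use. Default is ike, which Openswan/Libreswan treat as IKEv1. Use ikev2 for IKEv2
# NOTE(review): strongSwan 5.x initiates IKEv2 for keyexchange=ike; verify against the daemon in use
# Prefer ikev2 wherever both peers support it
connaddrfamily=ipv4 # The default value
type=tunnel # Type of the connection. Possible values are
# tunnel - host-to-host, host-to-subnet, subnet-to-subnet tunnel
# transport - host-to-host transport mode
# passthrough - no IPsec processing should be done
# drop - Packets should be discarded
# reject - Packets should be discarded and an ICMP message returned
left=%defaultroute # The IP of the left participating gateway. Possible values:
# %defaultroute - Use the local address of the default route interface. Also overrides any value supplied for leftnexthop
# interface name - IP address of the interface will be used instead
# left's IP - If left is NATed (behind NAT) use the NATed (local) IP. If right is NATed, use the public NAT IP
leftsubnet=<subnet IP range> # Encryption domain behind the left participant
# If this field is omitted, left/32 is assumed
leftsubnets={subnetlist} # For more than one subnet, this option can be used
# Either leftsubnet or leftsubnets can be used at a time, but not both
leftnexthop=%direct # Next-hop gateway IP address for the left participant's connection to the public network. Possible values are
# %direct - Use right's IP (IP address of the other participating gateway)
# %defaultroute - Use the next-hop gateway address of the default route interface
# Note that this is relevant only locally. The other end does not need to agree to it
leftsourceip=<ip address> # The IP address the host uses when sending packets to the other gateway/subnet
# Useful in subnet-to-subnet tunnels to ensure left uses its internal IP when communicating with right or right's subnet
# Relevant only locally. The other gateway need not agree
auto=ignore # The operation to take on IPsec startup. Possible useful values are:
# ignore - Do not do anything. Default value
# start - Start the connection at startup
authby=rsasig # How the two gateways authenticate each other. Possible useful values are:
# rsasig - Use RSA digital signatures. (Default)
# secret - Use pre-shared secrets; if used, the secret must be long and random, never a guessable passphrase
# NOTE: If asymmetric authentication is requested, IKEv2 must be enabled,
# and the options leftauth= and rightauth= should be used instead
ike=aes256-sha256;modp2048 # IKE encryption/integrity algorithm to use for phase 1, in the form ENCR-INTEG;DHGROUP
# The earlier example used dh2 (modp1024); 1024-bit DH is below current recommendations, use modp2048 or stronger
# NOTE: The mode used is always "strict mode", so the "!" suffix is not needed
phase2=esp # Type of SA to use for phase 2 (Default esp). The other possible option is ah
esp=aes256-sha256;modp2048 # Algorithm that will be offered/accepted for phase 2 negotiations
# Specify the PFS group at the end to enable PFS. When specifying multiple algorithms, the PFS group should come last
# For AH, the format is AUTH;PFSgroup e.g. aes256;modp2048
nat-keepalive=yes # Whether to enable NAT-T keep-alive messages. Default is yes
dpddelay=30s # The delay (default unit seconds) between Dead Peer Detection probes that
# are sent for this connection. Default value is 30s.
# If this value is set, dpdtimeout also needs to be set
dpdtimeout=120s # Length of time to wait without hearing back from our peer
# before declaring the peer dead.
# If dpdtimeout is set, dpdaction must also be set
dpdaction=hold # What action to perform if a peer is declared dead. Default value is hold,
# meaning the eroute will be put into %hold status. Other possible values are
# clear - The eroute and SA will both be cleared
# restart - Renegotiate all SAs to the dead peer
aggrmode=no # Use IKEv1 Aggressive mode instead of Main mode. Possible values are
# no - Default; keep it unless a peer cannot do Main mode
# yes - Aggressive mode; combined with authby=secret it exposes the PSK-derived hash unprotected in the exchange
rekey=yes # Whether a connection should be renegotiated when it is about to expire. Default value is yes
rekeymargin=9m # How long before a connection expires that attempts to negotiate a replacement begin
# Relevant only locally
salifetime=8h # How long a particular instance of a connection should last, from successful negotiation
# to expiry
keyingtries=%forever # How many attempts should be made to negotiate a connection or a replacement for one,
# before giving up. Default value is %forever. Any other valid value must be a whole number
ikelifetime=1h # How long the keying channel of a connection should last before being renegotiated.
# Default value is 1h (1 hour)

# Config parameters (config setup section)
# ========================================
interfaces=%defaultroute # Virtual and physical interfaces for IPsec to use
# Possible values include:
# %defaultroute - equivalent to ipsec0=p, where p is the interface the default route points to
# virtual=physical - pair of interfaces, e.g. ipsec0=eth0. Multiple pairs should be quoted and separated by spaces
# %none - indicating no interface should be used
nat-ikeport=4500 # UDP port to use for NAT traversal. Default is 4500 (key was previously misspelled nat-ikeyport)
ikeport=500 # The port for IKE to listen on. Default value is 500
listen=<ip address> # IP address to listen on. Default depends on interfaces=.
# Only one IP address is accepted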