From 900d5091319e708597aeb0b376ea6251296fe9fc Mon Sep 17 00:00:00 2001
From: hshoexer <>
Date: Sat, 24 Dec 2005 15:44:12 +0000
Subject: [PATCH] Very basic sample ipsec.conf, more to come. Has been demanded by deraadt@ for a long time, but i'm a bloody slacker...
---
 src/etc/ipsec.conf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 src/etc/ipsec.conf
diff --git a/src/etc/ipsec.conf b/src/etc/ipsec.conf
new file mode 100644
index 00000000..0f507e9f
--- /dev/null
+++ b/src/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# $OpenBSD: ipsec.conf,v 1.1 2005/12/24 15:44:12 hshoexer Exp $
+#
+# See ipsec.conf(5) for syntax and examples.
+
+# Set up two tunnels using automatic keying with isakmpd(8):
+#
+# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
+# second between the machines 192.168.3.1 and 192.168.3.2.
+# Use FQDNs as IDs.
+
+ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
+ srcid me.mylan.net dstid the.others.net
+ike esp from 192.168.3.1 to 192.168.3.2 \
+ srcid me.mylan.net dstid the.others.net
+
+# Set up a tunnel using static keying:
+#
+# The first rules sets up the flow, second the SA. As default
+# transforms ipsecctl(8) will use hmac-sha2-256 for authentication
+# and aesctr for encryption. hmac-sha2-256 uses a 256 bit key, aesctr
+# a 160 bit key.
+
+flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
+esp from 192.168.3.1 to 192.168.3.2 spi 0xdeadbeef:0xbeefdead \
+ authkey 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
+ enckey 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
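Review bot: The static-keying example at the end of the hunk ships literal key material (the all-0xaa authkey, the all-0xee enckey and the memorable `0xdeadbeef:0xbeefdead` SPIs) without any comment marking them as placeholders, so a reader who copies the file as-is ends up with a tunnel whose keys are predictable. A line before the `esp` rule such as `# The SPIs and keys below are placeholders; generate fresh random keys of the sizes noted above and never reuse them.` would make that explicit. The same comment block reads `The first rules sets up the flow`; it should read `The first rule sets up the flow`. Since the file holds secrets, it should be installed with mode 0600; the `create mode 100644` seen here is only the git tree mode, and the installation mode is set elsewhere and not visible in this commit.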