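# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
#
# Parameter lines inside a "config" or "conn" section must be indented:
# FreeS/WAN treats only lines that begin with white space as belonging to
# the preceding section header.  The listing is reproduced here with that
# indentation restored; as a flat column-0 paste it would not load.

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # %search: load/start every conn whose auto= setting asks for it
        # (auto=add in %default below, so all conns get loaded).
        plutoload=%search
        plutostart=%search
        # a new negotiation from an already-connected ID replaces the old SA
        uniqueids=yes
        # where Pluto writes a core dump; keep this root-only, a dump of the
        # keying daemon is sensitive
        dumpdir=/root

conn %default
        keyingtries=3
        ikelifetime=3h
        keylife=1h
        disablearrivalcheck=no
        # --- RSA authentication using certificates
        authby=rsasig
        # --- left: this server
        left=%defaultroute
        leftid=@gw.company.net
        leftcert=gwCert.der
        leftupdown=/usr/local/lib/ipsec/updown.x509
        # --- right: roadwarrior
        # right=%any plus rightrsasigkey=%cert: any peer whose certificate
        # validates is accepted, so the CA trust and revocation setup (kept
        # outside this file) is the access control -- confirm it is in place
        right=%any
        rightrsasigkey=%cert
        # --- preferred encryption algorithms
        # aes128 first; 3des is a legacy cipher kept as the second choice,
        # drop it once no client depends on it
        esp=aes128,3des
        # --- load connections automatically at startup
        auto=add

# DHCP over the tunnel: the protoport selectors restrict this SA to
# UDP bootps/bootpc, so leftsubnet=0.0.0.0/0 does NOT tunnel all traffic.
# The SA only needs to outlive one DHCP exchange: short keylife, no rekey.
conn dhcp
        rekey=no
        keylife=30s
        rekeymargin=15s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

# Split tunnel: only the 192.168.0.0/23 LAN goes through the gateway.
# The client's address must fall inside rightsubnetwithin, which matches
# the "vpn clients" pool (192.168.1.50-254) in the dhcpd.conf listing.
conn roadwarrior
        leftsubnet=192.168.0.0/23
        rightsubnetwithin=192.168.1.0/24

# Full tunnel ("sentinel"): with no protoport selector, leftsubnet=0.0.0.0/0
# sends ALL of the client's traffic through the gateway.
conn roadwarrior-sentinel
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24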
# dhcpd.conf, variant 1: LAN and VPN clients share one /23 subnet
# declaration and are separated into two pools by the "vpn-clients" class.

# common server options
ddns-update-style none;

# vpn client class
# Matches on the relay-agent circuit-id, i.e. on the path the request
# arrived through, not on the client's identity.  Presumably dhcprelay
# inserts its DEVICES name ("ipsec0") here -- verify, and confirm nothing
# else on the LAN side can present the same circuit-id.
class "vpn-clients" {
        match if option agent.circuit-id = "ipsec0";
}

# example net
subnet 192.168.0.0 netmask 255.255.254.0 {
        option domain-name "example.net";
        option domain-name-servers ns1.example.net, ns2.example.net;
        option routers gw.example.net;
        option netbios-name-servers ads.example.net;

        # lan clients
        # the explicit deny is what keeps tunnel clients out of LAN leases
        pool {
                deny members of "vpn-clients";
                range 192.168.0.50 192.168.0.254;
                default-lease-time 7200;
                max-lease-time 14400;
        }

        # vpn clients
        # range lies inside rightsubnetwithin=192.168.1.0/24 of ipsec.conf
        pool {
                allow members of "vpn-clients";
                range 192.168.1.50 192.168.1.254;
                default-lease-time 3600;
                max-lease-time 7200;
        }
}
# dhcpd.conf, variant 2: a catch-all subnet declaration (0.0.0.0/0) with
# a per-pool subnet-mask option.  Note that both pools hand out a /24
# mask, whereas variant 1 models the LAN as 192.168.0.0/23 -- confirm
# which matches the real LAN before using this one.

# common server options
ddns-update-style none;

# vpn client class
# Matches on the relay-agent circuit-id, i.e. on the path the request
# arrived through, not on the client's identity.  Presumably dhcprelay
# inserts its DEVICES name ("ipsec0") here -- verify.
class "vpn-clients" {
        match if option agent.circuit-id = "ipsec0";
}

# example net
subnet 0.0.0.0 netmask 0.0.0.0 {
        option domain-name "example.net";
        option domain-name-servers ns1.example.net, ns2.example.net;
        option routers gw.example.net;
        option netbios-name-servers ads.example.net;

        # lan clients
        # the explicit deny is what keeps tunnel clients out of LAN leases
        pool {
                deny members of "vpn-clients";
                range 192.168.0.50 192.168.0.254;
                default-lease-time 7200;
                max-lease-time 14400;
                option subnet-mask 255.255.255.0;
        }

        # vpn clients
        # range lies inside rightsubnetwithin=192.168.1.0/24 of ipsec.conf
        pool {
                allow members of "vpn-clients";
                range 192.168.1.50 192.168.1.254;
                default-lease-time 3600;
                max-lease-time 7200;
                option subnet-mask 255.255.255.0;
        }
}
# DHCP-Relay configuration file
# Shell-style variable assignments read by dhcprelay.

# Logfile
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
# Must agree with the circuit-id the dhcpd.conf "vpn-clients" class
# matches on ("ipsec0") -- presumably the relay sends this name as the
# circuit-id; verify.
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
SERVERDEVICE="eth1"

# Hostname or IP Address of the DHCP-Server
# Given as an IP here; a hostname would presumably add a DNS dependency
# at relay start-up -- confirm if you change it.
DHCPSERVER="192.168.0.10"