
5. Example Configuration Files

5.1 ipsec.conf


# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
#
# Layout: "config setup" holds daemon-wide settings, "conn %default"
# holds values inherited by every other conn, and the named conns below
# only override what differs.  Keep %default ahead of the named conns.

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Leave debugging off in production: KLIPS/Pluto debug output is
        # verbose and exposes negotiation details in the logs.
        klipsdebug=none
        plutodebug=none
        # %search: Pluto decides which conns to load/start from each conn's
        # auto= setting (auto=add in %default below).
        plutoload=%search
        plutostart=%search
        # yes: a new negotiation from a peer with the same ID replaces the
        # old one, so a reconnecting roadwarrior does not leave stale SAs.
        uniqueids=yes
        # Pluto core dumps land here; a dump can contain key material, so
        # this directory must stay readable by root only.
        dumpdir=/root

conn %default
        # Give up after 3 failed negotiations rather than retrying forever.
        keyingtries=3
        # IKE (phase 1) SA lifetime and IPsec (phase 2) SA lifetime.
        ikelifetime=3h
        keylife=1h
        # Keep the arrival check enabled: decrypted packets whose addresses
        # do not fall within the SA's negotiated subnets are dropped.
        disablearrivalcheck=no
        # --- RSA authentication using certificates
        authby=rsasig
        # --- left: this server
        left=%defaultroute
        leftid=@gw.company.net
        # Gateway certificate; relative name, presumably resolved in the
        # X.509 patch's certificate directory -- confirm for your build.
        leftcert=gwCert.der
        # Custom updown script, run as root on SA up/down to adjust routes
        # and firewall rules; keep it root-owned and not world-writable.
        leftupdown=/usr/local/lib/ipsec/updown.x509
        # --- right: roadwarrior
        # %any plus %cert: any peer presenting a certificate that verifies
        # against the gateway's trusted CAs is accepted.  Nothing here pins
        # the peer's identity or issuing CA; NOTE(review): if your build
        # supports rightid=/rightca=, consider them to narrow who may connect.
        right=%any
        rightrsasigkey=%cert
        # --- preferred encryption algorithms
        # Proposal order: AES-128 first, 3DES only as a fallback.  3DES is a
        # 64-bit block cipher; drop it once every client supports AES.
        esp=aes128,3des
        # --- load connections automatically at startup
        auto=add

conn dhcp
        # Short-lived SA used only for the client's DHCP exchange: never
        # rekeyed, expires 30s after setup (rekeymargin must stay below
        # keylife).
        rekey=no
        keylife=30s
        rekeymargin=15s
        # The client has no tunnel address yet, so any destination is
        # accepted, but the SA is limited to DHCP traffic only
        # (server port bootps/67, client port bootpc/68).
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

conn roadwarrior
        # Traffic to the LAN (192.168.0.x) and the VPN pool (192.168.1.x).
        leftsubnet=192.168.0.0/23
        # The client may only propose an inner address inside the VPN pool
        # (dhcpd's "vpn-clients" pool hands out 192.168.1.50-254).
        rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
        # Like roadwarrior, but the client sends all of its traffic through
        # the tunnel; the gateway then sees, and must forward or NAT, the
        # client's Internet traffic as well.
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24

5.2 dhcpd.conf


# common server options
# No dynamic DNS updates from this server.
ddns-update-style none;

# vpn client class
# Clients are sorted into this class by the relay-agent circuit-id (DHCP
# option 82); "ipsec0" must agree with DEVICES in dhcprelay.conf, which
# presumably sets the circuit-id to the device name.
# NOTE(review): dhcpd does not authenticate agent options.  A LAN host that
# crafts its own option 82 with circuit-id "ipsec0" would match this class
# and draw a lease from the VPN pool; confirm that the LAN path cannot
# carry client-supplied agent options.
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
# One /23 covering both pools: 192.168.0.x for LAN hosts, 192.168.1.x for
# VPN clients (matches leftsubnet=192.168.0.0/23 in ipsec.conf).
subnet 192.168.0.0 netmask 255.255.254.0 {

  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  # WINS server for Windows roadwarriors.
  option netbios-name-servers ads.example.net;

  # lan clients
  # The deny rule keeps VPN clients out of the LAN range; requests without
  # the matching circuit-id fall through to this pool.
  pool {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
  }

  # vpn clients
  # Shorter leases than the LAN pool: tunnels come and go, so addresses
  # are recycled faster.
  pool {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
  }

}

5.3 dhcpd.conf - DHCP-Server and Relay on the same host


# common server options
# No dynamic DNS updates from this server.
ddns-update-style none;

# vpn client class
# Clients are sorted into this class by the relay-agent circuit-id (DHCP
# option 82); "ipsec0" must agree with DEVICES in dhcprelay.conf, which
# presumably sets the circuit-id to the device name.
# NOTE(review): dhcpd does not authenticate agent options.  A LAN host that
# crafts its own option 82 with circuit-id "ipsec0" would match this class
# and draw a lease from the VPN pool; confirm that the LAN path cannot
# carry client-supplied agent options.
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
# Server and relay share one host, so a single catch-all subnet is used
# and each pool supplies its own subnet-mask option instead of deriving
# it from the subnet declaration: LAN hosts get 192.168.0.x/24, VPN
# clients 192.168.1.x/24.
subnet 0.0.0.0 netmask 0.0.0.0 {

  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  # WINS server for Windows roadwarriors.
  option netbios-name-servers ads.example.net;

  # lan clients
  # The deny rule keeps VPN clients out of the LAN range; requests without
  # the matching circuit-id fall through to this pool.
  pool {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
    option subnet-mask 255.255.255.0;
  }

  # vpn clients
  # Shorter leases than the LAN pool: tunnels come and go, so addresses
  # are recycled faster.
  pool {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
  }

}

5.4 dhcprelay.conf


# DHCP-Relay configuration file
# Shell-style KEY="value" assignments; keep the quotes.

# Logfile
# NOTE(review): the log presumably records client addresses and lease
# activity; keep it root-readable only.
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
# Requests arriving on these devices are relayed.  The device name is what
# dhcpd.conf matches as agent.circuit-id = "ipsec0" (presumably inserted
# by the relay as option 82), so the two settings must agree.
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
# The LAN-side interface, not an IPsec device.
SERVERDEVICE="eth1" 

# Hostname or IP Address of the DHCP-Server
# A literal IP avoids a DNS dependency while the tunnel is coming up.
DHCPSERVER="192.168.0.10"

