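# ipsec.conf - openswan/libreswan IKEv1 road-warrior gateway:
# gateway authenticates with an RSA certificate, users with XAUTH via PAM.
# Comments must be on their own line; NOTE(review) marks security caveats.

# conforms to second version of ipsec.conf specification
version 2.0

config setup
	# NOTE(review): previously /tmp/pluto.log. /tmp is world-writable, so a
	# local user can pre-create or symlink the log file, and with
	# plutodebug=all the log may contain sensitive protocol state. Keep it
	# in a root-owned directory.
	plutostderrlog=/var/log/pluto.log
	plutorestartoncrash=yes
	# NOTE(review): "all" is a troubleshooting setting - extremely verbose
	# and may log crypto internals. Use plutodebug=none in production and
	# enable specific classes only while debugging.
	plutodebug=all
	protostack=netkey
	# Core dumps of pluto contain process memory (including private key
	# material); this directory must stay readable by root only.
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	# Networks a road-warrior may sit behind. Exclude every server-side
	# network (%v4:!a.b.c.0/24) so a client cannot claim an address on it:
	#  - 193.111.228.0/24 is the address pool handed out in conn xauth-rsa
	#  - 193.110.157.0/24 appears to be the gateway's own LAN
	#    (left=193.110.157.148, modecfgdns1=193.110.157.123)
	# NOTE(review): the gateway LAN exclusion was missing from the active
	# line (only the commented-out variant below had it); added.
	# T-Mobile (US) and Rogers/Fido (Canada) use 25/8 as "private" address
	# space on their 3G networks, and that range had not been announced via
	# BGP (at least up to 2010-12-21), so 0.0.0.0/0 is allowed instead of
	# just RFC1918 space.
	virtual_private=%v4:0.0.0.0/0,%v4:!193.110.157.0/24,%v4:!193.111.228.0/24
	# Earlier variants, kept for reference:
	#virtual_private=%v4:0.0.0.0/0
	#virtual_private=%v4:193.110.158.0/24,%v4:!193.110.157.0/24,%v4:!193.111.228.0/24

conn xauth-rsa
	# Gateway authenticates with its certificate; users additionally
	# authenticate with XAUTH (see xauthby below).
	authby=rsasig
	# NOTE(review): pfs=no disables Perfect Forward Secrecy for the IPsec
	# SA, so compromise of the IKE SA keys exposes earlier tunnel traffic.
	# Kept for client interoperability; prefer pfs=yes where clients allow.
	pfs=no
	# Load and listen only; never initiate towards road-warriors.
	auto=add
	rekey=no
	left=193.110.157.148
	leftcert=vpn.nohats.ca
	leftid=%fromcert
	leftsendcert=always
	# Full tunnel: all client traffic is routed through the VPN.
	leftsubnet=0.0.0.0/0
	# Addresses leased to clients (31 addresses); excluded from
	# virtual_private above.
	rightaddresspool=193.111.228.1-193.111.228.31
	right=%any
	# Peer authenticated by the certificate it presents; it must validate
	# against a CA the daemon trusts.
	rightrsasigkey=%cert
	modecfgdns1=193.110.157.123
	# NOTE(review): 8.8.8.8 sends client DNS queries to a third party;
	# drop it if the internal resolver above is sufficient.
	modecfgdns2=8.8.8.8
	leftxauthserver=yes
	rightxauthclient=yes
	leftmodecfgserver=yes
	rightmodecfgclient=yes
	modecfgpull=yes
	# XAUTH usernames/passwords are checked through PAM.
	xauthby=pam
	# NOTE(review): no ike=/phase2alg= is set, so the daemon's built-in
	# defaults choose the ciphers (older releases default to 3DES/SHA1/
	# MODP1024). Pin explicit proposals once client support is known.
	# Dead-peer detection; can be tuned below:
	# dpddelay=30
	# dpdtimeout=120
	# dpdaction=clear
	# NOTE(review): xauthfail=soft would let a client that FAILS XAUTH keep
	# its tunnel; leave it disabled (the default is hard).
	# xauthfail=soft
	# Fragment IKE messages (large certificate payloads) even if the peer
	# did not advertise support.
	ike_frag=force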