# common pieces for ipsec.conf. No host addresses. # # for conns # left = WEST # right = EAST # # for OE stuff, # right = my stuff # left = other stuff. # conn us-to-anyone also=us also=me-to-anyone conn me-to-anyone right=%defaultroute rightnexthop=%defaultroute left=%opportunistic failureshunt=drop # uncomment to enable incoming; change to auto=route for outgoing #auto=add # food groups: clear, clear-or-private, private-or-clear, private, block # Tempting to use "postcard" instead of "clear" # these are for a subnet behind us. conn us-clear also=clear also=us conn us-let-my-dns-go also=let-my-dns-go # except the connection to the DNS server conn let-my-dns-go left=%defaultroute leftprotoport=17/%any right=0.0.0.0 rightsubnet=0.0.0.0/0 rightprotoport=17/53 type=passthrough auto=ignore conn us-clear-or-private also=clear-or-private also=us conn us-private-or-clear also=private-or-clear also=us conn us-private-or-clear-all also=private-or-clear also=us conn us-private also=private also=us conn us-block also=block also=us # a different named conn, so we can have a different policy conn private-or-clear-all also=private-or-clear # these are for self conn clear type=passthrough authby=never right=%defaultroute left=%group #auto=route conn clear-or-private type=passthrough right=%defaultroute left=%opportunisticgroup # by using "add", we get passive. # but this does not actually implement "clear" :-( failureshunt=passthrough #auto=route conn private-or-clear type=tunnel right=%defaultroute left=%opportunisticgroup failureshunt=passthrough #auto=route conn private type=tunnel right=%defaultroute left=%opportunisticgroup # without failureshunt, renegotiation will be tried. failureshunt=drop #auto=route conn block type=reject authby=never right=%defaultroute left=%group #auto=route # VPN connection conn west-east also=west-east-base-id-nss also=west-east-base-ipv4 #auto=start conn west-eastnet also=west-east-base-id-nss also=west-east-base-ipv4 also=eastnet-ipv4 #auto=start conn westnet-east also=west-east-base-id-nss also=west-east-base-ipv4 also=westnet-ipv4 #auto=start conn west-east-pass also=west-east-base-id-nss also=west-east-base-ipv4 type=passthrough #auto=start conn westnet-east-pass also=west-east-base-id-nss also=west-east-base-ipv4 also=westnet-ipv4 type=passthrough #auto=start conn west-eastnet-pass also=west-east-base-id-nss also=west-east-base-ipv4 also=eastnet-ipv4 type=passthrough #auto=start conn westnet-eastnet-ipcomp compress=yes also=westnet-eastnet conn westnet-eastnet-sourceip leftsourceip=192.0.1.254 also=westnet-eastnet # also processing split in two parts messes up with connaddrfamily checking # rewrite this now as work around as to not break ALL test cases :) #conn westnet-eastnet-6in4 # also=west-east-base-ipv4 # also=westnet-eastnet-ipv6 conn westnet-eastnet-6in4 also=west-east-base-id-nss left=192.1.2.45 #leftnexthop=192.1.2.23 right=192.1.2.23 #rightnexthop=192.1.2.45 leftsubnet=2001:db8:0:1::/64 rightsubnet=2001:db8:0:2::/64 connaddrfamily=ipv6 # Same issue for this conn #conn westnet-eastnet-4in6 # also=west-east-base-id-nss # also=west-east-base-ipv6 # #connaddrfamily=ipv6 # also=westnet-ipv4 # also=eastnet-ipv4 # auto=ignore conn westnet-eastnet-4in6 also=west-east-base-id-nss #also=west-east-base-ipv6 left=2001:db8:1:2::45 #leftnexthop=2001:db8:1:2::23 right=2001:db8:1:2::23 #rightnexthop=2001:db8:1:2::45 #connaddrfamily=ipv6 leftsubnet=192.0.1.0/24 rightsubnet=192.0.2.0/24 auto=ignore # and this one conn westnet-eastnet-6in6 also=west-east-base-id-nss #also=west-east-base-ipv6 left=2001:db8:1:2::45 leftnexthop=2001:db8:1:2::23 right=2001:db8:1:2::23 rightnexthop=2001:db8:1:2::45 also=westnet-eastnet-ipv6 # alias for the testcases conn westnet-eastnet also=westnet-eastnet-ipv4 conn westnet-eastnet-ipv4-psk also=west-east-base-id-psk also=west-east-base-ipv4 also=westnet-ipv4 also=eastnet-ipv4 conn westnet-eastnet-ipv4 also=west-east-base-id-nss also=west-east-base-ipv4 also=westnet-ipv4 also=eastnet-ipv4 # this has no base because it is included with a base of 6 or 4 conn westnet-eastnet-ipv6 leftsubnet=2001:db8:0:1::/64 rightsubnet=2001:db8:0:2::/64 connaddrfamily=ipv6 #auto=start conn westnet-eastnet-pass also=west-east-base-id-nss also=west-east-base-ipv4 also=westnet-ipv4 also=eastnet-ipv4 type=passthrough #auto=start conn westnet-eastnet-drop also=west-east-base-id-nss also=west-east-base-ipv4 also=westnet-ipv4 also=eastnet-ipv4 type=drop #auto=start conn westnet-eastnet-x509 also=westnet leftsourceip=192.0.1.254 also=eastnet rightsourceip=192.0.2.254 also=west-east-x509 # aliases for old test cases - ideally testcases stop using these two names conn eastnet also=eastnet-ipv4 conn westnet also=westnet-ipv4 conn eastnet-ipv4 rightsubnet=192.0.2.0/24 conn westnet-ipv4 leftsubnet=192.0.1.0/24 conn west-east-base also=west-east-base-ipv4 also=west-east-base-id-nss conn west-east-base-ipv4 left=192.1.2.45 leftnexthop=192.1.2.23 right=192.1.2.23 rightnexthop=192.1.2.45 conn west-east-base-ipv6 connaddrfamily=ipv6 left=2001:db8:1:2::45 leftnexthop=2001:db8:1:2::23 right=2001:db8:1:2::23 rightnexthop=2001:db8:1:2::45 conn road-east-base-ipv6 connaddrfamily=ipv6 left=2001:db8:1:3::209 leftnexthop=2001:db8:1:3::254 right=2001:db8:1:2::23 rightnexthop=2001:db8:1:2::45 conn west-east-base-id-psk leftid=@west rightid=@east authby=secret conn west-east-base-id-nss # Left security gateway, subnet behind it, next hop toward right. leftid=@west leftrsasigkey=0sAQOm9dY/449sAWr8e3xtV4tJOQ1396zihfGYHkttpT6zlprRmVq8EPKX3vIo+V+SCfDI1BLkYG6cYJgQAX0mt4+VYi2H3c3e9tOPNbBQ0Bj1mfgE8f9hW7x/H8AE2OSMrDStesHaPC2MMK7WPFmxOpTT1Spzkb1ZXz5yv0obncWyK03nDSQ+d/l/LdadKe9wfXptorhhDEsJSgZxhHCFmo9SoYAG/cb8Pif6Fvoyg6nKgNsPSr/36VWOvSlNI6bcKrNdYqkhHr6D2Gk8AwpIjtM6EfKGWtEwZb3I9IOH/wSHMwVP4NiM/rMZTN2FQPNNbuhJFAYsH1lZBY8gsMpGP8kgfgQwfZqAbD8KiffTr9gVBDf5 # Right security gateway, subnet behind it, next hop toward left. rightid=@east rightrsasigkey=0sAQO9bJbr33iJs+13DaF/e+UWwsnkfZIKkJ1VQ7RiEwOFeuAme1QfygmTz/8lyQJMeMqU5T6s0fmo5bt/zCCE4CHJ8A3FRLrzSGRhWPYPYw3SZx5Zi+zzUDlx+znaEWS2Ys1f040uwVDtnG4iDDmnzmK1r4qADy5MBVyCx40pAi67I1/b8p61feIgcBpj845drEfwXCZOsdBCYFJKsHclzuCYK0P0x1kaZAGD6k7jGiqSuFWrY91LcEcp3Om0YL9DTViPZHOVcKw1ibLCnNRiwF9WX60b5d1Jk2r1I4Lt1OfV8VXyLaImpjZTL5T7mSJcR8xtgDCIljgM9fLtN9AJ1QePae+pmc5NGneeOcQ488VRUUjv conn road-east-base also=road-east-base-id-nss right=192.1.2.23 rightnexthop=192.1.2.45 #left not specified as test case picks "random" ip conn road-east-base-id-nss # Left security gateway, subnet behind it, next hop toward right. leftid=@road leftrsasigkey=0sAQOm9dY/449sAWr8e3xtV4tJOQ1396zihfGYHkttpT6zlprRmVq8EPKX3vIo+V+SCfDI1BLkYG6cYJgQAX0mt4+VYi2H3c3e9tOPNbBQ0Bj1mfgE8f9hW7x/H8AE2OSMrDStesHaPC2MMK7WPFmxOpTT1Spzkb1ZXz5yv0obncWyK03nDSQ+d/l/LdadKe9wfXptorhhDEsJSgZxhHCFmo9SoYAG/cb8Pif6Fvoyg6nKgNsPSr/36VWOvSlNI6bcKrNdYqkhHr6D2Gk8AwpIjtM6EfKGWtEwZb3I9IOH/wSHMwVP4NiM/rMZTN2FQPNNbuhJFAYsH1lZBY8gsMpGP8kgfgQwfZqAbD8KiffTr9gVBDf5 # Right security gateway, subnet behind it, next hop toward left. rightid=@east rightrsasigkey=0sAQO9bJbr33iJs+13DaF/e+UWwsnkfZIKkJ1VQ7RiEwOFeuAme1QfygmTz/8lyQJMeMqU5T6s0fmo5bt/zCCE4CHJ8A3FRLrzSGRhWPYPYw3SZx5Zi+zzUDlx+znaEWS2Ys1f040uwVDtnG4iDDmnzmK1r4qADy5MBVyCx40pAi67I1/b8p61feIgcBpj845drEfwXCZOsdBCYFJKsHclzuCYK0P0x1kaZAGD6k7jGiqSuFWrY91LcEcp3Om0YL9DTViPZHOVcKw1ibLCnNRiwF9WX60b5d1Jk2r1I4Lt1OfV8VXyLaImpjZTL5T7mSJcR8xtgDCIljgM9fLtN9AJ1QePae+pmc5NGneeOcQ488VRUUjv conn east-x509-rw left=%any leftrsasigkey=%cert leftid=%fromcert # Right security gateway, subnet behind it,toward left. right=192.1.2.23 rightid=%fromcert rightrsasigkey=%cert rightcert=east conn west-east-x509 # Left security gateway, subnet behind it, next hop toward right. left=192.1.2.45 leftrsasigkey=%cert leftcert=west leftnexthop=192.1.2.23 leftid=%fromcert # Right security gateway, subnet behind it, next hop toward left. right=192.1.2.23 rightid=%fromcert rightrsasigkey=%cert rightcert=east rightnexthop=192.1.2.45 conn road-east-x509 # Left security gateway, subnet behind it, next hop toward right. left=192.1.3.209 leftrsasigkey=%cert leftid=%fromcert leftcert=road # Right security gateway, subnet behind it, next hop toward left. rightid=%fromcert rightrsasigkey=%cert rightcert=east rightnexthop=192.1.2.254 right=192.1.2.23 # we should split this conn so we can re-use it without hardcoded left/rightcert= conn north-east-x509 # Left security gateway, subnet behind it, next hop toward right. left=192.1.3.33 leftnexthop=192.1.3.254 leftrsasigkey=%cert leftcert=north leftid=%fromcert # Right security gateway, subnet behind it, next hop toward left. right=192.1.2.23 rightid=%fromcert rightrsasigkey=%cert rightcert=east rightnexthop=192.1.2.254 conn north-east # Left security gateway, subnet behind it, next hop toward right. #left=%defaultroute #left=%any #leftnexthop=192.2.3.254 leftid=@north leftrsasigkey=0sAQPl33O2PtU2qPE9DdMCq3/sTJ6LDg7Szw9Zv22IIYaTnhA0ry3Ps37r5bIksqWwAQN9tZatZu5IwijZmnY2qRCEtQmPF09lztgvjniAiof0a5jZkZRrUhVbnEcSvthvJbRlOH7kjcfwWNOfaRTMPsgWH6+7XZMrMzkOlFWB9LPMklhuSlpOw3arBC4RCAZVEw8CbN3RvMC4jWX1l+38GDn5Vav6DcVJmX8bz8PemX2eym+eFNZa/97WT1dqg6tRumR04CLpmsUQcbvU66SZKJyFDjHqzKvvmIQ/WcF1qrNh62GMWKWSJYStx3nzh9DHg8LWiv4mnSr/sd2biSF8yvU4LT9kDEGcNOmyVQ+CGrPHXqWZ # Right security gateway, subnet behind it, next hop toward left. right=192.1.2.23 rightid=@east rightrsasigkey=0sAQO9bJbr33iJs+13DaF/e+UWwsnkfZIKkJ1VQ7RiEwOFeuAme1QfygmTz/8lyQJMeMqU5T6s0fmo5bt/zCCE4CHJ8A3FRLrzSGRhWPYPYw3SZx5Zi+zzUDlx+znaEWS2Ys1f040uwVDtnG4iDDmnzmK1r4qADy5MBVyCx40pAi67I1/b8p61feIgcBpj845drEfwXCZOsdBCYFJKsHclzuCYK0P0x1kaZAGD6k7jGiqSuFWrY91LcEcp3Om0YL9DTViPZHOVcKw1ibLCnNRiwF9WX60b5d1Jk2r1I4Lt1OfV8VXyLaImpjZTL5T7mSJcR8xtgDCIljgM9fLtN9AJ1QePae+pmc5NGneeOcQ488VRUUjv rightnexthop=192.1.2.254 conn north-east-psk #left=%defaultroute or %any leftid=@north right=192.1.2.23 rightid=@east authby=secret conn north-east-x509-fail-base left=192.1.3.33 leftrsasigkey=%cert # right=192.1.2.23 rightrsasigkey=%cert conn northnet leftsubnet=192.0.3.0/24