# /etc/ipsec.conf - Libreswan IPsec configuration file

version 2.0

config setup
	interfaces="ipsec0=eth0"

# note that connaddrfamily=ipv6 is kinda a bad option.
# It is only needed if host-host is ipv6 of subnet-subnet
# is ipv6. The latter could be over ipv4 hosts!
#
# all below conns are bogus and should fail

conn bad-nexthop
	left=2001:db8:1:2::45
	leftnexthop=192.1.2.23
	right=2001:db8:1:2::23
	rightnexthop=2001:db8:1:2::45
	connaddrfamily=ipv6

conn bad-subnet
	left=2001:db8:1:2::45
	leftnexthop=2001:db8:1:2::23
	leftsubnet=192.0.1.0/24
	leftsourceip=2001:db8:0:1::45
	right=2001:db8:1:2::23
	rightnexthop=2001:db8:1:2::45
	rightsubnet=2001:db8:0:2::/64
	rightsourceip=2001:db8:0:2::23/64
	connaddrfamily=ipv6

conn bad-connaddrfamily
	leftsubnet=2001:db8:0:1::/64
	rightsubnet=2001:db8:0:2::/64
	connaddrfamily=ipv4
	left=192.1.2.45
	leftnexthop=192.1.2.23
	right=192.1.2.23
	rightnexthop=192.1.2.45

conn bad-left-right
	left=192.1.2.45
	leftsubnet=192.0.1.0/24
	leftsourceip=2001:db8:0:1::45
	right=2001:db8:1:2::23
	rightnexthop=2001:db8:1:2::45
	rightsourceip=2001:db8:0:2::23/64
	#connaddrfamily=ipv4