  1. version 2 # conforms to second version of ipsec.conf specification
  2.  
  3. config setup
  4. dumpdir=/var/run/pluto/
  5. #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
  6.  
  7. nat_traversal=yes
  8. #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
  9.  
  10. virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
  11. #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
  12.  
  13. protostack=netkey
  14. #decide which protocol stack is going to be used.
  15.  
  16. force_keepalive=yes
  17. keep_alive=60
  18. # Send a keep-alive packet every 60 seconds.
  19.  
  20. conn L2TP-PSK-noNAT
  21. authby=secret
  22. #shared secret. Use rsasig for certificates.
  23.  
  24. pfs=no
  25. #Disable pfs
  26.  
  27. auto=add
  28. #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
  29.  
  30. keyingtries=3
  31. #Only negotiate a conn. 3 times.
  32.  
  33. ikelifetime=8h
  34. keylife=1h
  35.  
  36. ike=aes256-sha1,aes128-sha1,3des-sha1
  37. phase2alg=aes256-sha1,aes128-sha1,3des-sha1
  38. # https://lists.openswan.org/pipermail/users/2014-April/022947.html
  39. # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
  40.  
  41. type=transport
  42. #because we use l2tp as tunnel protocol
  43.  
  44. left=%SERVERIP%
  45. #fill in server IP above
  46.  
  47. leftprotoport=17/1701
  48. right=%any
  49. rightprotoport=17/%any
  50.  
  51. dpddelay=10
  52. # Dead Peer Dectection (RFC 3706) keepalives delay
  53. dpdtimeout=20
  54. # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
  55. dpdaction=clear
  56. # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.