- Linux strongSwan U5.5.1/K4.9.0-6-amd64
- ------------------------------------------
- # Base section for a site-to-site IKEv2 tunnel between two IPv6 endpoints,
- # authenticated with a pre-shared key on both sides. hetzner-1 and hetzner-2
- # below inherit it through also= and only add their own leftsubnet.
- conn hetzner
- left=2a02:...::2
- leftid=2a02:...::2
- right=2a01:...::1
- rightid=2a01:...::1
- rightsubnet=100.100.101.0/24
- fragmentation = yes
- keyexchange = ikev2
- reauth = yes
- forceencaps = no
- mobike = no
- rekey = yes
- installpolicy = yes
- type = tunnel
- # The peer's profile on this page sets dpd-interval=disable-dpd, so only this
- # side probes for liveness. With IKEv2, strongSwan documents dpdtimeout as
- # IKEv1-only; the retransmission timeouts decide when the peer is declared dead.
- dpdaction = restart
- dpddelay = 10s
- dpdtimeout = 60s
- auto = route
- # 5400s / 3600s equal the peer's profile lifetime=1h30m and proposal lifetime=1h.
- ikelifetime = 5400s
- lifetime = 3600s
- # NOTE(review): modp1024 is a 1024-bit DH group, below the 2048-bit minimum
- # generally recommended today, and the trailing "!" makes the proposal strict,
- # so nothing stronger can be negotiated. The IKE SA protects the key exchange
- # for every child SA, so the modp4096 PFS group on the esp line does not make
- # up for it. Raising it (modp2048 or higher) must be done together with
- # dh-group= in the peer's profile, otherwise the proposals no longer match.
- ike = aes256-sha256-modp1024!
- # The same proposal is listed four times; one entry is equivalent.
- esp = aes256-sha256-modp4096,aes256-sha256-modp4096,aes256-sha256-modp4096,aes256-sha256-modp4096!
- # PSK authentication is only as strong as the secret itself (kept outside this
- # file): use a long, randomly generated value and restrict read access to it.
- leftauth = psk
- rightauth = psk
- # Child SA for 100.100.100.0/24 <-> 100.100.101.0/24.
- conn hetzner-1
- also=hetzner
- leftsubnet=100.100.100.0/24
- # Child SA for 10.163.0.0/16 <-> 100.100.101.0/24.
- conn hetzner-2
- also=hetzner
- leftsubnet=10.163.0.0/16
- ------------------------------------------
- # RouterOS side of the same tunnel: local endpoint 2a01:...::1, remote peer
- # 2a02:...::2 (the strongSwan host configured above).
- /ip ipsec policy group
- add name=group1
- /ip ipsec profile
- # IKE (phase 1) parameters; they mirror the strongSwan ike= line and ikelifetime.
- # NOTE(review): dh-group=modp1024 is a 1024-bit group, below the 2048-bit
- # minimum generally recommended today. Raise it (modp2048 or higher) together
- # with the strict ike= proposal on the strongSwan side so both still match.
- # dpd-interval=disable-dpd means this router sends no liveness probes itself.
- add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h30m name=profile1 nat-traversal=no
- /ip ipsec peer
- # /128 limits the peer entry to the single remote address.
- add address=2a02:...::2/128 exchange-mode=ike2 name=peer1 profile=profile1
- /ip ipsec proposal
- # ESP (phase 2) parameters; they mirror the strongSwan esp= line and lifetime.
- add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=proposal1 pfs-group=modp4096
- /ip ipsec identity
- # The secret is redacted in this paste. No auth-method is given, so this
- # presumably falls back to the pre-shared-key default (confirm on the device).
- # Use a long random secret and keep it out of shared or public config exports.
- add peer=peer1 policy-template-group=group1 secret=...
- /ip ipsec policy
- # One policy per strongSwan child conn (hetzner-1, hetzner-2), with source and
- # destination swapped relative to that side's leftsubnet/rightsubnet.
- add dst-address=100.100.100.0/24 level=unique proposal=proposal1 sa-dst-address=2a02:...::2 sa-src-address=2a01:...::1 src-address=100.100.101.0/24 tunnel=yes
- add dst-address=10.163.0.0/16 level=unique proposal=proposal1 sa-dst-address=2a02:...::2 sa-src-address=2a01:...::1 src-address=100.100.101.0/24 tunnel=yes