-rw-r--r-- | src/swanctl/Makefile.am | 2 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf | 122 |
2 files changed, 124 insertions, 0 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index c951b1587..d731c0467 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -20,6 +20,8 @@ swanctl_LDADD = \
 swanctl.o : $(top_builddir)/config.status
+EXTRA_DIST = swanctl.conf
+
 AM_CPPFLAGS = \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libcharon/plugins/vici \
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
new file mode 100644
index 000000000..7580740b1
--- /dev/null
+++ b/src/swanctl/swanctl.conf
@@ -0,0 +1,122 @@
+connections {
+
+# # an IKE configuration named conn1
+# conn1 {
+# # IKE version to use
+# version = 2
+# # list of acceptable local addresses/subnets
+# local_addrs = 0.0.0.0
+# # peer address, additional addresses/subnets as responder
+# remote_addrs = 192.168.5.1
+# # local UPD port for IKE
+# local_port = 500
+# # remote UDP port for IKE
+# remote_port = 500
+# # Proposals for IKE, "default" is the default proposal
+# proposals = aes128gcm16-prfsha256-modp2048, default
+# # virtual IPs to request, such as 0.0.0.0 or ::
+# vips =
+# # IKEv1 aggressive mode
+# aggressive = no
+# # use of pull/push in IKEv1 mode config
+# pull = yes
+# # enforce UDP encapsulation by faking NAT-D payloads
+# encap = no
+# # enable IKEv2 MOBIKE
+# mobike = yes
+# # interval of liveness checks
+# dpd_delay = 10s
+# # timeout for DPD checks (IKEV1 only)
+# dpd_timeout = 30s
+# # use IKEv1 UDP packet fragmentation
+# fragmentation = force
+# # send certificate requests
+# send_certreq = yes
+# # send certificate payloads
+# send_cert = ifasked
+# # number of retransmission sequences to do before givin up
+# keyingtries = 0
+# # uniquness policy, never|no|keep|replace|
+# unique = no
+# # time to schedule IKE reauthentication
+# reauth_time = 3h
+# # time to schedule IKE rekeying
+# rekey_time = 2h
+# # hard IKE_SA lifetime if rekey/reauth does not complete
+# over_time = 10m
+# # range of random time to subtract from rekey/rauth times
+# rand_time = 10m
+#
+# # local authentication, first round
+# local {
+# # additional certificates to load
+# certs = a.pem, xy.der
+# # authentication to perform locally
+# auth = pubkey
+# # IKE identity for local
+# id = win@strongswan.org
+# # Client EAP-Identity to use
+# eap_id = moon
+# # Server side EAP identity to use, EAP-TTLS etc.
+# aaa_identity = srv
+# # IKEv1 XAuth username
+# xauth_id = moon
+# }
+# # remote authentication, first round
+# remote {
+# # IKE identity for peer
+# id = %any
+# # list of acceptable peer certificates
+# certs = client.pem
+# # list of acceptable CA certificates
+# cacert = ca.der
+# # revocation policy, strict|ifuri
+# revocation = ifuri
+# # authentication to expect from remote
+# auth = pubkey
+# }
+# children {
+# # First CHILD_SA configuration
+# child1 {
+# # AH proposals to offer
+# ah_proposals = default
+# # ESP proposals to offer
+# esp_proposals = aes128gcm16-modp2048, default
+# # local subnets to tunnel
+# local_ts = 192.168.3.0/24
+# # remote subnets to tunnel
+# remote_ts = 192.168.1.0/24
+# # updown script to invoke
+# updown = path-to-script
+# # hostaccess variable to pass to updown
+# hostaccess = yes
+# # IPsec mode, tunnel|transport|pass|drop
+# mode = tunnel
+# # action to perform on DPD timeout
+# dpd_action = restart
+# # enable IPComp
+# ipcomp = no
+# # inactivity timeout before closing CHILD_SA
+# inactivity = 2m
+# # fixed reqid to use for this CHILD_SA
+# reqid = 5
+# # Netfilter mark for input traffic
+# mark_in = 1
+# # Netfilter mark for output traffic
+# mark_out = 5/0xffffffff
+# # Traffic Flow Confidentiality padding
+# tfc_padding = 1500
+# }
+# }
+# }
+
+}
+
+secrets {
+ eap {
+# tester = testpassword
+ }
+ ike {
+# sun.strongswan.org = 0x12345678901234
+ }
+} |
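Review bot: The new example file has no header comment, and the `secrets` block at the end of the hunk shows an EAP password and an IKE pre-shared key as cleartext values with nothing telling the administrator that a live copy of this file must be installed with restrictive permissions; I would open the file with a short header such as `# swanctl.conf - example swanctl configuration; entries under secrets are stored in cleartext, so keep this file readable by root only.` The Makefile.am hunk only adds the file to EXTRA_DIST, so it is shipped in the tarball but not installed, which presumably makes it documentation rather than a live default worth saying so in that header. Several comment lines also carry typos worth fixing while the file is new: `local UPD port` → `local UDP port`, `givin up` → `giving up`, `uniquness policy` → `uniqueness policy`, `rekey/rauth times` → `rekey/reauth times`, and the trailing `|` in `never|no|keep|replace|` suggests a value list left unfinished.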