
ipsec.conf

# This file holds shared secrets or RSA private keys for authentication.
# NOTE(review): this span (down to the "ipsec.conf - strongSwan" header) is
# ipsec.secrets syntax ("<selectors> : PSK|XAUTH <value>"), not ipsec.conf;
# the two files appear to have been pasted together under one title.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

# Group pre-shared key for the road-warrior conn: local ID "@ciscoauth"
# (leftid of conn xauth-roadwarrior-ipsec-server) paired with any remote.
# Because the remote selector is %any, every client uses this same secret, and
# with authby=psk it is the only thing authenticating the gateway towards the
# clients; XAUTH (next line) authenticates the user, not the gateway. The
# value here looks like a placeholder and needs a long random secret before use.
@ciscoauth %any : PSK "keykeykeykeykey"
# XAUTH user credential for username "test" (second authentication round,
# rightauth2=xauth). A "test" account should not remain on a production gateway.
test : XAUTH "zzzzzzzzzz"

# Site-to-site PSK for conn kiev, selected by the two peer addresses that conn
# uses as left/right. Addresses are masked in this paste (xx/yy); the PSK value
# looks like a placeholder as well.
xx.xx.xx.xx yy.yy.yy.yy : PSK "keykeykeykeykeykeykeykey"
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # Verbose charon logging, kept disabled; enable temporarily when a
        # tunnel fails to negotiate.
        #charondebug="cfg 3, dmn 3, ike 3, net 3, chd 3, mgr 3"
        # Kept disabled. Only relevant for certificate authentication; every
        # conn in this file uses authby=psk.
        #strictcrlpolicy=yes
        # Do not tear down an existing SA when the same peer identity connects
        # again. Presumably set so several road-warrior clients behind the one
        # shared PSK/ID can be connected at once — confirm; it also means a
        # duplicate login with the same identity does not evict the first one.
        uniqueids=no

# Add connections here.
conn %default
        # Defaults inherited by every conn below unless overridden
        # (conn kiev overrides ike and esp).

        # IKE proposal: AES-256, SHA-256, 1024-bit MODP DH group.
        # NOTE(review): modp1024 is below current minimums for a DH group; it
        # is presumably kept for the legacy/iOS clients of the road-warrior
        # conn. Listing a stronger group first, e.g.
        #   ike=aes256-sha256-modp2048,aes256-sha256-modp1024
        # lets capable peers negotiate it while legacy peers still match.
        ike=aes256-sha256-modp1024
        # ESP proposal with no DH group: CHILD_SA keys are derived from the
        # IKE SA only (no PFS), so compromise of the IKE SA keying material
        # would also expose the ESP keys. Appending a group (e.g. modp2048)
        # enables PFS where the peer supports it.
        esp=aes256-sha256
        # IKE SA and IPsec SA lifetimes, both 10 h; reauth=no means the IKE SA
        # is rekeyed in place rather than re-authenticated.
        ikelifetime=600m
        keylife=600m
        reauth=no
        rekey=yes
        #rekeymargin=3m
        keyingtries=%forever
        # NOTE(review): closeaction/dpdaction=restart are only meaningful on an
        # initiator. For the responder-only road-warrior conn (right=%any,
        # auto=add) charon cannot re-initiate towards an unknown peer — verify
        # this is the intended behaviour there; it is fine for conn kiev.
        closeaction=restart
        # IPComp; only used if the peer also proposes it.
        compress=yes
        # Dead-peer detection every 20 s, peer declared dead after 60 s.
        dpdaction=restart
        dpddelay=20s
        dpdtimeout=60s
        # MOBIKE is an IKEv2 extension; both conns below use keyexchange=ikev1,
        # so this setting is inert for them.
        mobike=yes

conn xauth-roadwarrior-ipsec-server
        # Responder for "Cisco IPsec"-style clients: IKEv1, group PSK for the
        # gateway, XAUTH username/password for the user.
        keyexchange=ikev1
        # Phase 1 with the group PSK ("@ciscoauth %any : PSK ..." in
        # ipsec.secrets) — shared by every client of this conn.
        authby=psk
        type=tunnel
        # Always UDP-encapsulate ESP (NAT-T framing) even when no NAT is
        # detected; required for the iOS client per the original note.
        forceencaps=yes       # force all to be nat'ed. because of iOS
        left=%defaultroute
        # Local IKE identity; must match the ID on the PSK line in ipsec.secrets.
        leftid=@ciscoauth
        # Full tunnel: all client IPv4 and IPv6 traffic is routed through the gateway.
        leftsubnet=0.0.0.0/0,::/0
        right=%any
        # Second authentication round: XAUTH credentials
        # (the "<user> : XAUTH <password>" lines in ipsec.secrets).
        rightauth2=xauth
        # Virtual IP pool assigned to clients and the DNS servers pushed to them
        # (Google public resolvers).
        rightsourceip=10.31.1.0/24
        rightdns=8.8.8.8,8.8.4.4
        # Load the conn and wait for clients to initiate.
        auto=add

conn kiev
        # Site-to-site tunnel to a fixed peer gateway; this host initiates
        # (auto=start) and keeps retrying (keyingtries=%forever from %default).
        keyexchange=ikev1

        # Overrides the %default IKE proposal with SHA-512 and a 4096-bit MODP
        # group — no legacy-client compromise is needed against a fixed peer.
        # esp still has no DH group, so there is no PFS for the ESP SAs here
        # either (see the note in conn %default).
        ike=aes256-sha512-modp4096
        esp=aes256-sha256

        # PSK selected by the "xx.xx.xx.xx yy.yy.yy.yy : PSK" line in ipsec.secrets.
        authby=psk
        type=tunnel

        # Local gateway address (masked in this paste) and the site subnet
        # behind it. NOTE(review): leftsourceip with a fixed value presumably
        # gives the gateway itself an inner address within leftsubnet for its
        # own traffic into the tunnel — confirm against the peer's policy.
        left=xx.xx.xx.xx
        leftsubnet=10.200.0.0/16
        leftsourceip=10.200.255.254

        # Remote gateway (masked) and the subnet reachable through it; the
        # remote inner address was left unset.
        right=yy.yy.yy.yy
        rightsubnet=192.168.0.0/24
        #rightsourceip=192.168.0.1

        auto=start

include /var/lib/strongswan/ipsec.conf.inc