# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
#
# Layout: "config setup" holds daemon-wide settings, "conn %default" holds
# values every other conn inherits, then one conn per use case.  Parameter
# lines inside a section are indented; a non-indented line starts a new
# section.

config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# debug output disabled for both the kernel (KLIPS) and pluto
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	# a new negotiation presenting an ID already in use replaces the
	# existing SA for that ID
	uniqueids=yes
	# NOTE(review): core dumps written here may contain key material;
	# keep the directory readable by root only
	dumpdir=/root

conn %default
	keyingtries=3
	ikelifetime=3h
	keylife=1h
	disablearrivalcheck=no
	# --- RSA authentication using certificates
	authby=rsasig
	# --- left: this server
	left=%defaultroute
	leftid=@gw.company.net
	leftcert=gwCert.der
	leftupdown=/usr/local/lib/ipsec/updown.x509
	# --- right: roadwarrior
	# any peer presenting a certificate (%cert) may negotiate; which
	# certificates are accepted is decided by the CA set installed on
	# this host, so that store is the effective access control list
	right=%any
	rightrsasigkey=%cert
	# --- preferred encryption algorithms
	# NOTE(review): 3des is offered as a fallback after aes128; drop it
	# once all clients support AES
	esp=aes128,3des
	# --- load connections automatically at startup
	auto=add

conn dhcp
	# short-lived SA for the client's initial DHCP exchange only: it is
	# not renegotiated (rekey=no) and expires after 30 seconds
	rekey=no
	keylife=30s
	rekeymargin=15s
	leftsubnet=0.0.0.0/0
	# restrict the SA to DHCP traffic: bootps on this server, bootpc on
	# the client
	leftprotoport=udp/bootps
	rightprotoport=udp/bootpc

conn roadwarrior
	# clients reach the LAN /23; the inner address a client proposes must
	# lie within 192.168.1.0/24 (presumably the DHCP vpn-clients pool --
	# confirm against dhcpd.conf)
	leftsubnet=192.168.0.0/23
	rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
	# like roadwarrior, but the client sends all of its traffic through
	# the gateway (leftsubnet covers every destination)
	leftsubnet=0.0.0.0/0
	rightsubnetwithin=192.168.1.0/24
# ISC dhcpd configuration serving two client groups out of one /23:
# directly attached LAN hosts and IPsec road-warrior clients whose requests
# arrive through a relay on ipsec0.  The relay's agent.circuit-id is the only
# thing that separates the two groups.

# common server options
ddns-update-style none;

# vpn client class
# Members are requests carrying relay-agent circuit-id "ipsec0", i.e. the
# IPsec-side relay inserted the option.
# NOTE(review): confirm dhcpd honours relay-agent options only on relayed
# requests, so a directly attached LAN host cannot place itself in this
# class by supplying option 82 in its own request.
class "vpn-clients" {
    match if option agent.circuit-id = "ipsec0";
}

# example net
# one /23 (192.168.0.0 - 192.168.1.255) holding both pools below
subnet 192.168.0.0 netmask 255.255.254.0 {
    option domain-name "example.net";
    option domain-name-servers ns1.example.net, ns2.example.net;
    option routers gw.example.net;
    option netbios-name-servers ads.example.net;

    # lan clients
    # vpn-clients are denied here so a tunnelled client can never obtain a
    # LAN-side address
    pool {
        deny members of "vpn-clients";
        range 192.168.0.50 192.168.0.254;
        # lease times in seconds
        default-lease-time 7200;
        max-lease-time 14400;
    }

    # vpn clients
    # reserved for vpn-clients; the range lies inside 192.168.1.0/24, the
    # subnet the IPsec policy's rightsubnetwithin accepts as a client's
    # inner address
    pool {
        allow members of "vpn-clients";
        range 192.168.1.50 192.168.1.254;
        # lease times in seconds
        default-lease-time 3600;
        max-lease-time 7200;
    }
}
# ISC dhcpd configuration serving LAN hosts and IPsec road-warrior clients
# (relayed over ipsec0) from a single catch-all subnet declaration.  Because
# the subnet is declared as 0.0.0.0/0, each pool hands out its own
# subnet-mask option explicitly.

# common server options
ddns-update-style none;

# vpn client class
# Members are requests carrying relay-agent circuit-id "ipsec0", i.e. the
# IPsec-side relay inserted the option.
# NOTE(review): confirm dhcpd honours relay-agent options only on relayed
# requests, so a directly attached LAN host cannot place itself in this
# class by supplying option 82 in its own request.
class "vpn-clients" {
    match if option agent.circuit-id = "ipsec0";
}

# example net
# catch-all declaration: matches requests arriving on any interface/relay
# address (presumably needed when the tunnel-side address is not inside a
# fixed subnet -- confirm against the ipsec updown script)
subnet 0.0.0.0 netmask 0.0.0.0 {
    option domain-name "example.net";
    option domain-name-servers ns1.example.net, ns2.example.net;
    option routers gw.example.net;
    option netbios-name-servers ads.example.net;

    # lan clients
    # vpn-clients are denied here so a tunnelled client can never obtain a
    # LAN-side address
    pool {
        deny members of "vpn-clients";
        range 192.168.0.50 192.168.0.254;
        # lease times in seconds
        default-lease-time 7200;
        max-lease-time 14400;
        # mask is set per pool because the enclosing subnet is 0.0.0.0/0
        option subnet-mask 255.255.255.0;
    }

    # vpn clients
    # reserved for vpn-clients; the range lies inside 192.168.1.0/24
    pool {
        allow members of "vpn-clients";
        range 192.168.1.50 192.168.1.254;
        # lease times in seconds
        default-lease-time 3600;
        max-lease-time 7200;
        # mask is set per pool because the enclosing subnet is 0.0.0.0/0
        option subnet-mask 255.255.255.0;
    }
}
# DHCP-Relay configuration file
# Shell-style KEY="value" assignments; presumably sourced by the dhcprelay
# start script -- confirm against the consumer.  Values are plain strings,
# no list syntax beyond the comma convention noted for DEVICES.

# Logfile
# NOTE(review): the relay must be able to write here; keep the file from
# being world-writable so log entries cannot be tampered with
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
# requests arriving on these devices are relayed to the DHCP server
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
SERVERDEVICE="eth1"

# Hostname or IP Address of the DHCP-Server
DHCPSERVER="192.168.0.10"