wit-network-config/files/ipsec.conf.wit

config setup
    #strictcrlpolicy=yes
    cachecrls=yes


conn %default
    #keyexchange=ikev2
    keyingtries=%forever
    dpdtimeout=10
    dpddelay=2
    dpdaction=hold
    #closeaction=none
    #rekeyfuzz = 100%
    ikelifetime = 4h
    margintime = 12m
    reauth = no
    type=transport
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    leftcert=FQHOSTNAME.crt
    leftid="C=US, O=Wit, CN=FQHOSTNAME"
    rightid="C=US, O=Wit, CN=*"
    auto=route


conn local4
    left=LOOPBACKv4
    leftsubnet=LOOPBACKv4
    right=LOOPBACKv4
    rightsubnet=LOOPBACKv4
    auth=none
    type=passthrough


conn loopback4
    left=LOOPBACKv4
    leftsubnet=LOOPBACKv4
    right=IPSEC_IPV4_SUBNETS
    rightsubnet=IPSEC_IPV4_SUBNETS


conn local6
    left=LOOPBACKv6
    leftsubnet=LOOPBACKv6
    right=LOOPBACKv6
    rightsubnet=LOOPBACKv6
    auth=none
    type=passthrough


conn loopback6
    left=LOOPBACKv6
    leftsubnet=LOOPBACKv6
    right=%any6
    rightsubnet=IPSEC_IPV6_SUBNETS
adding ipsec config as well 2018-07-27 15:34:21 -05:00			`config setup`
			`#strictcrlpolicy=yes`
			`cachecrls=yes`


			`conn %default`
enabling debug post-script again and removing hardcoded domain name in post-script for subnets lookups 2018-12-01 11:30:10 -06:00			`#keyexchange=ikev2`
adding ipsec config as well 2018-07-27 15:34:21 -05:00			`keyingtries=%forever`
raising dpdtimeout to be 5x the delay, it's much more agressive than defaults but at least its the same multiplier than default 2018-11-18 16:18:29 -06:00			`dpdtimeout=10`
ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 15:06:53 -06:00			`dpddelay=2`
changed my mind about closeaction, we should maybe have that, but trying to use hold instead 2018-11-18 15:14:26 -06:00			`dpdaction=hold`
			`#closeaction=none`
ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2 2018-11-30 11:27:18 -06:00			`#rekeyfuzz = 100%`
			`ikelifetime = 4h`
			`margintime = 12m`
			`reauth = no`
adding ipsec config as well 2018-07-27 15:34:21 -05:00			`type=transport`
ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2 2018-11-30 11:27:18 -06:00			`ike=aes256-sha512-modp4096!`
			`esp=aes256-sha512-modp4096!`
adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 14:28:02 -05:00			`leftcert=FQHOSTNAME.crt`
			`leftid="C=US, O=Wit, CN=FQHOSTNAME"`
			`rightid="C=US, O=Wit, CN=*"`
			`auto=route`
adding ipsec config as well 2018-07-27 15:34:21 -05:00

ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 15:06:53 -06:00			`conn local4`
			`left=LOOPBACKv4`
			`leftsubnet=LOOPBACKv4`
			`right=LOOPBACKv4`
			`rightsubnet=LOOPBACKv4`
			`auth=none`
			`type=passthrough`


adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 14:28:02 -05:00			`conn loopback4`
ipsec: setting source IP to loopback 2018-10-31 17:06:30 -05:00			`left=LOOPBACKv4`
setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes 2018-10-23 16:28:29 -05:00			`leftsubnet=LOOPBACKv4`
ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 15:06:53 -06:00			`right=IPSEC_IPV4_SUBNETS`
more work on edge.... adding support for dynamic ipsec subnets and some more minor patches 2018-10-19 12:57:07 -05:00			`rightsubnet=IPSEC_IPV4_SUBNETS`
ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 15:06:53 -06:00

			`conn local6`
			`left=LOOPBACKv6`
			`leftsubnet=LOOPBACKv6`
			`right=LOOPBACKv6`
			`rightsubnet=LOOPBACKv6`
			`auth=none`
			`type=passthrough`
adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 14:28:02 -05:00

			`conn loopback6`
ipsec: setting source IP to loopback 2018-10-31 17:06:30 -05:00			`left=LOOPBACKv6`
setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes 2018-10-23 16:28:29 -05:00			`leftsubnet=LOOPBACKv6`
adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 14:28:02 -05:00			`right=%any6`
ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 15:06:53 -06:00			`rightsubnet=IPSEC_IPV6_SUBNETS`
adding ipsec config as well 2018-07-27 15:34:21 -05:00