ipsec changes: IKEv2, and more ipsec changes to hopefully increase stability
parent
e3fba4ecad
commit
86d5c80bbb
|
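--- a/FILE_1_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_1_PATH_NOT_SHOWN_ON_PAGE
@@ -12,5 +12,5 @@ files/qemu-ifup etc/libvirt/hooks
 files/firewall etc/init.d
 files/frr.conf.wit etc/frr
 files/ipsec.conf.wit etc
-files/swanctl-wit.conf.wit etc/swanctl/conf.d
 files/ips.issue etc/issue.d
+files/wit-logging.conf etc/strongswan.d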
@ -1,21 +1,15 @@
|
||||||
config setup
|
config setup
|
||||||
#charondebug="all"
|
|
||||||
#uniqueids=yes
|
#uniqueids=yes
|
||||||
#strictcrlpolicy=yes
|
#strictcrlpolicy=yes
|
||||||
cachecrls=yes
|
cachecrls=yes
|
||||||
|
|
||||||
#ca ca-wit #define alternative CRL distribution point
|
|
||||||
# cacert=ca-wit.crt
|
|
||||||
# crluri=ca-wit.crl
|
|
||||||
# auto=add
|
|
||||||
|
|
||||||
conn %default
|
conn %default
|
||||||
|
#keyexchange=ikev1
|
||||||
keyingtries=%forever
|
keyingtries=%forever
|
||||||
dpdtimeout=10
|
dpdtimeout=9
|
||||||
dpddelay=3
|
dpddelay=2
|
||||||
dpdaction=restart
|
|
||||||
type=transport
|
type=transport
|
||||||
keyexchange=ikev1
|
|
||||||
ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
||||||
esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
||||||
leftcert=FQHOSTNAME.crt
|
leftcert=FQHOSTNAME.crt
|
||||||
|
@ -24,18 +18,34 @@ conn %default
|
||||||
auto=route
|
auto=route
|
||||||
|
|
||||||
|
|
||||||
conn loopback4
|
conn local4
|
||||||
#leftsourceip=%config4
|
|
||||||
left=LOOPBACKv4
|
left=LOOPBACKv4
|
||||||
leftsubnet=LOOPBACKv4
|
leftsubnet=LOOPBACKv4
|
||||||
|
right=LOOPBACKv4
|
||||||
|
rightsubnet=LOOPBACKv4
|
||||||
|
auth=none
|
||||||
|
type=passthrough
|
||||||
|
|
||||||
|
|
||||||
|
conn loopback4
|
||||||
|
left=LOOPBACKv4
|
||||||
|
leftsubnet=LOOPBACKv4
|
||||||
|
right=IPSEC_IPV4_SUBNETS
|
||||||
rightsubnet=IPSEC_IPV4_SUBNETS
|
rightsubnet=IPSEC_IPV4_SUBNETS
|
||||||
right=%any4
|
|
||||||
|
|
||||||
|
conn local6
|
||||||
|
left=LOOPBACKv6
|
||||||
|
leftsubnet=LOOPBACKv6
|
||||||
|
right=LOOPBACKv6
|
||||||
|
rightsubnet=LOOPBACKv6
|
||||||
|
auth=none
|
||||||
|
type=passthrough
|
||||||
|
|
||||||
|
|
||||||
conn loopback6
|
conn loopback6
|
||||||
#leftsourceip=%config6
|
|
||||||
left=LOOPBACKv6
|
left=LOOPBACKv6
|
||||||
leftsubnet=LOOPBACKv6
|
leftsubnet=LOOPBACKv6
|
||||||
rightsubnet=IPSEC_IPV6_SUBNETS
|
|
||||||
right=%any6
|
right=%any6
|
||||||
|
rightsubnet=IPSEC_IPV6_SUBNETS
|
||||||
|
|
||||||
|
|
|
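Review bot: Removing `dpdaction=restart` from `conn %default` while keeping `dpddelay=2` and `dpdtimeout=9` leaves two timers tuned for a mechanism that is no longer active, since strongSwan's `dpdaction` default is `none` (no DPD messages are sent) as far as I recall; either restore `dpdaction=restart` (or `clear`/`hold`, given `auto=route` already re-triggers on traffic) or drop the timers and add `# liveness relies on IKEv2 retransmission timeouts, DPD intentionally off`. Note also that `dpdtimeout` only applies to IKEv1, so with `keyexchange=ikev1` removed it has no effect regardless. In the second hunk the new passthrough sections `conn local4`/`conn local6` set `auth=none`; ipsec.conf's `auth` takes `esp|ah` as far as I know, so verify the parser accepts that value or remove it. The unchanged `ike=`/`esp=` proposals still fall back to `aes128-sha1-modp2048`; the IKEv2 rework is the natural point to drop the SHA-1 proposal if no peer still requires it. The `conn %default` block continues between the two hunks in lines not shown here.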
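--- /dev/null
+++ b/FILE_3_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,21 @@
+charon {
+install_routes = no
+install_virtual_ip = no
+interfaces_use = lo
+syslog {
+auth {
+ike_name = yes
+default = 0
+}
+daemon {
+ike_name = yes
+default = 1
+knl = 1
+cfg = 1
+ike = 0
+net = 0
+enc = 0
+}
+}
+}
+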
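Review bot: The first three settings in the `charon` block (`install_routes = no`, `install_virtual_ip = no`, `interfaces_use = lo`) change what charon binds to and what it installs in the kernel, yet the manifest hunk installs this new drop-in as a `*-logging.conf` file, so an operator asking why charon listens only on `lo` will not look here; either move them to a separately named drop-in or add a header comment such as `# charon binds to lo only: every peer in ipsec.conf is a loopback address; routes and virtual IPs are managed outside strongSwan`. The file path is not visible on this page, so I am inferring its name from the manifest. A short comment on `ike = 0` / `net = 0` / `enc = 0` in the `daemon` facility, e.g. `# IKE/network/crypto detail suppressed on purpose; raise ike to 1 when debugging peer authentication failures`, would tell operators where to turn verbosity up, since level 0 only emits basic SA up/down events as far as I recall.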