ciarand · May 19, 2015 02:10
diff --git a/ipsec.conf.bash b/ipsec.conf.bash
 tee /etc/ipsec.conf << EOF 
 config setup
 	dumpdir=/var/run/pluto/
 	#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
 
 	nat_traversal=yes
 	#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
 
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
 	#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
 
 	protostack=netkey
 	#decide which protocol stack is going to be used.
 
    force_keepalive=yes
 	keep_alive=60
 	# Send a keep-alive packet every 60 seconds.
 
 conn L2TP-PSK-noNAT
 	authby=secret
 	#shared secret. Use rsasig for certificates.
 
 	pfs=no
 	#Disable pfs
 
 	auto=add
 	#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
 
 	keyingtries=3
 	#Only negotiate a conn. 3 times.
 
 	ikelifetime=8h
 	keylife=1h
 
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
 	# https://lists.openswan.org/pipermail/users/2014-April/022947.html
 	# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
 
 	type=transport
 	#because we use l2tp as tunnel protocol
 
 	left= 45.55.208.96
 	#fill in server IP above
 
 	leftprotoport=17/1701
 	right=%any
 	rightprotoport=17/%any
 
 	dpddelay=10
 	# Dead Peer Dectection (RFC 3706) keepalives delay
 	dpdtimeout=20
 	#  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
 	dpdaction=clear
 	# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
 EOF
	tee /etc/ipsec.conf << EOF
	config setup
	dumpdir=/var/run/pluto/
	#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

	nat_traversal=yes
	#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
	#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.

	protostack=netkey
	#decide which protocol stack is going to be used.

	force_keepalive=yes
	keep_alive=60
	# Send a keep-alive packet every 60 seconds.

	conn L2TP-PSK-noNAT
	authby=secret
	#shared secret. Use rsasig for certificates.

	pfs=no
	#Disable pfs

	auto=add
	#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

	keyingtries=3
	#Only negotiate a conn. 3 times.

	ikelifetime=8h
	keylife=1h

	ike=aes256-sha1,aes128-sha1,3des-sha1
	phase2alg=aes256-sha1,aes128-sha1,3des-sha1
	# https://lists.openswan.org/pipermail/users/2014-April/022947.html
	# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.

	type=transport
	#because we use l2tp as tunnel protocol

	left= 45.55.208.96
	#fill in server IP above

	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any

	dpddelay=10
	# Dead Peer Dectection (RFC 3706) keepalives delay
	dpdtimeout=20
	# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
	dpdaction=clear
	# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
	EOF