...

IPsec config file (conn definitions):
conn clear
    auto=ondemand
    type=passthrough
    authby=never
    left=%defaultroute
    right=%group

conn private
    auto=ondemand
    type=transport
    authby=rsasig
    ikev2=insist
    # Drop (rather than hold) packets while negotiating, and drop them if
    # negotiation fails instead of passing them in the clear
    failureshunt=drop
    negotiationshunt=drop
    fragmentation=yes

    left=%defaultroute
    leftcert=thisnode
    leftsendcert=always
    leftrsasigkey=%cert

    # Dynamic connection
    right=%opportunisticgroup

    # Do NOT set rightid: with rightid=%fromcert any valid cert from the CA
    # would be accepted. Leaving it unset keeps the peer's ID as its IP
    # address, which must then match its certificate.
    # LEAVE THIS COMMENTED OUT
    #rightid=%fromcert
    # For simplicity the peer just needs to be signed by the same CA
    rightca=%same
    rightrsasigkey=%cert
    # support Apple and Windows at the same time
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048
    # AH mode (integrity only, no encryption)
    #phase2=ah
    #ah=aes_xcbc
    # ESP mode: aes_gcm256-null seems to be the recommended and fastest cipher
    esp=aes_gcm256-null


Configure the /etc/ipsec.d/policies/private file (the file name must match the conn name, private, from conn private above).

Selector files:

/etc/ipsec.d/policies/private:
# encrypt all smtp traffic to some host
#  10.0.1.0/24  tcp  0  25
# encrypt all incoming smtp traffic
#  0.0.0.0/0  tcp  25  0
#146.6.192.149/32
# Encrypt all connections to this host:
129.116.112.207/32


/etc/ipsec.d/policies/clear:
# don't IPsec-encrypt any incoming ssh
# This could be an issue: the selector only looks at the port, so if an
# attacker sources NFS traffic from port 22 it also matches and goes in the clear
0.0.0.0/0  tcp  22  0
0.0.0.0/0  tcp  0 22
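The two policy files above are worth linting before deployment: a clear selector on 0.0.0.0/0 that is keyed only on a port is exactly the bypass the comment warns about, and it also exempts port-22 traffic to the "encrypt everything" host. The following is an added example written for this page, not libreswan's own tooling; it assumes the selector grammar the page's comments show (network[/prefix] [protocol sport dport], with 0 meaning any port), embeds constructed copies of the two files, and reports clear rules any peer can match by picking its own source port, plus private/clear overlaps.

```python
# Added example for this page, not libreswan's own tooling. Assumes the
# selector grammar the page's comments illustrate:
#     network[/prefix] [protocol sport dport]      (port 0 = any port)
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: copies of the page's two policy files.
POLICY_PRIVATE = """\
# encrypt all smtp traffic to some host
#  10.0.1.0/24  tcp  0  25
#146.6.192.149/32
# Encrypt all connections to this host:
129.116.112.207/32
"""
POLICY_CLEAR = """\
# don't IPsec encrypt any incoming ssh
0.0.0.0/0  tcp  22  0
0.0.0.0/0  tcp  0 22
"""


@dataclass(frozen=True)
class Selector:
    network: IPNetwork
    proto: Optional[str]  # None: any protocol
    sport: int            # 0: any source port
    dport: int            # 0: any destination port

    def __str__(self) -> str:
        if self.proto is None:
            return str(self.network)
        return f"{self.network} {self.proto} {self.sport} {self.dport}"


def _port(field: str, lineno: int) -> int:
    if not field.isdigit() or int(field) > 65535:
        raise ValueError(f"line {lineno}: bad port {field!r}")
    return int(field)


def parse_policy(text: str) -> List[Selector]:
    """Parse one policy file; '#' comments and blank lines are ignored."""
    selectors: List[Selector] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (1, 4):
            raise ValueError(f"line {lineno}: expected 'net' or 'net proto sport dport'")
        net = ipaddress.ip_network(fields[0], strict=False)  # raises ValueError if bad
        if len(fields) == 1:
            selectors.append(Selector(net, None, 0, 0))
            continue
        proto = fields[1].lower()
        if proto not in ("tcp", "udp") and not proto.isdigit():
            raise ValueError(f"line {lineno}: unsupported protocol {proto!r}")
        selectors.append(Selector(net, proto, _port(fields[2], lineno), _port(fields[3], lineno)))
    return selectors


def is_valid_policy(text: str) -> bool:
    """True if the file parses under the assumed grammar."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def find_port_based_exemptions(clear: List[Selector]) -> List[str]:
    """Flag clear entries that exempt every peer by port alone: the remote
    side picks its own source port, so 0.0.0.0/0 tcp 22 0 is a free bypass."""
    return [f"{sel}: any-host clear rule keyed only on port" for sel in clear
            if sel.network.prefixlen == 0 and sel.proto is not None
            and (sel.sport or sel.dport)]


def _compatible(a: Selector, b: Selector) -> bool:
    """Protocol and ports can match one flow (None / 0 act as wildcards)."""
    return ((a.proto is None or b.proto is None or a.proto == b.proto)
            and (a.sport == 0 or b.sport == 0 or a.sport == b.sport)
            and (a.dport == 0 or b.dport == 0 or a.dport == b.dport))


def clear_overlaps(private: List[Selector], clear: List[Selector]) -> List[Tuple[str, str]]:
    """(private, clear) pairs where a clear selector covers part of a private
    one; those flows (e.g. TCP/22 to 129.116.112.207) are sent unencrypted."""
    return [(str(p), str(c)) for p in private for c in clear
            if p.network.version == c.network.version and _compatible(p, c)
            and (p.network.subnet_of(c.network) or c.network.subnet_of(p.network))]


if __name__ == "__main__":
    priv, clr = parse_policy(POLICY_PRIVATE), parse_policy(POLICY_CLEAR)
    for finding in find_port_based_exemptions(clr):
        print("WARN", finding)
    for p, c in clear_overlaps(priv, clr):
        print(f"NOTE private {p} is partly covered by clear {c}")
```

Run it against real files with parse_policy(open(path).read()). The check is deliberately conservative: a clear entry pinned to a specific host or network is not flagged, only entries that any peer can satisfy by choosing its source port. Whether a given libreswan release honours the protocol/port columns in group files is not covered here; the parser simply accepts the format the page itself uses.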