...
IPSEC config file:

conn clear
    auto=ondemand
    type=passthrough
    authby=never
    left=%defaultroute
    right=%group

conn private
    auto=ondemand
    type=transport
    authby=rsasig
    ikev2=insist
    failureshunt=drop
    negotiationshunt=drop
    fragmentation=yes
    left=%defaultroute
    leftcert=thisnode
    leftsendcert=always
    leftrsasigkey=%cert
    # Dynamic connection: the peers are whoever the policy group file names
    right=%opportunisticgroup
    # If rightid is set, any valid cert from the CA is accepted for any peer.
    # Leaving it unset keeps the peer ID tied to the host, i.e. its IP address.
    # LEAVE THIS COMMENTED OUT
    #rightid=%fromcert
    # For simplicity the peer cert just needs to come from the same CA
    rightca=%same
    rightrsasigkey=%cert
    # support Apple and Windows at the same time
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048
    # AH mode (integrity only, no encryption)
    #phase2=AH
    #ah=aes_xcbc
    # ESP mode: aes_gcm256-null is the recommended and fastest cipher
    esp=aes_gcm256-null
Configure the policy group files under /etc/ipsec.d/policies/. Each file is named after the conn it belongs to: private for conn private and clear for conn clear above.
/etc/ipsec.d/policies/private:
# encrypt all smtp traffic to some host
# 10.0.1.0/24 tcp 0 25
# encrypt all incoming smtp traffic
# 0.0.0.0/0 tcp 25 0
#146.6.192.149/32
# Encrypt all connections to this host:
129.116.112.207/32

/etc/ipsec.d/policies/clear:
# don't IPsec encrypt any incoming ssh
0.0.0.0/0 tcp 22 0
# ... nor any traffic to remote port 22. This could be an issue if an attacker
# sources NFS traffic from port 22 so that it bypasses IPsec
0.0.0.0/0 tcp 0 22
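The two lines in the clear file are the kind of exemption that is easy to get wrong, so the following lint for the policy group files is added here as an example; it is not code from the original page or from libreswan. It assumes the page's own reading of a policy line, CIDR followed optionally by protocol, local port and remote port with 0 meaning any port (this is not checked against the libreswan parser), and the embedded sample input is a constructed copy of the two files shown above.

```python
"""Lint libreswan opportunistic-encryption policy group files.

Added example; not from the original page or from libreswan.  Assumed line
format (the page's own reading, not checked against the libreswan parser):

    CIDR [protocol local_port remote_port]

where CIDR is the remote network, a bare CIDR means all traffic, and port 0
means any port.  '#' starts a comment.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: the two policy files shown on this page.
PRIVATE = """\
# encrypt all connections to this host
129.116.112.207/32
"""
CLEAR = """\
# don't IPsec encrypt any incoming ssh
0.0.0.0/0 tcp 22 0
0.0.0.0/0 tcp 0 22
"""


@dataclass(frozen=True)
class PolicyEntry:
    network: Network
    proto: Optional[str]   # None: whole network, any protocol
    local_port: int        # 0: any
    remote_port: int       # 0: any
    line_no: int


def parse_policy(text: str) -> List[PolicyEntry]:
    """Parse one policy group file; raise ValueError on a malformed line."""
    entries: List[PolicyEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        net = ipaddress.ip_network(fields[0], strict=False)
        if len(fields) == 1:
            entries.append(PolicyEntry(net, None, 0, 0, n))
        elif len(fields) == 4:
            entries.append(PolicyEntry(net, fields[1].lower(),
                                       int(fields[2]), int(fields[3]), n))
        else:
            raise ValueError(f"line {n}: expected 'CIDR' or "
                             f"'CIDR proto local_port remote_port', got {raw!r}")
    return entries


def bypass_risks(clear: List[PolicyEntry]) -> List[str]:
    """Clear-text exemptions that a remote peer can trigger on its own.

    A /0 entry keyed only on the *remote* port is the page's caveat: the peer
    chooses its source port, so anything it sends from that port bypasses IPsec.
    """
    findings = []
    for e in clear:
        if e.network.prefixlen != 0:             # limited to specific peers
            continue
        if e.proto is None:
            findings.append(f"clear line {e.line_no}: {e.network} with no port "
                            "exempts all traffic from IPsec")
        elif e.local_port == 0 and e.remote_port != 0:
            findings.append(f"clear line {e.line_no}: any host can bypass IPsec "
                            f"by sending {e.proto} from source port {e.remote_port}")
    return findings


def overlaps(private: List[PolicyEntry],
             clear: List[PolicyEntry]) -> List[Tuple[int, int]]:
    """(private line, clear line) pairs whose networks overlap, i.e. traffic to
    the same peer is matched by both groups.  Which one wins is decided by
    libreswan's kernel policy priorities, so confirm on the host with
    'ipsec whack --trafficstatus' and 'ip xfrm policy'."""
    return [(p.line_no, c.line_no) for p in private for c in clear
            if p.network.version == c.network.version
            and p.network.overlaps(c.network)]


def main(argv: List[str]) -> int:
    """With two paths (private, clear) lint the real files; otherwise the samples."""
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            private, clear = parse_policy(f.read()), parse_policy(g.read())
    else:
        private, clear = parse_policy(PRIVATE), parse_policy(CLEAR)
    risks = bypass_risks(clear)
    for finding in risks:
        print("WARN", finding)
    for p, c in overlaps(private, clear):
        print(f"NOTE private line {p} and clear line {c} match the same peers")
    return 1 if risks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the page's own files this warns about the `0.0.0.0/0 tcp 0 22` line and notes that 129.116.112.207/32 is matched by both groups; run it against /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear to check a live host.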