-
Notifications
You must be signed in to change notification settings - Fork 2
/
ipsec.conf.j2
83 lines (62 loc) · 4.02 KB
/
ipsec.conf.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
version 2 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
# This does not work, the Windows 8.1 L2TP VPN client breaks.
#
# Following errors show up in /var/log/auth.log:
#
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: responding to Main Mode from unknown peer 91.65.92.33
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: no acceptable Oakley Transform
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33 #16: sending notification NO_PROPOSAL_CHOSEN to 91.65.92.33:500
# Jun 15 11:18:19 vpn pluto[10302]: "L2TP-PSK-noNAT"[16] 91.65.92.33: deleting connection "L2TP-PSK-noNAT" instance with peer 91.65.92.33 {isakmp=#0/ipsec=#0}
#ike=aes256-sha1;modp1024!
#phase2alg=aes256-sha1;modp1024
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
# Fix is mentioned:
#
# "[Openswan Users] Unable to connect using Windows 7"
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
#
# Connection succeeds:
# Jun 15 11:22:47 vpn pluto[12556]: "L2TP-PSK-noNAT"[2] 91.65.92.33 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe6a33730 <0x5258a0de xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.190 NATD=91.65.92.33:4500 DPD=none}
ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
type=transport
#because we use l2tp as tunnel protocol
left={{ ansible_default_ipv4["address"] }}
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.