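# racoon.conf for odin.websages.com (172.16.0.2): four static site-to-site
# tunnels authenticated with X.509 certificates, plus an XAuth/mode-config
# listener for mobile clients whose users are checked against a local LDAP.
#
# NOTE(review): this file was published in a public gist. The ldapcfg bind_pw
# below has therefore been disclosed and must be rotated, and the file should
# be readable by root only (it also names the private key
# odin.websages.com.key under /etc/racoon/certs).
path certificate "/etc/racoon/certs";

listen {
	isakmp 65.19.178.106 [500];
	isakmp_natt 65.19.178.106 [4500];
	# No control socket: nothing on the host can steer racoon via racoonctl.
	adminsock disabled;
}

# Static peers. Each is authenticated by RSA signature; verify_cert and
# verify_identifier are on, so the peer must present a certificate that
# chains to a CA racoon trusts and whose subject DN matches its ID payload.
# Two things to confirm:
#  - no ca_type is given here (only the anonymous listener names ca.crt), so
#    the CA is expected to be found via the "path certificate" directory --
#    verify that is actually where racoon looks on this build;
#  - peers_identifier asn1dn carries no DN string, so as written any
#    certificate from that CA appears to satisfy the check for the address.
#    Pinning the expected subject, e.g.
#    peers_identifier asn1dn "C=..,O=..,CN=freyr.websages.com"; would bind
#    each remote to one certificate.
# Crypto: AES-256 / SHA-1 / DH group 5 (1536-bit MODP). Group 5 and SHA-1 are
# below current guidance; prefer dh_group 14 and hash_algorithm sha256 -- but
# all four peers must change together, changing one side alone breaks the
# tunnel.

# connection to freyr.websages.com
remote 72.14.177.235 [500] {
	exchange_mode main;
	peers_identifier asn1dn;
	my_identifier asn1dn;
	verify_identifier on;
	verify_cert on;
	certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
	lifetime time 1440 min;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 5;
		lifetime time 86400 sec;
	}
}
sainfo address 172.16.0.2/32 any address 172.16.0.1/32 any {
	lifetime time 1 hour ;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# connection to thor.websages.com
remote 207.192.74.54 [500] {
	exchange_mode main;
	peers_identifier asn1dn;
	my_identifier asn1dn;
	verify_identifier on;
	verify_cert on;
	certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
	lifetime time 1440 min;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 5;
		lifetime time 86400 sec;
	}
}
sainfo address 172.16.0.2/32 any address 172.16.0.3/32 any {
	lifetime time 1 hour ;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# connection to loki.websages.com
remote 74.207.230.73 [500] {
	exchange_mode main;
	peers_identifier asn1dn;
	my_identifier asn1dn;
	verify_identifier on;
	verify_cert on;
	certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
	lifetime time 1440 min;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 5;
		lifetime time 86400 sec;
	}
}
sainfo address 172.16.0.2/32 any address 172.16.0.10/32 any {
	lifetime time 1 hour ;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# connection to vili.websages.com
remote 74.207.235.127 [500] {
	exchange_mode main;
	peers_identifier asn1dn;
	my_identifier asn1dn;
	verify_identifier on;
	verify_cert on;
	certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
	lifetime time 1440 min;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 5;
		lifetime time 86400 sec;
	}
}
sainfo address 172.16.0.2/32 any address 172.16.0.11/32 any {
	lifetime time 1 hour ;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# listener for remote mobile devices
# Road-warrior listener: any source address may connect, racoon never
# initiates (passive), and the client is authenticated twice -- RSA signature
# over a certificate chained to ca.crt, then XAuth username/password looked
# up in LDAP (auth_source in mode_cfg). SPD entries are generated from the
# client's phase-2 proposal (generate_policy on); proposal_check strict makes
# racoon reject a proposal whose lifetime or PFS group is looser than the
# matching sainfo.
remote anonymous {
	exchange_mode main;
	generate_policy on;
	passive on;
	ca_type x509 "ca.crt";
	certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
	my_identifier asn1dn;
	nat_traversal on;
	mode_cfg on;
	# Hooks that install/remove the per-client SA and SPD entries; they get
	# LOCAL_ADDR, REMOTE_ADDR and INTERNAL_ADDR4 from racoon's environment.
	script "/etc/racoon/phase1-up.sh" phase1_up;
	script "/etc/racoon/phase1-down.sh" phase1_down;
	# Dead-peer detection so a vanished client's address returns to the pool.
	dpd_delay 20;
	# Certificates make the IKE packets large; fragment at the IKE layer.
	ike_frag on;
	lifetime time 3600 sec;
	proposal_check strict;
	proposal {
		authentication_method xauth_rsa_server;
		# No key length given, so racoon's AES default applies (128-bit per
		# racoon.conf(5)). DH group 2 is 1024-bit MODP, below current
		# guidance; raise to dh_group 14 once the client population can.
		encryption_algorithm aes;
		hash_algorithm sha1;
		dh_group 2;
	}
}

# Address hand-out and user authentication for mode-config clients.
mode_cfg {
	# Addresses come from the pool defined below, not from an external source.
	conf_source local;
	pfs_group 2;
	# Per racoon.conf(5) this is a delay (seconds) imposed after each failed
	# XAuth attempt; it rate-limits password guessing against the directory.
	auth_throttle 3;
	auth_source ldap;	# Authenticate XAuth users against LDAP
	save_passwd off;	# off: clients are NOT told they may cache the XAuth password
	# group_source ldap;	# Verify group membership in LDAP
	# auth_groups "ipsec vpn";	# Require membership of this group to connect
	default_domain "websages.com";
	dns4 172.16.0.2;
	network4 172.16.0.64;
	netmask4 255.255.255.224;
	pool_size 32;
	# split_network include 172.16.0.0/12;	# split tunneling: only send these subnets through the tunnel
	# split_dns "websages.com";
}

# LDAP used for XAuth. The bind is plaintext; that is tolerable only while
# the directory stays on loopback -- if it moves off-host, switch to the
# ldapcfg tls option or an stunnel/ldaps hop.
ldapcfg {
	host "127.0.0.1";
	base "dc=websages,dc=com";
	subtree on;
	bind_dn "cn=LDAP Anonymous,ou=Special,dc=websages,dc=com";
	# NOTE(review): credential published with this gist -- rotate it. Keep
	# the bind DN minimally privileged (read-only search on the user subtree).
	bind_pw "8de47d5aa7d61e92c577d8156b966583f6d7d75d714a3b99fca4fb2f8bfe97c6";
	attr_user "uid";	# Searches for (<attr_user>=<userid>)
	# attr_group "cn";	# Searches for (&(<attr_group>=<groupname>)(<attr_member>=<userid>))
	# attr_member "member";
}

# Phase-2 parameters for road-warrior clients. pfs_group 2 is the same
# 1024-bit group as above; move with dh_group when clients allow.
sainfo anonymous {
	pfs_group 2;
	lifetime time 3600 sec;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}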
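#!/bin/bash
# phase1-down hook for racoon's "remote anonymous" listener
# (racoon.conf: script "/etc/racoon/phase1-down.sh" phase1_down).
#
# racoon exports LOCAL_ADDR and REMOTE_ADDR for the peer, and -- per
# racoon.conf(5), for clients that went through mode_cfg -- INTERNAL_ADDR4,
# the tunnel address handed out from the pool. This undoes what
# phase1-up.sh installed: flush the ESP SAs for the peer and remove the two
# per-client SPD entries, so a gone client leaves no stale policy attached to
# an address the pool may hand to the next user.
#
# racoon execs this file directly, so the shebang line must be intact.
set -eu -o pipefail
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# Fail loudly rather than feed setkey a half-formed command: with either
# address empty, "deleteall <remote> <local> esp" is no longer three
# arguments and setkey rejects it, silently leaving the SAs in place.
: "${LOCAL_ADDR:?racoon did not export LOCAL_ADDR}"
: "${REMOTE_ADDR:?racoon did not export REMOTE_ADDR}"

{
  printf 'deleteall %s %s esp;\n' "$REMOTE_ADDR" "$LOCAL_ADDR"
  printf 'deleteall %s %s esp;\n' "$LOCAL_ADDR" "$REMOTE_ADDR"
  # Without a mode_cfg address there were no per-client SPD entries to
  # remove, and "[any]" with nothing in front of it is a setkey syntax error
  # that would be logged on every such teardown.
  if [[ -n "${INTERNAL_ADDR4:-}" ]]; then
    # Server side: traffic to the client's tunnel address is outbound,
    # traffic from it is inbound.
    printf 'spddelete 0.0.0.0/0[any] %s[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' \
      "$INTERNAL_ADDR4" "$LOCAL_ADDR" "$REMOTE_ADDR"
    printf 'spddelete %s[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' \
      "$INTERNAL_ADDR4" "$REMOTE_ADDR" "$LOCAL_ADDR"
  fi
} | setkey -c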