ipsec.conf.common

ipsec vpn

# common pieces for ipsec.conf. No host addresses.
#
# for conns
# left  = WEST
# right = EAST
#
# for OE stuff,
# right = my stuff
# left  = other stuff.
#

conn us-to-anyone
	also=us
	also=me-to-anyone

conn me-to-anyone
	right=%defaultroute
	left=%opportunistic
	# uncomment to enable incoming; change to auto=route for outgoing
	#auto=add

# food groups: clear, clear-or-private, private-or-clear, private, block
# Tempting to use "postcard" instead of "clear"
# these are for a subnet behind us.
conn us-clear
	also=clear
	also=us

# except the connection to the DNS server
conn let-my-dns-go
	also=clear

conn us-let-my-dns-go
	also=clear
	also=us

conn us-clear-or-private
	also=clear-or-private
	also=us

conn us-private-or-clear
	also=private-or-clear
	also=us

conn us-private-or-clear-all
	also=private-or-clear
	also=us

conn us-private
	also=private
	also=us

conn us-block
	also=block
	also=us

# a different named conn, so we can have a different policy
conn private-or-clear-all
	also=private-or-clear

# these are for self
conn clear
	type=passthrough
	authby=never
	right=%defaultroute
	left=%group
	#auto=route

conn clear-or-private
	type=passthrough
	right=%defaultroute
	left=%opportunisticgroup
	# by using "add", we get passive.
	# but this does not actually implement "clear" :-(
	failureshunt=passthrough
	#auto=route

conn private-or-clear
	type=tunnel
	right=%defaultroute
	left=%opportunisticgroup
	failureshunt=passthrough
	#auto=route

conn private
	type=tunnel
	right=%defaultroute
	left=%opportunisticgroup
	# without failureshunt, renegotiation will be tried.
	failureshunt=drop
	#auto=route

conn block
	type=reject
	authby=never
	right=%defaultroute
	left=%group
	#auto=route

# VPN connection
conn west-east
	also=west-east-base
	#auto=start

conn west-eastnet
	also=west-east-base
	also=eastnet
	#auto=start

conn westnet-east
	also=west-east-base
	also=westnet
	#auto=start

conn west-east-pass
	also=west-east-base
	type=passthrough
	#auto=start

conn westnet-east-pass
	also=west-east-base
	also=westnet
	type=passthrough
	#auto=start

conn west-eastnet-pass
	also=west-east-base
	also=eastnet
	type=passthrough
	#auto=start

conn westnet-eastnet-ipcomp
	compress=yes
	also=westnet-eastnet

conn westnet-eastnet
	also=west-east-base
	also=westnet
	also=eastnet
	#auto=start

conn westnet-eastnet-pass
	also=west-east-base
	also=westnet
	also=eastnet
	type=passthrough
	#auto=start

conn westnet-eastnet-drop
	also=west-east-base
	also=westnet
	also=eastnet
	type=drop
	#auto=start

conn eastnet
	rightsubnet=192.0.2.0/24

conn westnet
	leftsubnet=192.0.1.0/24

conn west-east-base
	# Left security gateway, subnet behind it, next hop toward right.
	left=192.1.2.45
	leftid=@west
	leftrsasigkey=0sAQNzGEFs18VKT00sA+4p+GUKn9C55PYuPQca6C+9Qhj0jfMdQnTRTDLeI+lp9TnidHH7fVpq+PkfiF2LHlZtDwMurLlwzbNOghlEYKfQ080WlOTTUAmOLhAzH28MF70q3hzq0m5fCaVZWtxcV+LfHWdxceCkjBUSaTFtR2W12urFCBz+SB3+OM33aeIbfHxmck2yzhJ8xyMods5kF3ek/RZlFvgN8VqBdcFVrZwTh0mXDCGN12HNFixL6FzQ1jQKerKBbjb0m/IPqugvpVPWVIUajUpLMEmi1FAXc1mFZE9x1SFuSr0NzYIu2ZaHfvsAZY5oN+I+R2oC67fUCjgxY+t7
	leftnexthop=192.1.2.23
	# Right security gateway, subnet behind it, next hop toward left.
	right=192.1.2.23
	rightid=@east
	rightrsasigkey=0sAQN3cn11FrBVbZhWGwRnFDAf8O9FHBmBIyIvmvt0kfkI2UGDDq8k+vYgRkwBZDviLd1p3SkL30LzuV0rqG3vBriqaAUUGoCQ0UMgsuX+k01bROLsqGB1QNXYvYiPLsnoDhKd2Gx9MUMHEjwwEZeyskMT5k91jvoAZvdEkg+9h7urbJ+kRQ4e+IHkMUrreDGwGVptV/hYQVCD54RZep6xp5ymaKRCDgMpzWvlzO80fP7JDjSZf9LI/MMu6c+qwXIKnWoNha75IhFyLWniVczxK2RdhmMhLsi0kC0CoOwWDSIEOb+5zbECDjjud+SF5tT8qRCWnSomX8jtbCdZ50WraQlL
	rightnexthop=192.1.2.45

conn road-east-base
	right=192.1.2.23
	rightid=@east
	rightrsasigkey=0sAQN3cn11FrBVbZhWGwRnFDAf8O9FHBmBIyIvmvt0kfkI2UGDDq8k+vYgRkwBZDviLd1p3SkL30LzuV0rqG3vBriqaAUUGoCQ0UMgsuX+k01bROLsqGB1QNXYvYiPLsnoDhKd2Gx9MUMHEjwwEZeyskMT5k91jvoAZvdEkg+9h7urbJ+kRQ4e+IHkMUrreDGwGVptV/hYQVCD54RZep6xp5ymaKRCDgMpzWvlzO80fP7JDjSZf9LI/MMu6c+qwXIKnWoNha75IhFyLWniVczxK2RdhmMhLsi0kC0CoOwWDSIEOb+5zbECDjjud+SF5tT8qRCWnSomX8jtbCdZ50WraQlL
	rightnexthop=192.1.2.45
	leftid=@road.uml.freeswan.org
        leftrsasigkey=0sAQNxbOBmDqiNrUmn5q4kzBQ6I6pW/g2c8iDh3Y/KDtELBC6G0dASaaa95lV0cZT2kla681hVLzRF4MUCmFkH5ih514Nrwc5aptte49/70WotqcbvAhXeBX0zbg78gUPaT7CcUEAYxHoqHubao4mmfWlSrOnpf4crE/q3J6zH+8Z3bfsTGnpThgfNCItHpH7jkHPUYDilHsk0Zfd5fxjVDbl8JbQoT3P1KrdmpK7M1sXQhug12ocq8HlrXa3smJIq5b4T0rF+MYrThrNytNIEn53phuj6S8qmONin4usCqpUw50i2VqaBNQSY++/B57AqThFZNqt7TjqqT0CQ7tPRELgXwRvWA04GDhqBHHWoOrLdsR0p
	leftnexthop=192.1.3.254

conn westnet-eastnet-x509
	leftsubnet=192.0.1.0/24
	rightsubnet=192.0.2.0/24
	also=west-east-x509

conn west-east-x509
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.1.2.45
        leftrsasigkey=%cert
        leftcert=west.uml.freeswan.org.cert  
        leftnexthop=192.1.2.23
        leftid="C=CA, ST=Ontario, O=Openswan, L=Toronto, CN=west.uml.freeswan.org, E=west@openswan.org"
        # Right security gateway, subnet behind it, next hop toward left.
        right=192.1.2.23
        rightid="C=CA, ST=Ontario, O=Openswan, L=Toronto, CN=east.uml.openswan.org, E=east@openswan.org"
        rightrsasigkey=%cert
        rightcert=east.uml.freeswan.org.cert
        rightnexthop=192.1.2.45

conn north-east-x509
	# Left security gateway, subnet behind it, next hop toward right.
	left=192.1.2.49
        leftrsasigkey=%cert
        leftcert=north.uml.freeswan.org.cert  
	leftnexthop=192.1.2.23
	leftid="C=CA/ST=Ontario/O=Openswan/CN=west.uml.freeswan.org/Email=west@openswan.org"
	# Right security gateway, subnet behind it, next hop toward left.
	right=192.1.2.23
	rightid="C=CA/ST=Ontario/O=Openswan/CN=east.uml.freeswan.org/Email=east@openswan.org"
        rightrsasigkey=%cert
	rightcert=east.uml.freeswan.org.cert
	rightnexthop=192.1.2.49

conn north-east
	# Left security gateway, subnet behind it, next hop toward right.
	left=%any
	leftnexthop=192.2.3.254
	leftid=@north
        leftrsasigkey=0sAQPwDB+4k65xvxQ3qtPV6rUucJovYeRGnfv6T7HaeK/5TcBXDyhEDrfNLS13p5cJYUu13LJbeLYS9MQZSZq7PRsg8DsG1oVeDmJbQM9CaVKs9REMnTiRbzye3mDnsQQRRr63BnU/IMDJrmO54ZenkQIbtEkFOX6vm2gtmf/s8C0lPvQk/cNXgkHx6fTq3sZs7pUiFvspj/CrZTx4ShhFNkyvv6RrUu728HspGZwseoZqC7ZbIqnsMqjPeG65qLl+IRYk4s8yT6JBYjYxX96LoHf9V8v0Qbjq4LJm7UpaqX4EJscDRGPByVZaiAwntCU3uzc/NAlgyZJN14yzwXfv1kQUJFLDGYNBF+z0dqON+0DfuCTR
	# Right security gateway, subnet behind it, next hop toward left.
	right=192.1.2.23
	rightid=@east
	rightrsasigkey=0sAQN3cn11FrBVbZhWGwRnFDAf8O9FHBmBIyIvmvt0kfkI2UGDDq8k+vYgRkwBZDviLd1p3SkL30LzuV0rqG3vBriqaAUUGoCQ0UMgsuX+k01bROLsqGB1QNXYvYiPLsnoDhKd2Gx9MUMHEjwwEZeyskMT5k91jvoAZvdEkg+9h7urbJ+kRQ4e+IHkMUrreDGwGVptV/hYQVCD54RZep6xp5ymaKRCDgMpzWvlzO80fP7JDjSZf9LI/MMu6c+qwXIKnWoNha75IhFyLWniVczxK2RdhmMhLsi0kC0CoOwWDSIEOb+5zbECDjjud+SF5tT8qRCWnSomX8jtbCdZ50WraQlL
	rightnexthop=192.1.2.254