# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
# For MacOSX use "bsd"
protostack=netkey
#
# Normally, pluto logs via syslog. If you want to log to a file,
# specify it below; to disable logging, e.g. on embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
# an unusual location.
#logfile=/var/log/pluto.log
#
# The interfaces= line is only required for the klips/mast stack
#interfaces="%defaultroute"
#interfaces="ipsec0=eth0 ipsec1=ppp0"
#
# If you want to limit listening on a single IP - not required for
# normal operation
#listen=127.0.0.1
#
# Do not set debug options to debug configuration issues!
#
# plutodebug / klipsdebug = "all", "none" or a combination of the following:
# "raw crypt parsing emitting control kernel pfkey natt x509 dpd
# private".
# Note: "crypt" is not included with "all", as it can show confidential
# information. It must be specified explicitly.
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#plutodebug=none
#klipsdebug=none
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: SElinux policies might prevent pluto writing the core at
# unusual locations. A core dump contains pluto's memory, including key
# material, so restrict access to dumpdir.
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf