# /etc/ipsec.conf - strongSwan IPsec configuration file
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- eap_identity=carol
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+# the PT-TLS client reads its configuration via the command line
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-carol : EAP "Ar3etTnp"
+# the PT-TLS client loads its secrets via the command line
--- /dev/null
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
# /etc/ipsec.conf - strongSwan IPsec configuration file
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- eap_identity=dave
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+# the PT-TLS client reads its configuration via the command line
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-dave : EAP "W7R0g3do"
+# the PT-TLS client loads its secrets via the command line
--- /dev/null
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightsendcert=never
- right=%any
- eap_identity=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
- multiple_authentication=no
- plugins {
- eap-radius {
- secret = gv6URkSs
- #server = PH_IP6_ALICE
- server = PH_IP_ALICE
- filter_id = yes
- }
- }
-}
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave alice"
+IPSECHOSTS="carol dave alice"
# Guest instances on which FreeRadius is started
#