swanctl: Add a swanctl.conf template file
authorMartin Willi <martin@revosec.ch>
Wed, 5 Mar 2014 11:15:24 +0000 (12:15 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 7 May 2014 13:48:15 +0000 (15:48 +0200)
src/swanctl/Makefile.am
src/swanctl/swanctl.conf [new file with mode: 0644]

index c951b15..d731c04 100644 (file)
@@ -20,6 +20,8 @@ swanctl_LDADD = \
 
 swanctl.o :            $(top_builddir)/config.status
 
+EXTRA_DIST = swanctl.conf
+
 AM_CPPFLAGS = \
        -I$(top_srcdir)/src/libstrongswan \
        -I$(top_srcdir)/src/libcharon/plugins/vici \
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..7580740
--- /dev/null
@@ -0,0 +1,122 @@
+connections {
+
+#      # an IKE configuration named conn1
+#      conn1 {
+#              # IKE version to use
+#              version = 2
+#              # list of acceptable local addresses/subnets
+#              local_addrs = 0.0.0.0
+#              # peer address, additional addresses/subnets as responder
+#              remote_addrs = 192.168.5.1
+#              # local UPD port for IKE
+#              local_port = 500
+#              # remote UDP port for IKE
+#              remote_port = 500
+#              # Proposals for IKE, "default" is the default proposal
+#              proposals = aes128gcm16-prfsha256-modp2048, default
+#              # virtual IPs to request, such as 0.0.0.0 or ::
+#              vips =
+#              # IKEv1 aggressive mode
+#              aggressive = no
+#              # use of pull/push in IKEv1 mode config
+#              pull = yes
+#              # enforce UDP encapsulation by faking NAT-D payloads
+#              encap = no
+#              # enable IKEv2 MOBIKE
+#              mobike = yes
+#              # interval of liveness checks
+#              dpd_delay = 10s
+#              # timeout for DPD checks (IKEV1 only)
+#              dpd_timeout = 30s
+#              # use IKEv1 UDP packet fragmentation
+#              fragmentation = force
+#              # send certificate requests
+#              send_certreq = yes
+#              # send certificate payloads
+#              send_cert = ifasked
+#              # number of retransmission sequences to do before givin up
+#              keyingtries = 0
+#              # uniquness policy, never|no|keep|replace|
+#              unique = no
+#              # time to schedule IKE reauthentication
+#              reauth_time = 3h
+#              # time to schedule IKE rekeying
+#              rekey_time = 2h
+#              # hard IKE_SA lifetime if rekey/reauth does not complete
+#              over_time = 10m
+#              # range of random time to subtract from rekey/rauth times
+#              rand_time = 10m
+#
+#              # local authentication, first round
+#              local {
+#                      # additional certificates to load
+#                      certs = a.pem, xy.der
+#                      # authentication to perform locally
+#                      auth = pubkey
+#                      # IKE identity for local
+#                      id = win@strongswan.org
+#                      # Client EAP-Identity to use
+#                      eap_id = moon
+#                      # Server side EAP identity to use, EAP-TTLS etc.
+#                      aaa_identity = srv
+#                      # IKEv1 XAuth username
+#                      xauth_id = moon
+#              }
+#              # remote authentication, first round
+#              remote {
+#                      # IKE identity for peer
+#                      id = %any
+#                      # list of acceptable peer certificates
+#                      certs = client.pem
+#                      # list of acceptable CA certificates
+#                      cacert = ca.der
+#                      # revocation policy, strict|ifuri
+#                      revocation = ifuri
+#                      # authentication to expect from remote
+#                      auth = pubkey
+#              }
+#              children {
+#                      # First CHILD_SA configuration
+#                      child1 {
+#                              # AH proposals to offer
+#                              ah_proposals = default
+#                              # ESP proposals to offer
+#                              esp_proposals = aes128gcm16-modp2048, default
+#                              # local subnets to tunnel
+#                              local_ts = 192.168.3.0/24
+#                              # remote subnets to tunnel
+#                              remote_ts = 192.168.1.0/24
+#                              # updown script to invoke
+#                              updown = path-to-script
+#                              # hostaccess variable to pass to updown
+#                              hostaccess = yes
+#                              # IPsec mode, tunnel|transport|pass|drop
+#                              mode = tunnel
+#                              # action to perform on DPD timeout
+#                              dpd_action = restart
+#                              # enable IPComp
+#                              ipcomp = no
+#                              # inactivity timeout before closing CHILD_SA
+#                              inactivity = 2m
+#                              # fixed reqid to use for this CHILD_SA
+#                              reqid = 5
+#                              # Netfilter mark for input traffic
+#                              mark_in = 1
+#                              # Netfilter mark for output traffic
+#                              mark_out = 5/0xffffffff
+#                              # Traffic Flow Confidentiality padding
+#                              tfc_padding = 1500
+#                      }
+#              }
+#      }
+
+}
+
+secrets {
+       eap {
+#              tester = testpassword
+       }
+       ike {
+#              sun.strongswan.org = 0x12345678901234
+       }
+}
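Review bot: The `secrets` block at the end of the file carries example credentials in the clear (`tester = testpassword` under `eap`, a hex `ike` secret for `sun.strongswan.org`), yet nothing in the template tells the administrator that the file must therefore be readable by root only; the file is added with mode 0644, so a template copied into place and filled in with real values would be readable by every local user. A comment at the top of the block would make the requirement explicit, e.g. `# secrets below are stored in the clear: keep this file readable by root only`, and could note that credentials may live in a separately-permissioned file instead. Several option comments also carry typos that will ship in the template: "local UPD port" should read "local UDP port", "givin up" → "giving up", "uniquness policy" → "uniqueness policy", and "rekey/rauth times" → "rekey/reauth times". The trailing `|` in `never|no|keep|replace|` looks like a dropped alternative, so the list is worth checking against the values the parser actually accepts before the template is released.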