2 # This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $
# Example IPsec configuration: manually keyed connections are listed in
# manualstart, automatically keyed ones are handed to Pluto via plutoload.
# Every address and key in this file is an illustrative example value
# (private address ranges, patterned or placeholder keys); substitute real
# ones before use.
8 # THIS SETTING MUST BE CORRECT or almost nothing will work.
# Presumably each entry pairs a virtual ipsecN interface with the physical
# interface it runs over (ipsec0=eth1: ipsec0 rides on eth1) -- confirm.
9 interfaces="ipsec0=eth1 ipsec1=ppp0"
10 # Debug-logging controls: "none" for (almost) none, "all" for lots.
13 # Manual connections to be started at startup.
14 manualstart="test1 test2"
15 # Auto connections to be loaded into Pluto at startup.
16 plutoload="samplehth samplefire"
17 # Auto connections to be started at startup.
22 # defaults for subsequent connection descriptions
24 # How persistent to be in (re)keying negotiations (0 means very).
26 # Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
# The two keys below are recognisable counting patterns published in this
# example file; treat them as known to everyone. Real keys must come from a
# cryptographically secure random source and stay out of shared files.
29 espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
30 espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
31 # key lifetime (before automatic rekeying)
38 # Left security gateway and subnet behind it.
40 leftsubnet=172.16.0.0/24
41 # Right security gateway and subnet behind it.
43 rightsubnet=192.168.0.0/24
44 # Authorize this connection, but don't actually start it, at startup.
47 # sample tunnel (manually or automatically keyed)
48 # Here we just use ESP for both encryption and authentication, which is
49 # the simplest and often the best method.
51 # left security gateway (public-network address)
53 # next hop to reach right
54 leftnexthop=10.44.55.66
55 # subnet behind left (omit if left end of the tunnel is just the s.g.)
56 leftsubnet=172.16.0.0/24
57 # right s.g., subnet behind it, and next hop to reach left
59 rightnexthop=10.88.77.66
60 rightsubnet=192.168.0.0/24
63 # (manual) encryption/authentication algorithm and parameters to it
68 # In the remaining examples, deviations from the sample-tunnel configuration
69 # are marked with ###.
71 # sample host-to-host tunnel (no subnets)
72 # Here we assume (for purposes of illustration) that the hosts talk directly
73 # to each other, so we don't need next-hop settings.
75 ### left host (public-network address)
77 ### next hop to reach right
81 ### next hop to reach left
83 ### (manual) SPI number
85 # (manual) encryption/authentication algorithm and parameters to it
90 # sample hybrid tunnel, with a host on one end and a subnet (behind a
91 # security gateway) on the other
92 # This case is also sometimes called "road warrior".
94 ### left host (public-network address)
96 # next hop to reach right
97 leftnexthop=10.44.55.66
99 leftsubnet=172.16.0.0/24
100 ### right host, and next hop to reach left
102 rightnexthop=10.88.77.66
103 ### (manual) SPI number
105 # (manual) encryption/authentication algorithm and parameters to it
# [128 bits] is a placeholder for a generated 128-bit key, not a usable value.
108 espauthkey=[128 bits]
110 # sample firewall-penetrating tunnel
111 # Here we assume that firewalling is being done on the left side.
113 # left security gateway (public-network address)
115 # next hop to reach right
116 leftnexthop=10.44.55.66
117 # subnet behind left (omit if left end of the tunnel is just the s.g.)
118 leftsubnet=172.16.0.0/24
119 ### left is firewalling for its subnet
121 # right s.g., subnet behind it, and next hop to reach left
123 rightnexthop=10.88.77.66
124 rightsubnet=192.168.0.0/24
125 ### (manual) SPI number
127 # (manual) encryption/authentication algorithm and parameters to it
# [128 bits] is a placeholder for a generated 128-bit key, not a usable value.
130 espauthkey=[128 bits]
132 # sample transport-mode connection (which can only be host-to-host)
133 # Here we use the whole nine yards, with encryption done by ESP and
134 # authentication by AH; this perhaps is slightly preferable for transport
135 # mode, where the IP headers are exposed.
137 ### transport mode rather than tunnel
139 ### left host (public-network address)
141 # next hop to reach right
142 leftnexthop=10.44.55.66
143 ### right host, and next hop to reach left
145 rightnexthop=10.88.77.66
146 ### (manual) SPI number
148 ### (manual) encryption algorithm and parameters to it
151 ### (manual) authentication algorithm and parameters to it
154 ### (auto) authentication control
157 # sample description with keys split out into a separate section
158 # Normally the key section would go in a separate file, with tighter
159 # permissions set on it.
161 # left security gateway (public-network address)
163 # next hop to reach right
164 leftnexthop=10.44.55.66
165 # subnet behind left (omit if left end of the tunnel is just the s.g.)
166 leftsubnet=172.16.0.0/24
167 # right s.g., subnet behind it, and next hop to reach left
169 rightnexthop=10.88.77.66
170 rightsubnet=192.168.0.0/24
171 ### (manual) SPI number
173 # (manual) encryption/authentication algorithm and parameters to it
177 # keys for the previous section
178 # Normally this would go in a separate file, picked up using an include line,
179 # to allow keeping the keys confidential.
# Restrict that key file so only its owner can read it; the main
# configuration file then never has to carry secrets itself.
# [128 bits] is a placeholder for a generated 128-bit key, not a usable value.
182 espauthkey=[128 bits]