move scrap notes into notes/

6 files changed, 745 insertions, 0 deletions

diff --git a/notes/andy.brief.conf b/notes/andy.brief.conf
new file mode 100644
index 0000000..977a546
--- /dev/null
+++ b/notes/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+    andy {
+        remote_addrs = 68.48.18.140
+        vips = ::
+        local1 {
+            pubkeys = ssh_host_rsa_key.pub
+            auth = pubkey
+            id = dd6c:fbfd:eeb8:4709
+        }
+        remote1 {
+            id = "68.48.18.140"
+            pubkeys = andy.pub
+            auth = pubkey
+        }
+        children {
+            child1 {
+                remote_ts = 0::0/0
+                mode = tunnel
+                dpd_action = restart
+            }
+        }
+    }
+}
+secrets {
+    private1 {
+        file = ssh_host_rsa_key
+    }
+}
diff --git a/notes/andy.conf b/notes/andy.conf
new file mode 100644
index 0000000..ea5e71a
--- /dev/null
+++ b/notes/andy.conf
@@ -0,0 +1,580 @@
+# conn andy
+#   type=tunnel
+#   auto=add
+#
+#   left=%any
+#   leftsourceip=%config
+#   leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+#   leftid=dd6c:fbfd:eeb8:4709
+#   right=%any
+#   right=68.48.18.140
+#   #rightsubnet=2601:401:8200:2d4c::1/64
+#   rightsubnet=0::0/0
+#   rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Section defining IKE connection configurations.
+connections {
+
+    # Section for an IKE connection named andy.
+    andy {
+
+        # IKE major version to use for connection.
+        # version = 0
+
+        # Local address(es) to use for IKE communication, comma separated.
+        # local_addrs = %any
+
+        # Remote address(es) to use for IKE communication, comma separated.
+        remote_addrs = 68.48.18.140
+
+        # Local UDP port for IKE communication.
+        # local_port = 500
+
+        # Remote UDP port for IKE communication.
+        # remote_port = 500
+
+        # Comma separated proposals to accept for IKE.
+        # proposals = default
+
+        # Virtual IPs to request in configuration payload / Mode Config.
+        vips = ::
+
+        # Use Aggressive Mode in IKEv1.
+        # aggressive = no
+
+        # Set the Mode Config mode to use.
+        # pull = yes
+
+        # Differentiated Services Field Codepoint to set on outgoing IKE packets
+        # (six binary digits).
+        # dscp = 000000
+
+        # Enforce UDP encapsulation by faking NAT-D payloads.
+        # encap = no
+
+        # Enables MOBIKE on IKEv2 connections.
+        # mobike = yes
+
+        # Interval of liveness checks (DPD).
+        # dpd_delay = 0s
+
+        # Timeout for DPD checks (IKEV1 only).
+        # dpd_timeout = 0s
+
+        # Use IKE UDP datagram fragmentation (yes, accept, no or force).
+        # fragmentation = yes
+
+        # Use childless IKE_SA initiation (allow, force or never).
+        # childless = allow
+
+        # Send certificate requests payloads (yes or no).
+        # send_certreq = yes
+
+        # Send certificate payloads (always, never or ifasked).
+        # send_cert = ifasked
+
+        # String identifying the Postquantum Preshared Key (PPK) to be used.
+        # ppk_id =
+
+        # Whether a Postquantum Preshared Key (PPK) is required for this
+        # connection.
+        # ppk_required = no
+
+        # Number of retransmission sequences to perform during initial connect.
+        # keyingtries = 1
+
+        # Connection uniqueness policy (never, no, keep or replace).
+        # unique = no
+
+        # Time to schedule IKE reauthentication.
+        # reauth_time = 0s
+
+        # Time to schedule IKE rekeying.
+        # rekey_time = 4h
+
+        # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+        # over_time = 10% of rekey_time/reauth_time
+
+        # Range of random time to subtract from rekey/reauth times.
+        # rand_time = over_time
+
+        # Comma separated list of named IP pools.
+        # pools =
+
+        # Default inbound XFRM interface ID for children.
+        # if_id_in = 0
+
+        # Default outbound XFRM interface ID for children.
+        # if_id_out = 0
+
+        # Whether this connection is a mediation connection.
+        # mediation = no
+
+        # The name of the connection to mediate this connection through.
+        # mediated_by =
+
+        # Identity under which the peer is registered at the mediation server.
+        # mediation_peer =
+
+        # Section for a local authentication round.
+        local1 {
+
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
+            # Comma separated list of certificate candidates to use for
+            # authentication.
+            # certs =
+
+            # Section for a certificate candidate to use for authentication.
+            # cert<suffix> =
+
+            # Comma separated list of raw public key candidates to use for
+            # authentication.
+            pubkeys = ssh_host_rsa_key.pub
+
+            # Authentication to perform locally (pubkey, psk, xauth[-backend] or
+            # eap[-method]).
+            auth = pubkey
+
+            # IKE identity to use for authentication round.
+            id = dd6c:fbfd:eeb8:4709
+
+            # Client EAP-Identity to use in EAP-Identity exchange and the EAP
+            # method.
+            # eap_id = id
+
+            # Server side EAP-Identity to expect in the EAP method.
+            # aaa_id = remote-id
+
+            # Client XAuth username used in the XAuth exchange.
+            # xauth_id = id
+
+            # cert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
+        }
+
+        # Section for a remote authentication round.
+        remote1 {
+
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
+            # IKE identity to expect for authentication round.
+            #id = %any
+            id = "68.48.18.140"
+
+            # Identity to use as peer identity during EAP authentication.
+            # eap_id = id
+
+            # Authorization group memberships to require.
+            # groups =
+
+            # Certificate policy OIDs the peer's certificate must have.
+            # cert_policy =
+
+            # Comma separated list of certificate to accept for authentication.
+            # certs =
+
+            # Section for a certificate to accept for authentication.
+            # cert<suffix> =
+
+            # Comma separated list of CA certificates to accept for
+            # authentication.
+            # cacerts =
+
+            # Section for a CA certificate to accept for authentication.
+            # cacert<suffix> =
+
+            # Identity in CA certificate to accept for authentication.
+            # ca_id =
+
+            # Comma separated list of raw public keys to accept for
+            # authentication.
+            pubkeys = andy.pub
+
+            # Certificate revocation policy, (strict, ifuri or relaxed).
+            # revocation = relaxed
+
+            # Authentication to expect from remote (pubkey, psk, xauth[-backend]
+            # or eap[-method]).
+            auth = pubkey
+
+            # cert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
+            # cacert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the CA certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the CA
+                # certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
+        }
+
+        children {
+
+            # CHILD_SA configuration sub-section.
+            child1 {
+
+                # AH proposals to offer for the CHILD_SA.
+                # ah_proposals =
+
+                # ESP proposals to offer for the CHILD_SA.
+                # esp_proposals = default
+
+                # Use incorrect 96-bit truncation for HMAC-SHA-256.
+                # sha256_96 = no
+
+                # Local traffic selectors to include in CHILD_SA.
+                # local_ts = dynamic
+
+                # Remote selectors to include in CHILD_SA.
+                remote_ts = 0::0/0
+
+                # Time to schedule CHILD_SA rekeying.
+                # rekey_time = 1h
+
+                # Maximum lifetime before CHILD_SA gets closed, as time.
+                # life_time = rekey_time + 10%
+
+                # Range of random time to subtract from rekey_time.
+                # rand_time = life_time - rekey_time
+
+                # Number of bytes processed before initiating CHILD_SA rekeying.
+                # rekey_bytes = 0
+
+                # Maximum bytes processed before CHILD_SA gets closed.
+                # life_bytes = rekey_bytes + 10%
+
+                # Range of random bytes to subtract from rekey_bytes.
+                # rand_bytes = life_bytes - rekey_bytes
+
+                # Number of packets processed before initiating CHILD_SA
+                # rekeying.
+                # rekey_packets = 0
+
+                # Maximum number of packets processed before CHILD_SA gets
+                # closed.
+                # life_packets = rekey_packets + 10%
+
+                # Range of random packets to subtract from packets_bytes.
+                # rand_packets = life_packets - rekey_packets
+
+                # Updown script to invoke on CHILD_SA up and down events.
+                # updown =
+
+                # Hostaccess variable to pass to updown script.
+                # hostaccess = no
+
+                # IPsec Mode to establish (tunnel, transport, transport_proxy,
+                # beet, pass or drop).
+                mode = tunnel
+
+                # Whether to install IPsec policies or not.
+                # policies = yes
+
+                # Whether to install outbound FWD IPsec policies or not.
+                # policies_fwd_out = no
+
+                # Action to perform on DPD timeout (clear, trap or restart).
+                dpd_action = restart
+
+                # Enable IPComp compression before encryption.
+                # ipcomp = no
+
+                # Timeout before closing CHILD_SA after inactivity.
+                # inactivity = 0s
+
+                # Fixed reqid to use for this CHILD_SA.
+                # reqid = 0
+
+                # Optional fixed priority for IPsec policies.
+                # priority = 0
+
+                # Optional interface name to restrict IPsec policies.
+                # interface =
+
+                # Netfilter mark and mask for input traffic.
+                # mark_in = 0/0x00000000
+
+                # Whether to set *mark_in* on the inbound SA.
+                # mark_in_sa = no
+
+                # Netfilter mark and mask for output traffic.
+                # mark_out = 0/0x00000000
+
+                # Netfilter mark applied to packets after the inbound IPsec SA
+                # processed them.
+                # set_mark_in = 0/0x00000000
+
+                # Netfilter mark applied to packets after the outbound IPsec SA
+                # processed them.
+                # set_mark_out = 0/0x00000000
+
+                # Inbound XFRM interface ID.
+                # if_id_in = 0
+
+                # Outbound XFRM interface ID.
+                # if_id_out = 0
+
+                # Traffic Flow Confidentiality padding.
+                # tfc_padding = 0
+
+                # IPsec replay window to configure for this CHILD_SA.
+                # replay_window = 32
+
+                # Enable hardware offload for this CHILD_SA, if supported by the
+                # IPsec implementation.
+                # hw_offload = no
+
+                # Whether to copy the DF bit to the outer IPv4 header in tunnel
+                # mode.
+                # copy_df = yes
+
+                # Whether to copy the ECN header field to/from the outer IP
+                # header in tunnel mode.
+                # copy_ecn = yes
+
+                # Whether to copy the DSCP header field to/from the outer IP
+                # header in tunnel mode.
+                # copy_dscp = out
+
+                # Action to perform after loading the configuration (none, trap,
+                # start).
+                # start_action = none
+
+                # Action to perform after a CHILD_SA gets closed (none, trap,
+                # start).
+                # close_action = none
+
+            }
+
+        }
+
+    }
+
+}
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+secrets {
+
+    # EAP secret section for a specific secret.
+    # eap<suffix> {
+
+        # Value of the EAP/XAuth secret.
+        # secret =
+
+        # Identity the EAP/XAuth secret belongs to.
+        # id<suffix> =
+
+    # }
+
+    # XAuth secret section for a specific secret.
+    # xauth<suffix> {
+
+    # }
+
+    # NTLM secret section for a specific secret.
+    # ntlm<suffix> {
+
+        # Value of the NTLM secret.
+        # secret =
+
+        # Identity the NTLM secret belongs to.
+        # id<suffix> =
+
+    # }
+
+    # IKE preshared secret section for a specific secret.
+    # ike<suffix> {
+
+        # Value of the IKE preshared secret.
+        # secret =
+
+        # IKE identity the IKE preshared secret belongs to.
+        # id<suffix> =
+
+    # }
+
+    # Postquantum Preshared Key (PPK) section for a specific secret.
+    # ppk<suffix> {
+
+        # Value of the PPK.
+        # secret =
+
+        # PPK identity the PPK belongs to.
+        # id<suffix> =
+
+    # }
+
+    # Private key decryption passphrase for a key in the private folder.
+    private1 {
+
+        # File name in the private folder for which this passphrase should be
+        # used.
+        file = ssh_host_rsa_key
+
+        # Value of decryption passphrase for private key.
+        # secret =
+
+    }
+
+    # Private key decryption passphrase for a key in the rsa folder.
+    # rsa<suffix> {
+
+        # File name in the rsa folder for which this passphrase should be used.
+        # file =
+
+        # Value of decryption passphrase for RSA key.
+        # secret =
+
+    # }
+
+    # Private key decryption passphrase for a key in the ecdsa folder.
+    # ecdsa<suffix> {
+
+        # File name in the ecdsa folder for which this passphrase should be
+        # used.
+        # file =
+
+        # Value of decryption passphrase for ECDSA key.
+        # secret =
+
+    # }
+
+    # Private key decryption passphrase for a key in the pkcs8 folder.
+    # pkcs8<suffix> {
+
+        # File name in the pkcs8 folder for which this passphrase should be
+        # used.
+        # file =
+
+        # Value of decryption passphrase for PKCS#8 key.
+        # secret =
+
+    # }
+
+    # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+    # pkcs12<suffix> {
+
+        # File name in the pkcs12 folder for which this passphrase should be
+        # used.
+        # file =
+
+        # Value of decryption passphrase for PKCS#12 container.
+        # secret =
+
+    # }
+
+    # Definition for a private key that's stored on a token/smartcard.
+    # token<suffix> {
+
+        # Hex-encoded CKA_ID of the private key on the token.
+        # handle =
+
+        # Optional slot number to access the token.
+        # slot =
+
+        # Optional PKCS#11 module name to access the token.
+        # module =
+
+        # Optional PIN required to access the key on the token. If none is
+        # provided the user is prompted during an interactive --load-creds call.
+        # pin =
+
+    # }
+
+}
+
+# Section defining named pools.
+# pools {
+
+    # Section defining a single pool with a unique name.
+    # <name> {
+
+        # Addresses allocated in pool.
+        # addrs =
+
+        # Comma separated list of additional attributes from type <attr>.
+        # <attr> =
+
+    # }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+    # Section defining a certification authority with a unique name.
+    # <name> {
+
+        # CA certificate belonging to the certification authority.
+        # cacert =
+
+        # Absolute path to the certificate to load.
+        # file =
+
+        # Hex-encoded CKA_ID of the CA certificate on a token.
+        # handle =
+
+        # Optional slot number of the token that stores the CA certificate.
+        # slot =
+
+        # Optional PKCS#11 module name.
+        # module =
+
+        # Comma-separated list of CRL distribution points.
+        # crl_uris =
+
+        # Comma-separated list of OCSP URIs.
+        # ocsp_uris =
+
+        # Defines the base URI for the Hash and URL feature supported by IKEv2.
+        # cert_uri_base =
+
+    # }
+
+# }
diff --git a/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh b/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
new file mode 100644
index 0000000..842cc0f
--- /dev/null
+++ b/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -xe
+[ "$UID" = 0 ] || exec sudo -- "$0" "$@" || exit
+
+if [ "$1" = delete ]
+then
+        ONLY_DELETE_RULES=y
+fi
+
+ip6tables_add()
+{
+        ip6tables -D "$@" 2>/dev/null || : not deleted
+        ${ONLY_DELETE_RULES:+: not added -- } ip6tables -A "$@"
+}
+ip6rule_add()
+{
+        ip -6 rule delete "$@" 2>/dev/null || : not deleted
+        ${ONLY_DELETE_RULES:+: not added -- } ip -6 rule add "$@"
+}
+
+mark=22
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW                 -j MARK --set-mark $mark
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW                 -j CONNMARK --save-mark
+ip6tables_add OUTPUT -t mangle -p tcp       -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ip6rule_add fwmark $mark prohibit
+ip6rule_add fwmark $mark table main
+exit $?
diff --git a/notes/gai.conf b/notes/gai.conf
new file mode 100644
index 0000000..1a1770b
--- /dev/null
+++ b/notes/gai.conf
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting.  But the RFC also says that system
+# administrators should be able to overwrite the defaults.  This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values.  Information specified in this file replaces the
+# default information.  Complete absence of data of one kind causes the
+# appropriate default information to be used.  The supported commands include:
+#
+# reload  <yes|no>
+#    If set to yes, each getaddrinfo(3) call will check whether this file
+#    changed and if necessary reload.  This option should not really be
+#    used.  There are possible runtime problems.  The default is no.
+#
+# label   <mask>   <value>
+#    Add another rule to the RFC 3484 label table.  See section 2.1 in
+#    RFC 3484.  The default is:
+#
+#label ::1/128       0
+#label ::/0          1
+#label 2002::/16     2
+#label ::/96         3
+#label ::ffff:0:0/96 4
+#label fec0::/10     5
+#label fc00::/7      6
+#label 2001:0::/32   7
+#
+#    This default differs from the tables given in RFC 3484 by handling
+#    (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+#    The reason for this difference is that these addresses are never
+#    NATed while IPv4 site-local addresses most probably are.  Given
+#    the precedence of IPv6 over IPv4 (see below) on machines having only
+#    site-local IPv4 and IPv6 addresses a lookup for a global address would
+#    see the IPv6 be preferred.  The result is a long delay because the
+#    site-local IPv6 addresses cannot be used while the IPv4 address is
+#    (at least for the foreseeable future) NATed.  We also treat Teredo
+#    tunnels special.
+#
+# precedence  <mask>   <value>
+#    Add another rule to the RFC 3484 precedence table.  See section 2.1
+#    and 10.3 in RFC 3484.  The default is:
+#
+precedence  ::1/128       50
+precedence  ::/0          40
+precedence  2002::/16     30
+precedence ::/96          20
+#precedence ::ffff:0:0/96  10
+#
+#    For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96  100
+
+#
+# scopev4  <mask>  <value>
+#    Add another rule to the RFC 6724 scope table for IPv4 addresses.
+#    By default the scope IDs described in section 3.2 in RFC 6724 are
+#    used.  Changing these defaults should hardly ever be necessary.
+#    The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112  2
+#scopev4 ::ffff:127.0.0.0/104    2
+#scopev4 ::ffff:0.0.0.0/96       14
diff --git a/notes/ipsec.conf b/notes/ipsec.conf
new file mode 100644
index 0000000..82728d3
--- /dev/null
+++ b/notes/ipsec.conf
@@ -0,0 +1,41 @@
+
+# basic configuration
+
+config setup
+        # strictcrlpolicy=yes
+        # uniqueids = no
+
+conn andy
+  type=tunnel
+  auto=add
+  left=%any
+  leftsourceip=%config
+  leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+  leftid=dd6c:fbfd:eeb8:4709
+  right=%any
+  right=68.48.18.140
+  #rightsubnet=2601:401:8200:2d4c::1/64
+  rightsubnet=0::0/0
+  rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+#      leftsubnet=10.1.0.0/16
+#      leftcert=selfCert.der
+#      leftsendcert=never
+#      right=192.168.0.2
+#      rightsubnet=10.2.0.0/16
+#      rightcert=peerCert.der
+#      auto=start
+
+#conn sample-with-ca-cert
+#      leftsubnet=10.1.0.0/16
+#      leftcert=myCert.pem
+#      right=192.168.0.2
+#      rightsubnet=10.2.0.0/16
+#      rightid="C=CH, O=Linux strongSwan CN=peer name"
+#      auto=start
+#include /var/cache/kiki/config/ipsec.conf
diff --git a/notes/ipsec.conf.empty b/notes/ipsec.conf.empty
new file mode 100644
index 0000000..ff9cca2
--- /dev/null
+++ b/notes/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+        # strictcrlpolicy=yes
+        # uniqueids = no