Diffstat (limited to 'notes/andy.conf')
-rw-r--r--notes/andy.conf580
1 files changed, 580 insertions, 0 deletions
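diff --git a/notes/andy.conf b/notes/andy.conf
new file mode 100644
index 0000000..ea5e71a
--- /dev/null
+++ b/notes/andy.conf
@@ -0,0 +1,580 @@
+# conn andy
+# type=tunnel
+# auto=add
+#
+# left=%any
+# leftsourceip=%config
+# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+# leftid=dd6c:fbfd:eeb8:4709
+# right=%any
+# right=68.48.18.140
+# #rightsubnet=2601:401:8200:2d4c::1/64
+# rightsubnet=0::0/0
+# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Section defining IKE connection configurations.
+connections {
+
+ # Section for an IKE connection named andy.
+ andy {
+
+ # IKE major version to use for connection.
+ # version = 0
+
+ # Local address(es) to use for IKE communication, comma separated.
+ # local_addrs = %any
+
+ # Remote address(es) to use for IKE communication, comma separated.
+ remote_addrs = 68.48.18.140
+
+ # Local UDP port for IKE communication.
+ # local_port = 500
+
+ # Remote UDP port for IKE communication.
+ # remote_port = 500
+
+ # Comma separated proposals to accept for IKE.
+ # proposals = default
+
+ # Virtual IPs to request in configuration payload / Mode Config.
+ vips = ::
+
+ # Use Aggressive Mode in IKEv1.
+ # aggressive = no
+
+ # Set the Mode Config mode to use.
+ # pull = yes
+
+ # Differentiated Services Field Codepoint to set on outgoing IKE packets
+ # (six binary digits).
+ # dscp = 000000
+
+ # Enforce UDP encapsulation by faking NAT-D payloads.
+ # encap = no
+
+ # Enables MOBIKE on IKEv2 connections.
+ # mobike = yes
+
+ # Interval of liveness checks (DPD).
+ # dpd_delay = 0s
+
+ # Timeout for DPD checks (IKEV1 only).
+ # dpd_timeout = 0s
+
+ # Use IKE UDP datagram fragmentation (yes, accept, no or force).
+ # fragmentation = yes
+
+ # Use childless IKE_SA initiation (allow, force or never).
+ # childless = allow
+
+ # Send certificate requests payloads (yes or no).
+ # send_certreq = yes
+
+ # Send certificate payloads (always, never or ifasked).
+ # send_cert = ifasked
+
+ # String identifying the Postquantum Preshared Key (PPK) to be used.
+ # ppk_id =
+
+ # Whether a Postquantum Preshared Key (PPK) is required for this
+ # connection.
+ # ppk_required = no
+
+ # Number of retransmission sequences to perform during initial connect.
+ # keyingtries = 1
+
+ # Connection uniqueness policy (never, no, keep or replace).
+ # unique = no
+
+ # Time to schedule IKE reauthentication.
+ # reauth_time = 0s
+
+ # Time to schedule IKE rekeying.
+ # rekey_time = 4h
+
+ # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+ # over_time = 10% of rekey_time/reauth_time
+
+ # Range of random time to subtract from rekey/reauth times.
+ # rand_time = over_time
+
+ # Comma separated list of named IP pools.
+ # pools =
+
+ # Default inbound XFRM interface ID for children.
+ # if_id_in = 0
+
+ # Default outbound XFRM interface ID for children.
+ # if_id_out = 0
+
+ # Whether this connection is a mediation connection.
+ # mediation = no
+
+ # The name of the connection to mediate this connection through.
+ # mediated_by =
+
+ # Identity under which the peer is registered at the mediation server.
+ # mediation_peer =
+
+ # Section for a local authentication round.
+ local1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # Comma separated list of certificate candidates to use for
+ # authentication.
+ # certs =
+
+ # Section for a certificate candidate to use for authentication.
+ # cert<suffix> =
+
+ # Comma separated list of raw public key candidates to use for
+ # authentication.
+ pubkeys = ssh_host_rsa_key.pub
+
+ # Authentication to perform locally (pubkey, psk, xauth[-backend] or
+ # eap[-method]).
+ auth = pubkey
+
+ # IKE identity to use for authentication round.
+ id = dd6c:fbfd:eeb8:4709
+
+ # Client EAP-Identity to use in EAP-Identity exchange and the EAP
+ # method.
+ # eap_id = id
+
+ # Server side EAP-Identity to expect in the EAP method.
+ # aaa_id = remote-id
+
+ # Client XAuth username used in the XAuth exchange.
+ # xauth_id = id
+
+ # cert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ # Section for a remote authentication round.
+ remote1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # IKE identity to expect for authentication round.
+ #id = %any
+ id = "68.48.18.140"
+
+ # Identity to use as peer identity during EAP authentication.
+ # eap_id = id
+
+ # Authorization group memberships to require.
+ # groups =
+
+ # Certificate policy OIDs the peer's certificate must have.
+ # cert_policy =
+
+ # Comma separated list of certificate to accept for authentication.
+ # certs =
+
+ # Section for a certificate to accept for authentication.
+ # cert<suffix> =
+
+ # Comma separated list of CA certificates to accept for
+ # authentication.
+ # cacerts =
+
+ # Section for a CA certificate to accept for authentication.
+ # cacert<suffix> =
+
+ # Identity in CA certificate to accept for authentication.
+ # ca_id =
+
+ # Comma separated list of raw public keys to accept for
+ # authentication.
+ pubkeys = andy.pub
+
+ # Certificate revocation policy, (strict, ifuri or relaxed).
+ # revocation = relaxed
+
+ # Authentication to expect from remote (pubkey, psk, xauth[-backend]
+ # or eap[-method]).
+ auth = pubkey
+
+ # cert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ # cacert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA
+ # certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ children {
+
+ # CHILD_SA configuration sub-section.
+ child1 {
+
+ # AH proposals to offer for the CHILD_SA.
+ # ah_proposals =
+
+ # ESP proposals to offer for the CHILD_SA.
+ # esp_proposals = default
+
+ # Use incorrect 96-bit truncation for HMAC-SHA-256.
+ # sha256_96 = no
+
+ # Local traffic selectors to include in CHILD_SA.
+ # local_ts = dynamic
+
+ # Remote selectors to include in CHILD_SA.
+ remote_ts = 0::0/0
+
+ # Time to schedule CHILD_SA rekeying.
+ # rekey_time = 1h
+
+ # Maximum lifetime before CHILD_SA gets closed, as time.
+ # life_time = rekey_time + 10%
+
+ # Range of random time to subtract from rekey_time.
+ # rand_time = life_time - rekey_time
+
+ # Number of bytes processed before initiating CHILD_SA rekeying.
+ # rekey_bytes = 0
+
+ # Maximum bytes processed before CHILD_SA gets closed.
+ # life_bytes = rekey_bytes + 10%
+
+ # Range of random bytes to subtract from rekey_bytes.
+ # rand_bytes = life_bytes - rekey_bytes
+
+ # Number of packets processed before initiating CHILD_SA
+ # rekeying.
+ # rekey_packets = 0
+
+ # Maximum number of packets processed before CHILD_SA gets
+ # closed.
+ # life_packets = rekey_packets + 10%
+
+ # Range of random packets to subtract from packets_bytes.
+ # rand_packets = life_packets - rekey_packets
+
+ # Updown script to invoke on CHILD_SA up and down events.
+ # updown =
+
+ # Hostaccess variable to pass to updown script.
+ # hostaccess = no
+
+ # IPsec Mode to establish (tunnel, transport, transport_proxy,
+ # beet, pass or drop).
+ mode = tunnel
+
+ # Whether to install IPsec policies or not.
+ # policies = yes
+
+ # Whether to install outbound FWD IPsec policies or not.
+ # policies_fwd_out = no
+
+ # Action to perform on DPD timeout (clear, trap or restart).
+ dpd_action = restart
+
+ # Enable IPComp compression before encryption.
+ # ipcomp = no
+
+ # Timeout before closing CHILD_SA after inactivity.
+ # inactivity = 0s
+
+ # Fixed reqid to use for this CHILD_SA.
+ # reqid = 0
+
+ # Optional fixed priority for IPsec policies.
+ # priority = 0
+
+ # Optional interface name to restrict IPsec policies.
+ # interface =
+
+ # Netfilter mark and mask for input traffic.
+ # mark_in = 0/0x00000000
+
+ # Whether to set *mark_in* on the inbound SA.
+ # mark_in_sa = no
+
+ # Netfilter mark and mask for output traffic.
+ # mark_out = 0/0x00000000
+
+ # Netfilter mark applied to packets after the inbound IPsec SA
+ # processed them.
+ # set_mark_in = 0/0x00000000
+
+ # Netfilter mark applied to packets after the outbound IPsec SA
+ # processed them.
+ # set_mark_out = 0/0x00000000
+
+ # Inbound XFRM interface ID.
+ # if_id_in = 0
+
+ # Outbound XFRM interface ID.
+ # if_id_out = 0
+
+ # Traffic Flow Confidentiality padding.
+ # tfc_padding = 0
+
+ # IPsec replay window to configure for this CHILD_SA.
+ # replay_window = 32
+
+ # Enable hardware offload for this CHILD_SA, if supported by the
+ # IPsec implementation.
+ # hw_offload = no
+
+ # Whether to copy the DF bit to the outer IPv4 header in tunnel
+ # mode.
+ # copy_df = yes
+
+ # Whether to copy the ECN header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_ecn = yes
+
+ # Whether to copy the DSCP header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_dscp = out
+
+ # Action to perform after loading the configuration (none, trap,
+ # start).
+ # start_action = none
+
+ # Action to perform after a CHILD_SA gets closed (none, trap,
+ # start).
+ # close_action = none
+
+ }
+
+ }
+
+ }
+
+}
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+secrets {
+
+ # EAP secret section for a specific secret.
+ # eap<suffix> {
+
+ # Value of the EAP/XAuth secret.
+ # secret =
+
+ # Identity the EAP/XAuth secret belongs to.
+ # id<suffix> =
+
+ # }
+
+ # XAuth secret section for a specific secret.
+ # xauth<suffix> {
+
+ # }
+
+ # NTLM secret section for a specific secret.
+ # ntlm<suffix> {
+
+ # Value of the NTLM secret.
+ # secret =
+
+ # Identity the NTLM secret belongs to.
+ # id<suffix> =
+
+ # }
+
+ # IKE preshared secret section for a specific secret.
+ # ike<suffix> {
+
+ # Value of the IKE preshared secret.
+ # secret =
+
+ # IKE identity the IKE preshared secret belongs to.
+ # id<suffix> =
+
+ # }
+
+ # Postquantum Preshared Key (PPK) section for a specific secret.
+ # ppk<suffix> {
+
+ # Value of the PPK.
+ # secret =
+
+ # PPK identity the PPK belongs to.
+ # id<suffix> =
+
+ # }
+
+ # Private key decryption passphrase for a key in the private folder.
+ private1 {
+
+ # File name in the private folder for which this passphrase should be
+ # used.
+ file = ssh_host_rsa_key
+
+ # Value of decryption passphrase for private key.
+ # secret =
+
+ }
+
+ # Private key decryption passphrase for a key in the rsa folder.
+ # rsa<suffix> {
+
+ # File name in the rsa folder for which this passphrase should be used.
+ # file =
+
+ # Value of decryption passphrase for RSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the ecdsa folder.
+ # ecdsa<suffix> {
+
+ # File name in the ecdsa folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for ECDSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the pkcs8 folder.
+ # pkcs8<suffix> {
+
+ # File name in the pkcs8 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#8 key.
+ # secret =
+
+ # }
+
+ # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+ # pkcs12<suffix> {
+
+ # File name in the pkcs12 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#12 container.
+ # secret =
+
+ # }
+
+ # Definition for a private key that's stored on a token/smartcard.
+ # token<suffix> {
+
+ # Hex-encoded CKA_ID of the private key on the token.
+ # handle =
+
+ # Optional slot number to access the token.
+ # slot =
+
+ # Optional PKCS#11 module name to access the token.
+ # module =
+
+ # Optional PIN required to access the key on the token. If none is
+ # provided the user is prompted during an interactive --load-creds call.
+ # pin =
+
+ # }
+
+}
+
+# Section defining named pools.
+# pools {
+
+ # Section defining a single pool with a unique name.
+ # <name> {
+
+ # Addresses allocated in pool.
+ # addrs =
+
+ # Comma separated list of additional attributes from type <attr>.
+ # <attr> =
+
+ # }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+ # Section defining a certification authority with a unique name.
+ # <name> {
+
+ # CA certificate belonging to the certification authority.
+ # cacert =
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # Comma-separated list of CRL distribution points.
+ # crl_uris =
+
+ # Comma-separated list of OCSP URIs.
+ # ocsp_uris =
+
+ # Defines the base URI for the Hash and URL feature supported by IKEv2.
+ # cert_uri_base =
+
+ # }
+
+# }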
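Review bot: `dpd_action = restart` in `child1` (new-file line 322) cannot fire while the connection's `dpd_delay` is left at its commented default of `0s` (line 59), because strongSwan only sends DPD when the delay is non-zero; if restart-on-timeout is intended, add an interval in the `andy` block such as `dpd_delay = 30s`. The `secrets.private1` block sets `file = ssh_host_rsa_key` with `secret` commented out, which presumably means the key in the private folder is unencrypted and the block adds nothing — either remove it or document that with `# key is unencrypted; no passphrase needed`. Using the SSH host key pair (`pubkeys = ssh_host_rsa_key.pub`) as the IKE signing key couples the tunnel's authentication to the SSH host key's rotation and compromise scope, so a dedicated key for swanctl is worth considering. The commented legacy ipsec.conf block at the top (lines 1–13) repeats the swanctl settings and carries two contradictory `right=` lines; a one-line pointer to the old config would serve better than the full copy. Quoting in `id = "68.48.18.140"` is inconsistent with the unquoted local `id` and can be dropped.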