From a1880f4ff17c1224f4f56bb78d5b161483de61e7 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 28 Sep 2021 23:31:38 -0400
Subject: more
---
 andy.conf | 579 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 579 insertions(+)
 create mode 100644 andy.conf
(limited to 'andy.conf')
diff --git a/andy.conf b/andy.conf
new file mode 100644
index 0000000..39f2337
--- /dev/null
+++ b/andy.conf
@@ -0,0 +1,579 @@
+# conn andy
+# type=tunnel
+# auto=add
+#
+# left=%any
+# leftsourceip=%config
+# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+# leftid=dd6c:fbfd:eeb8:4709
+# right=%any
+# right=68.48.18.140
+# #rightsubnet=2601:401:8200:2d4c::1/64
+# rightsubnet=0::0/0
+# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Section defining IKE connection configurations.
+connections {
+
+ # Section for an IKE connection named andy.
+ andy {
+
+ # IKE major version to use for connection.
+ # version = 0
+
+ # Local address(es) to use for IKE communication, comma separated.
+ local_addrs = %any
+
+ # Remote address(es) to use for IKE communication, comma separated.
+ remote_addrs = 68.48.18.140
+
+ # Local UDP port for IKE communication.
+ # local_port = 500
+
+ # Remote UDP port for IKE communication.
+ # remote_port = 500
+
+ # Comma separated proposals to accept for IKE.
+ # proposals = default
+
+ # Virtual IPs to request in configuration payload / Mode Config.
+ vips = ::
+
+ # Use Aggressive Mode in IKEv1.
+ # aggressive = no
+
+ # Set the Mode Config mode to use.
+ # pull = yes
+
+ # Differentiated Services Field Codepoint to set on outgoing IKE packets
+ # (six binary digits).
+ # dscp = 000000
+
+ # Enforce UDP encapsulation by faking NAT-D payloads.
+ # encap = no
+
+ # Enables MOBIKE on IKEv2 connections.
+ # mobike = yes
+
+ # Interval of liveness checks (DPD).
+ # dpd_delay = 0s
+
+ # Timeout for DPD checks (IKEV1 only).
+ # dpd_timeout = 0s
+
+ # Use IKE UDP datagram fragmentation (yes, accept, no or force).
+ # fragmentation = yes
+
+ # Use childless IKE_SA initiation (allow, force or never).
+ # childless = allow
+
+ # Send certificate requests payloads (yes or no).
+ # send_certreq = yes
+
+ # Send certificate payloads (always, never or ifasked).
+ # send_cert = ifasked
+
+ # String identifying the Postquantum Preshared Key (PPK) to be used.
+ # ppk_id =
+
+ # Whether a Postquantum Preshared Key (PPK) is required for this
+ # connection.
+ # ppk_required = no
+
+ # Number of retransmission sequences to perform during initial connect.
+ # keyingtries = 1
+
+ # Connection uniqueness policy (never, no, keep or replace).
+ # unique = no
+
+ # Time to schedule IKE reauthentication.
+ # reauth_time = 0s
+
+ # Time to schedule IKE rekeying.
+ # rekey_time = 4h
+
+ # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+ # over_time = 10% of rekey_time/reauth_time
+
+ # Range of random time to subtract from rekey/reauth times.
+ # rand_time = over_time
+
+ # Comma separated list of named IP pools.
+ # pools =
+
+ # Default inbound XFRM interface ID for children.
+ # if_id_in = 0
+
+ # Default outbound XFRM interface ID for children.
+ # if_id_out = 0
+
+ # Whether this connection is a mediation connection.
+ # mediation = no
+
+ # The name of the connection to mediate this connection through.
+ # mediated_by =
+
+ # Identity under which the peer is registered at the mediation server.
+ # mediation_peer =
+
+ # Section for a local authentication round.
+ local1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # Comma separated list of certificate candidates to use for
+ # authentication.
+ # certs =
+
+ # Section for a certificate candidate to use for authentication.
+ # cert =
+
+ # Comma separated list of raw public key candidates to use for
+ # authentication.
+ pubkeys = ssh_host_rsa_key.pub
+
+ # Authentication to perform locally (pubkey, psk, xauth[-backend] or
+ # eap[-method]).
+ auth = pubkey
+
+ # IKE identity to use for authentication round.
+ id = dd6c:fbfd:eeb8:4709
+
+ # Client EAP-Identity to use in EAP-Identity exchange and the EAP
+ # method.
+ # eap_id = id
+
+ # Server side EAP-Identity to expect in the EAP method.
+ # aaa_id = remote-id
+
+ # Client XAuth username used in the XAuth exchange.
+ # xauth_id = id
+
+ # cert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ # Section for a remote authentication round.
+ remote1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # IKE identity to expect for authentication round.
+ #id = %any
+
+ # Identity to use as peer identity during EAP authentication.
+ # eap_id = id
+
+ # Authorization group memberships to require.
+ # groups =
+
+ # Certificate policy OIDs the peer's certificate must have.
+ # cert_policy =
+
+ # Comma separated list of certificate to accept for authentication.
+ # certs =
+
+ # Section for a certificate to accept for authentication.
+ # cert =
+
+ # Comma separated list of CA certificates to accept for
+ # authentication.
+ # cacerts =
+
+ # Section for a CA certificate to accept for authentication.
+ # cacert =
+
+ # Identity in CA certificate to accept for authentication.
+ # ca_id =
+
+ # Comma separated list of raw public keys to accept for
+ # authentication.
+ pubkeys = andy.pub
+
+ # Certificate revocation policy, (strict, ifuri or relaxed).
+ # revocation = relaxed
+
+ # Authentication to expect from remote (pubkey, psk, xauth[-backend]
+ # or eap[-method]).
+ auth = pubkey
+
+ # cert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ # cacert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA
+ # certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ children {
+
+ # CHILD_SA configuration sub-section.
+ child1 {
+
+ # AH proposals to offer for the CHILD_SA.
+ # ah_proposals =
+
+ # ESP proposals to offer for the CHILD_SA.
+ # esp_proposals = default
+
+ # Use incorrect 96-bit truncation for HMAC-SHA-256.
+ # sha256_96 = no
+
+ # Local traffic selectors to include in CHILD_SA.
+ local_ts = dynamic
+
+ # Remote selectors to include in CHILD_SA.
+ remote_ts = 0::0/0
+
+ # Time to schedule CHILD_SA rekeying.
+ # rekey_time = 1h
+
+ # Maximum lifetime before CHILD_SA gets closed, as time.
+ # life_time = rekey_time + 10%
+
+ # Range of random time to subtract from rekey_time.
+ # rand_time = life_time - rekey_time
+
+ # Number of bytes processed before initiating CHILD_SA rekeying.
+ # rekey_bytes = 0
+
+ # Maximum bytes processed before CHILD_SA gets closed.
+ # life_bytes = rekey_bytes + 10%
+
+ # Range of random bytes to subtract from rekey_bytes.
+ # rand_bytes = life_bytes - rekey_bytes
+
+ # Number of packets processed before initiating CHILD_SA
+ # rekeying.
+ # rekey_packets = 0
+
+ # Maximum number of packets processed before CHILD_SA gets
+ # closed.
+ # life_packets = rekey_packets + 10%
+
+ # Range of random packets to subtract from packets_bytes.
+ # rand_packets = life_packets - rekey_packets
+
+ # Updown script to invoke on CHILD_SA up and down events.
+ # updown =
+
+ # Hostaccess variable to pass to updown script.
+ # hostaccess = no
+
+ # IPsec Mode to establish (tunnel, transport, transport_proxy,
+ # beet, pass or drop).
+ mode = tunnel
+
+ # Whether to install IPsec policies or not.
+ # policies = yes
+
+ # Whether to install outbound FWD IPsec policies or not.
+ # policies_fwd_out = no
+
+ # Action to perform on DPD timeout (clear, trap or restart).
+ dpd_action = restart
+
+ # Enable IPComp compression before encryption.
+ # ipcomp = no
+
+ # Timeout before closing CHILD_SA after inactivity.
+ # inactivity = 0s
+
+ # Fixed reqid to use for this CHILD_SA.
+ # reqid = 0
+
+ # Optional fixed priority for IPsec policies.
+ # priority = 0
+
+ # Optional interface name to restrict IPsec policies.
+ # interface =
+
+ # Netfilter mark and mask for input traffic.
+ # mark_in = 0/0x00000000
+
+ # Whether to set *mark_in* on the inbound SA.
+ # mark_in_sa = no
+
+ # Netfilter mark and mask for output traffic.
+ # mark_out = 0/0x00000000
+
+ # Netfilter mark applied to packets after the inbound IPsec SA
+ # processed them.
+ # set_mark_in = 0/0x00000000
+
+ # Netfilter mark applied to packets after the outbound IPsec SA
+ # processed them.
+ # set_mark_out = 0/0x00000000
+
+ # Inbound XFRM interface ID.
+ # if_id_in = 0
+
+ # Outbound XFRM interface ID.
+ # if_id_out = 0
+
+ # Traffic Flow Confidentiality padding.
+ # tfc_padding = 0
+
+ # IPsec replay window to configure for this CHILD_SA.
+ # replay_window = 32
+
+ # Enable hardware offload for this CHILD_SA, if supported by the
+ # IPsec implementation.
+ # hw_offload = no
+
+ # Whether to copy the DF bit to the outer IPv4 header in tunnel
+ # mode.
+ # copy_df = yes
+
+ # Whether to copy the ECN header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_ecn = yes
+
+ # Whether to copy the DSCP header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_dscp = out
+
+ # Action to perform after loading the configuration (none, trap,
+ # start).
+ # start_action = none
+
+ # Action to perform after a CHILD_SA gets closed (none, trap,
+ # start).
+ # close_action = none
+
+ }
+
+ }
+
+ }
+
+}
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+secrets {
+
+ # EAP secret section for a specific secret.
+ # eap {
+
+ # Value of the EAP/XAuth secret.
+ # secret =
+
+ # Identity the EAP/XAuth secret belongs to.
+ # id =
+
+ # }
+
+ # XAuth secret section for a specific secret.
+ # xauth {
+
+ # }
+
+ # NTLM secret section for a specific secret.
+ # ntlm {
+
+ # Value of the NTLM secret.
+ # secret =
+
+ # Identity the NTLM secret belongs to.
+ # id =
+
+ # }
+
+ # IKE preshared secret section for a specific secret.
+ # ike {
+
+ # Value of the IKE preshared secret.
+ # secret =
+
+ # IKE identity the IKE preshared secret belongs to.
+ # id =
+
+ # }
+
+ # Postquantum Preshared Key (PPK) section for a specific secret.
+ # ppk {
+
+ # Value of the PPK.
+ # secret =
+
+ # PPK identity the PPK belongs to.
+ # id =
+
+ # }
+
+ # Private key decryption passphrase for a key in the private folder.
+ private1 {
+
+ # File name in the private folder for which this passphrase should be
+ # used.
+ file = ssh_host_rsa_key
+
+ # Value of decryption passphrase for private key.
+ # secret =
+
+ }
+
+ # Private key decryption passphrase for a key in the rsa folder.
+ # rsa {
+
+ # File name in the rsa folder for which this passphrase should be used.
+ # file =
+
+ # Value of decryption passphrase for RSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the ecdsa folder.
+ # ecdsa {
+
+ # File name in the ecdsa folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for ECDSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the pkcs8 folder.
+ # pkcs8 {
+
+ # File name in the pkcs8 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#8 key.
+ # secret =
+
+ # }
+
+ # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+ # pkcs12 {
+
+ # File name in the pkcs12 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#12 container.
+ # secret =
+
+ # }
+
+ # Definition for a private key that's stored on a token/smartcard.
+ # token {
+
+ # Hex-encoded CKA_ID of the private key on the token.
+ # handle =
+
+ # Optional slot number to access the token.
+ # slot =
+
+ # Optional PKCS#11 module name to access the token.
+ # module =
+
+ # Optional PIN required to access the key on the token. If none is
+ # provided the user is prompted during an interactive --load-creds call.
+ # pin =
+
+ # }
+
+}
+
+# Section defining named pools.
+# pools {
+
+ # Section defining a single pool with a unique name.
+ # {
+
+ # Addresses allocated in pool.
+ # addrs =
+
+ # Comma separated list of additional attributes from type .
+ # =
+
+ # }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+ # Section defining a certification authority with a unique name.
+ # {
+
+ # CA certificate belonging to the certification authority.
+ # cacert =
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # Comma-separated list of CRL distribution points.
+ # crl_uris =
+
+ # Comma-separated list of OCSP URIs.
+ # ocsp_uris =
+
+ # Defines the base URI for the Hash and URL feature supported by IKEv2.
+ # cert_uri_base =
+
+ # }
+
+# }
--
cgit v1.2.3
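Review bot: `dpd_action = restart` in child1 has no effect as written, because the connection-level `# dpd_delay = 0s` in the andy section is left commented at its 0s default, which disables liveness checks, so a dead peer is never noticed and the restart never fires; uncommenting it with a non-zero interval, e.g. `dpd_delay = 30s` (constructed value), is what makes the action meaningful. In remote1, `pubkeys = andy.pub` pins the peer's key but `#id = %any` stays commented, so the connection appears to accept whatever identity the peer presents as long as the signature verifies; setting `id` to the expected peer identity is a cheap additional check. The local key named `ssh_host_rsa_key` (local1 `pubkeys = ssh_host_rsa_key.pub`, secrets `file = ssh_host_rsa_key`) looks by name like the host's SSH key reused for IKE — if it is, a dedicated IKE key avoids cross-protocol key reuse and lets the two be rotated independently. The `private1` block in secrets has `# secret =` commented out, so it declares no passphrase and is currently a no-op; either give it a real entry or drop it to keep the live config readable.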