# sample connections
# This file is RCSID $Id: examples,v 1.3 1999/04/05 21:27:10 henry Exp $


# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.  Whatever combination is chosen,
# ESP encryption must always be paired with an integrity check (ESP
# authentication or AH): encryption-only ESP is not secure on its own.
conn sample
	# The (manual) lines apply when the conn is keyed by hand, the (auto)
	# lines when it is keyed by IKE (see the file header).
	type=tunnel
	# left security gateway (public-network address)
	left=10.0.0.1
	# next hop to reach right
	leftnexthop=10.44.55.66
	# subnet behind left (omit if left end of the tunnel is just the s.g.)
	leftsubnet=172.16.0.0/24
	# right s.g., subnet behind it, and next hop to reach left
	right=10.12.12.1
	rightnexthop=10.88.77.66
	rightsubnet=192.168.0.0/24
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): every sample in this file uses the same base; if more than
	# one manually keyed conn is loaded on one gateway they presumably need
	# distinct bases -- check the ipsec.conf manual page before copying.
	spibase=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	# NOTE(review): 3DES and HMAC-MD5-96 are both deprecated by current IPsec
	# guidance (RFC 8221); prefer AES with SHA-2 wherever the implementation
	# offers them.  Never configure an ESP cipher without an integrity
	# algorithm: encryption-only ESP is open to active attacks.
	esp=3des-md5-96
	# (manual) keys.  The brackets are placeholders: replace them with fresh
	# output of a cryptographic random-number generator, use a different key
	# for every conn, and keep them readable by root only (see samplesep for
	# splitting them into a separately protected file).  A manually keyed SA
	# is never rekeyed and ordinarily gets no anti-replay protection, so
	# manual keying is best kept to testing; use the (auto) settings instead.
	espenckey=[192 bits]
	espauthkey=[128 bits]
	# (auto) key-exchange type
	keyexchange=ike
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# NOTE(review): 0 retries without limit, so a conn whose peer is down will
	# keep negotiating indefinitely; acceptable for a permanent gateway link.
	keyingtries=0

# In the remaining examples, deviations from the sample-tunnel configuration
# are marked with ###.

# sample host-to-host tunnel (no subnets)
# Here we assume (for purposes of illustration) that the hosts talk directly
# to each other, so we don't need next-hop settings.
conn samplehth
	# Host-to-host: no subnets, and no next-hop settings because the hosts
	# are assumed to talk directly (see the comment above).
	type=tunnel
	### left host (public-network address)
	left=10.0.0.1
	### right host
	right=10.12.12.1
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): identical to the other samples; distinct bases are
	# presumably needed if several manual conns share one host -- verify.
	spibase=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	# NOTE(review): 3DES and HMAC-MD5-96 are deprecated by current IPsec
	# guidance (RFC 8221); prefer AES with SHA-2 where available, and never
	# drop the authentication half of this setting.
	esp=3des-md5-96
	# (manual) keys: placeholders to be replaced with freshly generated random
	# bits, unique to this conn, readable by root only.  Manually keyed SAs
	# are never rekeyed and ordinarily have no anti-replay protection, so
	# prefer the (auto) settings below outside of testing.
	espenckey=[192 bits]
	espauthkey=[128 bits]
	# (auto) key-exchange type
	keyexchange=ike
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# 0 = retry without limit; negotiation with a dead peer never gives up.
	keyingtries=0

# sample hybrid tunnel, with a host on one end and a subnet (behind a
# security gateway) on the other
# This case is also sometimes called "road warrior".
conn samplehyb
	# Subnet-to-host ("road warrior") tunnel.  Note that both endpoints still
	# have fixed addresses here; nothing in this conn accommodates a peer
	# whose address changes.
	type=tunnel
	### left host (public-network address)
	left=10.0.0.1
	# next hop to reach right
	leftnexthop=10.44.55.66
	# subnet behind left
	leftsubnet=172.16.0.0/24
	### right host, and next hop to reach left
	right=10.12.12.1
	rightnexthop=10.88.77.66
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): identical to the other samples; distinct bases are
	# presumably needed if several manual conns share one gateway -- verify.
	spibase=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	# NOTE(review): 3DES and HMAC-MD5-96 are deprecated by current IPsec
	# guidance (RFC 8221); prefer AES with SHA-2 where available, and never
	# drop the authentication half of this setting.
	esp=3des-md5-96
	# (manual) keys: placeholders to be replaced with freshly generated random
	# bits, unique to this conn, readable by root only.  Manually keyed SAs
	# are never rekeyed and ordinarily have no anti-replay protection, so
	# prefer the (auto) settings below outside of testing.
	espenckey=[192 bits]
	espauthkey=[128 bits]
	# (auto) key-exchange type
	keyexchange=ike
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# 0 = retry without limit; negotiation with a dead peer never gives up.
	keyingtries=0

# sample firewall-penetrating tunnel
# Here we assume that firewalling is being done on the left side.
conn samplefire
	type=tunnel
	# left security gateway (public-network address)
	left=10.0.0.1
	# next hop to reach right
	leftnexthop=10.44.55.66
	# subnet behind left (omit if left end of the tunnel is just the s.g.)
	leftsubnet=172.16.0.0/24
	### left is firewalling for its subnet
	# NOTE(review): this presumably makes the updown script add the firewall
	# exceptions the tunnel traffic needs; review what it inserts so the
	# openings are no wider than leftsubnet<->rightsubnet.
	leftfirewall=yes
	# right s.g., subnet behind it, and next hop to reach left
	right=10.12.12.1
	rightnexthop=10.88.77.66
	rightsubnet=192.168.0.0/24
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): identical to the other samples; distinct bases are
	# presumably needed if several manual conns share one gateway -- verify.
	spibase=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	# NOTE(review): 3DES and HMAC-MD5-96 are deprecated by current IPsec
	# guidance (RFC 8221); prefer AES with SHA-2 where available, and never
	# drop the authentication half of this setting.
	esp=3des-md5-96
	# (manual) keys: placeholders to be replaced with freshly generated random
	# bits, unique to this conn, readable by root only.  Manually keyed SAs
	# are never rekeyed and ordinarily have no anti-replay protection, so
	# prefer the (auto) settings below outside of testing.
	espenckey=[192 bits]
	espauthkey=[128 bits]
	# (auto) key-exchange type
	keyexchange=ike
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# 0 = retry without limit; negotiation with a dead peer never gives up.
	keyingtries=0

# sample transport-mode connection (which can only be host-to-host)
# Here we use the whole nine yards, with encryption done by ESP and
# authentication by AH; this perhaps is slightly preferable for transport
# mode, where the IP headers are exposed.  Bear in mind that AH also
# authenticates the outer IP header, so it will not survive address
# translation between the two hosts.
conn sampletm
	type=transport
	### left host (public-network address)
	left=10.0.0.1
	# next hop to reach right
	leftnexthop=10.44.55.66
	### right host, and next hop to reach left
	right=10.12.12.1
	rightnexthop=10.88.77.66
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): identical to the other samples; distinct bases are
	# presumably needed if several manual conns share one host -- verify.
	spibase=0x200
	### (manual) encryption algorithm and parameters to it
	# NOTE(review): this is ESP *without* its own integrity check; it is only
	# safe because the AH lines below supply integrity.  If the ah= line is
	# ever removed, switch back to an esp= setting that includes
	# authentication -- encryption-only ESP is open to active attacks.
	# 3DES is deprecated by current IPsec guidance (RFC 8221); prefer AES.
	esp=3des
	# placeholder: replace with fresh random bits, unique to this conn,
	# readable by root only.
	espenckey=[192 bits]
	### (manual) authentication algorithm and parameters to it
	# NOTE(review): HMAC-MD5 is likewise deprecated; prefer SHA-2 where the
	# implementation offers it.
	ah=hmac-md5
	# placeholder: replace with fresh random bits, independent of espenckey.
	ahkey=[128 bits]
	# (auto) key-exchange type
	keyexchange=ike
	### (auto) authentication control
	# Selects AH for integrity on the IKE-negotiated SA, matching the manual
	# esp/ah split above.
	auth=ah
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# 0 = retry without limit; negotiation with a dead peer never gives up.
	keyingtries=0

# sample description with keys split out into a separate section
# Normally the key section would go in a separate file, owned by root and
# readable by nobody else (mode 0600), so that the rest of the configuration
# can stay world-readable without exposing the keys.
conn samplesep
	type=tunnel
	# left security gateway (public-network address)
	left=10.0.0.1
	# next hop to reach right
	leftnexthop=10.44.55.66
	# subnet behind left (omit if left end of the tunnel is just the s.g.)
	leftsubnet=172.16.0.0/24
	# right s.g., subnet behind it, and next hop to reach left
	right=10.12.12.1
	rightnexthop=10.88.77.66
	rightsubnet=192.168.0.0/24
	# (manual) base for SPI numbering; must end in 0
	# NOTE(review): identical to the other samples; distinct bases are
	# presumably needed if several manual conns share one gateway -- verify.
	spibase=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	# NOTE(review): 3DES and HMAC-MD5-96 are deprecated by current IPsec
	# guidance (RFC 8221); prefer AES with SHA-2 where available, and never
	# drop the authentication half of this setting.
	esp=3des-md5-96
	# (manual) keys live in the samplesep-keys section, pulled in here so that
	# this conn can stay in a readable file while the keys sit in a root-only
	# one.  The secrets themselves never appear in this section.
	also=samplesep-keys
	# (auto) key-exchange type
	keyexchange=ike
	# (auto) key lifetime (before automatic rekeying)
	keylife=8h
	# (auto) how persistent to be in (re)keying negotiations (0 means very)
	# 0 = retry without limit; negotiation with a dead peer never gives up.
	keyingtries=0

# keys for the previous section
# Normally this would go in a separate file, picked up using an include line,
# so that the keys can be kept confidential (owned by root, mode 0600) while
# the rest of the configuration stays readable.
conn samplesep-keys
	# This section exists only to hold the secrets for samplesep (referenced
	# from its also= line).  Replace the placeholders with freshly generated
	# random keys, unique to that conn, and keep the file holding this
	# section owned by root with no access for anyone else; never paste the
	# real values back into the main, readable configuration.
	espenckey=[192 bits]
	espauthkey=[128 bits]
