@olegvg
Last active December 13, 2016 18:43
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
# NOTE(review): this listing has lost its indentation. ipsec.conf expects the
# parameter lines of a section to start with whitespace under their
# "config"/"conn" line, so re-indent before using it.
config setup
# Debug logging is left disabled. Per the strongSwan logging documentation,
# level 3 adds raw hex dumps of the exchanged data; enable it only while
# troubleshooting and protect the resulting logs.
#charondebug="cfg 3, dmn 3, ike 3, net 3, chd 3, mgr 3"
# Strict CRL checking is left disabled. It only matters for certificate
# authentication; every conn shown in this file uses authby=psk.
#strictcrlpolicy=yes
# Peer IDs are not kept unique: a new IKE_SA does not replace existing ones that
# use the same ID, so several clients can be connected with one identity at once.
# A leaked credential can therefore be used without displacing the legitimate session.
uniqueids=no
# Add connections here.
# Defaults inherited by every conn section that does not override them.
conn %default
# IKE proposal: AES-256, SHA-256, DH group modp1024 (1024-bit MODP). A 1024-bit
# group is below current recommendations; prefer modp2048 or larger where the
# clients support it. There is no trailing "!", so as a responder the daemon is
# not restricted to this proposal alone.
ike=aes256-sha256-modp1024
# ESP proposal without a DH group: CHILD_SA (Quick Mode) setup and rekeying do
# not perform a separate Diffie-Hellman exchange, i.e. no PFS at that level.
esp=aes256-sha256
# IKE SA and CHILD_SA lifetimes, 10 hours each (keylife is a synonym of lifetime).
ikelifetime=600m
keylife=600m
# NOTE(review): per the ipsec.conf man page, reauth affects IKEv2 only; the conns
# visible in this file use keyexchange=ikev1, which always reauthenticates.
reauth=no
rekey=yes
# Rekey margin left at the daemon default.
#rekeymargin=3m
# Retry negotiation without limit.
keyingtries=%forever
# Try to re-establish the CHILD_SA when the peer closes it.
closeaction=restart
# Propose IPComp compression.
compress=yes
# Dead peer detection: probe every 20s, declare the peer dead after 60s,
# then restart the connection.
dpdaction=restart
dpddelay=20s
dpdtimeout=60s
# MOBIKE is an IKEv2 feature; it has no effect on the ikev1 conns shown here.
mobike=yes
# Remote-access ("roadwarrior") gateway: IKEv1 with a group pre-shared key,
# followed by per-user XAUTH. The ike/esp proposals come from conn %default,
# including its modp1024 DH group.
conn xauth-roadwarrior-ipsec-server
keyexchange=ikev1
# One PSK is shared by all clients (see the "@ciscoauth %any" entry in
# ipsec.secrets). The gateway is authenticated to clients by that PSK alone, so
# every holder of it can pose as the gateway; certificate authentication of the
# gateway avoids this.
authby=psk
type=tunnel
forceencaps=yes # force UDP encapsulation of ESP even when no NAT is detected; needed for iOS
left=%defaultroute
leftid=@ciscoauth
# Full tunnel: all client IPv4 and IPv6 traffic is routed through this gateway.
leftsubnet=0.0.0.0/0,::/0
# Accept clients from any address.
right=%any
# Second authentication round: the client must pass XAUTH (user name and password).
rightauth2=xauth
# Virtual IP pool handed out to clients.
rightsourceip=10.31.1.0/24
# Clients are pointed at public resolvers, so their DNS queries leave via the
# gateway to a third party.
rightdns=8.8.8.8,8.8.4.4
# Load the conn and wait for clients to initiate.
auto=add
# Site-to-site tunnel between two fixed gateways (addresses masked by the author
# as xx.xx.xx.xx / yy.yy.yy.yy).
conn kiev
keyexchange=ikev1
# Overrides the %default IKE proposal with SHA-512 and the 4096-bit MODP group.
# No trailing "!", so the proposal is not enforced strictly as a responder.
ike=aes256-sha512-modp4096
# No DH group in the ESP proposal: Quick Mode runs without PFS.
esp=aes256-sha256
# Authenticated only by the PSK listed for this address pair in ipsec.secrets.
authby=psk
type=tunnel
left=xx.xx.xx.xx
leftsubnet=10.200.0.0/16
# Source address this gateway uses for its own traffic into the tunnel.
leftsourceip=10.200.255.254
right=yy.yy.yy.yy
rightsubnet=192.168.0.0/24
#rightsourceip=192.168.0.1
# Initiate the tunnel when the daemon starts.
auto=start
# Top-level include (not part of conn kiev). Its contents are not shown here;
# review that file as well, since it can add or change connections.
include /var/lib/strongswan/ipsec.conf.inc
# ipsec.secrets (second file of the gist; presumably /etc/ipsec.secrets)
# This file holds shared secrets or RSA private keys for authentication.
# All secrets below are stored in clear text: keep the file readable by root
# only and out of version control and backups that others can read.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# The included file is managed by debconf and will contain the automatically created private key.
include /var/lib/strongswan/ipsec.secrets.inc
# Group PSK for the roadwarrior conn (leftid=@ciscoauth, any peer). The value
# shown is a placeholder; use a long random secret, since it is shared by every client.
@ciscoauth %any : PSK "keykeykeykeykey"
# XAUTH password for user "test" (placeholder value).
test : XAUTH "zzzzzzzzzz"
# PSK for the site-to-site pair used by conn kiev (addresses and secret are placeholders).
xx.xx.xx.xx yy.yy.yy.yy : PSK "keykeykeykeykeykeykeykey"