diff --git a/README.md b/README.md index e2a9d4c..08c8c68 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ UniFi: Configure IPsec VTI VPN with dynamic IP on one or both sites ========= -**ATTENTION: The script only works for a bidirectional site-to-site VPN.** - Development & Pull Request ----------- 
@@ -35,44 +33,127 @@ admin@USG-Pro-4:~$ sudo vi /config/vpn-site-to-site.conf Input the content of the `vpn-site-to-site.conf`. -Change the variables: -| Variable | Description | Values | -|-------------------|--------------------------------------------------------------------|------------------------------| -| THIS_SITE | Letter of current site. Each site must be different from the other | ENUM(A,B) | -| SITE_A_HOST | Hostname of site A | FQDN with final point | -| SITE_B_HOST | Hostname of site B | FQDN with final point | -| SITE_A_NETWORKS | Networks of site A which are to be routed | CIDR format space seperated | -| SITE_B_NETWORKS | Networks of site B which are to be routed | CIDR format space seperated | -| PRE_SHARED_SECRET | Pre shared key | Secret with 24 or more bytes | -| VTI_BIND | Name of Virtual Tunnel Interface | vti[0-255] Default: vti64 | -| ESP_GROUP | Name of ESP Group | ESP[0-255] Default: ESP0 | -| IKE_GROUP | Name of IKE Group | IKE[0-255] Default: IKE0 | +Change these variables: +| Variable | Description | Values | +|-------------------|--------------------------------------------------------------------|-----------------------------------------| +| LOCAL_HOST | Hostname of this site | FQDN with final point | +| REMOTE_HOST | Hostname of the remote site | FQDN with final point | +| REMOTE_NETWORKS | Networks of the remote site which are to be routed | CIDR format space seperated | +| PRE_SHARED_SECRET | Pre shared key | Secret with 24 or more bytes | +| TRANSFER_NETWORK | Transfer network | CIDR format. Default: "10.255.254.0/24" | +| TRANSFER_ADDRESS | Address of this site in the transfer network | CIDR format. 
Default: "10.255.254.1/32" | + +For more than one IPsec site-to-site setup, further change these variables: +| Variable | Description | Values | +|-------------------------|--------------------------------------------------------------|-----------------------------------------| +| VTI_BIND | Name of Virtual Tunnel Interface | vti[0-255] Default: vti64 | +| ESP_GROUP | Name of ESP Group | ESP[0-255] Default: ESP0 | +| IKE_GROUP | Name of IKE Group | IKE[0-255] Default: IKE0 | + +Further additional variables are documented in the `vpn-site-to-site.conf`. Make sure to convert both files to LF. Execute the script: ``` -admin@USG-Pro-4:~$ /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh +admin@USG-Pro-4:~$ /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh -v ``` -Check the logs. Normally you should get an output like the following: +Check the logs: ``` admin@USG-Pro-4:~$ show log | grep 'vpn-site-to-site-reconfigure' -Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Remote address does not change. -Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Local address does not change. -Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Nothing to commit. +``` + +After the first run, your output should look like this: + +``` +Feb 20 10:15:01 USG-Pro-4 vpn-site-to-site-reconfigure: VTI interface vti64 not found in configuration. Create. +Feb 20 10:15:01 USG-Pro-4 vpn-site-to-site-reconfigure: Static route 10.255.254.0/24 not found. Create. +Feb 20 10:15:01 USG-Pro-4 vpn-site-to-site-reconfigure: Static route 10.2.1.0/24/24 not found. Create. +Feb 20 10:15:02 USG-Pro-4 vpn-site-to-site-reconfigure: Firewall group item 10.2.1.0/24/24 not found. Create. +Feb 20 10:15:02 USG-Pro-4 vpn-site-to-site-reconfigure: Static route 10.2.2.0/24/24 not found. Create. +Feb 20 10:15:02 USG-Pro-4 vpn-site-to-site-reconfigure: Firewall group item 10.2.2.0/24/24 not found. Create. 
+Feb 20 10:15:02 USG-Pro-4 vpn-site-to-site-reconfigure: ESP group ESP0 not found in configuration. Create. +Feb 20 10:15:03 USG-Pro-4 vpn-site-to-site-reconfigure: IKE group IKE0 not found in configuration. Create. +Feb 20 10:15:03 USG-Pro-4 vpn-site-to-site-reconfigure: No site-to-site peer configuration found. +Feb 20 10:15:03 USG-Pro-4 vpn-site-to-site-reconfigure: Set up new site-to-site peer configuration. +Feb 20 10:15:05 USG-Pro-4 vpn-site-to-site-reconfigure: Commit configuration. +``` + +Until an IP address change, your output should normally look like this: + +``` +Feb 20 10:20:03 USG-Pro-4 vpn-site-to-site-reconfigure: Remote address does not change. +Feb 20 10:20:03 USG-Pro-4 vpn-site-to-site-reconfigure: Local address does not change. +Feb 20 10:20:03 USG-Pro-4 vpn-site-to-site-reconfigure: Nothing to commit. ``` ### Edit config.gateway.json -Your `config.gateway.json` needs an addition: -Merge the contents of the `config.gateway.merge.json` in your `config.gateway.json` for both sites. +Your `config.gateway.json` needs an addition. + +#### You have no idea how to find or create the config.gateway.json? -__You have no idea how to find or create the config.gateway.json?__ Check this: [UniFi - USG Advanced Configuration Using config.gateway.json](https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration-Using-config-gateway-json) +#### Set-up (only) one site-to-site VPN IPsec tunnel + +Merge the contents of the `config.gateway.merge.json` in your `config.gateway.json` for both sites. 
+ +#### Set-up multiple site-to-site VPN IPsec tunnels + +Get the content of the `config.gateway.merge.json` and edit the task entry or rather add new task entries in the task scheduler as shown below: + +``` +{ + "system": { + "task-scheduler": { + "task": { + "vpn-site-to-site1": { + "executable": { + "path": "/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh", + "arguments": "-c/config/vpn-site-to-site1.conf" + }, + "interval": "5m" + }, + "vpn-site-to-site2": { + "executable": { + "path": "/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh", + "arguments": "-c/config/vpn-site-to-site2.conf" + }, + "interval": "5m" + } + } + } + } +} +``` + +Make sure that each task has a unique name and that different configuration files are specified as arguments. After all, merge it in your `config.gateway.json` for all sites. + +#### Provisioning and testing + +Now the changes in your `config.gateway.json` must be provisioned to the USGs. You have no idea how? Click here: [How to Trigger provisioning after changing config.gateway.json](https://community.ui.com/questions/How-to-Trigger-provisioning-after-changing-config-gateway-json-in-Network-Controller-7-3-76/f105a191-7c2c-47ec-9bd1-9ca2d239d25b) + +To check whether the tasks have been created on the USGs, you can use the following commands: + +``` +admin@USG-Pro-4:~$ /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show system task-scheduler +``` + +Normally you should get an output like the following: + +``` + task vpn-site-to-site { + executable { + path /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh + } + interval 5m + } +``` + Known Issues ----------- 
@@ -132,12 +213,11 @@ If the domain can't be resolved, your USG has a problem with the DNS it uses. ### No remote address found. Abort. Same issue as [No local address found. Abort.](#no-local-address-found-abort) See above. - Compatibility ------- Tested and productive in use: -* Ubiquiti UniFi Security Gateway, USG with FW 4.4.57.5578372 +* Ubiquiti UniFi Security Gateway, USG-3P with FW 4.4.57.5578372 * Ubiquiti UniFi Security Gateway, USG-PRO-4 with FW 4.4.57.5578372 License diff --git a/config.gateway.merge.json b/config.gateway.merge.json index ad915a0..43b80ec 100644 --- a/config.gateway.merge.json +++ b/config.gateway.merge.json @@ -2,7 +2,7 @@ "system": { "task-scheduler": { "task": { - "postprovision": { + "vpn-site-to-site": { "executable": { "path": "/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh" }, diff --git a/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh b/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh index 50b599d..2bb086f 100644 --- a/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh +++ b/config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh @@ -1,8 +1,8 @@ #!/bin/bash # File: vpn-site-to-site-reconfigure.sh # Author: ufozone -# Date: 2023-01-29 -# Version: 2.2.1 +# Date: 2024-02-20 +# Version: 3.0.0 # Desc: UniFi Site-to-Site IPsec VTI VPN does not detect a change of WAN IP address. # This script checks periodically the current WAN IP addresses of both sites and # updates the configuration. @@ -18,7 +18,7 @@ Log() fi if [[ $DEBUG == FALSE ]] then - logger -t $NAME -- "$@" + logger -t "$NAME" -- "$@" fi } 
@@ -104,12 +104,13 @@ Help() echo "UniFi Site-to-Site IPsec VTI VPN does not detect a change of WAN IP address." echo "This script checks periodically the current WAN IP addresses of both sites and updates the configuration." echo - echo "Syntax: ${NAME}.sh [-d|h|v]" + echo "Syntax: ${0##*/} [-d|-v|-c]|-r|-h]" echo "Options:" - echo "d Debug mode. Does not make any changes to the configuration, but displays them." - echo "h Print this Help." - echo "r Reset all configuration changes." - echo "v Verbose mode. It provides additional details." + echo " -d Debug mode. Does not make any changes to the configuration, but displays them." + echo " -v Verbose mode. It provides additional details." + echo " -c Config file. Default: /config/vpn-site-to-site.conf" + echo " -r Reset all configuration changes." + echo " -h Print this Help." echo } 
@@ -122,39 +123,88 @@ fi VERBOSE=FALSE DEBUG=FALSE +RESET=FALSE CONFIG_CHANGED=FALSE -CONFIG_FILE="/config/vpn-site-to-site.conf" -PEER_FILE="/config/vpn-site-to-site.peer" NAME="vpn-site-to-site-reconfigure" WR="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper" +CONFIG_FILE="/config/vpn-site-to-site.conf" -if [[ ! -e $CONFIG_FILE ]] +while getopts ":dvc:rh" option +do + case $option in + d) # -d -- Debug + DEBUG=TRUE + ;; + v) # -v -- Verbose + VERBOSE=TRUE + ;; + c) # -c -- Config file + CONFIG_FILE=${OPTARG} + NAME="${NAME}(${CONFIG_FILE##*/})" + ;; + r) # -r -- Reset + RESET=TRUE + ;; + h) # -h -- Help + Help + exit;; + :) # Argument required + echo "Option -${OPTARG} requires an argument." + echo "" + Help + exit;; + ?) # Invalid option + echo "Invalid option: -${OPTARG}" + echo "" + Help + exit;; + esac +done + +if [[ ! -n $CONFIG_FILE ]] +then + Log "No configuration file given. Abort." + exit 1 +elif [[ ! -e $CONFIG_FILE ]] then - Log "File vpn-site-to-site.conf not found. Abort." + Log "Configuration file ${CONFIG_FILE} not found. Abort." exit 1 fi + +PEER_FILE="${CONFIG_FILE##*/}" +PEER_FILE="/config/${PEER_FILE%.*}.peer" + +# Load the configuration source $CONFIG_FILE -if [[ ( ( $THIS_SITE != "A" ) && ( $THIS_SITE != "B" ) ) || ( $SITE_A_HOST == "" ) || ( $SITE_B_HOST == "" ) || ( $PRE_SHARED_SECRET == "" ) ]] +if [[ ! -n $DESCRIPTION ]] +then + DESCRIPTION="CUSTOM_BY_SCRIPT" +fi + +if [[ ! -n $LOCAL_HOST || ! -n $REMOTE_HOST || ! -n $PRE_SHARED_SECRET ]] then - Log "Configuration in vpn-site-to-site.conf is invalid. Abort." + Log "Configuration in ${CONFIG_FILE} is invalid. Abort." exit 1 fi -TRANSFER_NETWORK="10.255.254.0/24" -if [[ $THIS_SITE == "A" ]] +# Transfer Network Details +if [[ ! -n $TRANSFER_NETWORK ]] +then + TRANSFER_NETWORK="10.255.254.0/24" +fi +if [[ ! 
-n $TRANSFER_ADDRESS ]] then TRANSFER_ADDRESS="10.255.254.1/32" - LOCAL_HOST=$SITE_A_HOST - REMOTE_HOST=$SITE_B_HOST - REMOTE_NETWORKS=$SITE_B_NETWORKS -else - TRANSFER_ADDRESS="10.255.254.2/32" - LOCAL_HOST=$SITE_B_HOST - REMOTE_HOST=$SITE_A_HOST - REMOTE_NETWORKS=$SITE_A_NETWORKS fi +# Route Distance +if [[ ! -n $DISTANCE ]] +then + DISTANCE=30 +fi + +# Name of Virtual Tunnel Interface if [[ ! -n $VTI_BIND ]] then VTI_BIND="vti64" @@ -170,17 +220,83 @@ then IKE_GROUP="IKE0" fi -while getopts ":dhrv" option -do - case $option in - d) DEBUG=TRUE;; - h) Help - exit;; - r) Reset - exit;; - v) VERBOSE=TRUE;; - esac -done +# Connection type +if [[ ! -n $CONNECTION_TYPE ]] +then + CONNECTION_TYPE="initiate" +fi + +# ESP Settings +if [[ ! -n $ESP_COMPRESSION ]] +then + ESP_COMPRESSION="disable" +fi +if [[ ! -n $ESP_LIFETIME ]] +then + ESP_LIFETIME=3600 +fi +if [[ ! -n $ESP_MODE ]] +then + ESP_MODE="tunnel" +fi +if [[ ! -n $ESP_PFS ]] +then + ESP_PFS="enable" +fi +if [[ ! -n $ESP_ENCRYPTION ]] +then + ESP_ENCRYPTION="aes256" +fi +if [[ ! -n $ESP_HASH ]] +then + ESP_HASH="sha1" +fi + +# IKE Settings +if [[ ! -n $IKE_DPD_ACTION ]] +then + IKE_DPD_ACTION="restart" +fi +if [[ ! -n $IKE_DPD_INTERVAL ]] +then + IKE_DPD_INTERVAL=20 +fi +if [[ ! -n $IKE_DPD_TIMEOUT ]] +then + IKE_DPD_TIMEOUT=120 +fi +if [[ ! -n $IKE_IKEV2_REAUTH ]] +then + IKE_IKEV2_REAUTH="no" +fi +if [[ ! -n $IKE_KEYEXCHANGE ]] +then + IKE_KEYEXCHANGE="ikev1" +fi +if [[ ! -n $IKE_LIFETIME ]] +then + IKE_LIFETIME=28800 +fi +if [[ ! -n $IKE_DHGROUP ]] +then + IKE_DHGROUP=14 +fi +if [[ ! -n $IKE_ENCRYPTION ]] +then + IKE_ENCRYPTION="aes256" +fi +if [[ ! -n $IKE_HASH ]] +then + IKE_HASH="sha1" +fi + +# Reset +if [[ $RESET == TRUE ]] +then + Reset + exit +fi + # Get local and remote addresses via DDNS lookup GET_LOCAL_ADDRESS=$(host -st A $LOCAL_HOST) 
@@ -236,7 +352,7 @@ do if [[ $(echo "${VALIDATE_REMOTE_ROUTE}" | grep -i 'empty') ]] then Log "Static route ${REMOTE_NETWORK} not found. Create." - Command set protocols static interface-route $REMOTE_NETWORK next-hop-interface $VTI_BIND distance 30 + Command set protocols static interface-route $REMOTE_NETWORK next-hop-interface $VTI_BIND distance $DISTANCE CONFIG_CHANGED=TRUE else @@ -260,12 +376,12 @@ if [[ $(echo "${VALIDATE_ESP_GROUP}" | grep -i 'empty') ]] then Log "ESP group ${ESP_GROUP} not found in configuration. Create." - Command set vpn ipsec esp-group $ESP_GROUP compression disable - Command set vpn ipsec esp-group $ESP_GROUP lifetime 3600 - Command set vpn ipsec esp-group $ESP_GROUP mode tunnel - Command set vpn ipsec esp-group $ESP_GROUP pfs enable - Command set vpn ipsec esp-group $ESP_GROUP proposal 1 encryption aes256 - Command set vpn ipsec esp-group $ESP_GROUP proposal 1 hash sha1 + Command set vpn ipsec esp-group $ESP_GROUP compression $ESP_COMPRESSION + Command set vpn ipsec esp-group $ESP_GROUP lifetime $ESP_LIFETIME + Command set vpn ipsec esp-group $ESP_GROUP mode $ESP_MODE + Command set vpn ipsec esp-group $ESP_GROUP pfs $ESP_PFS + Command set vpn ipsec esp-group $ESP_GROUP proposal 1 encryption $ESP_ENCRYPTION + Command set vpn ipsec esp-group $ESP_GROUP proposal 1 hash $ESP_HASH CONFIG_CHANGED=TRUE else 
@@ -276,15 +392,15 @@ if [[ $(echo "${VALIDATE_IKE_GROUP}" | grep -i 'empty') ]] then Log "IKE group ${IKE_GROUP} not found in configuration. Create." - Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection action restart - Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection interval 20 - Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection timeout 120 - Command set vpn ipsec ike-group $IKE_GROUP ikev2-reauth no - Command set vpn ipsec ike-group $IKE_GROUP key-exchange ikev1 - Command set vpn ipsec ike-group $IKE_GROUP lifetime 28800 - Command set vpn ipsec ike-group $IKE_GROUP proposal 1 dh-group 14 - Command set vpn ipsec ike-group $IKE_GROUP proposal 1 encryption aes256 - Command set vpn ipsec ike-group $IKE_GROUP proposal 1 hash sha1 + Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection action $IKE_DPD_ACTION + Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection interval $IKE_DPD_INTERVAL + Command set vpn ipsec ike-group $IKE_GROUP dead-peer-detection timeout $IKE_DPD_TIMEOUT + Command set vpn ipsec ike-group $IKE_GROUP ikev2-reauth $IKE_IKEV2_REAUTH + Command set vpn ipsec ike-group $IKE_GROUP key-exchange $IKE_KEYEXCHANGE + Command set vpn ipsec ike-group $IKE_GROUP lifetime $IKE_LIFETIME + Command set vpn ipsec ike-group $IKE_GROUP proposal 1 dh-group $IKE_DHGROUP + Command set vpn ipsec ike-group $IKE_GROUP proposal 1 encryption $IKE_ENCRYPTION + Command set vpn ipsec ike-group $IKE_GROUP proposal 1 hash $IKE_HASH CONFIG_CHANGED=TRUE else 
@@ -328,12 +444,12 @@ then (echo "${REMOTE_ADDRESS}" > $PEER_FILE) &> /dev/null Verbose "Write remote address ${REMOTE_ADDRESS} to ${PEER_FILE}." - Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS description "CUSTOM_BY_SCRIPT" + Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS description $DESCRIPTION Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS authentication id $LOCAL_HOST Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS authentication remote-id $REMOTE_HOST Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS authentication mode pre-shared-secret Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS authentication pre-shared-secret $PRE_SHARED_SECRET - Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS connection-type initiate + Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS connection-type $CONNECTION_TYPE Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS ike-group $IKE_GROUP Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS ikev2-reauth inherit Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS local-address $LOCAL_ADDRESS diff --git a/config/vpn-site-to-site.conf b/config/vpn-site-to-site.conf index d7cb55c..b681f0c 100644 --- a/config/vpn-site-to-site.conf +++ b/config/vpn-site-to-site.conf 
@@ -2,25 +2,127 @@ # Configuration for Site-to-Site VPN # ###################################### -# Which site is this? A or B? -THIS_SITE="A" +# (OPTIONAL) Description +#DESCRIPTION="" -# Hostnames of both sites as FQDN with final point -SITE_A_HOST="site-a.ddns.com." -SITE_B_HOST="site-b.ddns.com." +# (REQUIRED) Hostnames of both sites as FQDN with final point +LOCAL_HOST="site-a.ddns.com." +REMOTE_HOST="site-b.ddns.com." -# Networks of both sites in CIDR format seperated with spaces -SITE_A_NETWORKS="10.1.1.0/24 10.1.2.0/24 10.1.3.0/24" -SITE_B_NETWORKS="10.2.1.0/24 10.2.2.0/24" +# (REQUIRED) Networkw of remote site in CIDR format seperated with spaces +REMOTE_NETWORKS="10.1.1.0/24 10.1.2.0/24 10.1.3.0/24" # e.g. 10.2.1.0/24 10.2.2.0/24 for the other site -# Pre shared secret must be the same on both sites +# (REQUIRED) Transfer network information in CIDR format +TRANSFER_NETWORK="10.255.254.0/24" +TRANSFER_ADDRESS="10.255.254.1/32" # e.g. 10.255.254.2/32 for the other site + +# (REQUIRED) Pre shared secret must be the same on both sites PRE_SHARED_SECRET="e72abd600a90eb0e733b7c8c856690c95d02819e" -# Name of Virtual Tunnel Interface +# (OPTIONAL) Name of Virtual Tunnel Interface #VTI_BIND="vti64" -# Name of ESP Group +# (OPTIONAL) Name of IKE Group +#IKE_GROUP="IKE0" + +# (OPTIONAL) Name of ESP Group #ESP_GROUP="ESP0" -# Name of IKE Group -#IKE_GROUP="IKE0" + +# +# Additional Settings +# + +# Route distance +#DISTANCE=30 + +# ESP Settings +#ESP_COMPRESSION=disable +# enable Enable ESP compression +# disable Disable ESP compression (default) +#ESP_LIFETIME=3600 +# <30-86400> ESP lifetime in seconds (default 3600) +#ESP_MODE=tunnel +# tunnel Tunnel mode (default) +# transport Transport mode +#ESP_PFS=enable +# enable Enable PFS. Use ike-group's dh-group (default) +# dh-group2 Enable PFS. Use Diffie-Hellman group 2 (modp1024) +# dh-group5 Enable PFS. Use Diffie-Hellman group 5 (modp1536) +# dh-group14 Enable PFS. 
Use Diffie-Hellman group 14 (modp2048) +# dh-group15 Enable PFS. Use Diffie-Hellman group 15 (modp3072) +# dh-group16 Enable PFS. Use Diffie-Hellman group 16 (modp4096) +# dh-group17 Enable PFS. Use Diffie-Hellman group 17 (modp6144) +# dh-group18 Enable PFS. Use Diffie-Hellman group 18 (modp8192) +# dh-group19 Enable PFS. Use Diffie-Hellman group 19 (ecp256) +# dh-group20 Enable PFS. Use Diffie-Hellman group 20 (ecp384) +# dh-group21 Enable PFS. Use Diffie-Hellman group 21 (ecp521) +# dh-group22 Enable PFS. Use Diffie-Hellman group 22 (modp1024s160) +# dh-group23 Enable PFS. Use Diffie-Hellman group 23 (modp2048s224) +# dh-group24 Enable PFS. Use Diffie-Hellman group 24 (modp2048s256) +# dh-group25 Enable PFS. Use Diffie-Hellman group 25 (ecp192) +# dh-group26 Enable PFS. Use Diffie-Hellman group 26 (ecp224) +# disable Disable PFS +#ESP_ENCRYPTION=aes256 +# aes128 AES-128 encryption +# aes256 AES-256 encryption (default) +# aes128gcm128 AES-128 encryption with Galois Counter Mode 128-bit +# aes256gcm128 AES-256 encryption with Galois Counter Mode 128-bit +# 3des 3DES encryption +#ESP_HASH=sha1 +# md5 MD5 hash +# sha1 SHA1 hash (default) +# sha256 SHA2-256 hash +# sha384 SHA2-384 hash +# sha512 SHA2-512 hash + +# IKE Settings +#IKE_DPD_ACTION=restart +# hold Set action to hold +# clear Set action to clear +# restart Set action to restart (default) +#IKE_DPD_INTERVAL=20 +# <15-86400> Keep-alive interval in seconds (default 20) +#IKE_DPD_TIMEOUT=120 +# <30-86400> Keep-alive timeout in seconds (default 120) +#IKE_IKEV2_REAUTH=no +# yes Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug +# no Disable remote host re-authenticaton during an IKE rekey. 
(default) +#IKE_KEYEXCHANGE=ikev1 +# ikev1 Use IKEv1 for Key Exchange (default) +# ikev2 Use IKEv2 for Key Exchange +#IKE_LIFETIME=28800 +# <30-86400> IKE lifetime in seconds (default 28800) +#IKE_DHGROUP=14 +# 2 DH group 2 (modp1024) +# 5 DH group 5 (modp1536) +# 14 DH group 14 (modp2048) (default) +# 15 DH group 15 (modp3072) +# 16 DH group 16 (modp4096) +# 17 DH group 17 (modp6144) +# 18 DH group 18 (modp8192) +# 19 DH group 19 (ecp256) +# 20 DH group 20 (ecp384) +# 21 DH group 21 (ecp521) +# 22 DH group 22 (modp1024s160) +# 23 DH group 23 (modp2048s224) +# 24 DH group 24 (modp2048s256) +# 25 DH group 25 (ecp192) +# 26 DH group 26 (ecp224) +#IKE_ENCRYPTION=aes256 +# aes128 AES-128 encryption +# aes256 AES-256 encryption (default) +# aes128gcm128 AES-128 encryption with Galois Counter Mode 128-bit +# aes256gcm128 AES-256 encryption with Galois Counter Mode 128-bit +# 3des 3DES encryption +#IKE_HASH=sha1 +# md5 MD5 hash +# sha1 SHA1 hash (default) +# sha256 SHA2-256 hash +# sha384 SHA2-384 hash +# sha512 SHA2-512 hash + +# Connection type +#CONNECTION_TYPE=initiate +# initiate This endpoint can initiate or respond to a connection (default) +# respond This endpoint will only respond to a connection
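Review bot: In the README hunk `@@ -35,44 +33,127 @@`, the first-run sample log shows entries with a doubled prefix length (`Static route 10.2.1.0/24/24 not found. Create.` and `Firewall group item 10.2.1.0/24/24 not found. Create.`), which means either the sample was captured with a malformed `REMOTE_NETWORKS` entry or the script appends a mask to a value that already carries one; the sample should show clean `10.2.1.0/24` entries, or the README should say that `REMOTE_NETWORKS` entries are passed through unvalidated. Two smaller points in the same hunk: the table for multiple tunnels lists only `VTI_BIND`, `ESP_GROUP` and `IKE_GROUP` as per-tunnel variables, but the log in the same hunk shows a static route for `TRANSFER_NETWORK` being created, so it is worth stating whether `TRANSFER_NETWORK` and `TRANSFER_ADDRESS` also need to differ per tunnel; and "space seperated" should read "space separated" in both tables.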
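Review bot: In the `config.gateway.merge.json` hunk, renaming the task from `postprovision` to `vpn-site-to-site` leaves the old `postprovision` task in place on any USG that was provisioned with the previous version, so after the next provisioning both tasks run the script every 5 minutes. The README upgrade path should tell existing users to remove the old `postprovision` task from their `config.gateway.json` and from the USG configuration, and to check with `show system task-scheduler` that only the new task remains.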
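Review bot: In the `Help()` hunk (`@@ -104,12 +104,13 @@`), the usage line `echo "Syntax: ${0##*/} [-d|-v|-c]|-r|-h]"` has mismatched brackets and omits the argument that `-c` requires (the getopts string is `":dvc:rh"`). Suggest `echo "Syntax: ${0##*/} [-d] [-v] [-c <file>] [-r] [-h]"` and, in the option list, `-c <file>  Config file. Default: /config/vpn-site-to-site.conf`.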
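Review bot: In the getopts hunk (`@@ -122,39 +123,88 @@`), the `:)` and `?)` cases print an error and then `exit` with status 0, so a typo in the scheduler's `arguments` string is reported as success; use `exit 1` in both branches (keep `exit` for `-h`). Two further points in the same hunk: the configuration file chosen with `-c` is loaded with `source $CONFIG_FILE`, so it is executed as shell with the script's privileges; quote it as `source "$CONFIG_FILE"` and the README should state that the file must be owned by root and not writable by other users. And `REMOTE_NETWORKS` is marked REQUIRED in the conf file but is not part of the validation check (only `LOCAL_HOST`, `REMOTE_HOST` and `PRE_SHARED_SECRET` are tested), so an empty value is only noticed when no routes are created. Style: `[[ ! -n $X ]]` is the usual `[[ -z $X ]]`.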
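Review bot: In the defaults hunk (`@@ -170,17 +220,83 @@`), dropping the A/B site switch means `TRANSFER_ADDRESS` now defaults to `10.255.254.1/32` on every site, whereas the removed code gave site B `10.255.254.2/32` automatically; an operator who copies the same conf to both USGs now ends up with the same transfer address on both tunnel ends. Suggest stating in the README (not only in a conf comment) that `TRANSFER_ADDRESS` must differ per site, or refusing to run when it equals the remote side's value. Also, the new ESP/IKE variables are interpolated unquoted into `Command set vpn ipsec ...` without any check against the allowed values listed in the conf file, so a typo such as `sha265` only surfaces at commit time; a small allow-list check before the `Command` calls would give an early, logged error. Since the conf file now documents `sha256` and `ikev2`, the README could mention that the shipped defaults (`sha1`, `ikev1`, DH group 14) are kept for compatibility and that both sites must use identical settings.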
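Review bot: In the peer hunk (`@@ -328,12 +444,12 @@`), `Command set vpn ipsec site-to-site peer $REMOTE_ADDRESS description $DESCRIPTION` replaces a quoted literal with an unquoted variable; `DESCRIPTION` is now user-supplied in the conf file, and a value containing a space is split into extra arguments for `Command set`. Suggest `description "$DESCRIPTION"` (and the same quoting for `$PRE_SHARED_SECRET` on the line above it), assuming `Command` forwards its arguments with `"$@"`.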
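Review bot: In the `vpn-site-to-site.conf` hunk, the shipped `PRE_SHARED_SECRET="e72abd600a90eb0e733b7c8c856690c95d02819e"` is a real-looking value rather than an obvious placeholder, and since the file is copied verbatim to `/config/` and then sourced, a user who forgets to change it ends up with a publicly known key on both tunnel ends; mark it as an example to be replaced (the README's rule of 24 or more bytes could be repeated here). Typos in the same hunk: "Networkw" should be "Networks", "seperated" should be "separated", "re-autentication" and "re-authenticaton" should be "re-authentication", and "strong swan" should be "strongSwan".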