On Mon, May 05 2008 at 20:14, Prabhu Gurumurthy wrote:
> All,
>
> I have a question regarding ipsec.conf.
>
> Example:
>
> IPsec peers: 3.3.3.3, 3.3.3.2
> Interesting traffic: 1.1.1.1 -> 192.168.100.2
> 2.2.2.2 -> 192.168.100.0/24
>
> Main/Quick mode crypto/groups being: aes, sha1 and group2
> PSK being "test123"
>
> How can I define the above concisely?
>
> I can, for example, do the following:
>
> ike esp from 1.1.1.1 to 192.168.100.2 \
> local 3.3.3.3 peer 3.3.3.2 \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes group modp1024 \
> psk "test123"
>
> ike esp from 2.2.2.2 to 192.168.100.0/24 \
> local 3.3.3.3 peer 3.3.3.2 \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes group modp1024 \
> psk "test123"
>
> Is there any way to shorten it? Since most of it seems to be redundant
> except for the interesting traffic part.
You can simply use macros as in pf.conf. For example:

# addresses that differ between the two rules
IP_pub_1 = "1.1.1.1"
IP_pub_2 = "2.2.2.2"
IP_priv = "192.168.100.2"
LAN_priv = "192.168.100.0/24"
# everything the two rules share
Our_PSK = "test123"
IPSEC_peers = "local 3.3.3.3 peer 3.3.3.2"
IPSEC_crypto = "main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024"

ike esp from $IP_pub_1 to $IP_priv $IPSEC_peers $IPSEC_crypto \
    psk $Our_PSK
ike esp from $IP_pub_2 to $LAN_priv $IPSEC_peers $IPSEC_crypto \
    psk $Our_PSK
With 4.3-current you can use includes. Sample from the man page:
Additional configuration files can be included with the include
keyword, for example:
include "/etc/macros.conf"
Claer
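As an added example that is not part of the thread and not ipsecctl's own parser: the small Python expander below does what ipsec.conf's macro and include handling does to the configuration discussed above (joins backslash-continued lines, resolves name = "value" macros and $name references, pulls in include "file" lines) and reports any macro that is referenced but never defined, which is exactly the slip that makes a hand-built macro file fail to load. The file contents are constructed for the example; the paths come from the thread. On a real OpenBSD box the check to run before deploying is ipsecctl -nvf /etc/ipsec.conf, which parses the file without loading it and prints the expanded rules.

```python
"""Expand ipsec.conf-style macros and includes, flagging undefined macros.

Constructed example for this thread, not ipsecctl's own parser: it joins
backslash-continued lines, resolves 'name = "value"' macros, '$name'
references and 'include "file"' lines, and reports any $macro that was
never defined, the kind of mistake ipsecctl -n would reject.
"""
import re
from typing import Dict, List, Optional, Tuple

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"\s*$')


def expand(text: str, files: Dict[str, str],
           macros: Optional[Dict[str, str]] = None) -> Tuple[List[str], List[str]]:
    """Return (expanded rule lines, names of macros referenced but undefined).

    `files` maps include paths to their contents so the example runs offline.
    """
    macros = {} if macros is None else macros
    rules: List[str] = []
    undefined: List[str] = []
    # ipsec.conf lets a rule continue on the next line after a backslash.
    for line in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()   # drop comments
        if not line:
            continue
        m = INCLUDE.match(line)
        if m:  # an included file shares the macro table with the includer
            sub_rules, sub_undef = expand(files[m.group(1)], files, macros)
            rules.extend(sub_rules)
            undefined.extend(sub_undef)
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name in MACRO_REF.findall(line):
            if name not in macros and name not in undefined:
                undefined.append(name)
        # Leave unknown $names in place so the offending rule stays visible.
        expanded = MACRO_REF.sub(lambda r: macros.get(r.group(1), r.group(0)), line)
        rules.append(" ".join(expanded.split()))
    return rules, undefined


# Constructed input: the thread's configuration, with the addresses also
# turned into macros and the macro definitions moved into an included file.
SAMPLE_FILES = {
    "/etc/macros.conf": """
IP_pub_1 = "1.1.1.1"
IP_pub_2 = "2.2.2.2"
IP_priv = "192.168.100.2"
LAN_priv = "192.168.100.0/24"
Our_PSK = "test123"
IPSEC_peers = "local 3.3.3.3 peer 3.3.3.2"
IPSEC_crypto = "main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024"
""",
    "/etc/ipsec.conf": """
include "/etc/macros.conf"
ike esp from $IP_pub_1 to $IP_priv $IPSEC_peers $IPSEC_crypto \\
    psk $Our_PSK
ike esp from $IP_pub_2 to $LAN_priv $IPSEC_peers $IPSEC_crypto \\
    psk $Our_PSK
""",
}


def check(files: Dict[str, str], main: str = "/etc/ipsec.conf") -> Tuple[List[str], List[str]]:
    """Expand `main` from `files`; refuse to load if the undefined list is non-empty."""
    return expand(files[main], files)


if __name__ == "__main__":
    rules, undefined = check(SAMPLE_FILES)
    for rule in rules:
        print(rule)
    if undefined:
        print("undefined macros:", ", ".join(undefined))
```

The expander keeps a single macro table across includes, which is why the rules in /etc/ipsec.conf can use names defined in /etc/macros.conf; a reference to a name that no file defines is left as a literal $name in the output and listed separately, so a deployment script can stop before handing a half-expanded file to ipsecctl.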