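# isakmpd.conf -- three-host IKEv1/IPsec template (OpenBSD isakmpd).
#
# Every peer below authenticates with a pre-shared key written here in
# clear text, so this file is itself a secret: keep it owned by root with
# mode 0600 or stricter, and never commit the real passphrases to a
# repository. The two Authentication= values shipped here are placeholders
# (their text says so) and must be replaced before use.
#
# NOTE(review): the algorithm set negotiated below (3DES, MD5, MODP_1024)
# is legacy and is kept only because it is what the described peers speak.
# Review it against current policy before deploying.

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 192.168.2.5
Shared-SADB= Defined

# Incoming phase 1 negotiations are multiplexed on the source IP address.
# Default= names the peer definitions tried when the initiator's address
# matches none of the explicit entries; presumably that lets an unlisted
# address attempt authentication against those peers' pre-shared keys, so
# keep the Default= list as short as the deployment allows.
[Phase 1]
192.168.2.1= ISAKMP-peer-GNU
192.168.2.10= ISAKMP-peer-WIN
Default= ISAKMP-peer-WIN,ISAKMP-peer-GNU

# These connections are walked after the config file is parsed and handed
# to the application layer, which then tells us when traffic wants to pass
# over them. That is what makes on-demand keying possible.
[Phase 2]
Connections= IPsec-OBSD-GNU
Passive-connections= IPsec-OBSD-WIN

# The peers

# Main-mode peer; the pre-shared key is unique to this peer.
[ISAKMP-peer-GNU]
Phase= 1
Transport= udp
Local-address= 192.168.2.5
Address= 192.168.2.1
Configuration= Default-main-mode
Authentication= this_is_our_badly_chosen_secret_passphrase

# Aggressive-mode variant of the same peer. It is defined but NOT referenced
# from [Phase 1] above. Aggressive mode with pre-shared-key authentication
# sends the identity in the clear and exposes material derived from the PSK
# to anyone who can observe or initiate the exchange, which enables offline
# guessing of weak passphrases. Leave it unreferenced unless the peer
# requires it, and then only with a long random secret.
[ISAKMP-peer-GNU-aggressive]
Phase= 1
Transport= udp
Local-address= 192.168.2.5
Address= 192.168.2.1
Configuration= Default-aggressive-mode
Authentication= this_is_our_badly_chosen_secret_passphrase

# Main-mode peer; the pre-shared key is unique to this peer.
[ISAKMP-peer-WIN]
Phase= 1
Transport= udp
Local-address= 192.168.2.5
Address= 192.168.2.10
Configuration= Default-main-mode
Authentication= this_is_another_badly_chosen_passphrase

# The different connections

[IPsec-OBSD-GNU]
Phase= 2
ISAKMP-peer= ISAKMP-peer-GNU
Configuration= Default-quick-mode
Local-ID= Net-OBSD
Remote-ID= Net-GNU

[IPsec-OBSD-WIN]
Phase= 2
ISAKMP-peer= ISAKMP-peer-WIN
Configuration= Default-quick-mode
Local-ID= Net-OBSD
Remote-ID= Net-WIN

# Certificates stored in PEM format.
# Every phase 1 transform in this file uses AUTHENTICATION_METHOD= PRE_SHARED,
# so these paths are not exercised by the configuration as written; they are
# kept for the case where a peer is switched to certificate authentication.
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key

# Our Networks
# All three IDs are single hosts (/32), i.e. host-to-host tunnels whose
# IDs coincide with the peer addresses used in [Phase 1].

[Net-GNU]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.1
Netmask= 255.255.255.255

[Net-OBSD]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.5
Netmask= 255.255.255.255

[Net-WIN]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.10
Netmask= 255.255.255.255

# Phase 1 descriptions

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5

# Only used by [ISAKMP-peer-GNU-aggressive]; see the caveat there.
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA,3DES-MD5

# Main mode transforms
########################

# 3DES
# Short (180 s) phase 1 lifetimes suit a test setup; see [LIFE_180_SECS].
[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS

# CAST
# Defined for reference only; no Phase 1 description above lists them.
[CAST-SHA-1536]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY

[CAST-MD5-1024]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

# Quick mode description
########################

# Only the PFS suites are offered; the non-PFS and CAST suites below are
# kept as alternatives but are not listed here.
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

# Quick mode protection suites
##############################

# 3DES
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS

[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5

# CAST
[QM-ESP-CAST-SHA-SUITE]
Protocols= QM-ESP-CAST-SHA

[QM-ESP-CAST-MD5-SUITE]
Protocols= QM-ESP-CAST-MD5

# Quick mode protocols
#############################

# 3DES
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF

[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF

# CAST
[QM-ESP-CAST-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-CAST-SHA-XF

[QM-ESP-CAST-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-CAST-MD5-XF

# Quick mode transforms
#############################
#
# Every ESP transform must carry an AUTHENTICATION_ALGORITHM: ESP without
# integrity protection is malleable and must not be proposed.
#
# NOTE(review): GROUP_DESCRIPTION in a quick-mode transform is how isakmpd
# requests PFS. It is set on every transform below, including the ones named
# without "-PFS" and the CAST ones, which makes them equivalent to their PFS
# counterparts -- confirm that this is intended, or drop the key from the
# transforms meant to run without PFS.

# 3DES
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Fixed: the key below was misspelled AUTHENTICAION_ALGORITHM, a name the
# parser would not recognise, so this transform would have been proposed
# without any integrity algorithm.
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# CAST
[QM-ESP-CAST-SHA-XF]
TRANSFORM_ID= CAST
ENCAPSULATION_MODE= TUNNEL
GROUP_DESCRIPTION= MODP_1536
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_8_HOURS

[QM-ESP-CAST-MD5-XF]
TRANSFORM_ID= CAST
ENCAPSULATION_MODE= TUNNEL
GROUP_DESCRIPTION= MODP_1024
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_8_HOURS

# Lifetimes
# LIFE_DURATION is written as offer,min:max -- the value we propose followed
# by the range we accept from the peer, all in seconds.

[LIFE_8_HOURS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 28800,25200:32400

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

[LIFE_180_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 180,120:240

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200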