#	$OpenBSD: VPN-3way-template.conf,v 1.12 2005/05/28 18:38:30 ho Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# This is a template file of a VPN setup between three nodes in
# a fully meshed 'three-way' configuration. Suggested use is to copy
# this file to all three nodes and then edit each copy accordingly.
#
# These nodes are initially called XXX, YYY and ZZZ.
#
# In pseudographics:   XXX --- YYY
#                         \   /
#                          ZZZ
#
# Where IP/network addresses need to be defined, placeholder values
# like 192.168.XXX.nnn have been used.
#

# Incoming phase 1 negotiations are multiplexed on the source IP
# address. In the three-way VPN, we have two possible peers.
# Each key is a peer's IP address; its value names the
# [ISAKMP-peer-node-*] section below that describes that peer.

[Phase 1]
192.168.YYY.nnn=	ISAKMP-peer-node-YYY
192.168.ZZZ.nnn=	ISAKMP-peer-node-ZZZ

# These connections are walked over after config file parsing and
# told to the application layer so that it will inform us when
# traffic wants to pass over them.  This means we can do on-demand
# keying. In the three-way VPN, each node knows two connections.
# The value is a comma-separated list (written without spaces here);
# every name must match an [IPsec-Conn-*] section below.

[Phase 2]
Connections=		IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ

# ISAKMP Phase 1 peer sections

# Peer YYY as seen from node XXX.
[ISAKMP-peer-node-YYY]
# Phase 1 (ISAKMP SA) section.
Phase=			1
# Peer address; must be the same address used as the [Phase 1] key
# that points to this section.
Address=		192.168.YYY.nnn
# Main mode parameters, see [Default-main-mode] below.
Configuration=		Default-main-mode
# Pre-shared key, stored in clear text. Replace the placeholder with
# a long random secret that is unique to the XXX-YYY pair and set
# identically on both nodes. Keep this file root-owned, mode 0600.
# NOTE(review): isakmpd is documented to refuse a config file that is
# readable by others - confirm against isakmpd.conf(5) for your release.
Authentication=		yoursharedsecretwithYYY

# Peer ZZZ as seen from node XXX.
[ISAKMP-peer-node-ZZZ]
# Phase 1 (ISAKMP SA) section.
Phase=			1
# Peer address; must be the same address used as the [Phase 1] key
# that points to this section.
Address=		192.168.ZZZ.nnn
# Main mode parameters, see [Default-main-mode] below.
Configuration=		Default-main-mode
# Pre-shared key, stored in clear text. Use a different random secret
# from the one shared with YYY, so a compromise of one peer pair does
# not expose the other. Keep this file root-owned, mode 0600.
Authentication=		yoursharedsecretwithZZZ

# IPsec Phase 2 sections

# Tunnel between XXX and YYY. This template is written from node
# XXX's point of view; on another node's copy, adjust Local-ID and
# Remote-ID to that node's own network and its peer's.
[IPsec-Conn-XXX-YYY]
# Phase 2 (IPsec SA) section.
Phase=			2
# Phase 1 SA this connection is negotiated under.
ISAKMP-peer=		ISAKMP-peer-node-YYY
# Quick mode parameters, see [Default-quick-mode] below.
Configuration=		Default-quick-mode
# Traffic selectors: our network and the peer's network, defined in
# the client ID sections below.
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-YYY

# Tunnel between XXX and ZZZ, written from node XXX's point of view.
[IPsec-Conn-XXX-ZZZ]
# Phase 2 (IPsec SA) section.
Phase=			2
# Phase 1 SA this connection is negotiated under.
ISAKMP-peer=		ISAKMP-peer-node-ZZZ
# Quick mode parameters, see [Default-quick-mode] below.
Configuration=		Default-quick-mode
# Traffic selectors: our network and the peer's network, defined in
# the client ID sections below.
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-ZZZ

# Client ID sections

# Network behind node XXX (the local side in the connections above).
# The three networks should not overlap, so that each tunnel's
# selectors are unambiguous.
[MyNet-XXX]
# Identity is a network/netmask pair.
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.XXX.0
Netmask=		255.255.255.0

# Network behind node YYY (remote side of IPsec-Conn-XXX-YYY).
[OtherNet-YYY]
# Identity is a network/netmask pair.
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.YYY.0
Netmask=		255.255.255.0

# Network behind node ZZZ (remote side of IPsec-Conn-XXX-ZZZ).
[OtherNet-ZZZ]
# Identity is a network/netmask pair.
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.ZZZ.0
Netmask=		255.255.255.0

# Main mode description

[Default-main-mode]
# ID_PROT is the identity-protection (main mode) phase 1 exchange.
EXCHANGE_TYPE=		ID_PROT
# Phase 1 transforms proposed to the peer, comma separated. Both are
# offered, so a peer may select 3DES-SHA; drop it once every peer
# supports AES so the weaker cipher cannot be chosen. No DH group is
# given here, so presumably the transform defaults apply - verify.
Transforms=		AES-SHA,3DES-SHA

# Quick mode description

[Default-quick-mode]
# QUICK_MODE is the phase 2 exchange that sets up the IPsec SAs.
EXCHANGE_TYPE=		QUICK_MODE
# Phase 2 proposal: per the suite name, ESP with AES encryption, SHA
# integrity and PFS (a fresh DH exchange for each phase 2 SA).
Suites=			QM-ESP-AES-SHA-PFS-SUITE
