# /etc/ipsec.conf - Libreswan IPsec configuration file

# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
	# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
	# For MacOSX use "bsd"
	protostack=klips
	#
	# The interfaces= line is only required for the klips/mast stack
	#interfaces="%defaultroute"
	#interfaces="ipsec0=eth0 ipsec1=ppp0"
	#
	# If you want to limit listening on a single IP - not required for
	# normal operation
	#listen=127.0.0.1
	#
	# Do not set debug options to debug configuration issues!
	#
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control kernel pfkey natt x509 dpd
	#  private".
	# Note: "crypt" is not included with "all", as it can show confidential
	#       information. It must be specifically specified 
	# examples:
	# plutodebug="control parsing"
	# plutodebug="all crypt"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#plutodebug=none
	#klipsdebug=none
	#
	# Normally, pluto logs via syslog. If you want to log to a file,
	# specify below or to disable logging, eg for embedded systems, use
	# the file name /dev/null
	# Note: SElinux policies might prevent pluto writing to a log file at
	#       an unusual location.
	#plutostderrlog=/var/log/pluto.log
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: SElinux policies might prevent pluto writing the core at
	#       unusual locations
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their wireless networks.
	# This range has not been announced via BGP (at least upto 2010-12-21)
	interfaces="ipsec0=ens224"
	nat_traversal=yes
	oe=off
	virtual_private=%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# Add connections here

# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
#  /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
#
# There is also a lot of information in the manual page, "man ipsec.conf"

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf

conn State-Secrets
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    ike=aes256-sha1;modp1024!
    phase2alg=aes256-sha1;modp1024
    aggrmode=no
    left=10.0.0.3
    right=10.0.0.2