libreswan: backport deprecating KLIPS

remove building kernel module, it is not used and is not working with 4.19 rework the ready to use l2tp-ipsec example Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2026-04-30 07:28:39 +01:00 · 2019-04-21 16:47:51 +03:00
parent 50e017f7df
commit b4b98e2922
5 changed files with 1020 additions and 69 deletions
@@ -1,46 +1,25 @@
-# /etc/ipsec.conf - Libreswan IPsec configuration file
-#
-# see 'man ipsec.conf' and 'man pluto' for more information
-#
-# For example configurations and documentation, see https://libreswan.org/wiki/
-
 config setup
-        # Normally, pluto logs via syslog.
-        #logfile=/var/log/pluto.log
-        #
-        # Do not enable debug options to debug configuration issues!
-        #
-        # plutodebug="control parsing"
-        # plutodebug="all crypt"
-        plutodebug=none
-        #
-        # NAT-TRAVERSAL support
-        # exclude networks used on server side by adding %v4:!a.b.c.0/24
-        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
-        # using 25/8 as "private" address space on their wireless networks.
-        # This range has never been announced via BGP (at least up to 2015)
-        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+    # needed when using PSK only. Not needed for X.509 based servers
+    uniqueids=no
+    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24

-# if it exists, include system wide crypto-policy defaults
-# include /etc/crypto-policies/back-ends/libreswan.config
-
-# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
-
-conn L2TP-PSK-NAT
-    rightsubnet=vhost:%priv
-    also=L2TP-PSK-noNAT
-
-conn L2TP-PSK-noNAT
+conn ikev1
    authby=secret
    pfs=no
    auto=add
-    keyingtries=8
-    ikelifetime=8h
-    keylife=1h
-    type=transport
-    left=A.B.C.D
-    leftprotoport=17/1701
+    rekey=no
+    left=%defaultroute
    right=%any
+    ikev2=never
+    type=transport
+    leftprotoport=17/1701
    rightprotoport=17/%any
+    dpddelay=15
+    dpdtimeout=30
+    dpdaction=clear

-include /etc/ipsec.d/*.conf
+conn ikev1-nat
+    also=ikev1
+    rightsubnet=vhost:%priv
+
+# include /etc/ipsec.d/*.conf