conn l2tp-X.509 # # Configuration for one user with any type of IPsec/L2TP client # including the updated Windows 2000/XP (MS KB Q818043), but # excluding the non-updated Windows 2000/XP. # # # Use a certificate. Disable Perfect Forward Secrecy. # authby=rsasig pfs=no auto=add # we cannot rekey for %any, let client rekey rekey=no # Apple iOS doesn't send delete notify so we need dead peer detection # to detect vanishing clients dpddelay=10 dpdtimeout=90 dpdaction=clear # Set ikelifetime and keylife to same defaults windows has ikelifetime=8h keylife=1h # l2tp-over-ipsec is transport mode # See http://bugs.xelerance.com/view.php?id=466 type=transport # left=YourServerIP leftid=%fromcert leftrsasigkey=%cert leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem leftprotoport=17/1701 # # The remote user. # right=%any rightca=%same rightrsasigkey=%cert # Using the magic port of "%any" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port. rightprotoport=17/%any rightsubnet=vhost:%priv,%no # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted # connection with. With L2TP clients behind NAT, that's not really what # you want. The connection below allows both l2tp/ipsec and plaintext # connections from behind the same NAT router. # The l2tpd use a leftprotoport, so they are more specific and will be used # first. Then, packets for the host on different ports and protocols (eg ssh) # will match this passthrough conn. conn passthrough-for-non-l2tp type=passthrough left=YourServerIP leftnexthop=YourGwIP right=0.0.0.0 rightsubnet=0.0.0.0/0 auto=route