# $Id: tunnel_ike.conf,v 1.8 2007/07/20 13:20:32 mk Exp $
# ike tunnel mode (esp) (includes a nat-t tunnel mode initiator side)
remote ike_tun_remote {
	acceptable_kmp { ikev2; ikev1; };
	ikev2 {
		#my_id fqdn "${MY_FQDN}";
		#my_id fqdn "fc7-test2";
		my_id x509_subject "${CERTDIR}/${MY_PUB_KEY}";
		#peers_id fqdn "fc7-test1";
		#peers_id fqdn "${PEERS_FQDN}";
		peers_id x509_subject "${CERTDIR}/${PEERS_PUB_KEY}";
		peers_ipaddr "${PEERS_IPADDRESS}" port 500;
		# kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
		kmp_enc_alg { 3des_cbc; };
		#kmp_prf_alg { hmac_sha1; hmac_md5; aes_xcbc; };
		kmp_prf_alg { hmac_sha1; };
		kmp_hash_alg { hmac_sha1; };
		#kmp_dh_group { modp3072; modp2048; modp1536; modp1024;};
		kmp_dh_group { modp1536; };
		## Use Preshared Key
		#kmp_auth_method { psk; };
		#pre_shared_key "${PSKDIR}/${PRESHRD_KEY}";
		## Use Certificate
		kmp_auth_method { rsasig; };
		#my_public_key x509pem "${CERTDIR}/${MY_PUB_KEY}" "${CERTDIR}/${MY_PRI_KEY}";
		#peers_public_key x509pem "${CERTDIR}/${PEERS_PUB_KEY}" "";
		my_public_key x509pem "${CERTDIR}/west.crt" "${CERTDIR}/west.key";
		peers_public_key x509pem "${CERTDIR}/east.crt" "";
		
	};
	ikev1 {
		my_id ipaddr "${MY_IPADDRESS}";
		peers_id ipaddr "${PEERS_IPADDRESS}";
		peers_ipaddr "${PEERS_IPADDRESS}" port 500;
		kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
		kmp_hash_alg { sha1; };
		kmp_dh_group { modp2048; };
		## Use Preshared Key
		kmp_auth_method { psk; };
		#pre_shared_key "${PSKDIR}/${PRESHRD_KEY}";
		## Use Certificate
		#kmp_auth_method { rsasig; };
		#my_public_key x509pem "${CERTDIR}/${MY_PUB_KEY}" "${CERTDIR}/${MY_PRI_KEY}";
		#peers_public_key x509pem "${CERTDIR}/${PEERS_PUB_KEY}" "";
	};
	selector_index ike_tun_sel_in;
};

selector ike_tun_sel_out {
	direction outbound;
	src "${MY_NET}";
	dst "${PEERS_NET}";
	policy_index ike_tun_policy;
};

selector ike_tun_sel_in {
	direction inbound;
	dst "${MY_NET}";
	src "${PEERS_NET}";
	policy_index ike_tun_policy;
};

policy ike_tun_policy {
	action auto_ipsec;
	remote_index ike_tun_remote;
	ipsec_mode tunnel;
	ipsec_index { ipsec_esp; };
	ipsec_level require;
	peers_sa_ipaddr "${PEERS_GWADDRESS}";
	my_sa_ipaddr "${MY_GWADDRESS}";
};