certidude/certidude/templates/strongswan-site-to-client.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

# left/local = gateway
# right/remote = client

config setup
    cachecrls=yes
    strictcrlpolicy=yes

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn site-to-clients
	auto=ignore
	right=%any # Allow connecting from any IP address
	rightsourceip={{subnet}} # Serve virtual IP-s from this pool
	left={{common_name}} # Gateway IP address
	leftcert={{certificate_path}} # Gateway certificate
{% if route %}
{% if route | length == 1 %}
	leftsubnet={{route[0]}} # Advertise routes via this connection
{% else %}
	leftsubnet={ {{ route | join(', ') }} }
{% endif %}
{% endif %}
Released 0.1.17 2015-08-13 08:11:08 +00:00			`# /etc/ipsec.conf - strongSwan IPsec configuration file`

			`# left/local = gateway`
			`# right/remote = client`

			`config setup`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`cachecrls=yes`
			`strictcrlpolicy=yes`
Released 0.1.17 2015-08-13 08:11:08 +00:00
			`conn %default`
			`ikelifetime=60m`
			`keylife=20m`
			`rekeymargin=3m`
			`keyingtries=1`
			`keyexchange=ikev2`

Cleaned up ipsec.conf templates 2015-10-17 17:36:12 +00:00			`conn site-to-clients`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`auto=ignore`
Released 0.1.17 2015-08-13 08:11:08 +00:00			`right=%any # Allow connecting from any IP address`
Added preliminary Kerberos authentication support 2015-08-16 14:21:42 +00:00			`rightsourceip={{subnet}} # Serve virtual IP-s from this pool`
Use common name instead of IP address as listening address for IPSec gateway 2016-03-29 09:28:10 +00:00			`left={{common_name}} # Gateway IP address`
Released 0.1.17 2015-08-13 08:11:08 +00:00			`leftcert={{certificate_path}} # Gateway certificate`
api: Added signed certificate tagging mechanism 2015-12-16 17:41:49 +00:00			`{% if route %}`
			`{% if route \| length == 1 %}`
Released 0.1.17 2015-08-13 08:11:08 +00:00			`leftsubnet={{route[0]}} # Advertise routes via this connection`
api: Added signed certificate tagging mechanism 2015-12-16 17:41:49 +00:00			`{% else %}`
Released 0.1.17 2015-08-13 08:11:08 +00:00			`leftsubnet={ {{ route \| join(', ') }} }`
api: Added signed certificate tagging mechanism 2015-12-16 17:41:49 +00:00			`{% endif %}`
			`{% endif %}`
Released 0.1.17 2015-08-13 08:11:08 +00:00