#	$OpenBSD: VPN-3way-template.conf,v 1.11 2004/02/11 08:55:22 jmc Exp $
#	$EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# This is a template file of a VPN setup between three nodes in
# a fully meshed 'three-way' configuration. Suggested use is to copy
# this file to all three nodes and then edit them accordingly.
#
# These nodes are initially called XXX, YYY and ZZZ.
#
# In pseudographics:   XXX --- YYY
#                         \   /
#                          ZZZ
#
# In cases where IP/network addresses should be defined values like
# 192.168.XXX.nnn have been used.
#

# Incoming phase 1 negotiations are multiplexed on the source IP
# address. In the three-way VPN, we have two possible peers.

[Phase 1]
192.168.YYY.nnn=	ISAKMP-peer-node-YYY
192.168.ZZZ.nnn=	ISAKMP-peer-node-ZZZ

# These connections are walked over after config file parsing and
# told to the application layer so that it will inform us when
# traffic wants to pass over them.  This means we can do on-demand
# keying. In the three-way VPN, each node knows two connections.

[Phase 2]
Connections=		IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ

# ISAKMP Phase 1 peer sections
##############################

[ISAKMP-peer-node-YYY]
Phase=			1
Transport=		udp
Address=		192.168.YYY.nnn
Configuration=		Default-main-mode
Authentication=		yoursharedsecretwithYYY

[ISAKMP-peer-node-ZZZ]
Phase=			1
Transport=		udp
Address=		192.168.ZZZ.nnn
Configuration=		Default-main-mode
Authentication=		yoursharedsecretwithZZZ

# IPsec Phase 2 sections
########################

[IPsec-Conn-XXX-YYY]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-node-YYY
Configuration=		Default-quick-mode
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-YYY

[IPsec-Conn-XXX-ZZZ]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-node-ZZZ
Configuration=		Default-quick-mode
Local-ID=		MyNet-XXX
Remote-ID=		OtherNet-ZZZ

# Client ID sections
####################

[MyNet-XXX]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.XXX.0
Netmask=		255.255.255.0

[OtherNet-YYY]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.YYY.0
Netmask=		255.255.255.0

[OtherNet-ZZZ]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.ZZZ.0
Netmask=		255.255.255.0

#
# There is no more node-specific configuration below this point.
#

# Main mode descriptions

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA,3DES-MD5

[Blowfish-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		BLF-SHA-M1024

# Quick mode description
########################

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-PFS-SUITE

[Blowfish-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-BLF-SHA-PFS-SUITE
#Suites=			QM-ESP-BLF-SHA-SUITE