# Kernel configuration options required for the IPsec (ESP) setup used by
# the racoon/setkey examples that follow.
options         IPSEC               #IP security
options         IPSEC_ESP           #IP security (encryption; defined together with IPSEC)
options         IPSEC_DEBUG         #IP security debugging
# NOTE(review): IPSEC_DEBUG is a debugging aid; confirm it is actually wanted
# in a production kernel before keeping it.
-------------------------
# racoon.conf - IKE (ISAKMP) configuration, pre-shared-key variant.
path include "/usr/local/etc/racoon" ;
# Pre-shared keys: one "<identifier> <secret>" pair per line (see psk.txt
# below). NOTE(review): these secrets are the whole authentication; keep the
# file owned by root and mode 0600 (racoon is expected to refuse a file that
# is readable by others - verify on this build).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# "anonymous": this section applies to any remote IKE endpoint, i.e. the
# parameters below are offered to every peer that connects.
remote anonymous
{
        # Both phase-1 modes are accepted. NOTE(review): aggressive mode with
        # pre-shared keys sends the identity in the clear and exposes a hash
        # that can be attacked offline to recover the PSK; prefer "main" alone
        # unless aggressive mode is genuinely required by the peer.
        exchange_mode aggressive,main;
        # Identity sent to the peer; it must match an entry in the peer's
        # psk.txt exactly (the psk.txt example further down uses different
        # names - check that both sides agree on the string).
        my_identifier user_fqdn "user1@domain.com";
        lifetime time 1 hour;
        initial_contact on;

        proposal {
                # NOTE(review): 3DES / SHA1 / DH group 2 (1024-bit MODP) are
                # legacy choices; use AES and a larger DH group (14 or higher)
                # where the peer supports them.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
# Phase-2 (IPsec SA) parameters, again for any peer and any selector.
sainfo anonymous
{
        # NOTE(review): pfs_group 1 is 768-bit MODP, weaker than the phase-1
        # group above; use at least the same group as phase 1.
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
-------------------------
# Client-side SPD (client 192.168.0.104, gateway 192.168.0.1): everything the
# client sends is ESP-tunnelled to the gateway, and traffic addressed to the
# client is only accepted when it arrives ESP-tunnelled from the gateway.
# Level "require" means a matching packet is dropped unless an SA exists
# (racoon is expected to negotiate it on demand).
# spdadd 192.168.0.104/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.0.104-192.168.0.1/require ; 
# spdadd 0.0.0.0/0 192.168.0.104/32 any -P in ipsec esp/tunnel/192.168.0.1-192.168.0.104/require ;
-------------------------
# Load the client policy file (the two spdadd lines above) into the kernel SPD.
# setkey -f client.spd
-------------------------
# psk.txt - pre-shared keys, one "<identifier> <secret>" per line. The
# identifier must be exactly the string the peer sends as its my_identifier
# (user_fqdn here); otherwise the key lookup fails and phase 1 is rejected.
# NOTE(review): the identifiers below look like they lost non-ASCII characters
# in extraction (e.g. "uzytkownik"), and they do not match the
# "user1@domain.com" used in the racoon.conf example above - make sure both
# sides use the same string.
# NOTE(review): these secrets are the whole authentication: use long, random
# values (not dictionary phrases), never share one secret between users, and
# keep this file root-only (mode 0600).
uytkownik1@domena.com      wielkatajemnica
uytkownik2@domena.com      jeszczewikszatajemnica
uytkownik3@domena.com      nietakawielkatajemnica
-------------------------
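# Gateway-side SPD (gateway 192.168.0.1): one out/in policy pair per client.
# For each client X: packets *to* X are outbound on the gateway and are
# tunnelled 192.168.0.1 -> X; packets *from* X are inbound and must arrive
# tunnelled X -> 192.168.0.1. The -P direction must agree with the selector
# and the tunnel endpoints, otherwise the policy never matches and the client
# either gets no protection or no connectivity. The .105 and .106 pairs are
# written to the same pattern as the .104 pair (and mirror the client policy
# shown earlier).
# spdadd 0.0.0.0/0 192.168.0.104/32 any -P out ipsec esp/tunnel/192.168.0.1-192.168.0.104/require ;
# spdadd 192.168.0.104/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.0.104-192.168.0.1/require ;
# spdadd 0.0.0.0/0 192.168.0.105/32 any -P out ipsec esp/tunnel/192.168.0.1-192.168.0.105/require ;
# spdadd 192.168.0.105/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.0.105-192.168.0.1/require ;
# spdadd 0.0.0.0/0 192.168.0.106/32 any -P out ipsec esp/tunnel/192.168.0.1-192.168.0.106/require ;
# spdadd 192.168.0.106/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.0.106-192.168.0.1/require ;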
-------------------------
# racoon.conf - IKE configuration, X.509 certificate (RSA signature) variant.
# Our certificate, our private key and the CA certificate (installed under a
# hash-named symlink, see the ln -s step below) are looked up in this directory.
path certificate "/etc/ssl";
remote anonymous
{
        exchange_mode main;
        lifetime time 1 hour;
        # Our own certificate and private key, relative to "path certificate".
        # NOTE(review): cletus.key must be readable by root only; anyone who
        # can read it can impersonate this host.
        certificate_type x509 "cletus.crt" "cletus.key";
        # The peer's certificate is validated against the CA certs in /etc/ssl.
        verify_cert on;
        # Identities are exchanged as the certificate subject DN.
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # NOTE(review): with "remote anonymous" and no DN given, any peer holding
        # a certificate from a trusted CA in /etc/ssl is accepted. If only
        # specific hosts should connect, pin the DN in a per-peer remote block
        # (peers_identifier asn1dn "<DN>") and consider "verify_identifier on"
        # so the ID payload is checked against the certificate subject.

        proposal {
                # NOTE(review): 3DES / SHA1 / DH group 2 (1024-bit MODP) are
                # legacy choices; prefer AES and DH group 14 or higher where
                # both sides support them.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
# Phase-2 (IPsec SA) parameters for any peer and any selector.
sainfo anonymous
{
        # NOTE(review): pfs_group 1 (768-bit MODP) is weaker than the phase-1
        # group; use at least the same group as phase 1.
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
-------------------------
# Install the CA certificate under the hash-named symlink that OpenSSL (and
# therefore racoon's verify_cert) uses to find it in "path certificate":
# <subject-hash>.0 (.1, .2, ... are used only for hash collisions).
# NOTE(review): on newer OpenSSL releases "-hash" emits the new-style subject
# hash; if racoon is linked against a library expecting the old form, use
# "-subject_hash_old" instead - verify which one your build needs.
# ln -s CA.crt `openssl x509 -noout -hash < CA.crt`.0
-------------------------
# Verification: with the policies loaded and racoon running, only ESP is seen
# on the wire between the two hosts - one SPI per direction, sequence numbers
# advancing by one per packet - and the inner packets are not visible.
# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lnc0, link-type EN10MB (Ethernet), capture size 96 bytes
03:35:57.481254 IP 192.168.0.40 > 192.168.0.41: ESP(spi=0x05d628a3,seq=0xd)
03:35:57.483451 IP 192.168.0.41 > 192.168.0.40: ESP(spi=0x0c53fadb,seq=0xd)
03:35:58.490287 IP 192.168.0.40 > 192.168.0.41: ESP(spi=0x05d628a3,seq=0xe)
03:35:58.491160 IP 192.168.0.41 > 192.168.0.40: ESP(spi=0x0c53fadb,seq=0xe)
03:35:59.500509 IP 192.168.0.40 > 192.168.0.41: ESP(spi=0x05d628a3,seq=0xf)
03:35:59.501289 IP 192.168.0.41 > 192.168.0.40: ESP(spi=0x0c53fadb,seq=0xf)
