# Configuration for the racoon VPN helper script.
#
# PROFILES holds one anonymous hash for each VPN appliance to which to
# connect.  Each profile names the peer (SERVER_IP), the local identity
# (USER_FQDN), the networks reachable through the tunnel (NETWORKS) and
# either a pre-shared key (PSK) or a certificate/key pair (CERT/KEY).
# Any of the default connection parameters listed at the bottom of this
# file may be overridden inside a profile.
#
# Note the notation for the networks behind the VPN -- you cannot
# connect to the same subnet behind two different firewalls.
#
# This script will not currently enable you to set up your Mac as one
# end of a router.  You can probably hack it to do this by changing the
# '/32' in the interface template (in Templates.pm) to be a '/24', but
# not having a dual-card desktop with which to test this out I can't
# say for sure.
#
# On Certificates
#
# You may need to massage the certificates into the correct format.
# VPN-1 exports certificates in PKCS#12 format, and racoon wants them
# in PEM format.  Using OS X's OpenSSL utilities you should be able to
# convert them.
#
# To extract your private key:
#   openssl pkcs12 -in cert.p12 -nodes -nocerts -out key.pem
#
# Note that '-nodes' writes the private key to disk unencrypted, so
# key.pem should be owned by root and readable only by root (mode 0600),
# just like the PSK file configured below.
#
# To extract your certificate:
#   openssl pkcs12 -in cert.p12 -nokeys -clcerts -out cert.pem
#
# After this, you may still need to edit the certificate by hand: in
# the case of the VPN-1, racoon didn't like the format of the Check
# Point certificate.  It exported both the CA cert and the user cert,
# and you may need to remove the CA cert by hand.
# -- kudos and credit to Todd Ignasiak for this tip
#
# The sample values below (addresses, identities and PSKs) are
# placeholders and must be replaced before use.
PROFILES => [
    {
        # A sample profile using a pre-shared key (PSK).
        NAME      => 'Profile 1',
        SERVER_IP => '1.2.3.4',
        USER_FQDN => 'foo@bar.com',
        NETWORKS  => ['192.168.0.0/24', '192.168.1.0/24'],
        PSK       => '1234567890',
    },
    {
        # A second sample profile using a pre-shared key (PSK).
        NAME      => 'Profile 2',
        SERVER_IP => '4.5.6.7',
        USER_FQDN => 'bar@baz.com',
        NETWORKS  => ['10.0.0.0/24'],
        PSK       => '0987654321',
    },
    {
        # A third sample profile using a certificate, and overriding
        # some of the default parameters.
        # NOTE(review): the extraction commands above produce key.pem and
        # cert.pem, but this sample names 'cert.pm' / 'key.pm' -- confirm
        # which file names the script expects before copying these lines.
        NAME      => 'Profile 3',
        SERVER_IP => '8.9.0.1',
        CERT      => 'cert.pm',
        KEY       => 'key.pm',
        NETWORKS  => ['10.0.1.0/24'],
        IDENT     => 'hmac_sha1, hmac_md5',
        PHASE1    => '3des',
        PHASE2    => '3des, aes128, aes256',
        PROPOSAL  => 'claim',
        EXCHANGE  => 'main',
        SA_LIFE   => '3660 seconds',
        PROP_LIFE => '1450 minutes',
        AUTH      => 'rsasig',
    },
];

# The interface on which to run racoon.  Typically, en0 is the
# Ethernet NIC and en1 is for WiFi/Airport.
INTERFACE => 'en1';

# Where to find the pre-shared key file.  There is one already set up
# for you in /etc/racoon, but you'll need to add the key for each VPN
# appliance before connecting.  Every PSK in this file is a shared
# secret: keep the file owned by root with mode 0600.  racoon checks the
# file's permissions and may refuse one that is group- or world-readable.
KEY_PATH => '/etc/racoon/psk.txt';

# Where the user's certificate and private key are stored.  The private
# key should be protected the same way as the PSK file.
CERT_PATH => '/etc/racoon/certs';

# These are default connection parameters.  You should work these out
# with your sysadmin.  The defaults below work with a properly-configured
# NetScreen VPN appliance.  All of them can be overridden on a
# profile-by-profile basis.
#
# Security notes on these defaults:
#  - 3DES, MD5, SHA-1 and modp1024 are legacy algorithms kept here for
#    compatibility with older appliances; prefer AES, SHA-256 and
#    modp2048 or stronger whenever racoon and the peer both support them.
#  - EXCHANGE includes 'aggressive'.  With a PSK, aggressive mode sends
#    the identity and the PSK-derived hash before the exchange is
#    encrypted, which exposes the PSK to offline guessing.  Use 'main'
#    when the appliance allows it, and choose a long random PSK either
#    way.  (How the script orders the listed modes is not visible here;
#    presumably the first one is tried first -- verify in Templates.pm.)
PFS_GROUP => 'modp1024';
DH_GROUP  => 'modp1024';
HASH      => 'sha1';
IDENT     => 'hmac_sha1, hmac_md5';
EXCHANGE  => 'aggressive, main';
PROPOSAL  => 'obey';
SA_LIFE   => '3660 seconds';
PROP_LIFE => '1450 minutes';
PHASE1    => '3des';
PHASE2    => '3des';
AUTH      => 'pre_shared_key';