# The templates used for the
# Private Shared Key file.
#
# racoon's pre_shared_key file holds one "<identifier> <key>" pair per line;
# here the identifier is the remote server's address.
# NOTE(review): this file holds the raw PSK, and racoon (I believe) refuses a
# key file that is group- or world-readable — the code that writes it is not
# in this chunk; confirm it creates the file with mode 0600.
use constant PSK_FILE_TMPL => <<'EOF';
@@SERVER_IP@@ @@PSK@@
EOF

# The template used for the
# racoon.conf file.
#
# The @@..@@ placeholders in every template below are filled in elsewhere (the
# substitution code is not in this chunk). NOTE(review): several of them land
# inside racoon's double-quoted strings (@@KEY_PATH@@, @@CERT_PATH@@, @@CERT@@,
# @@KEY@@, @@USER_FQDN@@); a value containing `"` or a newline would break or
# alter the generated config — confirm the caller validates them.
#
# NOTE(review): `log debug2` is racoon's most verbose level and writes the
# ISAKMP exchange in detail to syslog. It looks like a leftover from
# debugging — confirm this is intended for a production config.
#
# The padding and timer blocks are ISAKMP padding-compatibility settings and
# retransmit/lifetime timers respectively.
use constant RACOON_HEADER_TMPL => <<'EOF';
log debug2;
path pre_shared_key "@@KEY_PATH@@";
path certificate "@@CERT_PATH@@";
padding {
    randomize off;
    maximum_length 20;
    exclusive_tail off;
    strict_check off;
}
timer {
    counter 5;
    interval 20 seconds;
    persend 1;
    phase1 30 seconds;
    phase2 15 seconds;
}
EOF

# Closes racoon.conf: the local address racoon listens on for ISAKMP.
use constant RACOON_FOOTER_TMPL => <<'EOF';
listen {
    isakmp @@CLIENT_IP@@;
}
EOF

# Banner emitted into racoon.conf ahead of each connection's sections.
# The '#' lines are racoon comments and are part of the generated file.
use constant PROFILE_TMPL => <<'EOF';
####################
# Connection: @@NAME@@
####################
EOF

# The template used for each
# SAInfo section of the racoon.conf
# file.
#
# Phase 2 (IPsec SA) parameters for traffic between this client (/32) and the
# remote network. Note that, despite its name, @@IDENT@@ is substituted as the
# ESP authentication (integrity) algorithm.
use constant SAINFO_TMPL => <<'EOF';
sainfo address @@CLIENT_IP@@/32 any address @@NETWORK@@ any {
    pfs_group @@PFS_GROUP@@;
    lifetime time @@SA_LIFE@@;
    encryption_algorithm @@PHASE2@@;
    authentication_algorithm @@IDENT@@;
    compression_algorithm deflate;
}
EOF

# The template used for each
# Remote Server section of the
# racoon.conf file.
#
# Phase 1 (ISAKMP SA) parameters for one server. @@CONNECTION_METHOD@@ is
# presumably replaced by CERT_TMPL or PSK_TMPL below depending on how the
# connection authenticates — verify against the caller.
# `passive off` / `generate_policy off`: this side initiates, and the IPsec
# policies come from the setkey script (TUNNEL_TMPL) rather than being derived
# from the negotiation.
use constant REMOTE_SERVER_TMPL => <<'EOF';
remote @@SERVER_IP@@ {
    exchange_mode @@EXCHANGE@@;
    proposal_check @@PROPOSAL@@;
    initial_contact on;
    support_mip6 on;
    generate_policy off;
    nonce_size 16;
    doi ipsec_doi;
    passive off;
    situation identity_only;
    @@CONNECTION_METHOD@@
    proposal {
        encryption_algorithm @@PHASE1@@;
        hash_algorithm @@HASH@@;
        authentication_method @@AUTH@@;
        dh_group @@DH_GROUP@@;
        lifetime time @@PROP_LIFE@@;
    }
}
EOF

# Certificate-based authentication fragment for a `remote` block.
#
# NOTE(review): `verify_cert off` disables validation of the peer's
# certificate against the CA material under `path certificate`, and
# `verify_identifier off` skips checking the peer's claimed identifier.
# Together they leave the certificate exchange with little protection against
# an impostor server; unless there is a deployment reason (e.g. no CA
# available to the client) both should be `on`. Flagged rather than changed
# here because it alters the generated config's behaviour.
use constant CERT_TMPL => <<'EOF';
verify_identifier off;
my_identifier asn1dn;
certificate_type x509 "@@CERT@@" "@@KEY@@";
send_cert on;
send_cr on;
verify_cert off;
EOF

# Pre-shared-key authentication fragment for a `remote` block. The key itself
# comes from the file built from PSK_FILE_TMPL, which is keyed by
# @@SERVER_IP@@.
use constant PSK_TMPL => <<'EOF';
my_identifier user_fqdn "@@USER_FQDN@@";
EOF

# The templates used to set
# up the tunnels and so forth
# in interfaces.sh script.
#
# The generated shell script flushes the SPD (`setkey -FP`) and the SAD
# (`setkey -F`) — i.e. ALL IPsec policies and SAs on the host, not only the
# ones this tool manages — and then feeds setkey one policy pair per tunnel
# through a shell heredoc. The Perl terminator is EOS rather than EOF because
# the script text itself uses EOF as the shell heredoc marker (the footer
# template consists of that line alone).
use constant SCRIPT_HEADER_TMPL => <<'EOS';
#!/bin/sh
setkey -FP
setkey -F
setkey -c << EOF
EOS

# Terminates the shell heredoc opened in SCRIPT_HEADER_TMPL.
use constant SCRIPT_FOOTER_TMPL => <<'EOS';
EOF
EOS

# One pair of SPD entries per tunnel: outbound traffic from this client to the
# remote network, and the mirrored inbound policy, both requiring ESP in
# tunnel mode between @@CLIENT_IP@@ and @@SERVER_IP@@.
use constant TUNNEL_TMPL => <<'EOF';
spdadd @@CLIENT_IP@@/32 @@NETWORK@@ any -P out ipsec esp/tunnel/@@CLIENT_IP@@-@@SERVER_IP@@/require;
spdadd @@NETWORK@@ @@CLIENT_IP@@/32 any -P in ipsec esp/tunnel/@@SERVER_IP@@-@@CLIENT_IP@@/require;
EOF

1;