# swanctl connection definition for the tunnel between this host (vps.zw3b.eu)
# and the peer bw.zw3b.eu. Per the author's notes below, this side is the
# responder. The block is expected to sit inside a "connections" section that
# is not part of this excerpt.
vps_de-home_orange {

    # IP address(es) of the VPN client
    remote_addrs = 109.210.56.240

    # Named address pool for the peer; the pool is defined outside this block.
    pools = v6_bw-home

    local {
        auth = pubkey
        certs = vpsCert-dilithium5-sign_ca-falcon1024.pem
        id = vps.zw3b.eu
    }

    remote {
        auth = pubkey
        id = bw.zw3b.eu
        # NOTE(review): only the peer identity is pinned here. No "cacerts" or
        # "certs" constraint is set in this block, so any certificate that
        # chains to a CA this daemon trusts and carries this identity would be
        # accepted. Consider restricting the issuing CA with "cacerts".
    }

    children {
        vps_de-home_orange {
            # mode = transport

            # Declare the RESPONDER's networks AND the networks of the other initiators
            # local_ts = fec0::0/16, fc00:41d0:701:1100::/64
            local_ts = fec0::0/16, fc00:41d0:701:1100::/64, fec1::/16, fc00:41d0:801:2000::/64

            # The client's networks
            remote_ts = fec2::/16, fc10:11:6:42:1:0::/96

            # Install trap policies; the CHILD_SA is negotiated when matching
            # traffic is seen.
            start_action = trap

            #--------------------------------
            # ESP
            #-------
            # DEFAULT: no cipher configured
            #   selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
            #
            # My config ciphers list
            #   ok CHILD_SA net{1} established
            # esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3
            #   selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
            #
            #   ok CHILD_SA net{1} established
            # ke3_none / ke4_none make the third and fourth additional key
            # exchanges optional; x25519, ke1_kyber3 and ke2_bike3 stay mandatory.
            esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
            #   selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
            # NOTE(review): the logged ESP proposal lists no key exchange because
            # the first CHILD_SA is keyed from the IKE_SA during IKE_AUTH; the
            # key-exchange methods above only take effect when the CHILD_SA is
            # rekeyed or created later through CREATE_CHILD_SA.
            #---------------------------------

            # rekey_time = 5400
            #   (90 min)
            # NOTE(review): 3 min looks like a test value. Every rekey repeats
            # the full key-exchange chain above, so confirm the interval before
            # using it in production.
            rekey_time = 180
            rekey_bytes = 500000000
            rekey_packets = 1000000
        }
    }

    #--------------------------------
    # IKE
    #-------
    version = 2
    dpd_delay = 60s

    # DEFAULT: no cipher config
    #   selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    #
    #   ok IKE_SA home[1] established
    # ke1 accepts kyber3 or frodoa3, ke2 accepts bike3 or hqc3; ke3 and ke4 are
    # optional because of the *_none alternatives.
    proposals = aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
    #   selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE1_KYBER_L3/KE2_BIKE_L3/KE3_HQC_L3/KE4_HQC_L5

    # test
    # proposals = aes256-sha256-x25519
    # proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3
    # proposals = aes256-sha256-x25519-modp3072-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
    #--------------------------------
}