# isakmpd(8) configuration: IKEv1 / ISAKMP daemon settings for an
# interoperability test host (openbsd.ipsec2001.hsc.fr) talking to a
# set of third-party IPsec gateways, one block per vendor.
# Section and tag names below follow isakmpd.conf(5); value syntax is
# "Tag= value" (no space before "=", one after) and "#" starts a
# full-line comment.
# NOTE(review): this file carries a pre-shared key ([netscreen-p1],
# Authentication=) and therefore must not be readable by anyone but
# root (mode 0600).

[General]
# Listen-on is commented out, so the daemon is not pinned to these two
# addresses; presumably it binds every local address instead -- confirm
# against the isakmpd(8) defaults if the host is multi-homed.
#Listen-on= 192.70.106.200, 3ffe:304:11e:3:2e0:fdff:fe00:869
# How many times a message is resent before the exchange is abandoned.
Retransmits= 2
# Upper bound, in seconds, on the lifetime of a single exchange; short
# here because this is a test setup, not a production default.
Exchange-max-time= 10

[Phase 1]
# Incoming demultiplexing based on IP address
# Maps the source address of an incoming Phase 1 negotiation to the
# peer section that configures it. Addresses not listed here have no
# matching section in this file (no Default= is given), so unknown
# initiators cannot pick an arbitrary peer configuration.
192.70.106.196= 6wind-p1
3ffe:304:11e:3::196= 6wind-v6-p1
192.70.106.198= pix-p1
192.70.106.199= vpn3000-p1
192.70.106.201= netcelo-p1
192.70.106.202= ios-p1
192.70.106.205= freeswan-p1
192.70.106.207= netasq-p1
192.70.106.209= netscreen-p1
192.70.106.213= nortel-p1

[Phase 2]
# Connections to bring up on startup
# (these are the tunnels this host initiates)
Connections= ios-p2, pix-p2, vpn3000-p2, netasq-p2, netscreen-p2, nortel-p2
#Connections= pix-p2
# Connections for which we only act as responder
# Several names appear in both lists: such a tunnel is initiated on
# startup and also accepted when the peer initiates.
Passive-connections= 6wind-p2, 6wind-v6-p2, pix-p2, vpn3000-p2, netcelo-p2, ios-p2, freeswan-p2, netasq-p2, netscreen-p2, nortel-p2

# --- Local identities ---------------------------------------------------
# my-fqdn is the Phase 1 ID sent to every peer; the *-net sections are
# the local traffic selectors used as Local-ID in Phase 2.
# my-ipv4-addr and my-ipv6-addr are defined but not referenced below.

[my-fqdn]
ID-type= FQDN
Name= openbsd.ipsec2001.hsc.fr

[my-ipv4-addr]
ID-type= IPV4_ADDR
Address= 192.70.106.200

[my-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.200.0.0
Netmask= 255.255.0.0

[my-ipv6-addr]
ID-type= IPV6_ADDR
Address= 3ffe:304:11e:3:2e0:fdff:fe00:869

# 3ffe::/16 is the former 6bone test prefix, consistent with this being
# an interop lab configuration rather than a production one.
[my-ipv6-net]
ID-type= IPV6_ADDR_SUBNET
Network= 3ffe:304:11e:2::
Netmask= ffff:ffff:ffff:ffff::

# --- Per-vendor peers -----------------------------------------------------
# Each vendor block follows the same shape:
#   <vendor>-p1       Phase 1 (ISAKMP SA) peer: address, exchange
#                     configuration, our ID and, when enabled, the
#                     Remote-ID the peer must present.
#   <vendor>-fqdn     the peer's expected FQDN identity
#   <vendor>-p2       Phase 2 (IPsec SA) connection bound to the p1 peer
#   <vendor>-ipv4-net the remote traffic selector
# Where Remote-ID is commented out, the peer's identity payload is not
# compared against a configured value by this file; the per-peer
# comments explain why (unsupported ID types on the vendor side).

### 6WIND #########

[6wind-p1]
Phase= 1
Address= 192.70.106.196
Configuration= main-mode
ID= my-fqdn
#Remote-ID= 6wind-fqdn

[6wind-v6-p1]
Phase= 1
Address= 3ffe:304:11e:3::196
Configuration= main-mode
ID= my-fqdn
#Remote-ID= 6wind-fqdn

[6wind-fqdn]
ID-type= FQDN
Name= 6wind.ipsec2001.hsc.fr

[6wind-p2]
Phase= 2
ISAKMP-peer= 6wind-p1
Configuration= quick-mode
Local-ID= my-ipv4-net
Remote-ID= 6wind-ipv4-net

# IPv6-in-IPv6 tunnel to the same vendor, over its own Phase 1 SA.
[6wind-v6-p2]
Phase= 2
ISAKMP-peer= 6wind-v6-p1
Configuration= quick-mode
Local-ID= my-ipv6-net
Remote-ID= 6wind-ipv6-net

[6wind-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.196.0.0
Netmask= 255.255.0.0

[6wind-ipv6-net]
ID-type= IPV6_ADDR_SUBNET
Network= 3ffe:304:11e:4::
Netmask= ffff:ffff:ffff:ffff::

### Cisco PIX #############

[pix-p1]
Phase= 1
Address= 192.70.106.198
Configuration= main-mode
ID= my-fqdn
Remote-ID= pix-fqdn

[pix-fqdn]
ID-type= FQDN
Name= pix.ipsec2001.hsc.fr

[pix-p2]
Phase= 2
ISAKMP-peer= pix-p1
# Use this config to see proposal# bug:
#Configuration= quick-mode
# Use this configuration to avoid bug:
# (quick-mode-cisco offers a single proposal; see the comment above
# that section near the end of this file)
Configuration= quick-mode-cisco
Local-ID= my-ipv4-net
Remote-ID= pix-ipv4-net

[pix-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.198.0.0
Netmask= 255.255.0.0

### Cisco VPN3000 #################

[vpn3000-p1]
Phase= 1
Address= 192.70.106.199
Configuration= main-mode
ID= my-fqdn
#Remote-ID= vpn3000-fqdn
# When responding, the VPN 3000 sends an ID of type FQDN (if we sent FQDN),
# but when initiating, it sends DER_ASN1_DN, which we do not support

[vpn3000-fqdn]
ID-type= FQDN
Name= vpn3000.ipsec2001.hsc.fr

[vpn3000-p2]
Phase= 2
ISAKMP-peer= vpn3000-p1
# Use this config to see proposal# bug:
#Configuration= quick-mode
# Use this configuration to avoid bug:
Configuration= quick-mode-cisco
Local-ID= my-ipv4-net
Remote-ID= vpn3000-ipv4-net

[vpn3000-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.199.0.0
Netmask= 255.255.0.0

### Netcelo ###########

[netcelo-p1]
Phase= 1
Address= 192.70.106.201
Configuration= main-mode
ID= my-fqdn
Remote-ID= netcelo-fqdn

[netcelo-fqdn]
ID-type= FQDN
Name= netcelo.ipsec2001.hsc.fr

[netcelo-p2]
Phase= 2
ISAKMP-peer= netcelo-p1
Configuration= quick-mode
# Alternative kept for a peer build without AES support.
#Configuration= quick-mode-noaes
Local-ID= my-ipv4-net
Remote-ID= netcelo-ipv4-net

[netcelo-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.201.0.0
Netmask= 255.255.0.0

### Cisco IOS #############

[ios-p1]
Phase= 1
Address= 192.70.106.202
Configuration= main-mode
ID= my-fqdn
Remote-ID= ios-fqdn

# Defined but not referenced by any Remote-ID in this file.
[ios-ipv4-addr]
ID-type= IPV4_ADDR
Address= 192.70.106.202

[ios-fqdn]
ID-type= FQDN
Name= ios.ipsec2001.hsc.fr

[ios-p2]
Phase= 2
ISAKMP-peer= ios-p1
# Use this config to see proposal# bug:
#Configuration= quick-mode
# Use this configuration to avoid bug:
Configuration= quick-mode-cisco
Local-ID= my-ipv4-net
Remote-ID= ios-ipv4-net

[ios-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.202.0.0
Netmask= 255.255.0.0

### FreeS/WAN #############

[freeswan-p1]
Phase= 1
Address= 192.70.106.205
Configuration= main-mode
ID= my-fqdn
Remote-ID= freeswan-fqdn

[freeswan-fqdn]
ID-type= FQDN
Name= freeswan.ipsec2001.hsc.fr

[freeswan-p2]
Phase= 2
ISAKMP-peer= freeswan-p1
Configuration= quick-mode
Local-ID= my-ipv4-net
Remote-ID= freeswan-ipv4-net

[freeswan-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.205.0.0
Netmask= 255.255.0.0

### Netasq ##########

[netasq-p1]
Phase= 1
Address= 192.70.106.207
Configuration= main-mode
ID= my-fqdn
#Remote-ID= netasq-fqdn
# Netasq uses DER_ASN1_DN

[netasq-fqdn]
ID-type= FQDN
Name= netasq.ipsec2001.hsc.fr

[netasq-p2]
Phase= 2
ISAKMP-peer= netasq-p1
Configuration= quick-mode
Local-ID= my-ipv4-net
Remote-ID= netasq-ipv4-net

[netasq-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.207.0.0
Netmask= 255.255.0.0

### NetScreen #############

[netscreen-p1]
Phase= 1
Address= 192.70.106.209
Configuration= main-mode
ID= my-fqdn
Remote-ID= netscreen-fqdn
#Remote-ID= netscreen-ipv4-addr
# Pre-shared key for this peer only, stored in clear text. The value is
# the well-known sample key from the isakmpd.conf(5) examples, so treat
# it as a placeholder for a lab, not a real secret. This is the only
# peer with an Authentication= tag, so it is the only one that can
# complete the pre-shared-key proposal (3DES-SHA) offered by [main-mode];
# the others are expected to settle on 3DES-SHA-RSA_SIG -- confirm.
Authentication= mekmitasdigoat

[netscreen-fqdn]
ID-type= FQDN
Name= netscreen.ipsec2001.hsc.fr

# Only referenced by the commented-out Remote-ID above.
[netscreen-ipv4-addr]
ID-type= IPV4_ADDR
Address= 192.70.106.209

[netscreen-p2]
Phase= 2
ISAKMP-peer= netscreen-p1
Configuration= quick-mode
Local-ID= my-ipv4-net
Remote-ID= netscreen-ipv4-net

[netscreen-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.209.0.0
Netmask= 255.255.0.0

### Nortel ##########

[nortel-p1]
Phase= 1
Address= 192.70.106.213
Configuration= main-mode
ID= my-fqdn
Remote-ID= nortel-fqdn

[nortel-fqdn]
ID-type= FQDN
Name= nortel.ipsec2001.hsc.fr

[nortel-p2]
Phase= 2
ISAKMP-peer= nortel-p1
Configuration= quick-mode
Local-ID= my-ipv4-net
Remote-ID= nortel-ipv4-net

[nortel-ipv4-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.213.0.0
Netmask= 255.255.0.0

### Crypto suites #################
# All Phase 1 transforms here are 3DES with SHA-1; the Phase 2 suites add
# AES where the peer supports it. These reflect the 2001 interop target
# and are legacy by current standards (prefer AES and SHA-2 based
# transforms for anything beyond this lab).

# SA lifetimes: "offered,minimum:maximum" in seconds. The ISAKMP SA is
# offered at one hour, the IPsec SA at thirty minutes.
[LIFE_MAIN_MODE]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,120:86400

[LIFE_QUICK_MODE]
LIFE_TYPE= SECONDS
LIFE_DURATION= 1800,60:28800

# Defined but no peer above selects it; every peer uses main-mode.
# Aggressive mode exposes the identity hash before encryption is
# established, which is why main mode is the better default.
[aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA-RSA_SIG

# Identity-protection (main mode) Phase 1: RSA signature authentication
# offered first, pre-shared key (3DES-SHA) as the fallback proposal.
[main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG, 3DES-SHA

# Default Phase 2: two proposals, AES preferred, 3DES second.
[quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-SUITE, QM-ESP-3DES-SHA-SUITE

[quick-mode-noaes]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

# For Cisco devices, send only one proposal, eventually containing
# several transforms, otherwise Cisco replies with a wrong proposal
# number when not selecting the first proposal.
# Another workaround for this bug could be to make sure that the
# first proposal is the one Cisco will select, but that would be
# less fun ;-)
[quick-mode-cisco]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES+3DES-SHA-SUITE

# Custom suite/protocol pair used only by quick-mode-cisco: one ESP
# protocol carrying both the AES and the 3DES transform, so the peer
# picks a transform inside a single proposal instead of between proposals.
[QM-ESP-AES+3DES-SHA-SUITE]
Protocols= QM-ESP-AES+3DES-SHA

[QM-ESP-AES+3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-AES-SHA-XF, QM-ESP-3DES-SHA-XF