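#
# racoon.conf (IKEv1 / ipsec-tools) for a single road-warrior client talking
# to one VPN gateway with X.509 client-certificate authentication.
#
# 192.168.1.27 -> vpn-client-ip (e.g. laptop)
# 192.168.21.0/24 -> target-subnet (e.g. internal company ips)
# 207.46.199.30 -> vpn-server-ip (e.g. checkpoint-firewall vpn-id)
# my_identifier user_fqdn "CN=fejf,OU=users,O=fw.microsoft.com.rytez3"
# -> user-id-string: get it from the subject-line of the client-certificate ATTENTION: use it backwards!
# e.g.: subject=/O=fw.microsoft.com.rytez3/OU=users/CN=fejf becomes the user_fqdn shown above
#
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
# Alternative: instead of x.509 certificate use a passkey stored in plain text here
# path pre_shared_key "/etc/racoon/certs/fw.netlogix.de-key.psk";
# If the PSK alternative is enabled: the file must be readable by root only,
# and aggressive mode should then be removed from exchange_mode below, since
# aggressive mode exposes the PSK-derived hash to offline guessing.
log notify;
remote 207.46.199.30 {
	# main is tried first; aggressive and base are only fallbacks the gateway may ask for.
	# Aggressive mode sends the identity payload unencrypted (the user_fqdn below).
	exchange_mode main,aggressive,base ;
	my_identifier user_fqdn "CN=fejf,OU=users,O=fw.microsoft.com.rytez3";
	lifetime time 24 hour ;
	nonce_size 16;
	support_mip6 on;
	# obey = accept the peer's lifetime/proposal values even when they differ from ours
	proposal_check obey;	# obey, strict or claim
	doi ipsec_doi;
	nat_traversal on;
	ca_type x509 "/etc/racoon/certs/fw.microsoft.com-cacert.pem";
	# second argument is the client private key: keep it mode 0600, owned by root
	certificate_type x509 "/etc/racoon/certs/fw.microsoft.com-cert.pem" "/etc/racoon/certs/fw.microsoft.com-key.pem";
	proposal {
		# Legacy phase-1 suite dictated by the gateway; 3des/sha1/modp1024 are
		# below current recommendations. Move to aes / sha256 / modp2048 as soon
		# as the gateway side supports it.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group modp1024;
	}
}
# Phase-2 (IPsec SA) parameters for traffic between the client and the target subnet.
# Note: the original had a doubled "{" here, which racoon rejects as a parse error.
sainfo address 192.168.1.27/32 any address 192.168.21.0/24 any {
	lifetime time 1 hour ;
	# same legacy-suite caveat as the phase-1 proposal above
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	pfs_group modp1024;
	compression_algorithm deflate ;
}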