openwrt/package/strongswan/files/ipsec.conf

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes		# required on both ends
        uniqueids=yes			# makes sense on client, not server
        hidetos=no

conn %default
        authby=rsasig
        keyingtries=3
        keyexchange=ike
        left=%defaultroute
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        dpdtimeout=30			# keepalive must arrive within
        dpddelay=5			# secs before keepalives start
        compress=no			# breaks double nat installations
        pfs=yes

conn sample
        leftca=%same
        leftcert=my.certificate.crt
        leftsourceip=192.168.10.1
        leftsubnet=192.168.10.0/24
        right=my.vpn.concentrator.net.
        rightca=%same
        rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, [email protected]"
        rightsourceip=192.168.11.1
        rightsubnet=192.168.11.0/24
        dpdaction=hold
        auto=start