# Global settings of this S-Terra local security policy (LSP).
# Title records that the file was generated by the client AdminTool.
# Version is LSP_4_2 (presumably the policy format version - confirm).
# NOTE(review): CRLHandlingMode = BEST_EFFORT presumably lets a peer
# certificate be accepted when no current CRL can be obtained - confirm
# against the product documentation. If revocation must be enforced for
# the gateway certificate, a stricter mode is needed.
GlobalParameters (
Title = "This LSP was automatically generated by S-Terra Client AdminTool (st) at 2017.07.05 17:18:36"
Version = LSP_4_2
CRLHandlingMode = BEST_EFFORT
)
# Timeouts for LDAP lookups. No LDAP server is named in this block.
# NOTE(review): units are not stated here (presumably seconds), and LDAP
# is presumably used to fetch certificates/CRLs - confirm. With
# CRLHandlingMode = BEST_EFFORT above, a lookup that times out may mean
# revocation is simply not checked.
LDAPSettings (
ResponseTimeout = 200
HoldConnectTimeout = 60
DropConnectTimeout = 5
)
# Local IKE identity: a distinguished name matched against the certificate
# Subject below. Referenced as LocalID by auth_method_01.
# NOTE(review): COMPLETE presumably requires the whole DN to match rather
# than a subset of its attributes - confirm.
IdentityEntry auth_identity_01(
DistinguishedName *= CertDescription(
Subject *= COMPLETE,"C=RU,O=S-Terra CSP,OU=Research,CN=Client2"
)
)
# Selects the client's own certificate by Subject, Issuer, serial number
# and MD5 fingerprint. Referenced as LocalCredential by auth_method_01.
# NOTE(review): MD5 is not collision-resistant. Here the fingerprint is one
# selector among several for the local certificate, so treat it as a lookup
# aid and not as evidence of the certificate's authenticity.
CertDescription local_cert_dsc_01(
Subject *= COMPLETE,"C=RU,O=S-Terra CSP,OU=Research,CN=Client2"
Issuer *= COMPLETE,"C=RU,L=Moscow,O=S-Terra CSP,OU=Research,CN=Research Root CA"
SerialNumber = "5600000307307DACF5395AB2FE000000000307"
FingerprintMD5 = "9ABACCC8489E67215A6AC39257B8704E"
)
# Description of the certificate expected from the remote peer; referenced
# as RemoteCredential by auth_method_01.
# NOTE(review): the body is empty, so this file places no Subject or Issuer
# constraint on the peer certificate. Presumably any certificate that
# validates against the trusted CA store is then accepted for the gateway -
# confirm. Constraining Subject and/or Issuer to the gateway's certificate,
# as local_cert_dsc_01 does for the local one, would narrow which
# certificates a peer can authenticate with.
CertDescription partner_cert_dsc_01(
)
# Certificate (GOST signature) authentication method for IKE. Ties together
# the local identity, the local certificate and the expected remote
# certificate description. Used by ike_rule_with_ikecfg_01.
# NOTE(review): RemoteCredential points at partner_cert_dsc_01, which is
# empty in this file, so peer authentication rests on CA validation alone.
# SendRequestMode / SendCertMode = AUTO presumably leave it to the product
# to decide when certificate requests and certificates are sent - confirm.
AuthMethodGOSTSign auth_method_01(
LocalID = auth_identity_01
LocalCredential = local_cert_dsc_01
RemoteCredential = partner_cert_dsc_01
SendRequestMode = AUTO
SendCertMode = AUTO
)
# Global IKE engine settings: default port 500, retransmission behaviour
# and limits on concurrent initiator/responder sessions.
# NOTE(review): units of the *Time* values are not stated (presumably
# seconds). The Blacklog* keys presumably tune how unanswered or failed
# exchanges are throttled - confirm against the product documentation
# before changing them, since session limits bound the resources a flood
# of IKE requests can consume.
IKEParameters (
DefaultPort = 500
SendRetries = 5
RetryTimeBase = 1
RetryTimeMax = 30
SessionTimeMax = 60
InitiatorSessionsMax = 30
ResponderSessionsMax = 20
BlacklogSessionsMax = 16
BlacklogSessionsMin = 0
BlacklogSilentSessions = 4
BlacklogRelaxTime = 120
IKECFGPreferDefaultAddress = FALSE
)
# IKE (phase 1) transforms offered by ike_rule_with_ikecfg_01, which lists
# them as ike_trf_01..ike_trf_04 (presumably in order of preference).
# Each has a lifetime of 28800 seconds (8 hours).
# ike_trf_01 and ike_trf_02 pair a 256-bit-key cipher with the
# GR341112_256TC26 hash and group VKO2_1B.
IKETransform ike_trf_01(
LifetimeSeconds = 28800
CipherAlg *= "G2814789CPRO1-K256-CBC-65534"
HashAlg *= "GR341112_256TC26-65128"
GroupID *= VKO2_1B
)
IKETransform ike_trf_02(
LifetimeSeconds = 28800
CipherAlg *= "GR341215K-K256-CFB-65528"
HashAlg *= "GR341112_256TC26-65128"
GroupID *= VKO2_1B
)
# NOTE(review): ike_trf_03 and ike_trf_04 use HashAlg GR341194CPRO1, whose
# name suggests the older GOST R 34.11-94 hash - confirm. They look like
# backward-compatibility offers. If the gateway supports ike_trf_01/02,
# removing the older transforms from the IKERule Transform list prevents
# negotiation from settling on them.
IKETransform ike_trf_03(
LifetimeSeconds = 28800
CipherAlg *= "G2814789CPRO1-K256-CBC-65534"
HashAlg *= "GR341194CPRO1-65534"
GroupID *= VKO_1B
)
# NOTE(review): MODP_1536 is a 1536-bit Diffie-Hellman group, which is
# generally treated as legacy strength. Keep this transform only if a peer
# requires it.
IKETransform ike_trf_04(
LifetimeSeconds = 28800
CipherAlg *= "G2814789CPRO1-K256-CBC-65534"
HashAlg *= "GR341194CPRO1-65534"
GroupID *= MODP_1536
)
# ESP (phase 2) transforms and the proposals that wrap them. Each proposal
# holds one transform. All use a lifetime of 3600 seconds or 4608000
# kilobytes. The proposals are offered by ipsec_action_01.
# esp_trf_01 sets only CipherAlg. The "CNTMAC" in the algorithm name
# suggests a combined encryption+MAC mode, which would explain the absent
# IntegrityAlg - NOTE(review): confirm against the algorithm list.
ESPTransform esp_trf_01(
CipherAlg *= "G2814789CPRO2-K288-CNTMAC-253"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
ESPProposal esp_proposal_01(
Transform *=esp_trf_01
)
# esp_trf_02..esp_trf_04 pair a cipher with an explicit IntegrityAlg.
ESPTransform esp_trf_02(
CipherAlg *= "GR341215K-K256-CFB-248"
IntegrityAlg *= "GR341215K-K256-MAC-65529"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
ESPProposal esp_proposal_02(
Transform *=esp_trf_02
)
ESPTransform esp_trf_03(
CipherAlg *= "G2814789CPRO1-K256-CBC-254"
IntegrityAlg *= "GR341194CPRO1-H96-HMAC-65534"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
ESPProposal esp_proposal_03(
Transform *=esp_trf_03
)
ESPTransform esp_trf_04(
CipherAlg *= "G2814789CPRO1-K256-CBC-254"
IntegrityAlg *= "G2814789CPRO1-K256-MAC-65535"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
ESPProposal esp_proposal_04(
Transform *=esp_trf_04
)
# ESP transform with a CBC cipher and no IntegrityAlg, wrapped in
# esp_proposal_05 (the last proposal listed by ipsec_action_01).
# NOTE(review): esp_trf_03 and esp_trf_04 pair this same CipherAlg with an
# IntegrityAlg, while this one has none. That looks like encryption-only
# ESP, in which tampering with ciphertext is not detected by ESP itself -
# confirm. If the gateway accepts any of esp_proposal_01..04, dropping
# esp_proposal_05 from ContainedProposals prevents negotiating it.
ESPTransform esp_trf_05(
CipherAlg *= "G2814789CPRO1-K256-CBC-254"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
ESPProposal esp_proposal_05(
Transform *=esp_trf_05
)
# IKE rule used by ipsec_action_01. Dead peer detection is enabled
# (DoNotUseDPD = FALSE) with the idle/response/retry values below.
# Main-mode authentication uses auth_method_01 (certificates).
# Transform lists all four IKE transforms, including the older
# ike_trf_03 and ike_trf_04 - presumably in order of preference.
# IKECFGRequestAddress = TRUE: the client presumably requests its tunnel
# address from the gateway via IKECFG - confirm.
IKERule ike_rule_with_ikecfg_01(
DoNotUseDPD = FALSE
DPDIdleDuration = 60
DPDResponseDuration = 5
DPDRetries = 3
MainModeAuthMethod *= auth_method_01
Transform *= ike_trf_01,ike_trf_02,ike_trf_03,ike_trf_04
IKECFGRequestAddress = TRUE
)
# IPsec action applied by filter_chain_ipsec to traffic for 192.168.1.0/24.
# Builds a tunnel to the gateway at 10.1.1.2, negotiated through
# ike_rule_with_ikecfg_01, offering esp_proposal_01..05.
# PersistentConnection = TRUE presumably keeps the tunnel up without
# waiting for matching traffic - confirm.
# NOTE(review): ContainedProposals ends with esp_proposal_05, whose
# transform has no IntegrityAlg. If the proposals are tried in listed
# order it is the last resort, but the gateway can still select it.
IPsecAction ipsec_action_01(
PersistentConnection = TRUE
TunnelingParameters *=
TunnelEntry(
PeerAddress = 10.1.1.2
Assemble = TRUE
ReRoute = FALSE
TCPEncapsulation = FALSE
)
ContainedProposals *= (esp_proposal_01),(esp_proposal_02),(esp_proposal_03),(esp_proposal_04),(esp_proposal_05)
IKERule = ike_rule_with_ikecfg_01
)
# Inbound packet filter, bound as InputFilter in NetworkInterface.
# Filters as listed (presumably evaluated in order, first match wins):
#   protocol 17 (UDP) to port 500   - IKE
#   protocol 17 (UDP) to port 4500  - IKE/ESP NAT traversal
#   protocol 50 (ESP) from 10.1.1.2 - the gateway
#   protocol 51 (AH) from 10.1.1.2
#   a final Filter with no selectors
# NOTE(review): every filter has Action = PASS and the last one matches
# all packets, so this chain blocks nothing inbound. The earlier entries
# differ from the catch-all only in LogEventID and PacketType. If the
# client is meant to accept only tunnel-related traffic, the catch-all
# would need a blocking action - confirm the intended exposure.
FilterChain filter_chain_input(
Filters *= Filter(
ProtocolID *= 17
DestinationPort *= 500
Action = PASS
LogEventID = "pass_action_02_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
ProtocolID *= 17
DestinationPort *= 4500
Action = PASS
LogEventID = "pass_action_02_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
SourceIP *= 10.1.1.2
ProtocolID *= 50
Action = PASS
LogEventID = "pass_action_03_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
SourceIP *= 10.1.1.2
ProtocolID *= 51
Action = PASS
LogEventID = "pass_action_03_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
Action = PASS
LogEventID = "pass_action_04"
)
)
# Outbound packet filter, bound as OutputFilter in NetworkInterface.
# Mirrors filter_chain_input with source ports and destination address:
#   protocol 17 (UDP) from port 500 / 4500 - IKE and NAT traversal
#   protocol 50 (ESP) / 51 (AH) to the gateway 10.1.1.2
#   a final Filter with no selectors
# NOTE(review): all filters use Action = PASS and the last matches every
# packet, so no outbound traffic is blocked by this chain. Whether a
# packet is protected is decided separately by filter_chain_ipsec.
FilterChain filter_chain_output(
Filters *= Filter(
ProtocolID *= 17
SourcePort *= 500
Action = PASS
LogEventID = "pass_action_05_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
ProtocolID *= 17
SourcePort *= 4500
Action = PASS
LogEventID = "pass_action_05_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
DestinationIP *= 10.1.1.2
ProtocolID *= 50
Action = PASS
LogEventID = "pass_action_06_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
DestinationIP *= 10.1.1.2
ProtocolID *= 51
Action = PASS
LogEventID = "pass_action_06_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
Action = PASS
LogEventID = "pass_action_07"
)
)
# Classification chains bound as InputClassification and
# OutputClassification in NetworkInterface. Each holds a single Filter
# with no selectors and Action = PASS, so no packet is treated differently
# here; only the LogEventID values differ.
FilterChain filter_chain_classification_input(
Filters *= Filter(
Action = PASS
LogEventID = "pass_action_08"
)
)
FilterChain filter_chain_classification_output(
Filters *= Filter(
Action = PASS
LogEventID = "pass_action_09"
)
)
# IPsec policy chain, bound as IPsecPolicy in NetworkInterface. It decides
# which traffic is protected. Filters as listed (presumably evaluated in
# order, first match wins):
#   UDP from port 500 / 4500, and ESP (50) / AH (51) to 10.1.1.2 pass with
#     no ipsec action, so tunnel control and carrier traffic is not itself
#     tunnelled
#   traffic to 192.168.1.0/24 passes with ExtendedAction ipsec, using
#     ipsec_action_01 (the tunnel to 10.1.1.2)
#   a final Filter with no selectors and Action = PASS
# NOTE(review): the catch-all means everything not destined for
# 192.168.1.0/24 leaves unprotected (split tunnelling). If the policy
# intent is that the client reaches networks only through the gateway,
# the last filter would need a blocking action - confirm the intent.
FilterChain filter_chain_ipsec(
Filters *= Filter(
ProtocolID *= 17
SourcePort *= 500
Action = PASS
LogEventID = "pass_action_10_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
ProtocolID *= 17
SourcePort *= 4500
Action = PASS
LogEventID = "pass_action_10_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
DestinationIP *= 10.1.1.2
ProtocolID *= 50
Action = PASS
LogEventID = "pass_action_11_01"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
DestinationIP *= 10.1.1.2
ProtocolID *= 51
Action = PASS
LogEventID = "pass_action_11_02"
PacketType = LOCAL_UNICAST,LOCAL_MISDIRECTED
),Filter(
DestinationIP *= 192.168.1.0/24
Action = PASS
ExtendedAction *= ipsec<sa=ipsec_action_01>
LogEventID = "ipsec_action_01"
),Filter(
Action = PASS
LogEventID = "pass_action_12"
)
)
# Binds the filter chains defined in this file to the network interface:
# packet filtering (input/output), classification (input/output) and the
# IPsec policy.
# NOTE(review): no interface name or selector is given, so this presumably
# applies to every interface - confirm. All bound chains end in a
# catch-all PASS, so the only effect of this policy is tunnelling traffic
# for 192.168.1.0/24. It provides no host firewalling.
NetworkInterface(
InputFilter = filter_chain_input
OutputFilter = filter_chain_output
InputClassification = filter_chain_classification_input
OutputClassification = filter_chain_classification_output
IPsecPolicy = filter_chain_ipsec
)