moep
newbie
Topic Author
Posts: 49
Joined: Mon Jul 02, 2012 2:12 pm

is it possible to create a custom IPSec default peer template?

Wed Jan 27, 2016 8:30 pm

Hello,

is it possible to create a peer template that is used every time I connect via the L2TP transport tunnel?
Via the "auto IPSec" function the peer generated is quite useless:
The upper peer is what I want to have, the lower one is generated everytime the l2tp tunnel is brought up.
I cannot enter them statically as the IP Address will be changing on one side outside the lab.

0 address=10.0.0.11/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="1234" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha512
enc-algorithm="" dh-group=modp4096 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5

1 D address=10.0.0.11/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="1234" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5

The autogenerated one has too many weak parameters that I do not want to use.
Is there any possibility to change the default peer parameters?

Best Regards!
 
wimpy
just joined
Posts: 16
Joined: Thu Jan 07, 2016 7:23 am

Re: is it possible to create a custom IPSec default peer template?

Thu Mar 03, 2016 9:37 am

Hello,
I believe the answer to your question is to create a peer with address 0.0.0.0/0 (or ::/0). As far as I know (and my own setup shows) it catches every client address (consequently no dynamic peer is generated) and thus you have all the settings (cipher, hash strength, etc.) in your hands.

Moreover, it does not block creating IPsec tunnels to fixed locations (those with fully qualified address) because peers with more specific addresses are considered first (and their settings are applied) and 0.0.0.0/0 serves as "catch the rest".
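The configuration the reply above describes, written out as an added example (this is not code from either poster). It uses the RouterOS 6.x peer syntax visible in the question's "peer print" output; RouterOS 6.43 and later moved the phase-1 settings into /ip ipsec profile and the secret into /ip ipsec identity, so the commands would need adjusting there. The secrets, the branch-office address, and the assumption that use-ipsec=yes on the L2TP server is what triggered the dynamic peer in the question are placeholders and assumptions, not facts from the thread.

```routeros
# Added example, not from the thread: a static catch-all IPsec peer on the
# L2TP server side, so RouterOS has nothing left to auto-generate.
# Secrets and the branch-office address are placeholders (assumptions).

# Phase 1: the catch-all peer carries the parameters you actually want.
# passive=yes because a 0.0.0.0/0 peer can only answer, never initiate;
# generate-policy=port-strict so the udp/1701 transport policy is created
# per client at connect time (generate-policy=no, as in the question's
# static peer, would leave roaming clients without a policy).
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key secret="CHANGE-ME" \
    passive=yes exchange-mode=main-l2tp generate-policy=port-strict \
    policy-template-group=default send-initial-contact=yes nat-traversal=yes \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=1d dpd-interval=2m dpd-maximum-failures=5 \
    comment="catch-all for roaming L2TP clients"

# A peer with a more specific address is matched before the catch-all, as
# the reply notes, so a fixed site keeps its own (here stronger) settings.
add address=203.0.113.10/32 auth-method=pre-shared-key secret="SITE-SECRET" \
    exchange-mode=main generate-policy=no hash-algorithm=sha512 \
    enc-algorithm=aes-256 dh-group=modp4096 lifetime=1d \
    comment="branch office, fixed address (placeholder address)"

# Phase 2: the dynamically generated L2TP policy uses the default proposal,
# so harden that as well or weak ESP algorithms come back at that layer.
# pfs-group=none because stock L2TP/IPsec clients generally do not offer PFS.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=none

# Assumption: the L2TP server keeps use-ipsec=yes with the same secret; with
# the catch-all peer in place no dynamic (D-flagged) peer should be created.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret="CHANGE-ME"

# Belt and braces: drop L2TP that did not arrive inside an IPsec SA, so a
# client cannot fall back to plaintext L2TP if IPsec negotiation fails.
/ip firewall filter
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,none action=drop \
    comment="L2TP only inside IPsec"

# Checks after a client connects: no D-flagged peer should appear, and the
# installed SAs should show the algorithms chosen above rather than sha1/3des.
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Pick the phase-1 and phase-2 algorithms from what your clients actually offer: the strongest set (modp4096, sha512) may exceed what a stock Windows or mobile L2TP/IPsec client proposes, in which case negotiation fails rather than downgrading. The installed-sa output is the place to confirm what was really agreed.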
