ipsec.conf

Host "foo"

    ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.10.2
    ike esp from 192.168.10.1 to 10.2.2.0/24 peer 192.168.10.2
    ike esp from 192.168.10.1 to 192.168.10.2

Host "bar"

    ike passive esp from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.10.1
    ike passive esp from 192.168.10.2 to 10.1.1.0/24 peer 192.168.10.1
    ike passive esp from 192.168.10.2 to 192.168.10.1

- If no mode is chosen, the mode is "active"
- "dynamic" mode enables Dead-Peer-Detection (DPD)
- Pitfall: with "dynamic" isakmpd(8) uses fqdn instead of IPs
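
One way to keep the identities explicit when "dynamic" is used, as an added example that is not from the original slides. The host names foo.example.org and bar.example.org are placeholders, and the key paths assume isakmpd(8) public-key authentication with its default directories.

```conf
# Host "foo" (initiator): dynamic mode, so DPD is on and the identity is an FQDN.
# srcid names the identity this host presents, dstid the one expected from the peer.
# foo.example.org / bar.example.org are placeholder names.
ike dynamic esp from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.10.2 \
	srcid foo.example.org dstid bar.example.org

# Host "bar" (responder): the same two identities, reversed.
ike passive esp from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.10.1 \
	srcid bar.example.org dstid foo.example.org

# With FQDN identities the peer's public key is looked up by name, not by address:
#   on foo: /etc/isakmpd/pubkeys/fqdn/bar.example.org
#   on bar: /etc/isakmpd/pubkeys/fqdn/foo.example.org
# A key left only under /etc/isakmpd/pubkeys/ipv4/ is not found for an FQDN identity.
```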