Diffstat (limited to 'ipsec-tools/src/racoon/samples/racoon.conf.in')
-rw-r--r-- | ipsec-tools/src/racoon/samples/racoon.conf.in | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/samples/racoon.conf.in b/ipsec-tools/src/racoon/samples/racoon.conf.in
new file mode 100644
index 00000000..29b79516
--- /dev/null
+++ b/ipsec-tools/src/racoon/samples/racoon.conf.in
@@ -0,0 +1,121 @@
+# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
+
+# "path" affects "include" directives. "path" must be specified before any
+# "include" directive with relative file path.
+# you can overwrite "path" directive afterwards, however, doing so may add
+# more confusion.
+path include "@sysconfdir_x@/racoon";
+#include "remote.conf";
+
+# the file should contain key ID/key pairs, for pre-shared key authentication.
+path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
+
+# racoon will look for certificate file in the directory,
+# if the certificate/certificate request payload is received.
+path certificate "@sysconfdir_x@/cert";
+
+# "log" specifies logging level. It is followed by either "notify", "debug"
+# or "debug2".
+#log debug;
+
+# "padding" defines some padding parameters. You should not touch these.
+padding
+{
+ maximum_length 20; # maximum padding length.
+ randomize off; # enable randomize length.
+ strict_check off; # enable strict check.
+ exclusive_tail off; # extract last one octet.
+}
+
+# if no listen directive is specified, racoon will listen on all
+# available interface addresses.
+listen
+{
+ #isakmp ::1 [7000];
+ #isakmp 202.249.11.124 [500];
+ #admin [7002]; # administrative port for racoonctl.
+ #strict_address; # requires that all addresses must be bound.
+}
+
+# Specify various default timers.
+timer
+{
+ # These value can be changed per remote node.
+ counter 5; # maximum trying count to send.
+ interval 20 sec; # maximum interval to resend.
+ persend 1; # the number of packets per send.
+
+ # maximum time to wait for completing each phase.
+ phase1 30 sec;
+ phase2 15 sec;
+}
+
+remote anonymous
+{
+ exchange_mode main,aggressive;
+ doi ipsec_doi;
+ situation identity_only;
+
+ my_identifier asn1dn;
+ certificate_type x509 "my.cert.pem" "my.key.pem";
+
+ nonce_size 16;
+ initial_contact on;
+ proposal_check strict; # obey, strict, or claim
+
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method rsasig;
+ dh_group 2;
+ }
+}
+
+remote ::1 [8000]
+{
+ #exchange_mode main,aggressive;
+ exchange_mode aggressive,main;
+ doi ipsec_doi;
+ situation identity_only;
+
+ my_identifier user_fqdn "sakane@kame.net";
+ peers_identifier user_fqdn "sakane@kame.net";
+ #certificate_type x509 "mycert" "mypriv";
+
+ nonce_size 16;
+ lifetime time 1 min; # sec,min,hour
+
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method pre_shared_key;
+ dh_group 2;
+ }
+}
+
+sainfo anonymous
+{
+ pfs_group 2;
+ encryption_algorithm 3des;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+{
+ pfs_group 2;
+ lifetime time 30 sec;
+ encryption_algorithm des;
+ authentication_algorithm hmac_md5;
+ compression_algorithm deflate;
+}
+
+sainfo address ::1 icmp6 address ::1 icmp6
+{
+ pfs_group 3;
+ lifetime time 60 sec;
+ encryption_algorithm 3des, blowfish, aes;
+ authentication_algorithm hmac_sha1, hmac_md5;
+ compression_algorithm deflate;
+}
+
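Review bot: The `sainfo address 203.178.141.209 any address 203.178.141.218 any` block selects `encryption_algorithm des;` and `authentication_algorithm hmac_md5;` with no comment marking them as legacy choices, while every other block in the sample uses 3des/aes and hmac_sha1; since this file is installed as the shipped example, a copied block would carry those algorithms into real configs. I would add `# example only: des and hmac_md5 are weak legacy algorithms; prefer aes/hmac_sha1 as in the sainfo blocks above and below` directly above that block. The same applies to `remote ::1 [8000]`, where `exchange_mode aggressive,main;` is combined with `authentication_method pre_shared_key;`: aggressive mode does not protect the identity and hash exchange, so a comment such as `# aggressive mode with a pre-shared key exposes the identity exchange; prefer main mode for PSK peers` would help readers understand why the main-first ordering is commented out just above it. The `padding` block's `randomize off` / `strict_check off` lines are commented as "enable ...", which reads as the opposite of the value set; `# randomize padding length (off here)` would be less misleading.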