1 files changed, 97 insertions, 0 deletions

diff --git a/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt b/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
new file mode 100644
index 00000000..645b4de7
--- /dev/null
+++ b/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
@@ -0,0 +1,97 @@
+# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
+# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
+
+# This file can be used as a template for NAT-Traversal setups.
+# Only NAT-T related options are explained here, refer to other 
+# sample files and manual pages for details about the rest.
+
+path include "/etc/racoon";
+path certificate "/etc/racoon/cert";
+
+# Define addresses and ports where racoon will listen for an incoming
+# traffic. Don't forget to open these ports on your firewall!
+listen
+{
+	# First define an address where racoon will listen 
+	# for "normal" IKE traffic. IANA allocated port 500.
+	isakmp 172.16.0.1[500];
+
+	# To use NAT-T you must also open port 4500 of 
+	# the same address so that peers can do 'Port floating'.
+	# The same port will also be used for the UDP-Encapsulated 
+	# ESP traffic.
+	isakmp_natt 172.16.0.1[4500];
+}
+
+
+timer
+{
+	# To keep the NAT-mappings on your NAT gateway, there must be
+	# traffic between the peers. Normally the UDP-Encap traffic
+	# (i.e. the real data transported over the tunnel) would be
+	# enough, but to be safe racoon will send a short
+	# "Keep-alive packet" every few seconds to every peer with
+	# whom it does NAT-Traversal.
+	# The default is 20s. Set it to 0s to disable sending completely.
+	natt_keepalive 10 sec;
+}
+
+# To trigger the SA negotiation there must be an appropriate 
+# policy in the kernel SPD. For example for traffic between 
+# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
+# 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
+# a NAT which translates its address to 172.16.1.3, you need the 
+# following rules:
+# On 172.16.0.1 (e.g. behind the NAT):
+#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
+#            esp/tunnel/172.16.0.1-172.16.1.1/require;
+#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
+#            esp/tunnel/172.16.1.1-172.16.0.1/require;
+# On the other side (172.16.1.1) either use a "generate_policy on"
+# statement in the remote block, or in case that you know 
+# the translated address, use the following policy:
+#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
+#            esp/tunnel/172.16.1.1-172.16.1.3/require;
+#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
+#            esp/tunnel/172.16.1.3-172.16.1.1/require;
+
+# Phase 1 configuration (for ISAKMP SA)
+remote anonymous
+{
+	# NAT-T is supported with all exchange_modes.
+	exchange_mode main,base,aggressive;
+
+	# With NAT-T you shouldn't use PSK. Let's go on with certs.
+	my_identifier asn1dn;
+	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
+
+	# This is the main switch that enables NAT-T.
+	# Possible values are:
+	#   off - NAT-T support is disabled, i.e. neither offered,
+	#         nor accepted. This is the default.
+	#    on - normal NAT-T support, i.e. if NAT is detected 
+	#         along the way, NAT-T is used.
+	# force - if NAT-T is supported by both peers, it is used
+	#         regardless of whether there is a NAT gateway between them
+	#         or not. This is useful for traversing some firewalls.
+	nat_traversal on;
+	
+	proposal {
+		authentication_method rsasig;
+		encryption_algorithm 3des;
+		hash_algorithm sha1;
+		dh_group 2;
+	}
+
+	proposal_check strict;
+}
+
+# Phase 2 proposal (for IPsec SA)
+sainfo anonymous
+{
+	pfs_group 2;
+	lifetime time 12 hour;
+	encryption_algorithm 3des, rijndael;
+	authentication_algorithm hmac_sha1;
+	compression_algorithm deflate;
+}