Diffstat (limited to 'ipsec-tools/src/racoon/samples/racoon.conf.sample-natt')
-rw-r--r-- | ipsec-tools/src/racoon/samples/racoon.conf.sample-natt | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt b/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
new file mode 100644
index 00000000..645b4de7
--- /dev/null
+++ b/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
@@ -0,0 +1,97 @@
+# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
+# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
+
+# This file can be used as a template for NAT-Traversal setups.
+# Only NAT-T related options are explained here, refer to other
+# sample files and manual pages for details about the rest.
+
+path include "/etc/racoon";
+path certificate "/etc/racoon/cert";
+
+# Define addresses and ports where racoon will listen for an incoming
+# traffic. Don't forget to open these ports on your firewall!
+listen
+{
+ # First define an address where racoon will listen
+ # for "normal" IKE traffic. IANA allocated port 500.
+ isakmp 172.16.0.1[500];
+
+ # To use NAT-T you must also open port 4500 of
+ # the same address so that peers can do 'Port floating'.
+ # The same port will also be used for the UDP-Encapsulated
+ # ESP traffic.
+ isakmp_natt 172.16.0.1[4500];
+}
+
+
+timer
+{
+ # To keep the NAT-mappings on your NAT gateway, there must be
+ # traffic between the peers. Normally the UDP-Encap traffic
+ # (i.e. the real data transported over the tunnel) would be
+ # enough, but to be safe racoon will send a short
+ # "Keep-alive packet" every few seconds to every peer with
+ # whom it does NAT-Traversal.
+ # The default is 20s. Set it to 0s to disable sending completely.
+ natt_keepalive 10 sec;
+}
+
+# To trigger the SA negotiation there must be an appropriate
+# policy in the kernel SPD. For example for traffic between
+# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
+# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
+# a NAT which translates its address to 172.16.1.3, you need the
+# following rules:
+# On 172.16.0.1 (e.g. behind the NAT):
+# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
+# esp/tunnel/172.16.0.1-172.16.1.1/require;
+# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
+# esp/tunnel/172.16.1.1-172.16.0.1/require;
+# On the other side (172.16.1.1) either use a "generate_policy on"
+# statement in the remote block, or in case that you know
+# the translated address, use the following policy:
+# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
+# esp/tunnel/172.16.1.1-172.16.1.3/require;
+# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
+# esp/tunnel/172.16.1.3-172.16.1.1/require;
+
+# Phase 1 configuration (for ISAKMP SA)
+remote anonymous
+{
+ # NAT-T is supported with all exchange_modes.
+ exchange_mode main,base,aggressive;
+
+ # With NAT-T you shouldn't use PSK. Let's go on with certs.
+ my_identifier asn1dn;
+ certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
+
+ # This is the main switch that enables NAT-T.
+ # Possible values are:
+ # off - NAT-T support is disabled, i.e. neither offered,
+ # nor accepted. This is the default.
+ # on - normal NAT-T support, i.e. if NAT is detected
+ # along the way, NAT-T is used.
+ # force - if NAT-T is supported by both peers, it is used
+ # regardless of whether there is a NAT gateway between them
+ # or not. This is useful for traversing some firewalls.
+ nat_traversal on;
+
+ proposal {
+ authentication_method rsasig;
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ dh_group 2;
+ }
+
+ proposal_check strict;
+}
+
+# Phase 2 proposal (for IPsec SA)
+sainfo anonymous
+{
+ pfs_group 2;
+ lifetime time 12 hour;
+ encryption_algorithm 3des, rijndael;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
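Review bot: The `proposal` block inside `remote anonymous` pins `encryption_algorithm 3des;`, `hash_algorithm sha1;` and `dh_group 2;` (1024-bit MODP), and `sainfo anonymous` lists `3des` first with `pfs_group 2;`; since sample files tend to be copied verbatim into production, a template whose only stated purpose is NAT-T should not also lock readers into the weakest algorithm set racoon accepts. Where the build supports them, `dh_group 14;` with `pfs_group 14;` and `encryption_algorithm aes;` are drop-in replacements, and the 3des entries can be listed last or dropped. A one-line comment above the proposal, `# Cipher/DH choices here are illustrative; pick the strongest set both peers support.`, would make clear that these values are not part of the NAT-T recipe. `exchange_mode main,base,aggressive;` is also broader than the text requires; if the sample only needs to state that NAT-T works in all modes, the comment already says so and `main` alone would do as the configured value.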