summaryrefslogtreecommitdiffstats
path: root/ipsec-tools/src/racoon/samples/racoon.conf.sample
diff options
context:
space:
mode:
Diffstat (limited to 'ipsec-tools/src/racoon/samples/racoon.conf.sample')
-rw-r--r--ipsec-tools/src/racoon/samples/racoon.conf.sample61
1 files changed, 61 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/samples/racoon.conf.sample b/ipsec-tools/src/racoon/samples/racoon.conf.sample
new file mode 100644
index 00000000..631910f2
--- /dev/null
+++ b/ipsec-tools/src/racoon/samples/racoon.conf.sample
@@ -0,0 +1,61 @@
+# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
+
+# "path" affects "include" directives. "path" must be specified before any
+# "include" directive with relative file path.
+# you can overwrite "path" directive afterwards, however, doing so may add
+# more confusion.
+#path include "/usr/local/v6/etc" ;
+#include "remote.conf" ;
+
+# the file should contain key ID/key pairs, for pre-shared key authentication.
+path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
+
+# racoon will look for certificate file in the directory,
+# if the certificate/certificate request payload is received.
+#path certificate "/usr/local/openssl/certs" ;
+
+# "log" specifies logging level. It is followed by either "notify", "debug"
+# or "debug2".
+#log debug;
+
+remote anonymous
+{
+ #exchange_mode main,aggressive,base;
+ exchange_mode main,base;
+
+ #my_identifier fqdn "server.kame.net";
+ #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
+
+ lifetime time 24 hour ; # sec,min,hour
+
+ #initial_contact off ;
+ #passive on ;
+
+ # phase 1 proposal (for ISAKMP SA)
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method pre_shared_key ;
+ dh_group 2 ;
+ }
+
+ # the configuration could makes racoon (as a responder)
+ # to obey the initiator's lifetime and PFS group proposal,
+ # by setting proposal_check to obey.
+ # this would makes testing "so much easier", but is really
+ # *not* secure !!!
+ proposal_check strict;
+}
+
+# phase 2 proposal (for IPsec SA).
+# actual phase 2 proposal will obey the following items:
+# - kernel IPsec policy configuration (like "esp/transport//use)
+# - permutation of the crypto/hash/compression algorithms presented below
+sainfo anonymous
+{
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-03 22:22:17 +0000