1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "@sysconfdir_x@/cert";
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "my.cert.pem" "my.key.pem";
nonce_size 16;
initial_contact on;
proposal_check strict; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
remote ::1 [8000]
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier user_fqdn "sakane@kame.net";
peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
lifetime time 1 min; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
pfs_group 2;
lifetime time 30 sec;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
sainfo address ::1 icmp6 address ::1 icmp6
{
pfs_group 3;
lifetime time 60 sec;
encryption_algorithm 3des, blowfish, aes;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
|
