1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";
# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
listen
{
# First define an address where racoon will listen
# for "normal" IKE traffic. IANA allocated port 500.
isakmp 172.16.0.1[500];
# To use NAT-T you must also open port 4500 of
# the same address so that peers can do 'Port floating'.
# The same port will also be used for the UDP-Encapsulated
# ESP traffic.
isakmp_natt 172.16.0.1[4500];
}
timer
{
# To keep the NAT-mappings on your NAT gateway, there must be
# traffic between the peers. Normally the UDP-Encap traffic
# (i.e. the real data transported over the tunnel) would be
# enough, but to be safe racoon will send a short
# "Keep-alive packet" every few seconds to every peer with
# whom it does NAT-Traversal.
# The default is 20s. Set it to 0s to disable sending completely.
natt_keepalive 10 sec;
}
# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
# esp/tunnel/172.16.0.1-172.16.1.1/require;
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
# esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
# esp/tunnel/172.16.1.1-172.16.1.3/require;
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
# esp/tunnel/172.16.1.3-172.16.1.1/require;
# Phase 1 configuration (for ISAKMP SA)
remote anonymous
{
# NAT-T is supported with all exchange_modes.
exchange_mode main,base,aggressive;
# With NAT-T you shouldn't use PSK. Let's go on with certs.
my_identifier asn1dn;
certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
# This is the main switch that enables NAT-T.
# Possible values are:
# off - NAT-T support is disabled, i.e. neither offered,
# nor accepted. This is the default.
# on - normal NAT-T support, i.e. if NAT is detected
# along the way, NAT-T is used.
# force - if NAT-T is supported by both peers, it is used
# regardless of whether there is a NAT gateway between them
# or not. This is useful for traversing some firewalls.
nat_traversal on;
proposal {
authentication_method rsasig;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
}
proposal_check strict;
}
# Phase 2 proposal (for IPsec SA)
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour;
encryption_algorithm 3des, rijndael;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
|
