Revert "Revert "and added files""
1 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
2
3 # A "path" must be declared before the directive that uses it.
4 # A path can be redefined later, but doing so is confusing and best avoided.
5 path include "@sysconfdir_x@/racoon";
6 #include "remote.conf";
7
8 # This file is searched for the pre-shared key matching a peer's ID.  It holds the keys in clear text, so keep it readable only by the user racoon runs as.
9 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
10
11 # racoon looks for certificate files in this directory
12 # when a certificate or certificate-request payload is received.
13 path certificate "@sysconfdir_x@/cert";
14
15 # "log" specifies logging level.  It is followed by either "notify", "debug"
16 # or "debug2".
17 #log debug;
18
19 # "padding" sets the padding parameters.  You should normally leave these alone.
20 padding
21 {
22         maximum_length 20;      # maximum padding length.
23         randomize off;          # on = randomize the padding length; disabled here.
24         strict_check off;       # on = enable the strict check; disabled here.
25         exclusive_tail off;     # last-octet handling ("extract last one octet"); disabled here.
26 }
27
28 # If no listen directive is specified, racoon listens on all
29 # available interface addresses.  Name specific addresses below to limit where IKE is exposed.
30 listen
31 {
32         #isakmp ::1 [7000];
33         #isakmp 202.249.11.124 [500];
34         #admin [7002];          # administrative port used by kmpstat.
35         #strict_address;        # require that every listed address can be bound.
36 }
37
38 # Default values for the various timers.
39 timer
40 {
41         # These values can be changed per remote node.
42         counter 5;              # maximum number of send attempts.
43         interval 20 sec;        # maximum interval between resends.
44         persend 1;              # number of packets sent per send.
45
46         # time allowed for each phase to complete.
47         phase1 30 sec;
48         phase2 15 sec;
49 }
50
51 remote anonymous  # fallback phase 1 entry: used for any peer without a more specific "remote" block.
52 {
53         exchange_mode main,aggressive;  # first mode is used when initiating; aggressive is also accepted and does not protect identities - drop it if peers allow.
54         doi ipsec_doi;
55         situation identity_only;
56
57         my_identifier asn1dn;
58         certificate_type x509 "my.cert.pem" "my.key.pem";  # certificate file, then private key file; keep the key unreadable by other users.
59
60         nonce_size 16;
61         initial_contact on;
62         proposal_check obey;    # obey, strict or claim.  "obey" accepts the lifetime/PFS values the initiator offers; "strict" is the tighter choice.
63
64         proposal {
65                 encryption_algorithm 3des;  # legacy cipher; prefer aes where both ends support it.
66                 hash_algorithm sha1;
67                 authentication_method rsasig;
68                 dh_group 2;  # 1024-bit MODP group, small by current standards; use a larger group if both ends support one.
69         }
70 }
71
72 remote ::1 [8000]  # phase 1 settings for the peer at ::1, port 8000 (loopback sample).
73 {
74         #exchange_mode main,aggressive;
75         exchange_mode aggressive,main;  # aggressive is listed first; with pre_shared_key below, aggressive mode exposes a hash of the key to offline guessing - prefer main.
76         doi ipsec_doi;
77         situation identity_only;
78
79         my_identifier user_fqdn "sakane@kame.net";  # sample identity; replace with your own.
80         peers_identifier user_fqdn "sakane@kame.net";
81         #certificate_type x509 "mycert" "mypriv";
82
83         nonce_size 16;
84         lifetime time 1 min;    # unit: sec, min or hour
85
86         proposal {
87                 encryption_algorithm 3des;  # legacy cipher; prefer aes where both ends support it.
88                 hash_algorithm sha1;
89                 authentication_method pre_shared_key;  # key is looked up in the "path pre_shared_key" file.
90                 dh_group 2;  # 1024-bit MODP group, small by current standards.
91         }
92 }
93
94 sainfo anonymous  # fallback phase 2 entry: used when no more specific "sainfo" block matches.
95 {
96         pfs_group 2;  # PFS with the 1024-bit MODP group; use a larger group if both ends support one.
97         encryption_algorithm 3des;  # legacy cipher; prefer aes where both ends support it.
98         authentication_algorithm hmac_sha1;
99         compression_algorithm deflate;
100 }
101
102 sainfo address 203.178.141.209 any address 203.178.141.218 any  # phase 2 settings for traffic between these two sample hosts, any protocol.
103 {
104         pfs_group 2;
105         lifetime time 30 sec;
106         encryption_algorithm des;  # single DES (56-bit key) is obsolete; shown as a sample only - use 3des or aes in a real deployment.
107         authentication_algorithm hmac_md5;  # legacy; prefer hmac_sha1 or stronger.
108         compression_algorithm deflate;
109 }
110
111 sainfo address ::1 icmp6 address ::1 icmp6  # phase 2 settings for ICMPv6 between ::1 and ::1 (presumably a loopback test entry).
112 {
113         pfs_group 3;
114         lifetime time 60 sec;
115         encryption_algorithm 3des, blowfish, aes;  # several ciphers are acceptable here.
116         authentication_algorithm hmac_sha1, hmac_md5;  # hmac_md5 is legacy; drop it if peers allow.
117         compression_algorithm deflate;
118 }
119