Sync usage with man page.
1 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
3 # "path" affects "include" directives.  "path" must be specified before any
4 # "include" directive with relative file path.
5 # You can override the "path" directive later; however, doing so may cause
6 # confusion.
7 path include "@sysconfdir_x@/racoon";
8 #include "remote.conf";
10 # the file should contain key ID/key pairs, for pre-shared key authentication.
11 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
13 # racoon will look for the certificate file in this directory
14 # when a certificate or certificate request payload is received.
15 path certificate "@sysconfdir_x@/cert";
17 # "log" specifies logging level.  It is followed by either "notify", "debug"
18 # or "debug2".
19 #log debug;
21 # "padding" defines some padding parameters.  You should not touch these.
22 padding
24         maximum_length 20;      # maximum padding length.
25         randomize off;          # randomize the padding length.
26         strict_check off;       # enable strict check.
27         exclusive_tail off;     # extract last one octet.
30 # if no listen directive is specified, racoon will listen on all
31 # available interface addresses.
32 listen
34         #isakmp ::1 [7000];
35         #isakmp 202.249.11.124 [500];
36         #admin [7002];          # administrative port for racoonctl.
37         #strict_address;        # require that all addresses be bound.
40 # Specify various default timers.
41 timer
43         # These values can be changed per remote node.
44         counter 5;              # maximum number of send attempts.
45         interval 20 sec;        # maximum interval between resends.
46         persend 1;              # the number of packets per send.
48         # maximum time to wait for completing each phase.
49         phase1 30 sec;
50         phase2 15 sec;
53 remote anonymous
55         exchange_mode main,aggressive;
56         doi ipsec_doi;
57         situation identity_only;
59         my_identifier asn1dn;
60         certificate_type x509 "my.cert.pem" "my.key.pem";
62         nonce_size 16;
63         initial_contact on;
64         proposal_check strict;  # obey, strict, or claim
66         proposal {
67                 encryption_algorithm 3des;
68                 hash_algorithm sha1;
69                 authentication_method rsasig;
70                 dh_group 2;
71         }
74 remote ::1 [8000]
76         #exchange_mode main,aggressive;
77         exchange_mode aggressive,main;
78         doi ipsec_doi;
79         situation identity_only;
81         my_identifier user_fqdn "sakane@kame.net";
82         peers_identifier user_fqdn "sakane@kame.net";
83         #certificate_type x509 "mycert" "mypriv";
85         nonce_size 16;
86         lifetime time 1 min;    # sec,min,hour
88         proposal {
89                 encryption_algorithm 3des;
90                 hash_algorithm sha1;
91                 authentication_method pre_shared_key;
92                 dh_group 2;
93         }
96 sainfo anonymous
98         pfs_group 2;
99         encryption_algorithm 3des;
100         authentication_algorithm hmac_sha1;
101         compression_algorithm deflate;
104 sainfo address 203.178.141.209 any address 203.178.141.218 any
106         pfs_group 2;
107         lifetime time 30 sec;
108         encryption_algorithm des;
109         authentication_algorithm hmac_md5;
110         compression_algorithm deflate;
113 sainfo address ::1 icmp6 address ::1 icmp6
115         pfs_group 3;
116         lifetime time 60 sec;
117         encryption_algorithm 3des, blowfish, aes;
118         authentication_algorithm hmac_sha1, hmac_md5;
119         compression_algorithm deflate;