| blob | 29b7951694272cbf4ad121a17b9edee901872612 |
1 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
3 # "path" affects "include" directives. "path" must be specified before any
4 # "include" directive with relative file path.
5 # you can overwrite "path" directive afterwards, however, doing so may add
6 # more confusion.
7 path include "@sysconfdir_x@/racoon";
8 #include "remote.conf";
10 # the file should contain key ID/key pairs, for pre-shared key authentication.
11 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
13 # racoon will look for certificate file in the directory,
14 # if the certificate/certificate request payload is received.
15 path certificate "@sysconfdir_x@/cert";
17 # "log" specifies logging level. It is followed by either "notify", "debug"
18 # or "debug2".
19 #log debug;
21 # "padding" defines some padding parameters. You should not touch these.
22 padding
23 {
24 maximum_length 20; # maximum padding length.
25 randomize off; # enable randomize length.
26 strict_check off; # enable strict check.
27 exclusive_tail off; # extract last one octet.
28 }
30 # if no listen directive is specified, racoon will listen on all
31 # available interface addresses.
32 listen
33 {
34 #isakmp ::1 [7000];
35 #isakmp 202.249.11.124 [500];
36 #admin [7002]; # administrative port for racoonctl.
37 #strict_address; # requires that all addresses must be bound.
38 }
40 # Specify various default timers.
41 timer
42 {
43 # These value can be changed per remote node.
44 counter 5; # maximum trying count to send.
45 interval 20 sec; # maximum interval to resend.
46 persend 1; # the number of packets per send.
48 # maximum time to wait for completing each phase.
49 phase1 30 sec;
50 phase2 15 sec;
51 }
53 remote anonymous
54 {
55 exchange_mode main,aggressive;
56 doi ipsec_doi;
57 situation identity_only;
59 my_identifier asn1dn;
60 certificate_type x509 "my.cert.pem" "my.key.pem";
62 nonce_size 16;
63 initial_contact on;
64 proposal_check strict; # obey, strict, or claim
66 proposal {
67 encryption_algorithm 3des;
68 hash_algorithm sha1;
69 authentication_method rsasig;
70 dh_group 2;
71 }
72 }
74 remote ::1 [8000]
75 {
76 #exchange_mode main,aggressive;
77 exchange_mode aggressive,main;
78 doi ipsec_doi;
79 situation identity_only;
81 my_identifier user_fqdn "sakane@kame.net";
82 peers_identifier user_fqdn "sakane@kame.net";
83 #certificate_type x509 "mycert" "mypriv";
85 nonce_size 16;
86 lifetime time 1 min; # sec,min,hour
88 proposal {
89 encryption_algorithm 3des;
90 hash_algorithm sha1;
91 authentication_method pre_shared_key;
92 dh_group 2;
93 }
94 }
96 sainfo anonymous
97 {
98 pfs_group 2;
99 encryption_algorithm 3des;
100 authentication_algorithm hmac_sha1;
101 compression_algorithm deflate;
102 }
104 sainfo address 203.178.141.209 any address 203.178.141.218 any
105 {
106 pfs_group 2;
107 lifetime time 30 sec;
108 encryption_algorithm des;
109 authentication_algorithm hmac_md5;
110 compression_algorithm deflate;
111 }
113 sainfo address ::1 icmp6 address ::1 icmp6
114 {
115 pfs_group 3;
116 lifetime time 60 sec;
117 encryption_algorithm 3des, blowfish, aes;
118 authentication_algorithm hmac_sha1, hmac_md5;
119 compression_algorithm deflate;
120 }