# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig (a] suse.cz>, SUSE Labs

# This file can be used as a template for NAT-Traversal (NAT-T) setups.
# Only NAT-T related options are explained here; refer to the other
# sample files and racoon.conf(5) for details about the rest.
# The algorithm choices below are the ones this sample shipped with
# (2005); they are kept unchanged here and commented on where a
# deployment today would want a stronger setting.

# Where racoon looks for included configuration fragments and for the
# certificate/key files named in certificate_type below.  Keep the key
# file readable only by the user racoon runs as.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";

# Define addresses and ports where racoon will listen for incoming
# traffic.  Both UDP ports must be allowed through the firewall in
# front of this host, or NAT-T negotiation cannot complete.
listen
{
	# First define an address where racoon will listen
	# for "normal" IKE traffic.  IANA allocated UDP port 500.
	isakmp 172.16.0.1[500];

	# To use NAT-T you must also open UDP port 4500 on
	# the same address so that peers can do 'Port floating'
	# (the IKE exchange moves from 500 to 4500 once a NAT is
	# detected).  The same port is also used for the
	# UDP-Encapsulated ESP traffic.
	isakmp_natt 172.16.0.1[4500];
}


timer
{
	# To keep the NAT mappings on your NAT gateway alive, there must be
	# traffic between the peers.  Normally the UDP-Encap traffic
	# (i.e. the real data transported over the tunnel) would be
	# enough, but to be safe racoon sends a short
	# "keep-alive packet" every few seconds to every peer with
	# whom it does NAT-Traversal.
	# The default is 20s.  Set it to 0s to disable sending completely.
	# Choose a value shorter than the NAT gateway's UDP mapping
	# timeout, otherwise the tunnel silently stops passing traffic
	# until the next negotiation.
	natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD.  For example, for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
# On 172.16.0.1 (i.e. behind the NAT):
#   spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#          esp/tunnel/172.16.0.1-172.16.1.1/require;
#   spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#          esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or, in case you know
# the translated address, use the following policy:
#   spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#          esp/tunnel/172.16.1.1-172.16.1.3/require;
#   spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#          esp/tunnel/172.16.1.3-172.16.1.1/require;
# NOTE(review): with generate_policy the responder installs SPD entries
# derived from what the authenticated peer proposes rather than from a
# static policy, so it belongs only in a remote block whose peers are
# fully trusted.  Explicit spdadd rules are the tighter option.

# Phase 1 configuration (for ISAKMP SA)
# "anonymous" matches any peer address, so on this side the only thing
# standing between an arbitrary host and an IKE SA is the certificate
# check below; the CA trust store in "path certificate" therefore
# defines who may connect.
remote anonymous
{
	# NAT-T is supported with all exchange_modes.
	# Main mode exchanges identities only after the channel is
	# encrypted; aggressive mode sends them in the clear.  Listing
	# main first keeps it the preferred mode when the peer offers it.
	exchange_mode main,base,aggressive;

	# With NAT-T you shouldn't use PSK: in main mode the PSK is looked
	# up by the peer's source address, and that address is exactly what
	# the NAT rewrites.  Let's go on with certs.
	my_identifier asn1dn;
	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

	# This is the main switch that enables NAT-T.
	# Possible values are:
	# off    - NAT-T support is disabled, i.e. neither offered
	#          nor accepted.  This is the default.
	# on     - normal NAT-T support, i.e. if NAT is detected
	#          along the way, NAT-T is used.
	# force  - if NAT-T is supported by both peers, it is used
	#          regardless of whether there is a NAT gateway between
	#          them or not.  This is useful for traversing some
	#          firewalls.
	nat_traversal on;

	# Phase 1 proposal as shipped with this sample.  3DES, SHA-1 and
	# the 1024-bit MODP group (dh_group 2) are legacy choices by
	# current standards; racoon also accepts aes, sha256 and dh_group 14
	# (2048-bit MODP) when the peer supports them, and those are the
	# settings to prefer for a new deployment.
	proposal {
		authentication_method rsasig;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 2;
	}

	# strict: as responder, reject peer proposals whose lifetime is
	# longer, or whose PFS group differs from what is configured here,
	# rather than silently adopting the peer's weaker values
	# (see racoon.conf(5) for the exact rules).
	proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
sainfo anonymous
{
	# Perfect forward secrecy for the IPsec SA; group 2 matches the
	# phase 1 choice above, and the same legacy caveat applies.
	pfs_group 2;
	lifetime time 12 hour;
	# rijndael is AES.  The list order is presumably the preference
	# order, so 3des is offered ahead of AES here; swap them (or drop
	# 3des) where the peer supports AES.
	encryption_algorithm 3des, rijndael;
	authentication_algorithm hmac_sha1;
	# IPComp is negotiated only if the peer also offers it.
	compression_algorithm deflate;
}