      1 # $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
      2 
      3 # "path" affects "include" directives.  "path" must be specified before any
      4 # "include" directive with relative file path.
      5 # you can overwrite "path" directive afterwards, however, doing so may add
      6 # more confusion.
      7 #path include "/usr/local/v6/etc" ;
      8 #include "remote.conf" ;
      9 
      10 # the file should contain key ID/key pairs, for pre-shared key authentication.
         # NOTE(review): this file holds the shared secrets; keep it owned by and
         # readable only by the user racoon runs as (normally root) -- confirm what
         # permission check your racoon build applies when it loads the file.
      11 path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
     12 
     13 # racoon will look for certificate file in the directory,
     14 # if the certificate/certificate request payload is received.
     15 #path certificate "/usr/local/openssl/certs" ;
     16 
     17 # "log" specifies logging level.  It is followed by either "notify", "debug"
     18 # or "debug2".
     19 #log debug;
     20 
      21 remote anonymous
         # NOTE(review): "anonymous" matches a phase 1 from any peer address; where
         # the set of peers is known, prefer explicit "remote <address>" sections.
      22 {
      23 	#exchange_mode main,aggressive,base;
         	# aggressive mode is deliberately not enabled: with pre-shared keys it
         	# sends the identity hash before the exchange is encrypted.
      24 	exchange_mode main,base;
      25 
      26 	#my_identifier fqdn "server.kame.net";
      27 	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
      28 
      29 	lifetime time 24 hour ;	# sec,min,hour
      30 
      31 	#initial_contact off ;
      32 	#passive on ;
      33 
      34 	# phase 1 proposal (for ISAKMP SA)
         	# NOTE(review): 3des, sha1 and dh_group 2 (1024-bit MODP) are legacy
         	# choices kept for interoperability; prefer rijndael (AES), a SHA-2 hash
         	# and a larger DH group where both peers and this racoon build support them.
      35 	proposal {
      36 		encryption_algorithm 3des;
      37 		hash_algorithm sha1;
      38 		authentication_method pre_shared_key ;
      39 		dh_group 2 ;
      40 	}
      41 
      42 	# the configuration could make racoon (as a responder)
      43 	# obey the initiator's lifetime and PFS group proposal,
      44 	# by setting proposal_check to obey.
      45 	# this would make testing "so much easier", but is really
      46 	# *not* secure !!!
         	# "strict" keeps this responder's lifetime and PFS group as the floor.
      47 	proposal_check strict;
      48 }
     49 
     50 # phase 2 proposal (for IPsec SA).
     51 # actual phase 2 proposal will obey the following items:
      52 # - kernel IPsec policy configuration (like "esp/transport//use")
     53 # - permutation of the crypto/hash/compression algorithms presented below
      54 sainfo anonymous
      55 {
         	# pfs_group 2 is 1024-bit MODP; a larger group is preferable where supported.
      56 	pfs_group 2;
      57 	lifetime time 12 hour ;
         	# NOTE(review): every algorithm listed here is offered to the peer (see the
         	# "permutation" note above), so a weak entry can be the one negotiated.
         	# des (56-bit key) is broken and 3des/cast128/blowfish are legacy;
         	# rijndael (AES) is the entry to keep. hmac_md5 is likewise kept only
         	# for interoperability -- drop it when the peer supports hmac_sha1 or better.
      58 	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
      59 	authentication_algorithm hmac_sha1, hmac_md5 ;
      60 	compression_algorithm deflate ;
      61 }
     61 }
     62