# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
# with "remote anonymous" below, these keys are the only thing that
# authenticates a peer, so keep the file readable only by the user racoon
# runs as (e.g. mode 0600) and out of world-readable backups.
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
# NOTE: the debug levels are verbose and record protocol details that do not
# belong in a long-lived log; enable them only while troubleshooting.
#log debug;

# "anonymous" matches any peer not covered by a more specific "remote"
# block, so everything in this section applies to unknown initiators.
remote anonymous
{
	# aggressive mode is deliberately not offered: with pre-shared keys it
	# reveals the peer identity and gives a passive observer material for
	# offline guessing of the key. leave it disabled unless a peer needs it.
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ;	# sec,min,hour

	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	# NOTE: 3des, sha1 and dh_group 2 (1024-bit MODP) reflect the age of
	# this sample; where your racoon build and the peer support them,
	# prefer aes, sha256 and dh_group 14 or larger.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# the configuration could make racoon (as a responder)
	# obey the initiator's lifetime and PFS group proposal,
	# by setting proposal_check to obey.
	# this would make testing "so much easier", but is really
	# *not* secure !!!
	proposal_check strict;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
# NOTE: every algorithm listed is offered and the peer may pick any of them,
# so the set is only as strong as its weakest entry. "des" (56-bit key) and
# "hmac_md5" are kept only for interoperability with old peers; remove them
# unless such a peer actually exists.
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}