      1 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
      2 
      3 # "path" affects "include" directives.  "path" must be specified before any
      4 # "include" directive with relative file path.
      5 # you can overwrite "path" directive afterwards, however, doing so may add
      6 # more confusion.
        # "@sysconfdir_x@" is presumably substituted when this ".in" template is
        # configured (see the file name in the header).  Included files are read
        # as trusted configuration, so the directory should be writable only by
        # the administrator.
      7 path include "@sysconfdir_x@/racoon";
      8 #include "remote.conf";
      9 
     10 # the file should contain key ID/key pairs, for pre-shared key authentication.
        # The keys in this file are authentication secrets: keep it readable only
        # by the user racoon runs as.
     11 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
     12 
     13 # racoon will look for certificate file in the directory,
     14 # if the certificate/certificate request payload is received.
        # The certificate and private-key file names given to certificate_type in
        # the "remote" blocks below are presumably resolved relative to this
        # directory; protect the private-key files like psk.txt.
     15 path certificate "@sysconfdir_x@/cert";
     16 
     17 # "log" specifies logging level.  It is followed by either "notify", "debug"
     18 # or "debug2".
        # The debug levels produce verbose negotiation traces; enable them only
        # while troubleshooting, since the output may expose peer and identity
        # detail.
     19 #log debug;
     20 
     21 # "padding" defines some padding parameters.  You should not touch these.
        # Parameters for padding ISAKMP messages.  The values below are the
        # sample defaults; each inline comment names what the option does when
        # turned on.
     22 padding
     23 {
     24 	maximum_length 20;	# maximum padding length.
     25 	randomize off;		# randomize the padding length (off here).
     26 	strict_check off;	# strict check of received padding (off here).
     27 	exclusive_tail off;	# extract last one octet (off here).
     28 }
     29 
     30 # if no listen directive is specified, racoon will listen on all
     31 # available interface addresses.
        # As written (every entry commented out) this block presumably behaves as
        # if no "listen" were given, i.e. racoon is bound on every address,
        # including any untrusted interface.  List the intended isakmp addresses
        # to narrow exposure.
     32 listen
     33 {
     34 	#isakmp ::1 [7000];
     35 	#isakmp 202.249.11.124 [500];
     36 	#admin [7002];		# administrative port for racoonctl.
        	# The admin port controls the running daemon; enable it only where
        	# it is reachable by administrators alone.
     37 	#strict_address; 	# requires that all addresses must be bound.
        	# With strict_address a listed address that cannot be bound is
        	# presumably an error rather than being skipped -- see racoon.conf(5).
     38 }
     39 
     40 # Specify various default timers.
        # Retransmission and phase-completion limits.  counter x interval roughly
        # bounds how long an unanswered message keeps being resent; phase1 and
        # phase2 cap how long a half-finished negotiation is kept alive.
     41 timer
     42 {
     43 	# These values can be changed per remote node.
     44 	counter 5;		# maximum trying count to send.
     45 	interval 20 sec;	# maximum interval to resend.
     46 	persend 1;		# the number of packets per send.
     47 
     48 	# maximum time to wait for completing each phase.
     49 	phase1 30 sec;
     50 	phase2 15 sec;
     51 }
     52 
        # Catch-all phase-1 policy: "anonymous" applies to any peer that no more
        # specific "remote" block matches, so these are the terms offered to
        # unknown initiators.  Authentication is by X.509 signature (rsasig).
     53 remote anonymous
     54 {
        	# Accepted phase-1 modes in preference order (the first is used when
        	# racoon initiates).  Aggressive mode sends identities before
        	# encryption is established; main mode protects them.
     55 	exchange_mode main,aggressive;
     56 	doi ipsec_doi;
     57 	situation identity_only;
     58 
        	# Identify ourselves by the certificate's subject DN.  The cert and key
        	# files are presumably looked up under "path certificate"; the private
        	# key file must be readable only by racoon's user.
     59 	my_identifier asn1dn;
     60 	certificate_type x509 "my.cert.pem" "my.key.pem";
     61 
     62 	nonce_size 16;
     63 	initial_contact on;
        	# strict: a peer proposal with a longer lifetime or larger PFS group
        	# than ours is rejected; obey accepts the peer's values; claim keeps
        	# our value and notifies the peer -- see racoon.conf(5) for the exact
        	# rule.
     64 	proposal_check strict;	# obey, strict, or claim
     65 
        	# Phase-1 transform.  3des and dh_group 2 (1024-bit MODP) are legacy
        	# choices; prefer aes and a larger MODP group (later racoon builds
        	# accept dh_group 14) for new deployments.
     66 	proposal {
     67 		encryption_algorithm 3des;
     68 		hash_algorithm sha1;
     69 		authentication_method rsasig;
     70 		dh_group 2;
     71 	}
     72 }
     73 
        # Phase-1 policy for a peer on the loopback address, ISAKMP port 8000
        # (evidently a local test peer), authenticated with a pre-shared key.
     74 remote ::1 [8000]
     75 {
     76 	#exchange_mode main,aggressive;
        	# Aggressive mode is listed first here, so it is used when initiating.
        	# Combined with pre_shared_key authentication (below) this exposes the
        	# PSK-derived hash to any party that can complete the first exchange,
        	# so a weak key can be guessed offline; for PSK peers keep main mode
        	# first and use a long random key.
     77 	exchange_mode aggressive,main;
     78 	doi ipsec_doi;
     79 	situation identity_only;
     80 
        	# NOTE(review): the "(a]" in these identifiers looks like an e-mail
        	# obfuscation artefact of the page rendering; a user_fqdn is normally
        	# an e-mail-style string -- confirm against the original file.
     81 	my_identifier user_fqdn "sakane (a] kame.net";
     82 	peers_identifier user_fqdn "sakane (a] kame.net";
     83 	#certificate_type x509 "mycert" "mypriv";
     84 
     85 	nonce_size 16;
        	# Phase-1 SA lifetime; one minute is unusually short and forces
        	# frequent renegotiation (presumably a test setting).
     86 	lifetime time 1 min;	# sec,min,hour
     87 
        	# Phase-1 transform.  3des and dh_group 2 (1024-bit MODP) are legacy
        	# choices; prefer aes and a larger MODP group for new deployments.
     88 	proposal {
     89 		encryption_algorithm 3des;
     90 		hash_algorithm sha1;
     91 		authentication_method pre_shared_key;
     92 		dh_group 2;
     93 	}
     94 }
     95 
        # Catch-all phase-2 (IPsec SA) policy, used when no more specific sainfo
        # matches the traffic selectors.
     96 sainfo anonymous
     97 {
     98 	pfs_group 2;		# perfect forward secrecy with 1024-bit MODP (legacy size)
     99 	encryption_algorithm 3des;	# legacy cipher; aes is the stronger choice racoon also accepts
    100 	authentication_algorithm hmac_sha1;
    101 	compression_algorithm deflate;	# IPComp
    102 }
    103 
        # Phase-2 policy for one specific host pair (sample addresses).
        # Single DES (56-bit key) and hmac_md5 are cryptographically weak and must
        # not be relied on for real traffic; they remain here only as a syntax
        # example.  The 30-second lifetime is presumably a test value as well.
    104 sainfo address 203.178.141.209 any address 203.178.141.218 any
    105 {
    106 	pfs_group 2;
    107 	lifetime time 30 sec;
    108 	encryption_algorithm des;	# weak: 56-bit key
    109 	authentication_algorithm hmac_md5;	# weak: MD5-based integrity
    110 	compression_algorithm deflate;
    111 }
    112 
        # Phase-2 policy for ICMPv6 between loopback addresses.  Comma-separated
        # values are alternatives the peer may pick from (presumably offered in
        # listed order); listing 3des and blowfish alongside aes lets the peer
        # settle on the weaker cipher, so list only what you are willing to
        # accept.
    113 sainfo address ::1 icmp6 address ::1 icmp6
    114 {
        	# NOTE(review): group 3 differs from the group 2 used elsewhere in this
        	# file; confirm it is a group both this racoon build and the peer support.
    115 	pfs_group 3;
    116 	lifetime time 60 sec;
    117 	encryption_algorithm 3des, blowfish, aes;
    118 	authentication_algorithm hmac_sha1, hmac_md5;	# hmac_md5 is the weaker alternative
    119 	compression_algorithm deflate;
    120 }
    121 