[apple/ipsec.git] / ipsec-tools / racoon / Sample / racoon.conf

# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $

# "path" must be placed before it is used.
# You can overwrite what you defined, but it should not be used due to confusion.
path include "/etc/racoon" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 10;		# maximum trying count to send.
	interval 3 sec;	# interval to resend (retransmit)
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 30 sec;
	
	# Auto exit delay timer - for use when controlled by VPN socket
	auto_exit_delay 3 sec;
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#remote anonymous
#{
#	#exchange_mode main,aggressive;
#	exchange_mode aggressive,main;
#	doi ipsec_doi;
#	situation identity_only;
#
#	#my_identifier address;
#	my_identifier user_fqdn "macuser@localhost";
#	peers_identifier user_fqdn "macuser@localhost";
#	#certificate_type x509 "mycert" "mypriv";
#
#	nonce_size 16;
#	lifetime time 1 min;	# sec,min,hour
#	initial_contact on;
#	support_mip6 on;
#	proposal_check obey;	# obey, strict or claim
#
#	proposal {
#		encryption_algorithm 3des;
#		hash_algorithm sha1;
#		authentication_method pre_shared_key ;
#		dh_group 2 ;
#	}
#}

remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "macuser@localhost";
	peers_identifier user_fqdn "macuser@localhost";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#sainfo anonymous
#{
#	pfs_group 1;
#	lifetime time 30 sec;
#	encryption_algorithm aes, 3des ;
#	authentication_algorithm hmac_sha1;
#	compression_algorithm deflate ;
#}

# sainfo address 203.178.141.209 any address 203.178.141.218 any
# {
#	pfs_group 1;
#	lifetime time 30 sec;
#	encryption_algorithm des ;
#	authentication_algorithm hmac_md5;
#	compression_algorithm deflate ;
# }

sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 1;
	lifetime time 60 sec;
	encryption_algorithm 3des, aes ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /var/run/racoon/*.conf
# This line should be added at the end of the racoon.conf file
# so that settings such as timer values will be appropriately applied.
include "/var/run/racoon/*.conf" ;
Commit	Line	Data
52b7d2ce A	1	# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $
52b7d2ce A	2
d1e348cf A	3	# "path" must be placed before it is used.
d1e348cf A	4	# You can overwrite what you defined, but it should not be used due to confusion.
52b7d2ce A	5	path include "/etc/racoon" ;
52b7d2ce A	6
52b7d2ce A	7	# search this file for pre_shared_key with various ID key.
	8	path pre_shared_key "/etc/racoon/psk.txt" ;
	9
	10	# racoon will look for certificate file in the directory,
	11	# if the certificate/certificate request payload is received.
	12	path certificate "/etc/cert" ;
	13
	14	# "log" specifies logging level. It is followed by either "notify", "debug"
	15	# or "debug2".
	16	#log debug;
	17
	18	# "padding" defines some parameter of padding. You should not touch these.
	19	padding
	20	{
	21	maximum_length 20; # maximum padding length.
	22	randomize off; # enable randomize length.
	23	strict_check off; # enable strict check.
	24	exclusive_tail off; # extract last one octet.
	25	}
	26
	27	# if no listen directive is specified, racoon will listen to all
	28	# available interface addresses.
	29	listen
	30	{
	31	#isakmp ::1 [7000];
	32	#isakmp 202.249.11.124 [500];
	33	#admin [7002]; # administrative's port by kmpstat.
	34	#strict_address; # required all addresses must be bound.
	35	}
	36
	37	# Specification of default various timer.
	38	timer
	39	{
	40	# These value can be changed per remote node.
	41	counter 10; # maximum trying count to send.
	42	interval 3 sec; # interval to resend (retransmit)
	43	persend 1; # the number of packets per a send.
	44
	45	# timer for waiting to complete each phase.
	46	phase1 30 sec;
	47	phase2 30 sec;
	48
	49	# Auto exit delay timer - for use when controlled by VPN socket
	50	auto_exit_delay 3 sec;
	51	}
	52
	53	#
	54	# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
	55	#
	56	#remote anonymous
	57	#{
	58	# #exchange_mode main,aggressive;
	59	# exchange_mode aggressive,main;
	60	# doi ipsec_doi;
	61	# situation identity_only;
	62	#
	63	# #my_identifier address;
	64	# my_identifier user_fqdn "macuser@localhost";
	65	# peers_identifier user_fqdn "macuser@localhost";
	66	# #certificate_type x509 "mycert" "mypriv";
	67	#
	68	# nonce_size 16;
	69	# lifetime time 1 min; # sec,min,hour
	70	# initial_contact on;
71	# support_mip6 on;
72	# proposal_check obey; # obey, strict or claim
73	#
74	# proposal {
75	# encryption_algorithm 3des;
76	# hash_algorithm sha1;
77	# authentication_method pre_shared_key ;
78	# dh_group 2 ;
79	# }
80	#}
81
82	remote ::1 [8000]
83	{
84	#exchange_mode main,aggressive;
85	exchange_mode aggressive,main;
86	doi ipsec_doi;
87	situation identity_only;
88
89	my_identifier user_fqdn "macuser@localhost";
90	peers_identifier user_fqdn "macuser@localhost";
91	#certificate_type x509 "mycert" "mypriv";
92
93	nonce_size 16;
94	lifetime time 1 min; # sec,min,hour
95
96	proposal {
65c25746	97	encryption_algorithm 3des;
52b7d2ce A	98	hash_algorithm sha1;
	99	authentication_method pre_shared_key ;
	100	dh_group 2 ;
	101	}
	102	}
	103
	104	#
	105	# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
	106	#
	107	#sainfo anonymous
	108	#{
	109	# pfs_group 1;
	110	# lifetime time 30 sec;
	111	# encryption_algorithm aes, 3des ;
	112	# authentication_algorithm hmac_sha1;
	113	# compression_algorithm deflate ;
	114	#}
	115
	116	# sainfo address 203.178.141.209 any address 203.178.141.218 any
	117	# {
	118	# pfs_group 1;
	119	# lifetime time 30 sec;
	120	# encryption_algorithm des ;
	121	# authentication_algorithm hmac_md5;
	122	# compression_algorithm deflate ;
	123	# }
	124
	125	sainfo address ::1 icmp6 address ::1 icmp6
	126	{
	127	pfs_group 1;
	128	lifetime time 60 sec;
85f41bec	129	encryption_algorithm 3des, aes ;
52b7d2ce A	130	authentication_algorithm hmac_sha1, hmac_md5 ;
	131	compression_algorithm deflate ;
	132	}
	133
d1e348cf A	134	# Allow third parties the ability to specify remote and sainfo entries
	135	# by including all files matching /var/run/racoon/*.conf
	136	# This line should be added at the end of the racoon.conf file
	137	# so that settings such as timer values will be appropriately applied.
	138	include "/var/run/racoon/*.conf" ;