ipsec-tools/racoon/Sample/racoon.conf

   1 # $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $
   2
   3 # "path" must be placed before it is used.
   4 # You can overwrite what you defined, but it should not be used due to confusion.
   5 path include "/etc/racoon" ;
   6
   7 # search this file for pre_shared_key with various ID key.
   8 path pre_shared_key "/etc/racoon/psk.txt" ;
   9
  10 # racoon will look for certificate file in the directory,
  11 # if the certificate/certificate request payload is received.
  12 path certificate "/etc/cert" ;
  13
  14 # "log" specifies logging level.  It is followed by either "notify", "debug"
  15 # or "debug2".
  16 #log debug;
  17
  18 # "padding" defines some parameter of padding.  You should not touch these.
  19 padding
  20 {
  21         maximum_length 20;      # maximum padding length.
  22         randomize off;          # enable randomize length.
  23         strict_check off;       # enable strict check.
  24         exclusive_tail off;     # extract last one octet.
  25 }
  26
  27 # if no listen directive is specified, racoon will listen to all
  28 # available interface addresses.
  29 listen
  30 {
  31         #isakmp ::1 [7000];
  32         #isakmp 202.249.11.124 [500];
  33         #admin [7002];          # administrative's port by kmpstat.
  34         #strict_address;        # required all addresses must be bound.
  35 }
  36
  37 # Specification of default various timer.
  38 timer
  39 {
  40         # These value can be changed per remote node.
  41         counter 10;             # maximum trying count to send.
  42         interval 3 sec; # interval to resend (retransmit)
  43         persend 1;              # the number of packets per a send.
  44
  45         # timer for waiting to complete each phase.
  46         phase1 30 sec;
  47         phase2 30 sec;
  48
  49         # Auto exit delay timer - for use when controlled by VPN socket
  50         auto_exit_delay 3 sec;
  51 }
  52
  53 #
  54 # anonymous entry is defined in /etc/racoon/remote/anonymous.conf
  55 #
  56 #remote anonymous
  57 #{
  58 #       #exchange_mode main,aggressive;
  59 #       exchange_mode aggressive,main;
  60 #       doi ipsec_doi;
  61 #       situation identity_only;
  62 #
  63 #       #my_identifier address;
  64 #       my_identifier user_fqdn "macuser@localhost";
  65 #       peers_identifier user_fqdn "macuser@localhost";
  66 #       #certificate_type x509 "mycert" "mypriv";
  67 #
  68 #       nonce_size 16;
  69 #       lifetime time 1 min;    # sec,min,hour
  70 #       initial_contact on;
  71 #       support_mip6 on;
  72 #       proposal_check obey;    # obey, strict or claim
  73 #
  74 #       proposal {
  75 #               encryption_algorithm 3des;
  76 #               hash_algorithm sha1;
  77 #               authentication_method pre_shared_key ;
  78 #               dh_group 2 ;
  79 #       }
  80 #}
  81
  82 remote ::1 [8000]
  83 {
  84         #exchange_mode main,aggressive;
  85         exchange_mode aggressive,main;
  86         doi ipsec_doi;
  87         situation identity_only;
  88
  89         my_identifier user_fqdn "macuser@localhost";
  90         peers_identifier user_fqdn "macuser@localhost";
  91         #certificate_type x509 "mycert" "mypriv";
  92
  93         nonce_size 16;
  94         lifetime time 1 min;    # sec,min,hour
  95
  96         proposal {
  97                 encryption_algorithm 3des;
  98                 hash_algorithm sha1;
  99                 authentication_method pre_shared_key ;
 100                 dh_group 2 ;
 101         }
 102 }
 103
 104 #
 105 # anonymous entry is defined in /etc/racoon/remote/anonymous.conf
 106 #
 107 #sainfo anonymous
 108 #{
 109 #       pfs_group 1;
 110 #       lifetime time 30 sec;
 111 #       encryption_algorithm aes, 3des ;
 112 #       authentication_algorithm hmac_sha1;
 113 #       compression_algorithm deflate ;
 114 #}
 115
 116 # sainfo address 203.178.141.209 any address 203.178.141.218 any
 117 # {
 118 #       pfs_group 1;
 119 #       lifetime time 30 sec;
 120 #       encryption_algorithm des ;
 121 #       authentication_algorithm hmac_md5;
 122 #       compression_algorithm deflate ;
 123 # }
 124
 125 sainfo address ::1 icmp6 address ::1 icmp6
 126 {
 127         pfs_group 1;
 128         lifetime time 60 sec;
 129         encryption_algorithm 3des, aes ;
 130         authentication_algorithm hmac_sha1, hmac_md5 ;
 131         compression_algorithm deflate ;
 132 }
 133
 134 # Allow third parties the ability to specify remote and sainfo entries
 135 # by including all files matching /var/run/racoon/*.conf
 136 # This line should be added at the end of the racoon.conf file
 137 # so that settings such as timer values will be appropriately applied.
 138 include "/var/run/racoon/*.conf" ;