network_cmds-176.4.1.tar.gz

[apple/network_cmds.git] / racoon.tproj / racoon.conf

# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon" ;

# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /etc/racoon/remote/*.conf
include "/etc/racoon/remote/*.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 10;             # maximum trying count to send.
        interval 3 sec; # interval to resend (retransmit)
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 30 sec;
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#remote anonymous
#{
#       #exchange_mode main,aggressive;
#       exchange_mode aggressive,main;
#       doi ipsec_doi;
#       situation identity_only;
#
#       #my_identifier address;
#       my_identifier user_fqdn "macuser@localhost";
#       peers_identifier user_fqdn "macuser@localhost";
#       #certificate_type x509 "mycert" "mypriv";
#
#       nonce_size 16;
#       lifetime time 1 min;    # sec,min,hour
#       initial_contact on;
#       support_mip6 on;
#       proposal_check obey;    # obey, strict or claim
#
#       proposal {
#               encryption_algorithm 3des;
#               hash_algorithm sha1;
#               authentication_method pre_shared_key ;
#               dh_group 2 ;
#       }
#}

remote ::1 [8000]
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "macuser@localhost";
        peers_identifier user_fqdn "macuser@localhost";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
#sainfo anonymous
#{
#       pfs_group 1;
#       lifetime time 30 sec;
#       encryption_algorithm aes, 3des ;
#       authentication_algorithm hmac_sha1;
#       compression_algorithm deflate ;
#}

# sainfo address 203.178.141.209 any address 203.178.141.218 any
# {
#       pfs_group 1;
#       lifetime time 30 sec;
#       encryption_algorithm des ;
#       authentication_algorithm hmac_md5;
#       compression_algorithm deflate ;
# }

sainfo address ::1 icmp6 address ::1 icmp6
{
        pfs_group 1;
        lifetime time 60 sec;
        encryption_algorithm 3des, cast128, blowfish 448, des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}