# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
#
# Sample configuration for racoon, the KAME IKE (ISAKMP) key-management
# daemon.  This is a template: "@sysconfdir_x@" is presumably substituted
# with the installation's configuration directory at build time.
#
# NOTE(review): the algorithm and Diffie-Hellman group choices below reflect
# the file's 2001 vintage (see the $KAME header).  Several of them (des,
# hmac_md5, dh_group 2, aggressive mode with pre-shared keys) are flagged
# inline; treat this file as a syntax example, not as a hardened baseline.

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with a relative file path.
# You can overwrite the "path" directive afterwards; however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";

# The file should contain key ID/key pairs, for pre-shared key authentication.
# It holds secrets: keep it readable only by the user racoon runs as.
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

# racoon will look for the certificate file in this directory
# if a certificate/certificate request payload is received.
path certificate "@sysconfdir_x@/cert";

# "log" specifies the logging level. It is followed by either "notify", "debug"
# or "debug2".  The debug levels are verbose; leave them disabled in production.
#log debug;

# "padding" defines some padding parameters. You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# If no listen directive is specified, racoon will listen on all
# available interface addresses.  With every line below commented out that
# is what happens here; list explicit "isakmp" addresses to limit exposure.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address;	# requires that all addresses must be bound.
}

# Specify various default timers.
timer
{
	# These values can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

# Phase 1 settings for any peer not matched by a more specific "remote"
# block.  Authentication here is by RSA signature (certificate_type below).
remote anonymous
{
	# Both modes are offered; see the note on aggressive mode in the
	# "remote ::1" block below.
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

	my_identifier asn1dn;
	certificate_type x509 "my.cert.pem" "my.key.pem";

	nonce_size 16;
	initial_contact on;
	proposal_check strict;	# obey, strict, or claim

	proposal {
		encryption_algorithm 3des;	# NOTE(review): legacy cipher; aes (see the last sainfo) is preferred.
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;			# NOTE(review): group 2 is 1024-bit MODP, weak by current standards.
	}
}

# Phase 1 settings for the local IPv6 loopback peer on port 8000.
# Sample identifiers are kept from the original file.
remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	# NOTE(review): aggressive mode combined with pre_shared_key (below) is a
	# known-weak combination: identities are exchanged unencrypted and the
	# PSK-derived authentication hash is exposed to offline guessing.
	# Prefer main mode with a strong PSK, or rsasig as in "remote anonymous".
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;	# key taken from the "path pre_shared_key" file by identifier.
		dh_group 2;				# NOTE(review): 1024-bit MODP, see above.
	}
}

# Phase 2 (IPsec SA) parameters for any selector not matched by a more
# specific "sainfo" block.
sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# Address-to-address selector (sample addresses from the original file).
# NOTE(review): des and hmac_md5 are obsolete, and the 30-second lifetime
# looks like a test value rather than something to deploy.
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 2;
	lifetime time 30 sec;
	encryption_algorithm des;		# NOTE(review): single DES, 56-bit key.
	authentication_algorithm hmac_md5;	# NOTE(review): MD5-based integrity.
	compression_algorithm deflate;
}

# ICMPv6 over the IPv6 loopback; shows how to offer several algorithms.
# racoon presumably proposes them in the listed order -- confirm against
# the racoon.conf(5) manual for this version.
sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 3;
	lifetime time 60 sec;
	encryption_algorithm 3des, blowfish, aes;	# NOTE(review): aes is the only one of these still recommended.
	authentication_algorithm hmac_sha1, hmac_md5;	# NOTE(review): dropping hmac_md5 avoids negotiating it at all.
	compression_algorithm deflate;
}
