1# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
2
3# "path" affects "include" directives.  "path" must be specified before any
4# "include" directive with relative file path.
5# you can overwrite "path" directive afterwards, however, doing so may add
6# more confusion.
7path include "@sysconfdir_x@/racoon";
8#include "remote.conf";
9
10# the file should contain key ID/key pairs, for pre-shared key authentication.
11path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
12
13# racoon will look for certificate file in the directory,
14# if the certificate/certificate request payload is received.
15path certificate "@sysconfdir_x@/cert";
16
17# "log" specifies logging level.  It is followed by either "notify", "debug"
18# or "debug2".
19#log debug;
20
21# "padding" defines some padding parameters.  You should not touch these.
22padding
23{
24	maximum_length 20;	# maximum padding length.
25	randomize off;		# enable randomize length.
26	strict_check off;	# enable strict check.
27	exclusive_tail off;	# extract last one octet.
28}
29
# If no "listen" directive is specified, racoon will listen on all
# available interface addresses.  On a host with interfaces toward untrusted
# networks, list the addresses explicitly so the IKE port is only bound
# where peers are expected.  With everything below commented out, this block
# still results in listening on all addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl; enable only if racoonctl is used.
	#strict_address; 	# requires that all addresses must be bound; presumably startup
				# fails instead of silently listening on fewer addresses — confirm.
}
39
# Specify various default timers.
timer
{
	# These values can be changed per remote node.
	counter 5;		# maximum trying count to send (retransmissions per packet).
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# Maximum time to wait for completing each phase.  These bound how long
	# an unfinished negotiation holds state, so keep them modest.
	phase1 30 sec;
	phase2 15 sec;
}
52
# Phase 1 settings for any peer without a more specific "remote" block
# (presumably — "anonymous" matches peers not listed elsewhere; confirm).
remote anonymous
{
	# Accept both modes.  Aggressive mode exchanges identities before the
	# channel is encrypted, so main mode alone is the safer choice when
	# every peer supports it.
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

	# Identify ourselves by the certificate subject DN.
	my_identifier asn1dn;
	# Certificate and private key files, looked up under "path certificate".
	certificate_type x509 "my.cert.pem" "my.key.pem";

	nonce_size 16;
	initial_contact on;
	proposal_check strict;	# obey, strict, or claim: how a peer's proposal that
				# differs from ours (e.g. lifetime) is handled

	# 3DES / SHA1 / DH group 2 (1024-bit MODP) are dated; prefer aes and a
	# larger group where both ends support them.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;	# X.509 signatures, no pre-shared key
		dh_group 2;
	}
}
73
# Loopback test peer on a non-standard IKE port; the identifiers below are
# sample values.
remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	# Aggressive mode is preferred here and the proposal below uses a
	# pre-shared key.  In aggressive mode the identity and a PSK-derived
	# hash are sent before the channel is encrypted, so a guessable PSK is
	# exposed to offline guessing.  Use main mode, or a long random PSK, for
	# anything beyond local testing.
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	# Both sides use the same sample user_fqdn identity (loopback test).
	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour — a test value; far shorter than a production lifetime

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;	# key taken from "path pre_shared_key"
		dh_group 2;
	}
}
95
# Phase 2 (IPsec SA) defaults for any selector pair without a more specific
# "sainfo" entry (presumably — confirm matching order against racoon.conf(5)).
sainfo anonymous
{
	pfs_group 2;	# perfect forward secrecy with DH group 2
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
103
# Phase 2 parameters for traffic between these two sample addresses.
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 2;
	lifetime time 30 sec;	# test value; far too short for production
	# Single DES and HMAC-MD5 are weak by modern standards and should not
	# protect real traffic; the other sainfo entries in this file show the
	# stronger 3des/aes and hmac_sha1 choices.
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
112
# Phase 2 parameters for ICMPv6 between loopback addresses (a test entry).
sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 3;		# NOTE(review): confirm this group is supported and acceptable for your build
	lifetime time 60 sec;	# test value
	# Several algorithms are listed; presumably they are offered as
	# alternatives in this order — confirm against racoon.conf(5).
	# hmac_md5 is a weak fallback; drop it if every peer supports hmac_sha1.
	encryption_algorithm 3des, blowfish, aes;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}
121
122