# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs

# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
#
# NOTE(review): the listing was recovered from a collapsed rendering;
# directive text is unchanged, only line breaks and indentation were
# restored and the inline line numbers dropped.

# Search paths: "path include" is where further config files are looked
# up, "path certificate" is where the certificate and private key named
# in the remote block below are read from. The key file must be
# readable only by the user racoon runs as.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";

# Define addresses and ports where racoon will listen for incoming
# traffic. Don't forget to open these ports on your firewall!
# Both are UDP; binding to a specific address (as here) rather than a
# wildcard keeps IKE from being exposed on interfaces that do not need it.
listen
{
    # First define an address where racoon will listen
    # for "normal" IKE traffic. IANA allocated port 500.
    isakmp 172.16.0.1[500];

    # To use NAT-T you must also open port 4500 of
    # the same address so that peers can do 'Port floating'.
    # The same port will also be used for the UDP-Encapsulated
    # ESP traffic.
    isakmp_natt 172.16.0.1[4500];
}


timer
{
    # To keep the NAT-mappings on your NAT gateway, there must be
    # traffic between the peers. Normally the UDP-Encap traffic
    # (i.e. the real data transported over the tunnel) would be
    # enough, but to be safe racoon will send a short
    # "Keep-alive packet" every few seconds to every peer with
    # whom it does NAT-Traversal.
    # The default is 20s. Set it to 0s to disable sending completely.
    # 10 sec is presumably chosen to survive NAT gateways with short
    # UDP mapping timeouts; raise it if you do not need that.
    natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#        esp/tunnel/172.16.0.1-172.16.1.1/require;
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#        esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#        esp/tunnel/172.16.1.1-172.16.1.3/require;
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#        esp/tunnel/172.16.1.3-172.16.1.1/require;
#
# NOTE(review): with "generate_policy on" the responder installs SPD
# entries derived from the initiator's proposal, i.e. the peer decides
# which traffic selectors get protected. Only combine it with strong
# peer authentication (certificates, as below) and an explicit policy
# where the addresses are known.

# Phase 1 configuration (for ISAKMP SA)
# "anonymous" matches any peer address, so authentication of the peer
# rests entirely on the certificate check configured here; racoon
# verifies the peer certificate by default (verify_cert on) - do not
# turn that off in an anonymous block.
remote anonymous
{
    # NAT-T is supported with all exchange_modes.
    # NOTE(review): aggressive mode sends the peer identities before the
    # exchange is encrypted; list only "main" unless a peer requires the
    # other modes.
    exchange_mode main,base,aggressive;

    # With NAT-T you shouldn't use PSK. Let's go on with certs.
    # Files are looked up relative to "path certificate" above.
    my_identifier asn1dn;
    certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

    # This is the main switch that enables NAT-T.
    # Possible values are:
    # off   - NAT-T support is disabled, i.e. neither offered,
    #         nor accepted. This is the default.
    # on    - normal NAT-T support, i.e. if NAT is detected
    #         along the way, NAT-T is used.
    # force - if NAT-T is supported by both peers, it is used
    #         regardless of whether there is a NAT gateway between them
    #         or not. This is useful for traversing some firewalls.
    nat_traversal on;

    # NOTE(review): 3des (64-bit block), sha1 and the 1024-bit
    # dh_group 2 are below current recommendations. If your racoon
    # build accepts them, prefer aes, sha256 and dh_group 14 here
    # and in the sainfo block; keep these only for legacy peers.
    proposal {
        authentication_method rsasig;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
    }

    # Reject peer proposals that do not fit the local definition;
    # see racoon.conf(5) for the exact lifetime/PFS rules of "strict".
    proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
# "anonymous" here means this sainfo applies to any phase 2 selector.
sainfo anonymous
{
    # pfs_group 2 is 1024-bit MODP - same caveat as dh_group above.
    pfs_group 2;
    lifetime time 12 hour;
    # rijndael is racoon's name for AES in phase 2; listing 3des first
    # makes it the preferred choice when both sides offer it.
    encryption_algorithm 3des, rijndael;
    authentication_algorithm hmac_sha1;
    # NOTE(review): compressing before encryption makes ciphertext
    # length depend on plaintext content; drop deflate unless the link
    # really needs IPComp.
    compression_algorithm deflate;
}