1# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $ 2 3# "path" affects "include" directives. "path" must be specified before any 4# "include" directive with relative file path. 5# you can overwrite "path" directive afterwards, however, doing so may add 6# more confusion. 7#path include "/usr/local/v6/etc" ; 8#include "remote.conf" ; 9 10# the file should contain key ID/key pairs, for pre-shared key authentication. 11path pre_shared_key "/usr/local/v6/etc/psk.txt" ; 12 13# racoon will look for certificate file in the directory, 14# if the certificate/certificate request payload is received. 15#path certificate "/usr/local/openssl/certs" ; 16 17# "log" specifies logging level. It is followed by either "notify", "debug" 18# or "debug2". 19#log debug; 20 21remote anonymous 22{ 23 #exchange_mode main,aggressive,base; 24 exchange_mode main,base; 25 26 #my_identifier fqdn "server.kame.net"; 27 #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ; 28 29 lifetime time 24 hour ; # sec,min,hour 30 31 #initial_contact off ; 32 #passive on ; 33 34 # phase 1 proposal (for ISAKMP SA) 35 proposal { 36 encryption_algorithm 3des; 37 hash_algorithm sha1; 38 authentication_method pre_shared_key ; 39 dh_group 2 ; 40 } 41 42 # the configuration could makes racoon (as a responder) 43 # to obey the initiator's lifetime and PFS group proposal, 44 # by setting proposal_check to obey. 45 # this would makes testing "so much easier", but is really 46 # *not* secure !!! 47 proposal_check strict; 48} 49 50# phase 2 proposal (for IPsec SA). 51# actual phase 2 proposal will obey the following items: 52# - kernel IPsec policy configuration (like "esp/transport//use) 53# - permutation of the crypto/hash/compression algorithms presented below 54sainfo anonymous 55{ 56 pfs_group 2; 57 lifetime time 12 hour ; 58 encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; 59 authentication_algorithm hmac_sha1, hmac_md5 ; 60 compression_algorithm deflate ; 61} 62