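# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig , SUSE Labs
#
# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
#
# The algorithm choices below were updated from the original template
# (3des / sha1 / dh_group 2 / pfs_group 2): 3DES has a 64-bit block
# size and 1024-bit MODP groups are no longer considered adequate.
# Both peers must support the algorithms listed here, so adjust them
# together with the administrator of the other side.

path include "/etc/racoon";
path certificate "/etc/racoon/cert";

# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
listen {
	# First define an address where racoon will listen
	# for "normal" IKE traffic. IANA allocated port 500.
	isakmp 172.16.0.1[500];

	# To use NAT-T you must also open port 4500 of
	# the same address so that peers can do 'Port floating'.
	# The same port will also be used for the UDP-Encapsulated
	# ESP traffic.
	isakmp_natt 172.16.0.1[4500];
}

timer {
	# To keep the NAT-mappings on your NAT gateway, there must be
	# traffic between the peers. Normally the UDP-Encap traffic
	# (i.e. the real data transported over the tunnel) would be
	# enough, but to be safe racoon will send a short
	# "Keep-alive packet" every few seconds to every peer with
	# whom it does NAT-Traversal.
	# The default is 20s. Set it to 0s to disable sending completely.
	natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
#
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#	esp/tunnel/172.16.0.1-172.16.1.1/require;
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#	esp/tunnel/172.16.1.1-172.16.0.1/require;
#
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#	esp/tunnel/172.16.1.1-172.16.1.3/require;
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#	esp/tunnel/172.16.1.3-172.16.1.1/require;

# Phase 1 configuration (for ISAKMP SA)
remote anonymous {
	# NAT-T is supported with all exchange_modes.
	# With certificates, main mode is the preferable one: aggressive
	# mode sends the identity payloads before the exchange is
	# encrypted. Trim this list if every peer supports main mode.
	exchange_mode main,base,aggressive;

	# With NAT-T you shouldn't use PSK. Let's go on with certs.
	# The peer's certificate is checked against the CA certificates in
	# the "path certificate" directory (verify_cert defaults to on).
	# Keep the private key file readable by the racoon user (root) only.
	my_identifier asn1dn;
	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

	# This is the main switch that enables NAT-T.
	# Possible values are:
	#   off   - NAT-T support is disabled, i.e. neither offered,
	#           nor accepted. This is the default.
	#   on    - normal NAT-T support, i.e. if NAT is detected
	#           along the way, NAT-T is used.
	#   force - if NAT-T is supported by both peers, it is used
	#           regardless of whether there is a NAT gateway between them
	#           or not. This is useful for traversing some firewalls.
	nat_traversal on;

	proposal {
		authentication_method rsasig;
		# AES-256 instead of 3DES (64-bit block size).
		encryption_algorithm aes 256;
		# sha256 requires a racoon build with SHA-2 support (newer
		# ipsec-tools releases); use sha1 only if a peer cannot do better.
		hash_algorithm sha256;
		# 2048-bit MODP group (14) instead of the 1024-bit group 2.
		dh_group 14;
	}

	proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
sainfo anonymous {
	# PFS with the 2048-bit MODP group, matching dh_group above.
	pfs_group 14;
	lifetime time 12 hour;
	# "rijndael" in the original template is the same cipher as AES;
	# the 3des alternative has been dropped.
	encryption_algorithm aes 256;
	# hmac_sha256 is available on newer builds, but some older
	# ipsec-tools releases are reported to truncate its ICV to 96 bits,
	# which does not interoperate with RFC 4868 peers. Verify both
	# sides before switching away from hmac_sha1.
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}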