# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $
#
# racoon(8) IKE daemon configuration. Sections below: search paths,
# logging, padding, listen addresses, retransmit/phase timers, commented
# example "remote" (phase 1) and "sainfo" (phase 2) entries, and a trailing
# include of run-time supplied policy files.

# "path" must be placed before it is used.
# You can overwrite what you defined, but it should not be used due to confusion.
path include "/etc/racoon" ;

# search this file for pre_shared_key with various ID key.
# NOTE(review): racoon opens the PSK file through its safefile() check and
# refuses it if it is owned by another user or has any group/other permission
# bits set; keep it owned by the user racoon runs as, mode 0600.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
# Private keys referenced from "certificate_type x509" live here too, so the
# directory should not be world-readable.
path certificate "/etc/cert" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
# NOTE(review): "debug2" is the most verbose level and logs negotiation
# payloads; use it only while troubleshooting, not as the steady-state level.
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
# NOTE(review): with every "isakmp" line commented out, IKE is reachable on
# every address of the host; on a multi-homed machine list only the
# addresses that are meant to accept IKE, and consider "strict_address" so
# a missing address is a startup error rather than a silent bind-to-all.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 10;		# maximum trying count to send.
	interval 3 sec;	# interval to resend (retransmit)
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	# A negotiation that has not finished within this time is abandoned,
	# which bounds how long a half-open exchange holds state.
	phase1 30 sec;
	phase2 30 sec;

	# Auto exit delay timer - for use when controlled by VPN socket
	auto_exit_delay 3 sec;
}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
# The commented entries below are historical examples, not live policy.
# NOTE(review): "remote anonymous" matches any peer, and "aggressive" mode
# with a pre-shared key sends the identity and the PSK-derived hash before
# the exchange is encrypted; for an anonymous PSK peer prefer main mode and
# a long random key. "proposal_check obey" also accepts whatever lifetime
# the peer proposes; "strict" or "claim" keep the local value as an upper
# bound.
#remote anonymous
#{
#	#exchange_mode main,aggressive;
#	exchange_mode aggressive,main;
#	doi ipsec_doi;
#	situation identity_only;
#
#	#my_identifier address;
#	my_identifier user_fqdn "macuser@localhost";
#	peers_identifier user_fqdn "macuser@localhost";
#	#certificate_type x509 "mycert" "mypriv";
#
#	nonce_size 16;
#	lifetime time 1 min;	# sec,min,hour
#	initial_contact on;
#	support_mip6 on;
#	proposal_check obey;	# obey, strict or claim
#
#	proposal {
#		encryption_algorithm 3des;
#		hash_algorithm sha1;
#		authentication_method pre_shared_key ;
#		dh_group 2 ;		# 1024-bit MODP; dh_group 14 (2048-bit) where supported
#	}
#}

#remote ::1 [8000]
#{
#	#exchange_mode main,aggressive;
#	exchange_mode aggressive,main;
#	doi ipsec_doi;
#	situation identity_only;
#
#	my_identifier user_fqdn "macuser@localhost";
#	peers_identifier user_fqdn "macuser@localhost";
#	#certificate_type x509 "mycert" "mypriv";
#
#	nonce_size 16;
#	lifetime time 1 min;	# sec,min,hour
#
#	proposal {
#		encryption_algorithm 3des;
#		hash_algorithm sha1;
#		authentication_method pre_shared_key ;
#		dh_group 2 ;
#	}
#}

#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
# NOTE(review): the phase 2 examples below date from 2001. "des",
# "hmac_md5" and "pfs_group 1" (768-bit MODP) are legacy choices kept only
# as syntax illustrations; a current policy would use "aes" with
# "hmac_sha1" or stronger and a PFS group of 14 or higher where the build
# supports it.
#sainfo anonymous
#{
#	pfs_group 1;
#	lifetime time 30 sec;
#	encryption_algorithm aes, 3des ;
#	authentication_algorithm hmac_sha1;
#	compression_algorithm deflate ;
#}

# sainfo address 203.178.141.209 any address 203.178.141.218 any
# {
#	pfs_group 1;
#	lifetime time 30 sec;
#	encryption_algorithm des ;
#	authentication_algorithm hmac_md5;
#	compression_algorithm deflate ;
# }

#sainfo address ::1 icmp6 address ::1 icmp6
#{
#	pfs_group 1;
#	lifetime time 60 sec;
#	encryption_algorithm 3des, cast128, blowfish 448, des ;
#	authentication_algorithm hmac_sha1, hmac_md5 ;
#	compression_algorithm deflate ;
#}

# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /var/run/racoon/*.conf
# This line should be added at the end of the racoon.conf file
# so that settings such as timer values will be appropriately applied.
# NOTE(review): every file matched here is parsed with the same authority as
# this file and can define peers and SA policy, so /var/run/racoon must be
# owned by root and not writable by any other user; verify the directory
# permissions on the hosts this configuration is deployed to.
include "/var/run/racoon/*.conf" ;
