racoon.conf.in revision 1.1
1# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ 2 3# "path" must be placed before it should be used. 4# You can overwrite which you defined, but it should not use due to confusing. 5path include "@sysconfdir_x@/racoon"; 6#include "remote.conf"; 7 8# search this file for pre_shared_key with various ID key. 9path pre_shared_key "@sysconfdir_x@/racoon/psk.txt"; 10 11# racoon will look for certificate file in the directory, 12# if the certificate/certificate request payload is received. 13path certificate "@sysconfdir_x@/cert"; 14 15# "log" specifies logging level. It is followed by either "notify", "debug" 16# or "debug2". 17#log debug; 18 19# "padding" defines some parameter of padding. You should not touch these. 20padding 21{ 22 maximum_length 20; # maximum padding length. 23 randomize off; # enable randomize length. 24 strict_check off; # enable strict check. 25 exclusive_tail off; # extract last one octet. 26} 27 28# if no listen directive is specified, racoon will listen to all 29# available interface addresses. 30listen 31{ 32 #isakmp ::1 [7000]; 33 #isakmp 202.249.11.124 [500]; 34 #admin [7002]; # administrative's port by kmpstat. 35 #strict_address; # required all addresses must be bound. 36} 37 38# Specification of default various timer. 39timer 40{ 41 # These value can be changed per remote node. 42 counter 5; # maximum trying count to send. 43 interval 20 sec; # maximum interval to resend. 44 persend 1; # the number of packets per a send. 45 46 # timer for waiting to complete each phase. 47 phase1 30 sec; 48 phase2 15 sec; 49} 50 51remote anonymous 52{ 53 exchange_mode main,aggressive; 54 doi ipsec_doi; 55 situation identity_only; 56 57 my_identifier asn1dn; 58 certificate_type x509 "my.cert.pem" "my.key.pem"; 59 60 nonce_size 16; 61 initial_contact on; 62 proposal_check obey; # obey, strict or claim 63 64 proposal { 65 encryption_algorithm 3des; 66 hash_algorithm sha1; 67 authentication_method rsasig; 68 dh_group 2; 69 } 70} 71 72remote ::1 [8000] 73{ 74 #exchange_mode main,aggressive; 75 exchange_mode aggressive,main; 76 doi ipsec_doi; 77 situation identity_only; 78 79 my_identifier user_fqdn "sakane@kame.net"; 80 peers_identifier user_fqdn "sakane@kame.net"; 81 #certificate_type x509 "mycert" "mypriv"; 82 83 nonce_size 16; 84 lifetime time 1 min; # sec,min,hour 85 86 proposal { 87 encryption_algorithm 3des; 88 hash_algorithm sha1; 89 authentication_method pre_shared_key; 90 dh_group 2; 91 } 92} 93 94sainfo anonymous 95{ 96 pfs_group 2; 97 encryption_algorithm 3des; 98 authentication_algorithm hmac_sha1; 99 compression_algorithm deflate; 100} 101 102sainfo address 203.178.141.209 any address 203.178.141.218 any 103{ 104 pfs_group 2; 105 lifetime time 30 sec; 106 encryption_algorithm des; 107 authentication_algorithm hmac_md5; 108 compression_algorithm deflate; 109} 110 111sainfo address ::1 icmp6 address ::1 icmp6 112{ 113 pfs_group 3; 114 lifetime time 60 sec; 115 encryption_algorithm 3des, blowfish, aes; 116 authentication_algorithm hmac_sha1, hmac_md5; 117 compression_algorithm deflate; 118} 119 120