# $KAME: racoon.conf.sample,v 1.27 2001/09/05 22:46:39 sakane Exp $

# "path" affects the "include" directive.  "path" must be specified before any
# "include" directive that uses a relative file path.
# You can override the "path" directive afterwards; however, doing so may
# cause confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

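# The file holds identifier/key pairs used for pre-shared key authentication.
# The keys are stored in clear text, so keep the file owned by root and
# unreadable by any other user.
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;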

# racoon will look for the certificate file in this directory
# if a certificate or certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies the logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

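# Phase 1 (ISAKMP SA) settings.  "anonymous" makes this stanza the default for
# every peer that has no more specific "remote" entry.
remote anonymous
{
	# All listed modes are accepted when racoon is the responder; the first
	# one is used when racoon initiates.
	# NOTE(review): with pre-shared keys, aggressive mode sends a hash derived
	# from the key before the peer is authenticated, so a weak key can be
	# guessed offline.  Prefer the main-first ordering below, and remove
	# "aggressive" entirely where the peers allow it.
	#exchange_mode main,aggressive,base;
	exchange_mode aggressive,main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ;	# sec,min,hour

	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	# NOTE(review): 3DES, SHA-1 and DH group 2 (1024-bit MODP) are legacy
	# choices.  Use stronger algorithms and a larger group where both this
	# racoon build and the peer support them (see racoon.conf(5)).
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# This setting makes racoon (as a responder) obey the initiator's
	# lifetime and PFS group proposal, which makes testing much easier.
	# NOTE(review): with "obey" the remote peer dictates those values.
	# Outside of testing, use a stricter level such as "strict"; check
	# racoon.conf(5) for the levels your version supports.
	proposal_check obey;
}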

# phase 2 proposal (for IPsec SA).
# the actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
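# Phase 2 (IPsec SA) settings used for any peer or policy that has no more
# specific "sainfo" entry.
sainfo anonymous
{
	# PFS for phase 2 using DH group 2 (1024-bit MODP).
	# NOTE(review): prefer a larger group where both ends support it.
	pfs_group 2;
	lifetime time 12 hour ;
	# Any algorithm listed here may end up in the negotiated SA.
	# NOTE(review): "des" and "hmac_md5" are the weakest entries; keep them
	# only if a peer cannot negotiate anything better.
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}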