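# Emit a sample racoon(8) configuration on stdout for a pair of endpoints.
#
# Usage: sandiego.pl my_address peer_address
#
# The two arguments are pasted verbatim (unquoted and unescaped) into the
# "spdadd" hint and the "policy" line of the generated text, so they must
# already be well-formed racoon address tokens.  The body of the sample is
# reproduced exactly as the original KAME example wrote it; the algorithm,
# lifetime and "log debug2" choices are that sample's own illustrative values.
use strict;
use warnings;
use Sys::Hostname;

# Exactly two positional arguments: the local endpoint, then the peer.
# (The original message said "too few" even when too many were given.)
die "usage: $0 my_address peer_address\n" unless @ARGV == 2;
my ($me, $you) = @ARGV;

# Identity tokens for the "identifier" directives.  Sys::Hostname and
# getpwuid() replace the original `hostname`/`whoami` backticks, which
# depended on $PATH and whose failure was never checked.  $> is the
# effective uid, which is what whoami(1) reports.
my $hostname = hostname();
my $user     = getpwuid($>);
defined $user
    or die "cannot resolve a login name for effective uid $>\n";
my $userfqdn = $user . '@' . $hostname;

# Revision stamp echoed into the generated file's header; single-quoted so
# Perl does not interpolate the "$KAME" keyword.
my $rcsid = '$KAME: sandiego.pl,v 1.11 2000/03/26 10:52:59 itojun Exp $';

# Interpolating heredoc: $rcsid, $me, $you, $userfqdn and $hostname are the
# only variables it references; everything else is literal racoon.conf text.
print <<"EOF";
# automatically generated from $rcsid
# do not edit.

# sample policy setting for setkey(8):
# spdadd $me $you any -P out ipsec esp/transport//use ah/transport//use;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "./psk.txt" ;

# racoon will search this directory if the certificate or certificate request
# is received.
path certificate "./cert.txt" ;

# personal infomation.
identifier vendor_id "KAME/racoon";
identifier user_fqdn "$userfqdn";
identifier fqdn "$hostname";
identifier keyid "./keyid.txt";

# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug2;

# "padding" defines some parameter of padding. You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enbale randomize length.
	restrict_check off;	# enable restrict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
#	isakmp 127.0.0.1 [7000];
#	isakmp 0.0.0.0 [500];
	admin [7002];		# administrative's port by kmpstat.
}

# Specification of default various timer.
timer {
	# These value can be changed per remote node.
	counter 1;		# maximun trying count to send.
	interval 30 sec;	# maximun interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 20 sec;
	phase2 15 sec;
}

# main mode example, with "anonymous" (any peer) configuration
remote anonymous
{
	# In below case, main mode and aggressive mode are accepted. When
	# initiating, main mode is first to be sent.
	exchange_mode main, aggressive;

	identifier address;
	nonce_size 16;

	# for aggressive mode definition.
	dh_group modp1024;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key ;
		dh_group modp1024;
		lifetime time 600 sec;
	}
	proposal {
		encryption_algorithm des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group modp1024;
		lifetime time 1000 sec;
	}
#	proposal {
#		encryption_algorithm 3des;
#		hash_algorithm sha1;
#		authentication_method rsasig ;
#		dh_group modp1024;
#		lifetime time 600 sec;
#	}
}

remote 194.100.55.1 [500]
{
	exchange_mode main, aggressive;

	# default doi is "ipsec_doi".
	doi ipsec_doi;

	# default situation is "identity_only".
	situation identity_only;

	# specify the identifier type
	# "address", "fqdn", "user_fqdn", "keyid"
	identifier user_fqdn;

	# specify the bytes length of nonce.
	nonce_size 16;

	# means to do keep-a-live. This should not be used in dial-up.
	keepalive;

	dh_group modp1024;

	proposal {
		# they can be defined explicitly.
		encryption_algorithm des;
		hash_algorithm md5;
		dh_group modp768;
		authentication_method pre_shared_key ;
	}
	proposal {
		encryption_algorithm 3des;
		authentication_method pre_shared_key ;

		# they can be defined individually.
		lifetime time 5 min;
		lifetime byte 2 MB;
	}
}

policy $me $you any inout ipsec
{
	pfs_group modp1024;

	# This proposal means IP2|AH|ESP|ULP.
	proposal {
		lifetime time 300 second;
		lifetime byte 10000 KB;

		protocol esp {
			level require ;
			mode transport ;
			encryption_algorithm des ;
			authentication_algorithm hmac_sha1 ;
		}

		# "ah" means AH.
		protocol ah {
			level require ;
			mode transport ;
			authentication_algorithm hmac_sha1 ;
		}
	}

	# This proposal means IP2|ESP|ULP.
	proposal {
		lifetime time 600 second;
		lifetime byte 10000 KB;
		protocol esp {
			level require ;
			mode transport ;
			encryption_algorithm des ;
			authentication_algorithm hmac_sha1 ;
		}
	}

}
EOF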