1.1 ! misho 1: # Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
! 2: # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
! 3:
! 4: # This file can be used as a template for NAT-Traversal setups.
! 5: # Only NAT-T related options are explained here, refer to other
! 6: # sample files and manual pages for details about the rest.
! 7:
! 8: path include "/etc/racoon";
! 9: path certificate "/etc/racoon/cert";
! 10:
! 11: # Define addresses and ports where racoon will listen for incoming
! 12: # traffic. Don't forget to open these ports on your firewall!
! 13: listen
! 14: {
! 15: # First define an address where racoon will listen
! 16: # for "normal" IKE traffic. IANA allocated port 500.
! 17: isakmp 172.16.0.1[500];
! 18:
! 19: # To use NAT-T you must also open port 4500 of
! 20: # the same address so that peers can do 'Port floating'.
! 21: # The same port will also be used for the UDP-Encapsulated
! 22: # ESP traffic.
! 23: isakmp_natt 172.16.0.1[4500];
! 24: }
! 25:
! 26:
! 27: timer
! 28: {
! 29: # To keep the NAT-mappings on your NAT gateway, there must be
! 30: # traffic between the peers. Normally the UDP-Encap traffic
! 31: # (i.e. the real data transported over the tunnel) would be
! 32: # enough, but to be safe racoon will send a short
! 33: # "Keep-alive packet" every few seconds to every peer with
! 34: # whom it does NAT-Traversal.
! 35: # The default is 20s. Set it to 0s to disable sending completely.
! 36: natt_keepalive 10 sec;
! 37: }
! 38:
! 39: # To trigger the SA negotiation there must be an appropriate
! 40: # policy in the kernel SPD. For example for traffic between
! 41: # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
! 42: # 172.16.0.1 and 172.16.1.1, where the first gateway is behind
! 43: # a NAT which translates its address to 172.16.1.3, you need the
! 44: # following rules:
! 45: # On 172.16.0.1 (i.e. the gateway behind the NAT):
! 46: # spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
! 47: # esp/tunnel/172.16.0.1-172.16.1.1/require;
! 48: # spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
! 49: # esp/tunnel/172.16.1.1-172.16.0.1/require;
! 50: # On the other side (172.16.1.1) either use a "generate_policy on"
! 51: # statement in the remote block, or, if you know the translated
! 52: # address, use the following policy:
! 53: # spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
! 54: # esp/tunnel/172.16.1.1-172.16.1.3/require;
! 55: # spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
! 56: # esp/tunnel/172.16.1.3-172.16.1.1/require;
! 57:
! 58: # Phase 1 configuration (for ISAKMP SA). Note: the 3des/sha1/dh_group 2 proposal below is from this 2005-era sample; treat it as a placeholder and select current-strength algorithms for a real deployment.
! 59: remote anonymous
! 60: {
! 61: # NAT-T is supported with all exchange_modes.
! 62: exchange_mode main,base,aggressive;
! 63:
! 64: # With NAT-T you shouldn't use PSK: the NAT rewrites the peer's address, on which main-mode PSK lookup is keyed. Let's go on with certs.
! 65: my_identifier asn1dn;
! 66: certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
! 67:
! 68: # This is the main switch that enables NAT-T.
! 69: # Possible values are:
! 70: # off - NAT-T support is disabled, i.e. neither offered,
! 71: # nor accepted. This is the default.
! 72: # on - normal NAT-T support, i.e. if NAT is detected
! 73: # along the way, NAT-T is used.
! 74: # force - if NAT-T is supported by both peers, it is used
! 75: # regardless of whether there is a NAT gateway between them
! 76: # or not. This is useful for traversing some firewalls.
! 77: nat_traversal on;
! 78:
! 79: proposal {
! 80: authentication_method rsasig;
! 81: encryption_algorithm 3des;
! 82: hash_algorithm sha1;
! 83: dh_group 2;
! 84: }
! 85:
! 86: proposal_check strict;
! 87: }
! 88:
! 89: # Phase 2 proposal (for IPsec SA)
! 90: sainfo anonymous
! 91: {
! 92: pfs_group 2;
! 93: lifetime time 12 hour;
! 94: encryption_algorithm 3des, rijndael;
! 95: authentication_algorithm hmac_sha1;
! 96: compression_algorithm deflate;
! 97: }