
1.1     ! misho       1: # Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
        !             2: # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
        !             3: 
        !             4: # This file can be used as a template for NAT-Traversal setups.
        !             5: # Only NAT-T-related options are explained here; refer to the other
        !             6: # sample files and manual pages for details about the rest.
        !             7: 
        !             8: path include "/etc/racoon";
        !             9: path certificate "/etc/racoon/cert";
        !            10: 
        !            11: # Define the addresses and ports where racoon will listen for incoming
        !            12: # traffic. Don't forget to open these ports on your firewall!
        !            13: listen
        !            14: {
        !            15:        # First define an address where racoon will listen 
        !            16:        # for "normal" IKE traffic. IANA allocated port 500.
        !            17:        isakmp 172.16.0.1[500];
        !            18: 
        !            19:        # To use NAT-T you must also open port 4500 of 
        !            20:        # the same address so that peers can do 'Port floating'.
        !            21:        # The same port will also be used for the UDP-Encapsulated 
        !            22:        # ESP traffic.
        !            23:        isakmp_natt 172.16.0.1[4500];
        !            24: }
        !            25: 
        !            26: 
        !            27: timer
        !            28: {
        !            29:        # To keep the NAT mappings on your NAT gateway alive, there must be
        !            30:        # traffic between the peers. Normally the UDP-Encap traffic
        !            31:        # (i.e. the real data transported over the tunnel) would be
        !            32:        # enough, but to be safe racoon will send a short
        !            33:        # "keep-alive" packet every few seconds to every peer with
        !            34:        # which it does NAT-Traversal.
        !            35:        # The default is 20s; set it to 0s to disable keep-alives entirely.
        !            36:        natt_keepalive 10 sec;
        !            37: }
        !            38: 
        !            39: # To trigger the SA negotiation there must be an appropriate 
        !            40: # policy in the kernel SPD. For example for traffic between 
        !            41: # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
        !            42: # 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
        !            43: # a NAT which translates its address to 172.16.1.3, you need the 
        !            44: # following rules:
        !            45: # On 172.16.0.1 (i.e. the gateway behind the NAT):
        !            46: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
        !            47: #            esp/tunnel/172.16.0.1-172.16.1.1/require;
        !            48: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
        !            49: #            esp/tunnel/172.16.1.1-172.16.0.1/require;
        !            50: # On the other side (172.16.1.1) either use a "generate_policy on"
        !            51: # statement in the remote block or, if you know
        !            52: # the translated address, use the following policy:
        !            53: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
        !            54: #            esp/tunnel/172.16.1.1-172.16.1.3/require;
        !            55: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
        !            56: #            esp/tunnel/172.16.1.3-172.16.1.1/require;
        !            57: 
        !            58: # Phase 1 configuration (for ISAKMP SA). The algorithms in the proposal below (3DES, SHA-1, DH group 2) and in the phase 2 block are of 2005 vintage; check them against current guidance before deploying.
        !            59: remote anonymous
        !            60: {
        !            61:        # NAT-T is supported with all exchange_modes. Note that aggressive mode exchanges the peer identities before encryption is established; list only the modes your peers require.
        !            62:        exchange_mode main,base,aggressive;
        !            63: 
        !            64:        # With NAT-T you shouldn't use a pre-shared key (PSK); this sample uses certificates instead.
        !            65:        my_identifier asn1dn;
        !            66:        certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
        !            67: 
        !            68:        # This is the main switch that enables NAT-T.
        !            69:        # Possible values are:
        !            70:        #   off - NAT-T support is disabled, i.e. neither offered,
        !            71:        #         nor accepted. This is the default.
        !            72:        #    on - normal NAT-T support, i.e. if NAT is detected 
        !            73:        #         along the way, NAT-T is used.
        !            74:        # force - if NAT-T is supported by both peers, it is used
        !            75:        #         regardless of whether there is a NAT gateway between them
        !            76:        #         or not. This is useful for traversing some firewalls.
        !            77:        nat_traversal on;
        !            78:        
        !            79:        proposal {
        !            80:                authentication_method rsasig;
        !            81:                encryption_algorithm 3des;
        !            82:                hash_algorithm sha1;
        !            83:                dh_group 2;
        !            84:        }
        !            85: 
        !            86:        proposal_check strict;
        !            87: }
        !            88: 
        !            89: # Phase 2 proposal (for IPsec SA)
        !            90: sainfo anonymous
        !            91: {
        !            92:        pfs_group 2;
        !            93:        lifetime time 12 hour;
        !            94:        encryption_algorithm 3des, rijndael;
        !            95:        authentication_algorithm hmac_sha1;
        !            96:        compression_algorithm deflate;
        !            97: }
