File:
[ELWIX - Embedded LightWeight unIX -] /
elwix /
config /
etc /
default /
racoon /
racoon.conf.sample-natt
Revision
1.1.1.1 (vendor branch):
download - view:
text,
annotated -
select for diffs -
revision graph
Tue Jul 5 23:43:00 2011 UTC (13 years, 5 months ago) by
misho
Branches:
misho,
MAIN
CVS tags:
start,
elwix2_3,
elwix2_2,
elwix2_1,
elwix2_0,
elwix1_9_mips,
elwix1_9,
elwix1_8,
elwix1_7,
elwix1_6,
elwix1_5,
elwix1_4,
Patch1,
HEAD,
ELWIX2_2p0,
ELWIX2_1,
ELWIX2_0,
ELWIX1_9,
ELWIX1_8,
ELWIX1_7,
ELWIX1_6,
ELWIX1_5
ELWIX project
# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";
# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
listen
{
# First define an address where racoon will listen
# for "normal" IKE traffic. IANA allocated port 500.
isakmp 172.16.0.1[500];
# To use NAT-T you must also open port 4500 of
# the same address so that peers can do 'Port floating'.
# The same port will also be used for the UDP-Encapsulated
# ESP traffic.
isakmp_natt 172.16.0.1[4500];
}
timer
{
# To keep the NAT-mappings on your NAT gateway, there must be
# traffic between the peers. Normally the UDP-Encap traffic
# (i.e. the real data transported over the tunnel) would be
# enough, but to be safe racoon will send a short
# "Keep-alive packet" every few seconds to every peer with
# whom it does NAT-Traversal.
# The default is 20s. Set it to 0s to disable sending completely.
natt_keepalive 10 sec;
}
# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
# esp/tunnel/172.16.0.1-172.16.1.1/require;
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
# esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
# esp/tunnel/172.16.1.1-172.16.1.3/require;
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
# esp/tunnel/172.16.1.3-172.16.1.1/require;
# Phase 1 configuration (for ISAKMP SA)
remote anonymous
{
# NAT-T is supported with all exchange_modes.
exchange_mode main,base,aggressive;
# With NAT-T you shouldn't use PSK. Let's go on with certs.
my_identifier asn1dn;
certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
# This is the main switch that enables NAT-T.
# Possible values are:
# off - NAT-T support is disabled, i.e. neither offered,
# nor accepted. This is the default.
# on - normal NAT-T support, i.e. if NAT is detected
# along the way, NAT-T is used.
# force - if NAT-T is supported by both peers, it is used
# regardless of whether there is a NAT gateway between them
# or not. This is useful for traversing some firewalls.
nat_traversal on;
proposal {
authentication_method rsasig;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
}
proposal_check strict;
}
# Phase 2 proposal (for IPsec SA)
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour;
encryption_algorithm 3des, rijndael;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>