
1.1       misho       1: # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
                      2: 
                      3: # "path" affects "include" directives.  "path" must be specified before any
                      4: # "include" directive that uses a relative file path.
                      5: # "path" may be redefined later in the file, but then it is easy to lose track
                      6: # of which directory a given "include" was resolved against; avoid doing so.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";		# relative name: resolved under the "path include" directory above.

# Pre-shared keys, one identifier/key pair per line.  Everything in this file
# is a long-term secret: keep it owned by root with mode 0600.  racoon may
# refuse to load a group- or world-readable key file (TODO confirm against this
# build's permission check on the psk file).
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

# Directory racoon searches for certificate files when a certificate or
# certificate request payload is received (and, presumably, for the files named
# by "certificate_type" -- confirm).  "@sysconfdir_x@" is substituted at build time.
path certificate "@sysconfdir_x@/cert";
                     16: 
                     17: # "log" specifies the logging level: "notify", "debug" or "debug2".  The debug
                     18: # levels are very verbose; use them for troubleshooting only, not in production.
                     19: #log debug;
                     20: 
                     21: # "padding" defines some padding parameters.  You should not touch these.
# ISAKMP payload padding parameters.  Leave these at the sample values;
# presumably only interoperability with a peer that pads differently would
# ever call for changing them.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# randomize the padding length.
	strict_check off;	# strict check of received padding.
	exclusive_tail off;	# extract the last octet.
}
                     29: 
                     30: # if no listen directive is specified, racoon listens on every address of every
                     31: # interface; on a multi-homed host list only the addresses peers should reach.
# Addresses (and optional ports) on which racoon accepts IKE.  One "isakmp"
# line per address; with none given, every local address is bound.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl.  NOTE(review): this is a
				# control channel; make sure it is not reachable from
				# untrusted networks if enabled.
	#strict_address;	# require that every listed address is actually bound.
}
                     39: 
                     40: # Specify various default timers.
# Retransmission and negotiation timeouts.  These are global defaults.
timer
{
	# These values can be overridden per remote node.
	counter 5;		# maximum number of times a packet is (re)sent.
	interval 20 sec;	# maximum interval between resends.
	persend 1;		# number of copies of each packet per send.

	# maximum time to wait for each phase to complete.  Keeping these short
	# bounds how long state for an unfinished negotiation is held.
	phase1 30 sec;
	phase2 15 sec;
}
                     52: 
                     53: remote anonymous
                     54: {
                     55:        exchange_mode main,aggressive;
                     56:        doi ipsec_doi;
                     57:        situation identity_only;
                     58: 
                     59:        my_identifier asn1dn;
                     60:        certificate_type x509 "my.cert.pem" "my.key.pem";
                     61: 
                     62:        nonce_size 16;
                     63:        initial_contact on;
                     64:        proposal_check strict;  # obey, strict, or claim
                     65: 
                     66:        proposal {
                     67:                encryption_algorithm 3des;
                     68:                hash_algorithm sha1;
                     69:                authentication_method rsasig;
                     70:                dh_group 2;
                     71:        }
                     72: }
                     73: 
# Sample loopback peer: IPv6 ::1, IKE on port 8000, pre-shared-key authentication.
remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	# NOTE(review): aggressive mode with a pre-shared key sends the identity in
	# the clear and lets anyone who can observe (or initiate) the exchange run
	# an offline guessing attack on the PSK.  Tolerable on loopback for a test;
	# for real peers prefer main mode and use a long random key.
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";	# presumably also the lookup ID in psk.txt -- confirm.
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour -- phase 1 SA lifetime; 1 min is a test value.

	proposal {
		encryption_algorithm 3des;	# NOTE(review): 64-bit block cipher; prefer aes where supported.
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;			# NOTE(review): 1024-bit MODP.
	}
}
                     95: 
# Phase 2 defaults for any selector not matched by a more specific "sainfo".
sainfo anonymous
{
	pfs_group 2;			# NOTE(review): 1024-bit MODP; prefer a larger group where supported.
	encryption_algorithm 3des;	# NOTE(review): 64-bit block cipher; aes is accepted by this file's syntax (see below).
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
                    103: 
                    104: sainfo address 203.178.141.209 any address 203.178.141.218 any
                    105: {
                    106:        pfs_group 2;
                    107:        lifetime time 30 sec;
                    108:        encryption_algorithm des;
                    109:        authentication_algorithm hmac_md5;
                    110:        compression_algorithm deflate;
                    111: }
                    112: 
                    113: sainfo address ::1 icmp6 address ::1 icmp6
                    114: {
                    115:        pfs_group 3;
                    116:        lifetime time 60 sec;
                    117:        encryption_algorithm 3des, blowfish, aes;
                    118:        authentication_algorithm hmac_sha1, hmac_md5;
                    119:        compression_algorithm deflate;
                    120: }
                    121: 
