File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon / samples / racoon.conf.in
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Tue Feb 21 22:39:10 2012 UTC (12 years, 10 months ago) by misho
Branches: ipsec-tools, MAIN
CVS tags: v0_8_2p2, v0_8_1p0, v0_8_1, v0_8_0p0, v0_8_0, HEAD
ipsec-tools

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" affects "include" directives.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "@sysconfdir_x@/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address; 	# requires that all addresses must be bound.
}

# Specify various default timers.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous
{
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

	my_identifier asn1dn;
	certificate_type x509 "my.cert.pem" "my.key.pem";

	nonce_size 16;
	initial_contact on;
	proposal_check strict;	# obey, strict, or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
	}
}

remote ::1 [8000]
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 2;
	lifetime time 30 sec;
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 3;
	lifetime time 60 sec;
	encryption_algorithm 3des, blowfish, aes;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>