Annotation of embedaddon/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt, revision 1.1.1.1

1.1       misho       1: # Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
                      2: # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
                      3: 
                      4: # This file can be used as a template for NAT-Traversal setups.
                      5: # Only NAT-T related options are explained here, refer to other 
                      6: # sample files and manual pages for details about the rest.
                      7: 
                      8: path include "/etc/racoon";
                      9: path certificate "/etc/racoon/cert";
                     10: 
                     11: # Define addresses and ports where racoon will listen for an incoming
                     12: # traffic. Don't forget to open these ports on your firewall!
                     13: listen
                     14: {
                     15:        # First define an address where racoon will listen 
                     16:        # for "normal" IKE traffic. IANA allocated port 500.
                     17:        isakmp 172.16.0.1[500];
                     18: 
                     19:        # To use NAT-T you must also open port 4500 of 
                     20:        # the same address so that peers can do 'Port floating'.
                     21:        # The same port will also be used for the UDP-Encapsulated 
                     22:        # ESP traffic.
                     23:        isakmp_natt 172.16.0.1[4500];
                     24: }
                     25: 
                     26: 
                     27: timer
                     28: {
                     29:        # To keep the NAT-mappings on your NAT gateway, there must be
                     30:        # traffic between the peers. Normally the UDP-Encap traffic
                     31:        # (i.e. the real data transported over the tunnel) would be
                     32:        # enough, but to be safe racoon will send a short
                     33:        # "Keep-alive packet" every few seconds to every peer with
                     34:        # whom it does NAT-Traversal.
                     35:        # The default is 20s. Set it to 0s to disable sending completely.
                     36:        natt_keepalive 10 sec;
                     37: }
                     38: 
                     39: # To trigger the SA negotiation there must be an appropriate 
                     40: # policy in the kernel SPD. For example for traffic between 
                     41: # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
                     42: # 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
                     43: # a NAT which translates its address to 172.16.1.3, you need the 
                     44: # following rules:
                     45: # On 172.16.0.1 (e.g. behind the NAT):
                     46: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
                     47: #            esp/tunnel/172.16.0.1-172.16.1.1/require;
                     48: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
                     49: #            esp/tunnel/172.16.1.1-172.16.0.1/require;
                     50: # On the other side (172.16.1.1) either use a "generate_policy on"
                     51: # statement in the remote block, or in case that you know 
                     52: # the translated address, use the following policy:
                     53: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
                     54: #            esp/tunnel/172.16.1.1-172.16.1.3/require;
                     55: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
                     56: #            esp/tunnel/172.16.1.3-172.16.1.1/require;
                     57: 
                     58: # Phase 1 configuration (for ISAKMP SA)
                     59: remote anonymous
                     60: {
                     61:        # NAT-T is supported with all exchange_modes.
                     62:        exchange_mode main,base,aggressive;
                     63: 
                     64:        # With NAT-T you shouldn't use PSK. Let's go on with certs.
                     65:        my_identifier asn1dn;
                     66:        certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
                     67: 
                     68:        # This is the main switch that enables NAT-T.
                     69:        # Possible values are:
                     70:        #   off - NAT-T support is disabled, i.e. neither offered,
                     71:        #         nor accepted. This is the default.
                     72:        #    on - normal NAT-T support, i.e. if NAT is detected 
                     73:        #         along the way, NAT-T is used.
                     74:        # force - if NAT-T is supported by both peers, it is used
                     75:        #         regardless of whether there is a NAT gateway between them
                     76:        #         or not. This is useful for traversing some firewalls.
                     77:        nat_traversal on;
                     78:        
                     79:        proposal {
                     80:                authentication_method rsasig;
                     81:                encryption_algorithm 3des;
                     82:                hash_algorithm sha1;
                     83:                dh_group 2;
                     84:        }
                     85: 
                     86:        proposal_check strict;
                     87: }
                     88: 
                     89: # Phase 2 proposal (for IPsec SA)
                     90: sainfo anonymous
                     91: {
                     92:        pfs_group 2;
                     93:        lifetime time 12 hour;
                     94:        encryption_algorithm 3des, rijndael;
                     95:        authentication_algorithm hmac_sha1;
                     96:        compression_algorithm deflate;
                     97: }

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>