
    1: # Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
    2: # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
    3: 
    4: # This file can be used as a template for NAT-Traversal setups.
    5: # Only the NAT-T related options are explained here; refer to the
    6: # other sample files and manual pages for details about the rest.
    7: 
    8: path include "/etc/racoon";
    9: path certificate "/etc/racoon/cert";
   10: 
   11: # Define the addresses and ports where racoon will listen for
   12: # incoming traffic. Don't forget to open these ports on your firewall!
   13: listen
   14: {
   15: 	# First define an address where racoon will listen 
   16: 	# for "normal" IKE traffic. IANA allocated port 500.
   17: 	isakmp 172.16.0.1[500];
   18: 
   19: 	# To use NAT-T you must also open port 4500 on the same
   20: 	# address so that peers can do 'port floating'.
   21: 	# The same port will also carry the UDP-encapsulated
   22: 	# ESP traffic.
   23: 	isakmp_natt 172.16.0.1[4500];
   24: }
   25: 
   26: 
   27: timer
   28: {
   29: 	# To keep the NAT mappings on your NAT gateway alive, there must
   30: 	# be traffic between the peers. Normally the UDP-Encap traffic
   31: 	# (i.e. the real data transported over the tunnel) would be
   32: 	# enough, but to be safe racoon sends a short
   33: 	# "keep-alive packet" every few seconds to every peer with
   34: 	# which it does NAT-Traversal.
   35: 	# The default is 20s. Set it to 0s to disable sending completely.
   36: 	natt_keepalive 10 sec;
   37: }
   38: 
   39: # To trigger the SA negotiation there must be an appropriate
   40: # policy in the kernel SPD. For example, for traffic between
   41: # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
   42: # 172.16.0.1 and 172.16.1.1, where the first gateway is behind
   43: # a NAT which translates its address to 172.16.1.3, you need the
   44: # following rules:
   45: # On 172.16.0.1 (i.e. the gateway behind the NAT):
   46: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
   47: #            esp/tunnel/172.16.0.1-172.16.1.1/require;
   48: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
   49: #            esp/tunnel/172.16.1.1-172.16.0.1/require;
   50: # On the other side (172.16.1.1) either use a "generate_policy on"
   51: # statement in the remote block, or, if you know the translated
   52: # address, use the following policy:
   53: #     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
   54: #            esp/tunnel/172.16.1.1-172.16.1.3/require;
   55: #     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
   56: #            esp/tunnel/172.16.1.3-172.16.1.1/require;
   57: 
   58: # Phase 1 configuration (for ISAKMP SA)
   59: remote anonymous
   60: {
   61: 	# NAT-T is supported with all exchange_modes.
   62: 	exchange_mode main,base,aggressive;
   63: 
   64: 	# With NAT-T you shouldn't use PSK: in main mode the pre-shared key is
   64: 	# looked up by the peer's address, which the NAT rewrites. Let's go on with certs.
   65: 	my_identifier asn1dn;
   66: 	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
   67: 
   68: 	# This is the main switch that enables NAT-T.
   69: 	# Possible values are:
   70: 	#   off - NAT-T support is disabled, i.e. it is neither offered
   71: 	#         nor accepted. This is the default.
   72: 	#    on - normal NAT-T support, i.e. NAT-T is used if a NAT is
   73: 	#         detected along the way.
   74: 	# force - if NAT-T is supported by both peers, it is used
   75: 	#         regardless of whether there is a NAT gateway between them
   76: 	#         or not. This is useful for traversing some firewalls.
   77: 	nat_traversal on;
   78: 	
   79: 	proposal {
   80: 		authentication_method rsasig;
   81: 		encryption_algorithm 3des;
   82: 		hash_algorithm sha1;
   83: 		dh_group 2;
   84: 	}
   85: 
   86: 	proposal_check strict;
   87: }
   88: 
   89: # Phase 2 proposal (for IPsec SA)
   90: sainfo anonymous
   91: {
   92: 	pfs_group 2;
   93: 	lifetime time 12 hour;
   94: 	encryption_algorithm 3des, rijndael;
   95: 	authentication_algorithm hmac_sha1;
   96: 	compression_algorithm deflate;
   97: }
