# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
remote anonymous
{
#exchange_mode main,aggressive,base;
exchange_mode main,base;
#my_identifier fqdn "server.kame.net";
#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
lifetime time 24 hour ; # sec,min,hour
#initial_contact off ;
#passive on ;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
# the configuration could makes racoon (as a responder)
# to obey the initiator's lifetime and PFS group proposal,
# by setting proposal_check to obey.
# this would makes testing "so much easier", but is really
# *not* secure !!!
proposal_check strict;
}
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>