src/racoon/samples/racoon.conf.in - platform/external/ipsec-tools - Git at Google

 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

 # "path" affects "include" directives.  "path" must be specified before any
 # "include" directive with relative file path.
 # you can overwrite "path" directive afterwards, however, doing so may add
 # more confusion.
 path include "@sysconfdir_x@/racoon";
 #include "remote.conf";

 # the file should contain key ID/key pairs, for pre-shared key authentication.
 path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

 # racoon will look for certificate file in the directory,
 # if the certificate/certificate request payload is received.
 path certificate "@sysconfdir_x@/cert";

 # "log" specifies logging level.  It is followed by either "notify", "debug"
 # or "debug2".
 #log debug;

 # "padding" defines some padding parameters.  You should not touch these.
 padding
 {
 	maximum_length 20;	# maximum padding length.
 	randomize off;		# enable randomize length.
 	strict_check off;	# enable strict check.
 	exclusive_tail off;	# extract last one octet.
 }

 # if no listen directive is specified, racoon will listen on all
 # available interface addresses.
 listen
 {
 	#isakmp ::1 [7000];
 	#isakmp 202.249.11.124 [500];
 	#admin [7002];		# administrative port for racoonctl.
 	#strict_address; 	# requires that all addresses must be bound.
 }

 # Specify various default timers.
 timer
 {
 	# These value can be changed per remote node.
 	counter 5;		# maximum trying count to send.
 	interval 20 sec;	# maximum interval to resend.
 	persend 1;		# the number of packets per send.

 	# maximum time to wait for completing each phase.
 	phase1 30 sec;
 	phase2 15 sec;
 }

 remote anonymous
 {
 	exchange_mode main,aggressive;
 	doi ipsec_doi;
 	situation identity_only;

 	my_identifier asn1dn;
 	certificate_type x509 "my.cert.pem" "my.key.pem";

 	nonce_size 16;
 	initial_contact on;
 	proposal_check strict;	# obey, strict, or claim

 	proposal {
 		encryption_algorithm 3des;
 		hash_algorithm sha1;
 		authentication_method rsasig;
 		dh_group 2;
 	}
 }

 remote ::1 [8000]
 {
 	#exchange_mode main,aggressive;
 	exchange_mode aggressive,main;
 	doi ipsec_doi;
 	situation identity_only;

 	my_identifier user_fqdn "sakane@kame.net";
 	peers_identifier user_fqdn "sakane@kame.net";
 	#certificate_type x509 "mycert" "mypriv";

 	nonce_size 16;
 	lifetime time 1 min;	# sec,min,hour

 	proposal {
 		encryption_algorithm 3des;
 		hash_algorithm sha1;
 		authentication_method pre_shared_key;
 		dh_group 2;
 	}
 }

 sainfo anonymous
 {
 	pfs_group 2;
 	encryption_algorithm 3des;
 	authentication_algorithm hmac_sha1;
 	compression_algorithm deflate;
 }

 sainfo address 203.178.141.209 any address 203.178.141.218 any
 {
 	pfs_group 2;
 	lifetime time 30 sec;
 	encryption_algorithm des;
 	authentication_algorithm hmac_md5;
 	compression_algorithm deflate;
 }

 sainfo address ::1 icmp6 address ::1 icmp6
 {
 	pfs_group 3;
 	lifetime time 60 sec;
 	encryption_algorithm 3des, blowfish, aes;
 	authentication_algorithm hmac_sha1, hmac_md5;
 	compression_algorithm deflate;
 }
	# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

	# "path" affects "include" directives. "path" must be specified before any
	# "include" directive with relative file path.
	# you can overwrite "path" directive afterwards, however, doing so may add
	# more confusion.
	path include "@sysconfdir_x@/racoon";
	#include "remote.conf";

	# the file should contain key ID/key pairs, for pre-shared key authentication.
	path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

	# racoon will look for certificate file in the directory,
	# if the certificate/certificate request payload is received.
	path certificate "@sysconfdir_x@/cert";

	# "log" specifies logging level. It is followed by either "notify", "debug"
	# or "debug2".
	#log debug;

	# "padding" defines some padding parameters. You should not touch these.
	padding
	{
	maximum_length 20; # maximum padding length.
	randomize off; # enable randomize length.
	strict_check off; # enable strict check.
	exclusive_tail off; # extract last one octet.
	}

	# if no listen directive is specified, racoon will listen on all
	# available interface addresses.
	listen
	{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002]; # administrative port for racoonctl.
	#strict_address; # requires that all addresses must be bound.
	}

	# Specify various default timers.
	timer
	{
	# These value can be changed per remote node.
	counter 5; # maximum trying count to send.
	interval 20 sec; # maximum interval to resend.
	persend 1; # the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
	}

	remote anonymous
	{
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

	my_identifier asn1dn;
	certificate_type x509 "my.cert.pem" "my.key.pem";

	nonce_size 16;
	initial_contact on;
	proposal_check strict; # obey, strict, or claim

	proposal {
	encryption_algorithm 3des;
	hash_algorithm sha1;
	authentication_method rsasig;
	dh_group 2;
	}
	}

	remote ::1 [8000]
	{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min; # sec,min,hour

	proposal {
	encryption_algorithm 3des;
	hash_algorithm sha1;
	authentication_method pre_shared_key;
	dh_group 2;
	}
	}

	sainfo anonymous
	{
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	}

	sainfo address 203.178.141.209 any address 203.178.141.218 any
	{
	pfs_group 2;
	lifetime time 30 sec;
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	}

	sainfo address ::1 icmp6 address ::1 icmp6
	{
	pfs_group 3;
	lifetime time 60 sec;
	encryption_algorithm 3des, blowfish, aes;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
	}