# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/etc/racoon" ; # Allow third parties the ability to specify remote and sainfo entries # by including all files matching /etc/racoon/remote/*.conf include "/etc/racoon/remote/*.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/etc/cert" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". #log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 10; # maximum trying count to send. interval 3 sec; # interval to resend (retransmit) persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 30 sec; } # # anonymous entry is defined in /etc/racoon/remote/anonymous.conf # #remote anonymous #{ # #exchange_mode main,aggressive; # exchange_mode aggressive,main; # doi ipsec_doi; # situation identity_only; # # #my_identifier address; # my_identifier user_fqdn "macuser@localhost"; # peers_identifier user_fqdn "macuser@localhost"; # #certificate_type x509 "mycert" "mypriv"; # # nonce_size 16; # lifetime time 1 min; # sec,min,hour # initial_contact on; # support_mip6 on; # proposal_check obey; # obey, strict or claim # # proposal { # encryption_algorithm 3des; # hash_algorithm sha1; # authentication_method pre_shared_key ; # dh_group 2 ; # } #} remote ::1 [8000] { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier user_fqdn "macuser@localhost"; peers_identifier user_fqdn "macuser@localhost"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 1 min; # sec,min,hour proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } # # anonymous entry is defined in /etc/racoon/remote/anonymous.conf # #sainfo anonymous #{ # pfs_group 1; # lifetime time 30 sec; # encryption_algorithm aes, 3des ; # authentication_algorithm hmac_sha1; # compression_algorithm deflate ; #} # sainfo address 203.178.141.209 any address 203.178.141.218 any # { # pfs_group 1; # lifetime time 30 sec; # encryption_algorithm des ; # authentication_algorithm hmac_md5; # compression_algorithm deflate ; # } sainfo address ::1 icmp6 address ::1 icmp6 { pfs_group 1; lifetime time 60 sec; encryption_algorithm 3des, cast128, blowfish 448, des ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; }