# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs

# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
#
# NOTE(review): the cipher/hash/DH choices below date from 2005; see the
# comments in the proposal and sainfo blocks before deploying as-is.

# Search paths for included files and for the certificate/key files
# referenced by certificate_type below. Keep the key file readable by
# root only.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";

# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
# Binding to one explicit address (rather than a wildcard) limits which
# interfaces expose the IKE daemon; restrict 500/udp and 4500/udp on the
# firewall to the expected peers where that is practical.
listen
{
	# First define an address where racoon will listen
	# for "normal" IKE traffic. IANA allocated port 500.
	isakmp 172.16.0.1[500];

	# To use NAT-T you must also open port 4500 of
	# the same address so that peers can do 'Port floating'.
	# The same port will also be used for the UDP-Encapsulated
	# ESP traffic.
	isakmp_natt 172.16.0.1[4500];
}


timer
{
	# To keep the NAT-mappings on your NAT gateway, there must be
	# traffic between the peers. Normally the UDP-Encap traffic
	# (i.e. the real data transported over the tunnel) would be
	# enough, but to be safe racoon will send a short
	# "Keep-alive packet" every few seconds to every peer with
	# whom it does NAT-Traversal.
	# The default is 20s. Set it to 0s to disable sending completely.
	# Disabling only makes sense when other traffic is guaranteed to
	# refresh the NAT mapping; an expired mapping silently drops the
	# tunnel until the next negotiation.
	natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
# a NAT which translates its address to 172.16.1.3, you need the
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#	esp/tunnel/172.16.0.1-172.16.1.1/require;
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#	esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#	esp/tunnel/172.16.1.1-172.16.1.3/require;
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#	esp/tunnel/172.16.1.3-172.16.1.1/require;
#
# NOTE(review): "generate_policy on" lets the responder install SPD
# entries derived from the initiator's phase 2 proposal. Combined with
# "remote anonymous" that applies to any peer whose certificate passes
# verification, so prefer the static policy above whenever the translated
# address is known, and keep the set of trusted CAs narrow.

# Phase 1 configuration (for ISAKMP SA)
# "anonymous" matches every peer address; authentication therefore rests
# entirely on certificate verification (verify_cert is on by default,
# see racoon.conf(5) - do not turn it off here).
remote anonymous
{
	# NAT-T is supported with all exchange_modes.
	exchange_mode main,base,aggressive;

	# With NAT-T you shouldn't use PSK. Let's go on with certs.
	# (Behind a NAT the peer is seen from its translated address, so
	# an address-keyed pre-shared key cannot be selected reliably;
	# aggressive mode with PSK additionally exposes the key-derived
	# hash to offline guessing.)
	my_identifier asn1dn;
	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

	# This is the main switch that enables NAT-T.
	# Possible values are:
	#   off   - NAT-T support is disabled, i.e. neither offered,
	#           nor accepted. This is the default.
	#   on    - normal NAT-T support, i.e. if NAT is detected
	#           along the way, NAT-T is used.
	#   force - if NAT-T is supported by both peers, it is used
	#           regardless of whether there is a NAT gateway between them
	#           or not. This is useful for traversing some firewalls.
	nat_traversal on;

	# Phase 1 proposal. 3des / sha1 / dh_group 2 (1024-bit MODP) are
	# legacy choices kept from the original sample; where both peers
	# run a racoon that accepts them, prefer aes, sha256 and dh_group 14
	# or stronger. Verify the accepted values for your version in
	# racoon.conf(5) before changing them.
	proposal {
		authentication_method rsasig;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 2;
	}

	# strict: reject a peer proposal whose lifetime is longer than, or
	# whose PFS group differs from, what is configured locally (see
	# racoon.conf(5) for the exact rules). This keeps the peer from
	# negotiating the SA down to weaker parameters than intended.
	proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
# "anonymous" applies this proposal to every phase 2 negotiation; the
# same legacy-algorithm note as for phase 1 applies (rijndael is AES,
# hmac_sha1 is the 2005-era default).
sainfo anonymous
{
	# pfs_group 2 is 1024-bit MODP; pair it with the phase 1 dh_group.
	pfs_group 2;
	lifetime time 12 hour;
	encryption_algorithm 3des, rijndael;
	authentication_algorithm hmac_sha1;
	# IPComp; only negotiated when the kernel supports it - presumably
	# harmless otherwise, but drop it if the peer rejects the proposal.
	compression_algorithm deflate;
}