source: rtems-libbsd/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt @ ff36f5e

# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs

# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other 
# sample files and manual pages for details about the rest.

path include "/etc/racoon";
path certificate "/etc/racoon/cert";

# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
listen
{
        # First define an address where racoon will listen 
        # for "normal" IKE traffic. IANA allocated port 500.
        isakmp 172.16.0.1[500];

        # To use NAT-T you must also open port 4500 of 
        # the same address so that peers can do 'Port floating'.
        # The same port will also be used for the UDP-Encapsulated 
        # ESP traffic.
        isakmp_natt 172.16.0.1[4500];
}


timer
{
        # To keep the NAT-mappings on your NAT gateway, there must be
        # traffic between the peers. Normally the UDP-Encap traffic
        # (i.e. the real data transported over the tunnel) would be
        # enough, but to be safe racoon will send a short
        # "Keep-alive packet" every few seconds to every peer with
        # whom it does NAT-Traversal.
        # The default is 20s. Set it to 0s to disable sending completely.
        natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate 
# policy in the kernel SPD. For example for traffic between 
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
# a NAT which translates its address to 172.16.1.3, you need the 
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#            esp/tunnel/172.16.0.1-172.16.1.1/require;
#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#            esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know 
# the translated address, use the following policy:
#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#            esp/tunnel/172.16.1.1-172.16.1.3/require;
#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#            esp/tunnel/172.16.1.3-172.16.1.1/require;

# Phase 1 configuration (for ISAKMP SA)
remote anonymous
{
        # NAT-T is supported with all exchange_modes.
        exchange_mode main,base,aggressive;

        # With NAT-T you shouldn't use PSK. Let's go on with certs.
        my_identifier asn1dn;
        certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

        # This is the main switch that enables NAT-T.
        # Possible values are:
        #   off - NAT-T support is disabled, i.e. neither offered,
        #         nor accepted. This is the default.
        #    on - normal NAT-T support, i.e. if NAT is detected 
        #         along the way, NAT-T is used.
        # force - if NAT-T is supported by both peers, it is used
        #         regardless of whether there is a NAT gateway between them
        #         or not. This is useful for traversing some firewalls.
        nat_traversal on;
        
        proposal {
                authentication_method rsasig;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
        }

        proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}