source: rtems-libbsd/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt @ ff36f5e

Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on May 30, 2018 at 12:27:35 PM

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

1# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
2# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
3
4# This file can be used as a template for NAT-Traversal setups.
5# Only NAT-T related options are explained here; refer to other
6# sample files and manual pages for details about the rest. The algorithm choices in the proposal blocks below (3des, sha1, dh_group 2) are illustrative and should be reviewed against current recommendations before deployment.
7
8path include "/etc/racoon";
9path certificate "/etc/racoon/cert";
10
11# Define addresses and ports where racoon will listen for incoming
12# traffic. Don't forget to open these ports on your firewall!
13listen
14{
15        # First define an address where racoon will listen
16        # for "normal" IKE traffic. IANA allocated port 500.
17        isakmp 172.16.0.1[500];
18
19        # To use NAT-T you must also open port 4500 of
20        # the same address so that peers can do 'Port floating'.
21        # The same port will also be used for the UDP-Encapsulated
22        # ESP traffic.
23        isakmp_natt 172.16.0.1[4500];
24}
25
26
27timer
28{
29        # To keep the NAT-mappings on your NAT gateway, there must be
30        # traffic between the peers. Normally the UDP-Encap traffic
31        # (i.e. the real data transported over the tunnel) would be
32        # enough, but to be safe racoon will send a short
33        # "Keep-alive packet" every few seconds to every peer with
34        # whom it does NAT-Traversal.
35        # The default is 20s. Set it to 0s to disable sending completely.
36        natt_keepalive 10 sec;
37}
38
39# To trigger the SA negotiation there must be an appropriate
40# policy in the kernel SPD. For example for traffic between
41# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
42# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
43# a NAT which translates its address to 172.16.1.3, you need the
44# following rules:
45# On 172.16.0.1 (i.e. behind the NAT):
46#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
47#            esp/tunnel/172.16.0.1-172.16.1.1/require;
48#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
49#            esp/tunnel/172.16.1.1-172.16.0.1/require;
50# On the other side (172.16.1.1) either use a "generate_policy on"
51# statement in the remote block or, if you know the translated
52# address, use the following policy:
53#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
54#            esp/tunnel/172.16.1.1-172.16.1.3/require;
55#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
56#            esp/tunnel/172.16.1.3-172.16.1.1/require;
57
58# Phase 1 configuration (for ISAKMP SA)
59remote anonymous
60{
61        # NAT-T is supported with all exchange_modes.
62        exchange_mode main,base,aggressive;
63
64        # With NAT-T you shouldn't use PSK (in main mode the PSK is selected by the peer's address, which a NAT rewrites). Use certificates instead.
65        my_identifier asn1dn;
66        certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
67
68        # This is the main switch that enables NAT-T.
69        # Possible values are:
70        #   off - NAT-T support is disabled, i.e. neither offered,
71        #         nor accepted. This is the default.
72        #    on - normal NAT-T support, i.e. if NAT is detected
73        #         along the way, NAT-T is used.
74        # force - if NAT-T is supported by both peers, it is used
75        #         regardless of whether there is a NAT gateway between
76        #         them. This is useful for traversing some firewalls.
77        nat_traversal on;
78       
79        proposal {
80                authentication_method rsasig;
81                encryption_algorithm 3des;
82                hash_algorithm sha1;
83                dh_group 2;
84        }
85
86        proposal_check strict;
87}
88
89# Phase 2 proposal (for IPsec SA)
90sainfo anonymous
91{
92        pfs_group 2;
93        lifetime time 12 hour;
94        encryption_algorithm 3des, rijndael;
95        authentication_algorithm hmac_sha1;
96        compression_algorithm deflate;
97}