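# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with a relative file path.
# You can override the "path" directive afterwards; however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# The file should contain key ID/key pairs for pre-shared key authentication.
# It holds secrets: keep it owned by the user racoon runs as and readable by
# that user only (racoon is expected to refuse a group/world-readable key
# file -- confirm against your build).
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

# racoon will look for certificate files in this directory
# if a certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies the logging level. It is followed by either "notify", "debug"
# or "debug2". The debug levels are verbose and may record negotiation
# details; keep the default level in production and protect the log file.
#log debug;
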
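remote anonymous
{
	# Phase 1 exchange modes offered/accepted, in order of preference.
	# Aggressive mode is deliberately left out of the active line: with
	# pre-shared keys it sends a PSK-derived hash before the channel is
	# encrypted, which exposes the key to offline guessing.
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ;	# sec,min,hour

	# "passive on" makes racoon act only as a responder for this peer
	# (it never initiates), which narrows exposure on gateways.
	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	# NOTE(review): 3des, sha1 and dh_group 2 (1024-bit MODP) are legacy
	# choices kept here for interoperability; prefer a stronger cipher,
	# hash and a larger DH group where the peer and this build support them.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# Setting proposal_check to "obey" would make racoon (as a responder)
	# accept the initiator's lifetime and PFS group proposal as-is.
	# This would make testing "so much easier", but is really
	# *not* secure !!!  "strict" keeps the responder's own limits in force.
	proposal_check strict;
}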
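
# phase 2 proposal (for IPsec SA).
# The actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
# NOTE(review): the algorithms appear to be offered in the order listed;
# des (56-bit key) and hmac_md5 are legacy and should be dropped where
# peers allow, with rijndael moved to the front of the list.
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}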