| 1 | # $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $ |
|---|
| 2 | |
|---|
| 3 | # "path" affects "include" directives. "path" must be specified before any |
|---|
| 4 | # "include" directive with relative file path. |
|---|
| 5 | # you can overwrite "path" directive afterwards, however, doing so may add |
|---|
| 6 | # more confusion. |
|---|
| 7 | #path include "/usr/local/v6/etc" ; |
|---|
| 8 | #include "remote.conf" ; |
|---|
| 9 | |
|---|
| 10 | # the file should contain key ID/key pairs, for pre-shared key authentication. |
|---|
| 11 | path pre_shared_key "/usr/local/v6/etc/psk.txt" ; |
|---|
| 12 | |
|---|
| 13 | # racoon will look for certificate file in the directory, |
|---|
| 14 | # if the certificate/certificate request payload is received. |
|---|
| 15 | #path certificate "/usr/local/openssl/certs" ; |
|---|
| 16 | |
|---|
| 17 | # "log" specifies logging level. It is followed by either "notify", "debug" |
|---|
| 18 | # or "debug2". |
|---|
| 19 | #log debug; |
|---|
| 20 | |
|---|
| 21 | remote anonymous |
|---|
| 22 | { |
|---|
| 23 | #exchange_mode main,aggressive,base; |
|---|
| 24 | exchange_mode main,base; |
|---|
| 25 | |
|---|
| 26 | #my_identifier fqdn "server.kame.net"; |
|---|
| 27 | #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ; |
|---|
| 28 | |
|---|
| 29 | lifetime time 24 hour ; # sec,min,hour |
|---|
| 30 | |
|---|
| 31 | #initial_contact off ; |
|---|
| 32 | #passive on ; |
|---|
| 33 | |
|---|
| 34 | # phase 1 proposal (for ISAKMP SA) |
|---|
| 35 | proposal { |
|---|
| 36 | encryption_algorithm 3des; |
|---|
| 37 | hash_algorithm sha1; |
|---|
| 38 | authentication_method pre_shared_key ; |
|---|
| 39 | dh_group 2 ; |
|---|
| 40 | } |
|---|
| 41 | |
|---|
| 42 | # the configuration could makes racoon (as a responder) |
|---|
| 43 | # to obey the initiator's lifetime and PFS group proposal, |
|---|
| 44 | # by setting proposal_check to obey. |
|---|
| 45 | # this would makes testing "so much easier", but is really |
|---|
| 46 | # *not* secure !!! |
|---|
| 47 | proposal_check strict; |
|---|
| 48 | } |
|---|
| 49 | |
|---|
| 50 | # phase 2 proposal (for IPsec SA). |
|---|
| 51 | # actual phase 2 proposal will obey the following items: |
|---|
| 52 | # - kernel IPsec policy configuration (like "esp/transport//use) |
|---|
| 53 | # - permutation of the crypto/hash/compression algorithms presented below |
|---|
| 54 | sainfo anonymous |
|---|
| 55 | { |
|---|
| 56 | pfs_group 2; |
|---|
| 57 | lifetime time 12 hour ; |
|---|
| 58 | encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; |
|---|
| 59 | authentication_algorithm hmac_sha1, hmac_md5 ; |
|---|
| 60 | compression_algorithm deflate ; |
|---|
| 61 | } |
|---|
![[RTEMS Logo]](/images/logo.png){kind=logo}
