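# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
#
# Sample racoon(8) configuration: one anonymous phase 1 ("remote") section
# and one anonymous phase 2 ("sainfo") section, using pre-shared keys.
# Compared with the stock sample, single DES and HMAC-MD5 are dropped from
# the phase 2 proposal and AES (rijndael) is listed first.

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with a relative file path.
# You can overwrite the "path" directive afterwards; however, doing so may
# add more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# The file should contain key ID/key pairs, for pre-shared key authentication.
# It holds the shared secrets in the clear: keep it owned by root and mode
# 0600, and use long, random keys (a guessable PSK can be recovered offline
# by anyone who observes an aggressive-mode exchange).
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

# racoon will look for the certificate file in this directory
# if a certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies the logging level. It is followed by either "notify",
# "debug" or "debug2". The debug levels are very verbose; do not leave them
# enabled on a production daemon.
#log debug;

remote anonymous
{
	# Main mode protects the identity payload; aggressive mode does not,
	# and with pre-shared keys it lets a passive observer mount an offline
	# dictionary attack on the PSK. Aggressive mode is therefore left
	# disabled. Base mode likewise does not protect identities; drop it
	# too if every peer supports main mode.
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;
	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
	lifetime time 24 hour ;	# sec,min,hour
	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		# Prefer AES here as well if your racoon build accepts it for
		# phase 1; 3des is kept for interoperability with old peers.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		# Group 2 is 1024-bit MODP, which is below current
		# recommendations. Use a larger group (e.g. 5) when both
		# peers and your racoon build support it.
		dh_group 2 ;
	}

	# Setting proposal_check to "obey" makes racoon (as a responder)
	# accept the initiator's lifetime and PFS group. That makes testing
	# "so much easier", but is really *not* secure: a peer could then
	# talk racoon into a weaker PFS group or a very long lifetime.
	# Keep "strict".
	proposal_check strict;
}

# phase 2 proposal (for IPsec SA).
# The actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	# PFS with the same group caveat as dh_group above.
	pfs_group 2;
	lifetime time 12 hour ;
	# rijndael (AES) is listed first so it is offered first. Single DES
	# was removed: its 56-bit key is brute-forceable.
	encryption_algorithm rijndael, 3des, cast128, blowfish 448 ;
	# hmac_md5 was removed; MD5 should not be used in new deployments.
	authentication_algorithm hmac_sha1 ;
	compression_algorithm deflate ;
}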