
E.3. /etc/sysconfig/racoon.conf

# GPL $Id: racoon.conf,v 1.1.1.1 2005/02/28 18:22:49 cvonk Exp $
# configuration for the IPsec IKE daemon (racoon); road-warrior responder with X.509 authentication

# Directory holding our certificate/key pair and the CA certificates (and any
# CRLs) used to verify peers. The private key referenced below lives here:
# keep the directory and key file readable by root only.
path certificate "/etc/sysconfig/racoon";

# added for NATT in tunnel mode
timer {
    natt_keepalive 10sec;  # keep the NAT mapping for UDP/4500 alive
}

# added for NATT in tunnel mode, 0.0.0.0 will be replaced by startup script
# NOTE(review): if the startup script does not substitute an address,
# racoon listens on every interface -- confirm the substitution happens.
listen {
    isakmp 0.0.0.0[500];       # IKE
    isakmp_natt 0.0.0.0[4500]; # IKE/ESP encapsulated in UDP (NAT-T)
}

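remote anonymous {
    exchange_mode main;

    # Accept connections from any road-warrior whose certificate chains to a
    # CA in "path certificate", and install its SPD policies on the fly.
    # NOTE(review): "anonymous" + generate_policy means every holder of a
    # certificate from that CA can request policies for arbitrary networks --
    # issue certificates only to clients of this gateway.
    generate_policy on;
    passive on;

    # Require the ID payload the peer sends to match the subject DN of the
    # certificate it presents; without this a peer can claim any identity.
    # Clients that send an FQDN/e-mail ID instead of their DN will be rejected.
    verify_identifier on;
    # Verify the peer's certificate chain against the CA certificates in
    # "path certificate". Revocation is only checked if a CRL is installed in
    # that directory -- TODO confirm the behaviour of this racoon build.
    verify_cert on;
    certificate_type x509 "siso.vonk-cert.pem" "siso.vonk-key.pem";

    my_identifier asn1dn;     # my ID is the subject DN of my certificate
    peers_identifier asn1dn;  # peer's ID must be the subject DN of its certificate

    nat_traversal on;         # added for NATT in tunnel mode
    ike_frag on;              # fragment large IKE messages (certificates)
    #esp_frag 552;		# disabled, no kernel support

    proposal {
        # 3DES (64-bit block) and modp1024 replaced by AES and a 2048-bit
        # group; road-warrior clients must be configured to match.
        encryption_algorithm aes;
        hash_algorithm sha1;  # upgrade to sha256 where the build supports it; never md5
        authentication_method rsasig;  # X.509 RSA signature authentication
        dh_group modp2048;
    }
}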

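sainfo anonymous {
    lifetime time 28800 sec;
    # Perfect forward secrecy: a fresh DH exchange per phase-2 SA, so a
    # compromised phase-1 key does not expose past ESP traffic.
    pfs_group modp2048;
    # 3DES and HMAC-MD5 replaced; road-warrior clients must offer the same.
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}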

# NOTE(review): debug output is verbose and records negotiation details for
# every peer; lower to notify once the tunnel is known to work.
log debug;

Example E.3. /etc/sysconfig/racoon.conf