src/racoon/samples/racoon.conf.sample - platform/external/ipsec-tools - Git at Google

 # $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

 # "path" affects "include" directives.  "path" must be specified before any
 # "include" directive with relative file path.
 # you can overwrite "path" directive afterwards, however, doing so may add
 # more confusion.
 #path include "/usr/local/v6/etc" ;
 #include "remote.conf" ;

 # the file should contain key ID/key pairs, for pre-shared key authentication.
 path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

 # racoon will look for certificate file in the directory,
 # if the certificate/certificate request payload is received.
 #path certificate "/usr/local/openssl/certs" ;

 # "log" specifies logging level.  It is followed by either "notify", "debug"
 # or "debug2".
 #log debug;

 remote anonymous
 {
 	#exchange_mode main,aggressive,base;
 	exchange_mode main,base;

 	#my_identifier fqdn "server.kame.net";
 	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

 	lifetime time 24 hour ;	# sec,min,hour

 	#initial_contact off ;
 	#passive on ;

 	# phase 1 proposal (for ISAKMP SA)
 	proposal {
 		encryption_algorithm 3des;
 		hash_algorithm sha1;
 		authentication_method pre_shared_key ;
 		dh_group 2 ;
 	}

 	# the configuration could makes racoon (as a responder)
 	# to obey the initiator's lifetime and PFS group proposal,
 	# by setting proposal_check to obey.
 	# this would makes testing "so much easier", but is really
 	# *not* secure !!!
 	proposal_check strict;
 }

 # phase 2 proposal (for IPsec SA).
 # actual phase 2 proposal will obey the following items:
 # - kernel IPsec policy configuration (like "esp/transport//use)
 # - permutation of the crypto/hash/compression algorithms presented below
 sainfo anonymous
 {
 	pfs_group 2;
 	lifetime time 12 hour ;
 	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
 	authentication_algorithm hmac_sha1, hmac_md5 ;
 	compression_algorithm deflate ;
 }
	# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

	# "path" affects "include" directives. "path" must be specified before any
	# "include" directive with relative file path.
	# you can overwrite "path" directive afterwards, however, doing so may add
	# more confusion.
	#path include "/usr/local/v6/etc" ;
	#include "remote.conf" ;

	# the file should contain key ID/key pairs, for pre-shared key authentication.
	path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

	# racoon will look for certificate file in the directory,
	# if the certificate/certificate request payload is received.
	#path certificate "/usr/local/openssl/certs" ;

	# "log" specifies logging level. It is followed by either "notify", "debug"
	# or "debug2".
	#log debug;

	remote anonymous
	{
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ; # sec,min,hour

	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
	encryption_algorithm 3des;
	hash_algorithm sha1;
	authentication_method pre_shared_key ;
	dh_group 2 ;
	}

	# the configuration could makes racoon (as a responder)
	# to obey the initiator's lifetime and PFS group proposal,
	# by setting proposal_check to obey.
	# this would makes testing "so much easier", but is really
	# not secure !!!
	proposal_check strict;
	}

	# phase 2 proposal (for IPsec SA).
	# actual phase 2 proposal will obey the following items:
	# - kernel IPsec policy configuration (like "esp/transport//use)
	# - permutation of the crypto/hash/compression algorithms presented below
	sainfo anonymous
	{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
	}