| # Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp |
| # Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs |
| |
| # This file can be used as a template for NAT-Traversal setups. |
| # Only NAT-T related options are explained here, refer to other |
| # sample files and manual pages for details about the rest. |
| |
| path include "/etc/racoon"; |
| path certificate "/etc/racoon/cert"; |
| |
| # Define addresses and ports where racoon will listen for an incoming |
| # traffic. Don't forget to open these ports on your firewall! |
| listen |
| { |
| # First define an address where racoon will listen |
| # for "normal" IKE traffic. IANA allocated port 500. |
| isakmp 172.16.0.1[500]; |
| |
| # To use NAT-T you must also open port 4500 of |
| # the same address so that peers can do 'Port floating'. |
| # The same port will also be used for the UDP-Encapsulated |
| # ESP traffic. |
| isakmp_natt 172.16.0.1[4500]; |
| } |
| |
| |
| timer |
| { |
| # To keep the NAT-mappings on your NAT gateway, there must be |
| # traffic between the peers. Normally the UDP-Encap traffic |
| # (i.e. the real data transported over the tunnel) would be |
| # enough, but to be safe racoon will send a short |
| # "Keep-alive packet" every few seconds to every peer with |
| # whom it does NAT-Traversal. |
| # The default is 20s. Set it to 0s to disable sending completely. |
| natt_keepalive 10 sec; |
| } |
| |
| # To trigger the SA negotiation there must be an appropriate |
| # policy in the kernel SPD. For example for traffic between |
| # networks 192.168.0.0/24 and 192.168.1.0/24 with gateways |
| # 172.16.0.1 and 172.16.1.1, where the first gateway is behind |
| # a NAT which translates its address to 172.16.1.3, you need the |
| # following rules: |
| # On 172.16.0.1 (e.g. behind the NAT): |
| # spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \ |
| # esp/tunnel/172.16.0.1-172.16.1.1/require; |
| # spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \ |
| # esp/tunnel/172.16.1.1-172.16.0.1/require; |
| # On the other side (172.16.1.1) either use a "generate_policy on" |
| # statement in the remote block, or in case that you know |
| # the translated address, use the following policy: |
| # spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \ |
| # esp/tunnel/172.16.1.1-172.16.1.3/require; |
| # spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \ |
| # esp/tunnel/172.16.1.3-172.16.1.1/require; |
| |
| # Phase 1 configuration (for ISAKMP SA) |
| remote anonymous |
| { |
| # NAT-T is supported with all exchange_modes. |
| exchange_mode main,base,aggressive; |
| |
| # With NAT-T you shouldn't use PSK. Let's go on with certs. |
| my_identifier asn1dn; |
| certificate_type x509 "your-host.cert.pem" "your-host.key.pem"; |
| |
| # This is the main switch that enables NAT-T. |
| # Possible values are: |
| # off - NAT-T support is disabled, i.e. neither offered, |
| # nor accepted. This is the default. |
| # on - normal NAT-T support, i.e. if NAT is detected |
| # along the way, NAT-T is used. |
| # force - if NAT-T is supported by both peers, it is used |
| # regardless of whether there is a NAT gateway between them |
| # or not. This is useful for traversing some firewalls. |
| nat_traversal on; |
| |
| proposal { |
| authentication_method rsasig; |
| encryption_algorithm 3des; |
| hash_algorithm sha1; |
| dh_group 2; |
| } |
| |
| proposal_check strict; |
| } |
| |
| # Phase 2 proposal (for IPsec SA) |
| sainfo anonymous |
| { |
| pfs_group 2; |
| lifetime time 12 hour; |
| encryption_algorithm 3des, rijndael; |
| authentication_algorithm hmac_sha1; |
| compression_algorithm deflate; |
| } |
