
racoon.conf

a guest
Oct 23rd, 2018
  1. path pre_shared_key "/usr/local/etc/racoon/psk.txt"; # file holding the IKE pre-shared keys; keep it owned by the user racoon runs as and unreadable by anyone else (mode 0600)
  2. log notify; # log verbosity: keep at 'notify' once testing and debugging are complete; NOTE(review): the debug levels are far more detailed and may expose negotiation internals in the log - confirm before enabling on a production host
  3.  
  4. padding # padding applied to IKE payloads; the author marks these options as not to be changed - presumably they match the peer, confirm before editing
  5. {
  6. maximum_length 20;
  7. randomize off;
  8. strict_check off;
  9. exclusive_tail off;
  10. }
  11.  
  12. timer # retransmission and negotiation timeouts; change as needed
  13. {
  14. counter 5; # maximum number of retransmissions before giving up
  15. interval 20 sec; # wait between retransmissions
  16. persend 1; # packets sent per transmission
  17. # natt_keepalive 15 sec;
  18. phase1 30 sec; # maximum time allowed to complete phase 1
  19. phase2 15 sec; # maximum time allowed to complete phase 2
  20. }
  21.  
  22. listen # address [port] that racoon will listen on; bind to the tunnel endpoint address only and limit UDP 500/4500 to the peer address at the firewall
  23. {
  24. isakmp <source ip> [500]; # IKE listener
  25. isakmp_natt <source ip> [4500]; # NAT-T listener; nat_traversal and natt_keepalive are commented out elsewhere in this file, so drop this line if NAT-T is not used
  26. }
  27.  
  28. remote <dest ip> { # phase 1 (IKE SA) settings for this one peer
  29. exchange_mode main; # main mode only; aggressive mode is not offered
  30. lifetime time 28800 seconds; # IKE SA lifetime (8 hours)
  31. doi ipsec_doi;
  32. situation identity_only;
  33. my_identifier address <source ip>; # identify this side by IP address
  34. peers_identifier address <dest ip>; # expected peer ID; NOTE(review): racoon compares it only when verify_identifier is on, which this block does not set - confirm and consider enabling
  35. lifetime time 8 hour; # same value as line 30 (28800 s); one of the two statements is redundant
  36. passive off; # this side may initiate the negotiation as well as respond
  37. proposal_check obey; # as responder, accept the initiator's lifetime and PFS values as sent; 'strict' is the more conservative setting
  38. # nat_traversal off;
  39. generate_policy off; # do not create security policies from what the peer proposes
  40. proposal {
  41. encryption_algorithm aes128;
  42. hash_algorithm sha1; # NOTE(review): prefer sha256 if both peers support it
  43. authentication_method pre_shared_key; # key comes from the file named by 'path pre_shared_key'; use a long random value, since it is the only authentication of the peer
  44. dh_group 2; # 1024-bit MODP group, below current guidance; move both peers to group 14 (2048-bit) or higher together
  45. }
  46. generate_policy off; # repeats line 39
  47. }
  48.  
  49. sainfo address <internal source tunnel ip/30> any address <internal destination tunnel ip/30> any { # phase 2 (IPsec SA) parameters for traffic between the two tunnel-endpoint ranges
  50. pfs_group 2; # PFS is enabled, but with the 1024-bit MODP group; raise to 14 or higher on both peers together
  51. lifetime time 3600 seconds; # IPsec SA lifetime (1 hour)
  52. encryption_algorithm aes128;
  53. authentication_algorithm hmac_sha1; # NOTE(review): prefer hmac_sha256 if both peers support it
  54. compression_algorithm deflate;
  55. }
  56.  
  57. sainfo address <internal source tunnel ip/30> any address <destination-LAN net> any { # phase 2 (IPsec SA) parameters for traffic from the local tunnel endpoint range to the remote LAN
  58. pfs_group 2; # PFS is enabled, but with the 1024-bit MODP group; raise to 14 or higher on both peers together
  59. lifetime time 3600 seconds; # IPsec SA lifetime (1 hour)
  60. encryption_algorithm aes128;
  61. authentication_algorithm hmac_sha1; # NOTE(review): prefer hmac_sha256 if both peers support it
  62. compression_algorithm deflate;
  63. }
  64.  
  65. sainfo address <source-LAN net> any address <destination-LAN net> any { # phase 2 (IPsec SA) parameters for LAN-to-LAN traffic
  66. pfs_group 2; # PFS is enabled, but with the 1024-bit MODP group; raise to 14 or higher on both peers together
  67. lifetime time 3600 seconds; # IPsec SA lifetime (1 hour)
  68. encryption_algorithm aes128;
  69. authentication_algorithm hmac_sha1; # NOTE(review): prefer hmac_sha256 if both peers support it
  70. compression_algorithm deflate;
  71. }