Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon/samples
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv5905/samples
2004-02-20 Michal Ludvig <mludvig@...>
* localconf.h: Change default KA_INTERVAL to 20s
* nattraversal.c (natt_keepalive_init): Don't schedule if interval==0.
* racoon.conf.5: Document 'isakmp_natt' and 'natt_keepalive'.
* samples/racoon.conf.sample-natt: New file with sample NAT-T config.
--- NEW FILE: racoon.conf.sample-natt ---
# $Id: racoon.conf.sample-natt,v 220.127.116.11 2004/02/20 09:45:20 ludvigm Exp $
# Contributed by: Michal Ludvig <mludvig@...>, SUSE Labs
# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here, refer to other
# sample files and manual pages for details about the rest.
path include "/etc/racoon";
path certificate "/etc/racoon/cert";
# Define addresses and ports where racoon will listen for an incoming
# traffic. Don't forget to open these ports on your firewall!
# First define an address where racoon will listen
# for a "normal" IKE traffic. IANA allocated port 500.
# To use NAT-T you must also open the port 4500 of
# the same address so that peers can do 'Port floating'.
# The same port will also be used for the UDP-Encapsulated
# ESP traffic.
# To keep the NAT-mappings on your NAT gateway, there must be
# a traffic between the peers. Noramlly the UDP-Encap traffic
# (i.e. the real data transported over the tunnel) would be
# enough, but to be safe racoon will send the a short
# "Keep-alive packet" every few seconds to every peer with
# whom it does NAT-Traversal.
# The default is 20s. Set it to 0 to disable sending completely.
natt_keepalive 10 sec;
# To trigger the SA negotiation there must be an appropriate
# policy in the kernel SPD. For example for traffic between
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
# 172.16.0.1 and 172.16.1.1, where the first gw is behind
# a NAT which translates its address to 172.16.1.3 you need the
# following rules:
# On 172.16.0.1 (e.g. behind the NAT):
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
# On the other side (172.16.1.1) either use "generate_policy on"
# statement in the remote block, or in the case that you know
# the translated address, use the following policy:
# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
# Phase 1 configuration (for ISAKMP SA)
# NAT-T is supported with all exchange_modes.
# With NAT-T you shouldn't use PSK. Let's go on with certs.
certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
# Phase 2 proposal (for IPsec SA)
lifetime time 12 hour;
encryption_algorithm 3des, rijndael;
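Review bot: the four commented `spdadd` examples (two for 172.16.0.1, two for 172.16.1.1) each end in a `\` line continuation with nothing after it, so as shown the rules carry no policy specification and cannot be used as written. Please include the continuation line of each rule, since the tunnel endpoints are the part that differs when one gateway's address is translated to 172.16.1.3. In the keep-alive comment, "Noramlly" should be "Normally" and "send the a short" should be "send a short"; "(e.g. behind the NAT)" looks like it is meant as "i.e.". The comment "With NAT-T you shouldn't use PSK" would be more useful to someone adapting the template if it gave the reason in one sentence.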