# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs

# This file can be used as a template for NAT-Traversal setups.
# Only NAT-T related options are explained here; refer to the other
# sample files and manual pages for details about the rest.

# Directory searched by "include" statements.
path include "/etc/racoon";
# Directory against which the certificate and key file names given to
# certificate_type (below) are resolved. Presumably this is also where
# racoon looks up the CA certificates used to verify peers — confirm
# against racoon.conf(5); it should contain only CAs you intend to trust.
path certificate "/etc/racoon/cert";

# Define the addresses and ports where racoon will listen for incoming
# traffic. Don't forget to open these ports on your firewall!
listen
{
	# First define the address where racoon listens for "normal"
	# IKE traffic. IANA allocated port 500 for ISAKMP.
	# Binding to one concrete address (rather than relying on the
	# default of all addresses) keeps racoon from answering IKE on
	# interfaces that were not intended to carry it.
	isakmp 172.16.0.1[500];

	# To use NAT-T you must also open port 4500 on the same address
	# so that peers can do 'port floating'. The same port also
	# carries the UDP-encapsulated ESP traffic.
	# Both 500 and 4500 must be reachable from the peer: a firewall
	# that passes only 500 will let Phase 1 start but break NAT-T.
	isakmp_natt 172.16.0.1[4500];
}


timer
{
	# To keep the NAT mappings on your NAT gateway alive there must be
	# traffic between the peers. Normally the UDP-encapsulated traffic
	# (i.e. the real data transported over the tunnel) would be
	# enough, but to be safe racoon sends a short "keep-alive packet"
	# every few seconds to every peer with whom it does NAT-Traversal.
	# The default is 20s. Set it to 0s to disable sending completely.
	# A shorter interval costs a little bandwidth but survives NAT
	# gateways with short UDP mapping timeouts; 10s is used here.
	natt_keepalive 10 sec;
}

# To trigger the SA negotiation there must be an appropriate 
# policy in the kernel SPD. For example for traffic between 
# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways 
# 172.16.0.1 and 172.16.1.1, where the first gateway is behind 
# a NAT which translates its address to 172.16.1.3, you need the 
# following rules:
# On 172.16.0.1 (i.e. the gateway behind the NAT):
#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
#            esp/tunnel/172.16.0.1-172.16.1.1/require;
#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
#            esp/tunnel/172.16.1.1-172.16.0.1/require;
# On the other side (172.16.1.1) either use a "generate_policy on"
# statement in the remote block, or in case that you know 
# the translated address, use the following policy:
#     spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
#            esp/tunnel/172.16.1.1-172.16.1.3/require;
#     spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
#            esp/tunnel/172.16.1.3-172.16.1.1/require;

# Phase 1 configuration (for ISAKMP SA)
remote anonymous
{
	# NOTE(review): "anonymous" matches any peer address. With
	# certificate authentication a peer is presumably accepted as soon
	# as its certificate verifies against the CAs under "path
	# certificate" (racoon's verify_cert defaults to on), so that
	# directory must hold only the CAs you intend to trust. Where the
	# set of peers is known, prefer one remote block per peer and/or
	# "verify_identifier on" so the certificate must match the peer's
	# claimed identity — confirm both against racoon.conf(5).

	# NAT-T is supported with all exchange_modes. Note that aggressive
	# mode sends the identity payloads before the channel is encrypted;
	# list only the modes your peers actually need.
	exchange_mode main,base,aggressive;

	# With NAT-T you shouldn't use PSK: with main mode the pre-shared
	# key is typically selected by the peer's source address, which a
	# NAT rewrites. Let's go on with certs.
	# my_identifier asn1dn sends the subject DN of our certificate as
	# the IKE identity. The two file names are resolved relative to
	# "path certificate"; keep the private key file readable only by
	# the user racoon runs as.
	my_identifier asn1dn;
	certificate_type x509 "your-host.cert.pem" "your-host.key.pem";

	# This is the main switch that enables NAT-T.
	# Possible values are:
	#   off - NAT-T support is disabled, i.e. neither offered,
	#         nor accepted. This is the default.
	#    on - normal NAT-T support, i.e. if NAT is detected
	#         along the way, NAT-T is used.
	# force - if NAT-T is supported by both peers, it is used
	#         regardless of whether there is a NAT gateway between them
	#         or not. This is useful for traversing some firewalls.
	nat_traversal on;
	
	# Phase 1 (ISAKMP SA) proposal.
	# NOTE(review): 3des, sha1 and dh_group 2 (1024-bit MODP) reflect
	# the 2005 date of this sample and are considered weak by current
	# standards; prefer aes, sha256 and dh_group 14 where your racoon
	# build and the peer support them.
	proposal {
		authentication_method rsasig;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 2;
	}

	# strict: as responder, presumably reject a peer proposal whose
	# lifetime is longer than ours or whose PFS group differs, instead
	# of silently adopting the peer's values — see racoon.conf(5) for
	# the exact rule.
	proposal_check strict;
}

# Phase 2 proposal (for IPsec SA)
sainfo anonymous
{
	# "anonymous" applies these settings to every Phase 2 negotiation;
	# add specific sainfo blocks if particular selectors need
	# different parameters.
	# NOTE(review): pfs_group 2 is 1024-bit MODP, matching the Phase 1
	# dh_group above; prefer group 14 where the peer supports it.
	pfs_group 2;
	# IPsec SA lifetime; re-keying happens before it expires.
	lifetime time 12 hour;
	# Both ciphers are offered, in this order; the peer picks one.
	# NOTE(review): 3des has a 64-bit block and is deprecated; list
	# rijndael (AES) first, or alone, where peers allow it.
	encryption_algorithm 3des, rijndael;
	authentication_algorithm hmac_sha1;
	# Offers IPComp (deflate) in addition to ESP; presumably only used
	# if the peer offers it too. Remove the line if compression is
	# not wanted.
	compression_algorithm deflate;
}