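# $KAME: racoon.conf.sample-gssapi,v 1.5 2001/08/16 06:33:40 itojun Exp $

# sample configuration for GSSAPI authentication (basically, Kerberos).
# doc/README.gssapi gives some idea on how to configure it.
# TODO: more documentation.
#
# NOTE(review): the active directives below are unchanged from the 2001
# sample so that it keeps negotiating with peers set up from the same
# file.  Several of the algorithm choices are weak by current standards;
# they are marked where they occur.  Which stronger values are available
# depends on the installed racoon build -- check racoon.conf(5) and
# change both ends of the tunnel together.

#listen {
#	strict_address;
#}

# Uncomment the following for GSS-API to work with older versions of
# racoon that (incorrectly) used ISO-Latin-1 encoding for the GSS-API
# identifier attribute.
#gss_id_enc latin1;

# "anonymous" makes this section apply to every peer that has no remote
# section of its own.  Where the set of peers is known, per-address
# remote sections narrow what this host is willing to negotiate with.
remote anonymous {
	exchange_mode main;

	lifetime time 24 hour;

	proposal {
		# 3des and sha1 are legacy choices for phase 1; prefer
		# stronger values (e.g. aes / sha256) where the installed
		# build and the peer support them.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method gssapi_krb;
		# The default GSS-API ID is "host/hostname", where
		# hostname is the output of the hostname(1) command.
		# You probably want this to match your system's host
		# principal.  ktutil(8)'s "list" command will list the
		# principals in your system's keytab.  If you need to,
		# you can change the GSS-API ID here.
		#gss_id "host/some.host.name";

		# Group 1 is the 768-bit MODP group, which is too small to
		# protect the phase 1 key exchange.  Use the largest group
		# both ends support (modp2048 or larger where available).
		dh_group 1;
	}
}

sainfo anonymous {
	lifetime time 2 hour;

	# No pfs_group is set here, so phase 2 keys are derived from the
	# phase 1 exchange without a fresh Diffie-Hellman exchange.
	# 3des and hmac_md5 are offered for compatibility only; drop them
	# from these lists once every peer accepts the stronger entry.
	encryption_algorithm rijndael, 3des;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}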