# $Id: default.conf,v 1.3 2007/07/11 07:53:48 mk Exp $
#
# default section
#
default
{
	remote {
		acceptable_kmp { ikev2; ikev1; kink; };
		ikev1 {
			logmode normal;
			kmp_sa_lifetime_time 600 sec;
			kmp_sa_lifetime_byte infinite;
			interval_to_send 10 sec;
			times_per_send 1;
			ipsec_sa_nego_time_limit 40 sec;
			#kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
			kmp_enc_alg { aes128_cbc; 3des_cbc; };
			kmp_hash_alg { sha1; md5; };
			#kmp_dh_group { modp3072; modp2048; modp1536; modp1024; };
			kmp_dh_group { modp2048; };
			kmp_auth_method { psk; };
			random_pad_content on;
			# max_padlen 50 bytes;
		};
		ikev2 {
			logmode debug;
			kmp_sa_lifetime_time infinite;
			kmp_sa_lifetime_byte infinite;
			max_retry_to_send 3;
			interval_to_send 10 sec;
			times_per_send 1;
			kmp_sa_nego_time_limit 60 sec;
			ipsec_sa_nego_time_limit 40 sec;
			kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
			kmp_prf_alg { hmac_md5; hmac_sha1; aes_xcbc; };
			kmp_hash_alg { hmac_sha1; hmac_md5; };
			kmp_dh_group { modp3072; modp2048; modp1536; modp1024;  };
			kmp_auth_method { psk; };
			random_pad_content on;
			random_padlen on;
			max_padlen 50 bytes;
		};
		kink {
			my_principal "kink/racoon2.wide.ad.jp";
			nonce_size 16 B;
		};
	};

	policy {
		ipsec_mode transport;
		ipsec_level require;
	};

	ipsec {
		ipsec_sa_lifetime_time infinite;
		ipsec_sa_lifetime_byte infinite;
	};

	sa {
		esp_enc_alg { aes128_cbc; 3des_cbc; };
		esp_auth_alg { hmac_sha1; hmac_md5; };
	};
};
ipsec ipsec_ah_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index esp_01;
};

sa ah_01 {
	sa_protocol ah;
	ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
	sa_protocol esp;
	esp_enc_alg { aes128_cbc; 3des_cbc; };
	esp_auth_alg { hmac_sha1; hmac_md5; };
};