# Directory against which the relative file names given to
# certificate_type and peers_certfile below are resolved. It holds
# this host's private RSA key, so it should be owned by root and not
# readable by other users.
path certificate "/usr/local/etc/racoon/certs";

# Phase 1 (IKE) settings. "anonymous" matches any peer address; what
# actually restricts who can complete phase 1 is the single public key
# pinned in peers_certfile below.
remote anonymous
{       
  exchange_mode main;
  # Main vs. aggressive mode: with rsasig authentication there is no
  # pre-shared-key hash to leak either way, so the practical difference
  # is that main mode sends the identities encrypted (after the DH
  # exchange) while aggressive mode sends them in the clear and saves
  # one round trip. Our identity isn't secret, but main mode is the
  # conservative choice and is kept here.
  # exchange_mode aggressive;

  lifetime time 24 hour;
  my_identifier fqdn "ipsec1.hack.org";
  # On the other host:
  # my_identifier fqdn "ipsec1.hack.org";
  # NOTE(review): the identifier shown for the other host is the same
  # as this host's; presumably it should be that host's own FQDN.
  # Verify against the peer's configuration.

  # This host's private RSA key (relative to "path certificate").
  certificate_type plain_rsa "ipsec1.rsa";

  # The other host's public key. Only the holder of the matching
  # private key can authenticate, so replacing this file is the
  # only way to change who may establish a tunnel with us.
  peers_certfile plain_rsa "pubkey2.rsa";
  # On the other side:
  # peers_certfile plain_rsa "pubkey1.rsa";

  # Automatically generate a Security Policy when the other
  # side initiates dialogue. This lets the (authenticated) peer
  # determine the installed policy; acceptable here only because
  # authentication is pinned to one key above.
  generate_policy on;
            
  proposal
  {       
    encryption_algorithm aes;
    hash_algorithm sha256;

    # Use public key authentication:
    authentication_method rsasig;

    # Group 2 is 1024-bit MODP, which is considered weak today.
    # Prefer dh_group 14 (2048-bit) once the other side is changed
    # to match; both ends must agree on the group.
    dh_group 2;
  }
}

# Phase 2 (IPsec SA) settings, applied to every SA negotiated with
# the peer above.
sainfo anonymous
{        
  lifetime time 1 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha256;
  # IPComp (deflate) compression of the payload before encryption.
  compression_algorithm deflate;
  # No pfs_group is set, so phase 2 keys are derived from the phase 1
  # secret without a fresh DH exchange (no perfect forward secrecy for
  # the child SAs). Consider adding "pfs_group" with the same group as
  # dh_group in the remote block, on both ends.
}
