source: freeDiameter/doc/freediameter.conf.sample @ 20:277ec00d793e

# This is a sample configuration file for freeDiameter daemon.

# Only the "TLS_Cred" directive is really mandatory in this file.

##############################################################
##  Peer identity and realm 

# The Diameter Identity of this daemon.
# This must be a valid FQDN that resolves to the local host.
# Default: hostname's FQDN
#Identity = "aaa.koganei.wide.ad.jp";

# The Diameter Realm of this daemon.
# Default: the domain part of Identity.
#Realm = "wide.ad.jp";

##############################################################
##  Transport protocol configuration

# The port this peer is listening on for incoming connections (TCP and SCTP).
# Default: 3868
#Port = 3868;

# The port this peer is listening on for incoming TLS connections (TCP and SCTP).
# See TLS_old_method for more information.
# Default: 3869
#SecPort = 3869;

# Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA
# on the same port. This only affects outgoing connections. It can be overwritten
# on per peer basis.
# Default: use RFC3588bis method with separate port for TLS.
#TLS_old_method;

# Disable use of TCP protocol (only listen and connect in SCTP)
# Default : TCP enabled
#No_TCP;

# Disable use of SCTP protocol (only listen and connect in TCP)
# Default : SCTP enabled
#No_SCTP;
# This option has no effect if freeDiameter is compiled with DISABLE_SCTP option,
# in which case the value is forced to "SCTP disabled".

# Prefer TCP over SCTP for establishing new connections.
# It may be overwritten per peer in peer configuration blocs.
# Default : SCTP is prefered.
#Prefer_TCP;

# Default number of streams per SCTP associations.
# It can be overwritten per peer basis.
# Default : 30 streams
#SCTP_streams = 30;

##############################################################
##  Endpoints configuration

# Disable use of IP addresses (only IPv6)
# Default : IP enabled
#No_IP;

# Disable use of IPv6 addresses (only IP)
# Default : IPv6 enabled
#No_IPv6;

# Specify local addresses where the server must listen
# Default : listen on all addresses available.
#ListenOn = "202.249.37.5";
#ListenOn = "2001:200:903:2::202:1";

##############################################################
##  TLS Configuration

# TLS is managed by the GNUTLS library in the freeDiameter daemon.
# You may find more information about parameters and special behaviors
# in the relevant documentation.
# http://www.gnu.org/software/gnutls/manual/

# Credentials of the local peer
# The X509 certificate and private key file to use for the local peer.
# The files must contain PKCS-1 encoded RSA key, in PEM format.
# (These parameters are passed to gnutls_certificate_set_x509_key_file function)
# Default : NO DEFAULT
#TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>";

# Certificate authority / trust anchors
# The file containing the list of trusted Certificate Authorities (PEM list)
# (This parameter is passed to gnutls_certificate_set_x509_trust_file function)
# The directive can appear several times to specify several files.
# Default : GNUTLS default behavior
#TLS_CA = "<file.PEM>";

# Certificate Revocation List file
# The information about revoked certificates.
# The file contains a list of trusted CRLs in PEM format. They should have been verified before. 
# (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
# Note: currently, openssl CRL seems not supported...
# Default : GNUTLS default behavior
#TLS_CRL = "<file.PEM>";

# GNU TLS Priority string
# This string allows to configure the behavior of GNUTLS key exchanges 
# algorithms. See gnutls_priority_init function documentation for information.
# You should also refer to the Diameter required TLS support here:
#   http://tools.ietf.org/html/draft-ietf-dime-rfc3588bis-18#section-13.1
# Default : "NORMAL"
# Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL";
#TLS_Prio = "NORMAL";

# Diffie-Hellman parameters size
# Set the number of bits for generated DH parameters
# Valid value should be 768, 1024, 2048, 3072 or 4096.
# (This parameter is passed to gnutls_dh_params_generate2 function, 
# it usually should match RSA key size)
# Default : 1024
#TLS_DH_Bits = 1024;


##############################################################
##  Timers configuration

# The Tc timer of this peer.
# It is the delay before a new attempt is made to reconnect a disconnected peer.
# The value is expressed in seconds. The recommended value is 30 seconds.
# Default: 30
#TcTimer = 30;

# The Tw timer of this peer.
# It is the delay before a watchdog message is sent, as described in RFC 3539.
# The value is expressed in seconds. The default value is 30 seconds. Value must
# be greater or equal to 6 seconds. See details in the RFC.
# Default: 30
#TwTimer = 30;

##############################################################
##  Applications configuration

# Disable the relaying of Diameter messages?
# For messages not handled locally, the default behavior is to forward the
# message to another peer if any is available, according to the routing 
# algorithms. In addition the "0xffffff" application is advertised in CER/CEA 
# exchanges.
# Default: Relaying is enabled.
#NoRelay;

# Other applications are configured by loading appropriate extensions.

##############################################################
##  Extensions configuration

#  The freeDiameter daemon merely provides support for
# Diameter Base Protocol. The specific application behaviors,
# as well as advanced functions of the daemon, are provided
# by loadable extensions (plug-ins).
#  These extensions may in addition receive the name of a 
# configuration file, the format of which is extension-specific.
#
# Format:
#LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ;
#
# Exemples:
#LoadExtension = "extensions/sample.so";
#LoadExtension = "extensions/sample.so":"conf/sample.conf";


##############################################################
##  Peers configuration

#  The local server listens for incoming connections. By default,
# all unknown connecting peers are rejected. Extensions can override this behavior.
# 
#  In addition to incoming connections, the local peer can
# be configured to establish and maintain connections to some 
# Diameter nodes and allow connections from these nodes.
#  This is achieved with the ConnectPeer directive described bellow.
#
# Note that the configured Diameter Id MUST match
# the information received inside CEA, or the connection will be aborted.
#
# Format:
#ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
# Parameters that can be specified in the peer's parameter list:
#  No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
#  No_TLS;       # assume transparent security instead of TLS
#  Port = 3868;  # The port to connect to
#  SCTP_streams = 30;
#  TcTimer = 30;
#  TwTimer = 30;
#  ConnectTo = "202.249.37.5";
#  ConnectTo = "2001:200:903:2::202:1";
# Examples:
#ConnectPeer = "aaa.wide.ad.jp";
#ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; } ;


##############################################################
# -------- Test configuration ---------
Identity = "aaa.koganei.wide.ad.jp";
Realm = "wide.ad.jp";
Port = 3866;
SecPort = 3867;
TLS_old_method;
No_IP;
Prefer_TCP;
SCTP_streams = 50;
ListenOn = "202.249.37.5";
ListenOn = "2001:200:903:2::202:1";
TcTimer = 60;
TwTimer = 6;
NoRelay;
LoadExtension = "extensions/dbg_monitor.fdx";
LoadExtension = "extensions/dict_nasreq.fdx";
LoadExtension = "extensions/dict_eap.fdx";
ConnectPeer = "jules.nautilus6.org" ;
ConnectPeer = "aaa.nautilus6.org" { No_TLS; No_IP; No_TCP; SCTP_streams = 60; } ;
TLS_Cred = "/etc/openssl-ca/clients/certs/fdtest.cert" , "/etc/openssl-ca/clients/privkeys/fdtest.key.pem";
TLS_CA = "/etc/openssl-ca/public-www/cacert.pem";
# TLS_CRL = "/etc/openssl-ca/public-www/crl.pem";