267 lines
11 KiB
Text
267 lines
11 KiB
Text
# This is a sample configuration file for freeDiameter daemon.
|
|
|
|
# Most of the options can be omitted, as they default to reasonable values.
|
|
# Only TLS-related options must be configured properly in usual setups.
|
|
|
|
# It is possible to use "include" keyword to import additional files
|
|
# e.g.: include "/etc/freeDiameter.d/*.conf"
|
|
# This is exactly equivalent as copy & paste the content of the included file(s)
|
|
# where the "include" keyword is found.
|
|
|
|
|
|
##############################################################
|
|
## Peer identity and realm
|
|
|
|
# The Diameter Identity of this daemon.
|
|
# This must be a valid FQDN that resolves to the local host.
|
|
# Default: hostname's FQDN
|
|
#Identity = "aaa.koganei.freediameter.net";
|
|
Identity = "mme.localdomain";
|
|
|
|
# The Diameter Realm of this daemon.
|
|
# Default: the domain part of Identity (after the first dot).
|
|
#Realm = "koganei.freediameter.net";
|
|
Realm = "localdomain";
|
|
|
|
##############################################################
|
|
## Transport protocol configuration
|
|
|
|
# The port this peer is listening on for incoming connections (TCP and SCTP).
|
|
# Default: 3868. Use 0 to disable.
|
|
#Port = 3868;
|
|
|
|
# The port this peer is listening on for incoming TLS-protected connections (TCP and SCTP).
|
|
# See TLS_old_method for more information about TLS flavours.
|
|
# Note: we use TLS/SCTP instead of DTLS/SCTP at the moment. This will change in future version of freeDiameter.
|
|
# Default: 5868. Use 0 to disable.
|
|
#SecPort = 5868;
|
|
|
|
# Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA exchange is completed
|
|
# on the unsecure connection. The alternative is RFC6733 mechanism, where TLS protects also the
|
|
# CER/CEA exchange on a dedicated secure port.
|
|
# This parameter only affects outgoing connections.
|
|
# The setting can be also defined per-peer (see Peers configuration section).
|
|
# Default: use RFC6733 method with separate port for TLS.
|
|
#TLS_old_method;
|
|
|
|
# Disable use of TCP protocol (only listen and connect over SCTP)
|
|
# Default : TCP enabled
|
|
#No_TCP;
|
|
|
|
# Disable use of SCTP protocol (only listen and connect over TCP)
|
|
# Default : SCTP enabled
|
|
#No_SCTP;
|
|
# This option is ignored if freeDiameter is compiled with DISABLE_SCTP option.
|
|
|
|
# Prefer TCP instead of SCTP for establishing new connections.
|
|
# This setting may be overwritten per peer in peer configuration blocs.
|
|
# Default : SCTP is attempted first.
|
|
#Prefer_TCP;
|
|
|
|
# Default number of streams per SCTP associations.
|
|
# This setting may be overwritten per peer basis.
|
|
# Default : 30 streams
|
|
#SCTP_streams = 30;
|
|
|
|
##############################################################
|
|
## Endpoint configuration
|
|
|
|
# Disable use of IP addresses (only IPv6)
|
|
# Default : IP enabled
|
|
#No_IP;
|
|
|
|
# Disable use of IPv6 addresses (only IP)
|
|
# Default : IPv6 enabled
|
|
#No_IPv6;
|
|
|
|
# Specify local addresses the server must bind to
|
|
# Default : listen on all addresses available.
|
|
#ListenOn = "202.249.37.5";
|
|
#ListenOn = "2001:200:903:2::202:1";
|
|
#ListenOn = "fe80::21c:5ff:fe98:7d62%eth0";
|
|
ListenOn = "127.0.0.2";
|
|
|
|
|
|
##############################################################
|
|
## Server configuration
|
|
|
|
# How many Diameter peers are allowed to be connecting at the same time ?
|
|
# This parameter limits the number of incoming connections from the time
|
|
# the connection is accepted until the first CER is received.
|
|
# Default: 5 unidentified clients in paralel.
|
|
#ThreadsPerServer = 5;
|
|
|
|
##############################################################
|
|
## TLS Configuration
|
|
|
|
# TLS is managed by the GNUTLS library in the freeDiameter daemon.
|
|
# You may find more information about parameters and special behaviors
|
|
# in the relevant documentation.
|
|
# http://www.gnu.org/software/gnutls/manual/
|
|
|
|
# Credentials of the local peer
|
|
# The X509 certificate and private key file to use for the local peer.
|
|
# The files must contain PKCS-1 encoded RSA key, in PEM format.
|
|
# (These parameters are passed to gnutls_certificate_set_x509_key_file function)
|
|
# Default : NO DEFAULT
|
|
#TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>";
|
|
#TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";
|
|
TLS_Cred = "@sysconfdir@/open5gs/tls/mme.crt", "@sysconfdir@/open5gs/tls/mme.key";
|
|
|
|
# Certificate authority / trust anchors
|
|
# The file containing the list of trusted Certificate Authorities (PEM list)
|
|
# (This parameter is passed to gnutls_certificate_set_x509_trust_file function)
|
|
# The directive can appear several times to specify several files.
|
|
# Default : GNUTLS default behavior
|
|
#TLS_CA = "<file.PEM>";
|
|
TLS_CA = "@sysconfdir@/open5gs/tls/ca.crt";
|
|
|
|
# Certificate Revocation List file
|
|
# The information about revoked certificates.
|
|
# The file contains a list of trusted CRLs in PEM format. They should have been verified before.
|
|
# (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
|
|
# Note: openssl CRL format might have interoperability issue with GNUTLS format.
|
|
# Default : GNUTLS default behavior
|
|
#TLS_CRL = "<file.PEM>";
|
|
|
|
# GNU TLS Priority string
|
|
# This string allows to configure the behavior of GNUTLS key exchanges
|
|
# algorithms. See gnutls_priority_init function documentation for information.
|
|
# You should also refer to the Diameter required TLS support here:
|
|
# http://tools.ietf.org/html/rfc6733#section-13.1
|
|
# Default : "NORMAL"
|
|
# Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL";
|
|
#TLS_Prio = "NORMAL";
|
|
|
|
# Diffie-Hellman parameters size
|
|
# Set the number of bits for generated DH parameters
|
|
# Valid value should be 768, 1024, 2048, 3072 or 4096.
|
|
# (This parameter is passed to gnutls_dh_params_generate2 function,
|
|
# it usually should match RSA key size)
|
|
# Default : 1024
|
|
#TLS_DH_Bits = 1024;
|
|
|
|
# Alternatively, you can specify a file to load the PKCS#3 encoded
|
|
# DH parameters directly from. This accelerates the daemon start
|
|
# but is slightly less secure. If this file is provided, the
|
|
# TLS_DH_Bits parameters has no effect.
|
|
# Default : no default.
|
|
#TLS_DH_File = "<file.PEM>";
|
|
|
|
|
|
##############################################################
|
|
## Timers configuration
|
|
|
|
# The Tc timer of this peer.
|
|
# It is the delay before a new attempt is made to reconnect a disconnected peer.
|
|
# The value is expressed in seconds. The recommended value is 30 seconds.
|
|
# Default: 30
|
|
#TcTimer = 30;
|
|
|
|
# The Tw timer of this peer.
|
|
# It is the delay before a watchdog message is sent, as described in RFC 3539.
|
|
# The value is expressed in seconds. The default value is 30 seconds. Value must
|
|
# be greater or equal to 6 seconds. See details in the RFC.
|
|
# Default: 30
|
|
#TwTimer = 30;
|
|
|
|
##############################################################
|
|
## Applications configuration
|
|
|
|
# Disable the relaying of Diameter messages?
|
|
# For messages not handled locally, the default behavior is to forward the
|
|
# message to another peer if any is available, according to the routing
|
|
# algorithms. In addition the "0xffffff" application is advertised in CER/CEA
|
|
# exchanges.
|
|
# Default: Relaying is enabled.
|
|
#NoRelay;
|
|
NoRelay;
|
|
|
|
# Number of server threads that can handle incoming messages at the same time.
|
|
# Default: 4
|
|
#AppServThreads = 4;
|
|
|
|
# Other applications are configured by loaded extensions.
|
|
|
|
##############################################################
|
|
## Extensions configuration
|
|
|
|
# The freeDiameter framework merely provides support for
|
|
# Diameter Base Protocol. The specific application behaviors,
|
|
# as well as advanced functions, are provided
|
|
# by loadable extensions (plug-ins).
|
|
# These extensions may in addition receive the name of a
|
|
# configuration file, the format of which is extension-specific.
|
|
#
|
|
# Format:
|
|
#LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ;
|
|
#
|
|
# Examples:
|
|
#LoadExtension = "extensions/sample.fdx";
|
|
#LoadExtension = "extensions/sample.fdx":"conf/sample.conf";
|
|
|
|
# Extensions are named as follow:
|
|
# dict_* for extensions that add content to the dictionary definitions.
|
|
# dbg_* for extensions useful only to retrieve more information on the framework execution.
|
|
# acl_* : Access control list, to control which peers are allowed to connect.
|
|
# rt_* : routing extensions that impact how messages are forwarded to other peers.
|
|
# app_* : applications, these extensions usually register callbacks to handle specific messages.
|
|
# test_* : dummy extensions that are useful only in testing environments.
|
|
|
|
|
|
# The dbg_msg_dump.fdx extension allows you to tweak the way freeDiameter displays some
|
|
# information about some events. This extension does not actually use a configuration file
|
|
# but receives directly a parameter in the string passed to the extension. Here are some examples:
|
|
## LoadExtension = "dbg_msg_dumps.fdx" : "0x1111"; # Removes all default hooks, very quiet even in case of errors.
|
|
## LoadExtension = "dbg_msg_dumps.fdx" : "0x2222"; # Display all events with few details.
|
|
## LoadExtension = "dbg_msg_dumps.fdx" : "0x0080"; # Dump complete information about sent and received messages.
|
|
# The four digits respectively control: connections, routing decisions, sent/received messages, errors.
|
|
# The values for each digit are:
|
|
# 0 - default - keep the default behavior
|
|
# 1 - quiet - remove any specific log
|
|
# 2 - compact - display only a summary of the information
|
|
# 4 - full - display the complete information on a single long line
|
|
# 8 - tree - display the complete information in an easier to read format spanning several lines.
|
|
|
|
LoadExtension = "@libdir@/freeDiameter/dbg_msg_dumps.fdx" : "0x8888";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_rfc5777.fdx";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_mip6i.fdx";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_nasreq.fdx";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_nas_mipv6.fdx";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_dcca.fdx";
|
|
LoadExtension = "@libdir@/freeDiameter/dict_dcca_3gpp.fdx";
|
|
|
|
|
|
##############################################################
|
|
## Peers configuration
|
|
|
|
# The local server listens for incoming connections. By default,
|
|
# all unknown connecting peers are rejected. Extensions can override this behavior (e.g., acl_wl).
|
|
#
|
|
# In addition to incoming connections, the local peer can
|
|
# be configured to establish and maintain connections to some
|
|
# Diameter nodes and allow connections from these nodes.
|
|
# This is achieved with the ConnectPeer directive described below.
|
|
#
|
|
# Note that the configured Diameter Identity MUST match
|
|
# the information received inside CEA, or the connection will be aborted.
|
|
#
|
|
# Format:
|
|
#ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
|
|
# Parameters that can be specified in the peer's parameter list:
|
|
# No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
|
|
# No_TLS; # assume transparent security instead of TLS. DTLS is not supported yet (will change in future versions).
|
|
# Port = 5868; # The port to connect to
|
|
# TcTimer = 30;
|
|
# TwTimer = 30;
|
|
# ConnectTo = "202.249.37.5";
|
|
# ConnectTo = "2001:200:903:2::202:1";
|
|
# TLS_Prio = "NORMAL";
|
|
# Realm = "realm.net"; # Reject the peer if it does not advertise this realm.
|
|
# Examples:
|
|
#ConnectPeer = "aaa.wide.ad.jp";
|
|
#ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; Port=3868; } ;
|
|
ConnectPeer = "hss.localdomain" { ConnectTo = "127.0.0.8"; No_TLS; };
|
|
|
|
|
|
##############################################################
|