
NAME

       racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

       This manual page documents briefly the racoon-tool.conf(5)
       configuration file format.

       Please consult the racoon.conf(5) man-page first to  better  understand
       what is written about here.

SYNTAX

       The racoon-tool.conf(5) file is laid out in sections.

       Comments  are  delimited  on  the  left by ‘#’, and can be on a line by
       themselves, or at the end of a line.

       The possible sections are global, connection, and peer.   The  possible
       templates  are  spdadd,  spdinit,  sadinit, sadadd, remote, sainfo, and
       racooninit.

       Sections start with a line of the form section: (or section(name):)
       and then continue with their properties, each a name terminated  by
       ‘:’  followed  by its value.  Every line of a template MUST start with
       template:.  Sections and templates can be named, with the name  given
       in  parentheses  between  the  type  and  the  final  colon,  as  in
       peer(10.0.0.1): or spdadd(%default):.

SECTIONS

       The possible sections are:

       global:
              Contains global parameters for the generated racoon.conf(5), and
              global settings used by racoon-tool(8).  Available settings are:
              path_pre_shared_key,     path_certificate,     path_racoon_conf,
              racoon_command,   racoon_pid_file,  log,  listen[[0-9a-z]],  and
              complex_bundle.

               Apart from racoon_command and racoon_pid_file,  the  settings
               map  across  to  the  similarly  named  directives  in
               racoon.conf(5).

               The listen directive differs from the racoon.conf(5) form: it
               takes multiple {ip-address} [[port]] statements, one per line,
               by attaching an index ‘0-9’ or ‘a-z’ in square brackets
               immediately before the colon, for example listen[0]: and
               listen[1]:.

       connection(%default|%anonymous|[-_a-z0-9]+):
              Connection  as  described  by  the  complementary  SPD  entries.
              Creates  ‘sainfo’  sections in the generated racoon.conf(5), and
              associated SPD entries.

              Directives and  values  are  basically  one  for  one  with  the
              relevant entries in racoon.conf(5).

              The   ‘%default’  VPN  connection  fills  in  entries  in  other
              specified connections, unless they are otherwise defined  within
              the  specific  connection.  The ‘%anonymous’ connection is there
              for a passive VPN server.

       peer(%default|%anonymous|[a-f0-9:.]+):
              Defines the phase 1 attributes associated  with  a  peer.   This
              creates ‘remote’ entries in the generated racoon.conf(5).

              Directives  and  values  are  basically  one  for  one  with the
              relevant entries in  racoon.conf(5).   Different  proposals  are
              signified   by   adding   an   index  ‘0-9’,  or  ‘a-z’  to  the
              encryption_algorithm,     hash_algorithm,     dh_group,      and
              authentication_method    entries,    within    square   brackets
              immediately before the colon.

               The ‘%default’ peer fills in entries in other specified peers,
               unless they are otherwise defined within the  specific  peer.
               The  ‘%anonymous’ peer is there for a passive VPN server, which
               must accept phase 1 from peers whose address is not  known  in
               advance.

TEMPLATES

       Templates are described briefly here.  You will have to look inside the
       racoon-tool(8) perl script to see exactly what you can do.

       spdinit:
              Portion that can be used to initialise  the  SPD.   Uses  setkey
              syntax.  See setkey(8).

       sadinit:
              Portion  that  can  be  used to initialise the SAD.  Uses setkey
              syntax.  See setkey(8).

       spdadd(%default|[-_a-z0-9]+):
              Template for adding SPD  entries.  Different  templates  can  be
              used.  Keys for replacement are of the form ‘___setkey_name___’,
              with names found in setkey(8).  The built in template  is  named
              ‘%default’.

       sadadd(%default|[-_a-z0-9]+):
              Template  for  adding  SAD  entries.  Different templates can be
              used.  Keys for replacement are of the form ‘___setkey_name___’,
              with  names  found in setkey(8).  The built in template is named
              ‘%default’.

       remote(%default|[-_a-z0-9]+):
               Template  for  adding  ‘remote’   entries   to   the   generated
              racoon.conf(5).   Different  templates  can  be  used.  Keys for
              replacement are of  the  form  ‘___setkey_name___’,  with  names
              found  in setkey(8).  The built in template is named ‘%default’.

       sainfo(%default|[-_a-z0-9]+):
               Template  for  adding  ‘sainfo’   entries   to   the   generated
              racoon.conf(5).   Different  templates  can  be  used.  Keys for
              replacement are of  the  form  ‘___setkey_name___’,  with  names
              found  in setkey(8).  The built in template is named ‘%default’.

       racooninit:
              Template for adding  your  own  section  to  the  start  of  the
              generated racoon.conf(5).
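
       The section and template syntax above, together with  the  ‘%default’
       fill-in  rule  for  connections  and  peers, can be checked with a small
       parser.  The following is an added example written for this  page;  it
       is  not  part  of  racoon-tool(8),  which is a perl script, and its sample
       configuration is constructed.  Which keys the real script  makes  avail-
       able  to  templates  is  not  listed  here,  so  the ___key___ substitution
       below fills markers from the connection's own  property  names,  which  is
       an assumption.

```python
"""Parser for the section and template layout of racoon-tool.conf(5).

Added example for this page, not code from the racoon-tool package (a perl
script).  Covers 'type:' / 'type(name):' headers, 'key: value' and indexed
'key[i]: value' properties, '#' comments, the 'template:' line prefix, and
the '%default' fill-in rule for connections and peers.
"""
import re
from collections import OrderedDict

SECTION_TYPES = ("global", "connection", "peer")
TEMPLATE_TYPES = ("spdadd", "spdinit", "sadinit", "sadadd",
                  "remote", "sainfo", "racooninit")
HEADER_RE = re.compile(r"^(%s)(?:\(([^)]+)\))?:$"
                       % "|".join(SECTION_TYPES + TEMPLATE_TYPES))
PROP_RE = re.compile(r"^(\w+)(?:\[([0-9a-z])\])?:\s*(.*)$")  # key[i]: value
TEMPLATE_RE = re.compile(r"^template:\s*(.*)$")
KEY_RE = re.compile(r"___(\w+)___")                          # ___name___


def strip_comment(line):
    """'#' starts a comment, whether on its own line or after a directive."""
    return line.split("#", 1)[0].strip()


def parse(text):
    """Return an OrderedDict keyed by (type, name); name is None for 'global:'.
    Section values map property -> value (indexed ones kept as 'listen[0]');
    template values are lists of the text following each 'template:'."""
    entries = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            entries[current] = OrderedDict() if current[0] in SECTION_TYPES else []
            continue
        if current is None:
            raise ValueError("line %d: directive outside any section" % lineno)
        if current[0] in SECTION_TYPES:
            m = PROP_RE.match(line)
            if not m:
                raise ValueError("line %d: bad property %r" % (lineno, raw))
            key, index, value = m.groups()
            entries[current][key if index is None else "%s[%s]" % (key, index)] = value
        else:
            m = TEMPLATE_RE.match(line)
            if not m:
                raise ValueError("line %d: template lines must start with 'template:'" % lineno)
            entries[current].append(m.group(1))
    return entries


def effective(entries, kind, name):
    """Settings of connection/peer `name`; the '%default' section of the same
    kind supplies anything the named section does not define itself."""
    merged = OrderedDict(entries.get((kind, "%default"), ()))
    merged.update(entries[(kind, name)])
    return merged


def render(template_lines, values):
    """Substitute ___key___ markers from `values`.  An unknown key raises, so a
    misspelt marker is caught before the output ever reaches setkey(8)."""
    def lookup(m):
        if m.group(1) not in values:
            raise KeyError("template key ___%s___ has no value" % m.group(1))
        return values[m.group(1)]
    return [KEY_RE.sub(lookup, line) for line in template_lines]


# Constructed sample, modelled on the examples in this man page.
SAMPLE = """\
global:
    log: notify
    listen[0]: 10.0.0.2 500            # indexed form of listen

peer(%default):
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des

peer(10.0.0.1):
    peers_identifier: fqdn blue.sky.com
    encryption_algorithm[0]: aes       # overrides the %default proposal

connection(%default):
    authentication_algorithm: hmac_sha1
    src_ip: 172.31.1.1
    lifetime: time 20 min

connection(work):
    src_range: 192.168.203.1/32
    dst_range: 172.16.0.0/24
    dst_ip: 10.0.0.1
    admin_status: enabled

# setkey-style SPD template filled from connection properties (assumption)
spdadd(tunnel):
template: spdadd ___src_range___ ___dst_range___ any -P out ipsec
template:     esp/tunnel/___src_ip___-___dst_ip___/require;
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    work = effective(cfg, "connection", "work")
    print("\n".join("%s: %s" % kv for kv in work.items()))
    print("\n".join(render(cfg[("spdadd", "tunnel")], work)))
```

       Run  as  a  script  it  prints  the  merged settings of the ‘work’
       connection and the rendered SPD entry.  An unknown ___key___ marker
       raises a KeyError instead of producing a half-filled setkey line,
       which is the check worth having before generated policy is  fed  to
       setkey(8).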

EXAMPLES

       Example of a simple configuration using PSK authentication.  Note  that
       3des,  blowfish  and  sha1,  as  used  in  these  examples,  are  legacy
       algorithms; on a racoon build that supports them prefer aes and  sha256
       (see racoon.conf(5) for the accepted names).

       #
       # Configuration file for racoon-tool
       #
       # See racoon-tool.conf(5) for details
       #

       #
       # Simple PSK - authentication defaults to pre_shared_key
       #
       connection(backdoor-doormat):
            src_range: 192.168.223.1/32
            dst_range: 192.168.200.0/24
            src_ip: 172.31.1.1
            dst_ip: 10.0.0.1
            admin_status: enabled
            compression: no
            lifetime: time 20 min
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des

       peer(10.0.0.1):
            verify_cert: on
            passive: off
            verify_identifier: off
            lifetime: time 60 min
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des

       Example of a complex configuration with multiple networks between  the
       same endpoints, as well as use of ‘%default’ for common settings.

       #
       # Configuration file for racoon-tool
       #

       global:
            log: notify

       # default settings to save typing
       peer(%default):
            certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
            my_identifier: fqdn blurke.bar.com
            lifetime: time 60 min
            verify_identifier: on
            verify_cert: on
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des
            authentication_method[0]: rsasig

       connection(%default):
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des
            src_ip: 172.31.1.1
            lifetime: time 20 min

       # Connection to work
       peer(10.0.0.1):
            peers_identifier: fqdn blue.sky.com

       connection(blurke-blue-sky-work):
            src_range: 192.168.203.1/32
            dst_range: 172.16.0.0/24
            dst_ip: 10.0.0.1
            admin_status: enabled

       # Connection to telehoused servers
       connection(blurke-mail):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.1
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            compression: on
            admin_status: yes

       peer(10.100.0.1):
            peers_identifier: fqdn mail.bar.com

       connection(blurke-web1):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.23
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       connection(blurke-web2):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.24
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       # Test connection to Free S/WAN
       connection(blurke-freeswan):
            src_range: 192.168.203.0/24
            dst_range: 172.17.100.0/24
            dst_ip: 172.30.1.1
            admin_status: yes

       peer(172.30.1.1):
            peers_identifier: fqdn banshee

FILES

       /etc/racoon/racoon-tool.conf
              The file that this man page describes.

       /var/lib/racoon/racoon.conf
              The generated racoon.conf.

SEE ALSO

       racoon.conf(5), racoon-tool(8), racoon(8), setkey(8).

BUGS

       This man page is by no means complete.

AUTHOR

       This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>
       for the Debian GNU/Linux system (but may be used by others).