NAME
racoon-tool.conf - configuration file for racoon-tool(8).
DESCRIPTION
This manual page briefly documents the format of the racoon-tool.conf(5)
configuration file.
Please consult the racoon.conf(5) man-page first to better understand
what is written about here.
SYNTAX
The racoon-tool.conf(5) file is laid out in sections.
Comments are delimited on the left by ‘#’, and can be on a line by
themselves, or at the end of a line.
The possible sections are global, connection, and peer. The possible
templates are spdadd, spdinit, sadinit, sadadd, remote, sainfo, and
racooninit.
Sections start with section: and then continue with their properties
(name terminated by ‘:’ then value), and templates ALWAYS have to have
each line started with template:. Sections and templates can be named,
with the name occurring in parentheses between the last character of
their type and the final colon.
SECTIONS
The possible sections are:
global:
Contains global parameters for the generated racoon.conf(5), and
global settings used by racoon-tool(8). Available settings are:
path_pre_shared_key, path_certificate, path_racoon_conf,
racoon_command, racoon_pid_file, log, listen[[0-9a-z]], and
complex_bundle.
Apart from racoon_command and racoon_pid_file, the settings map
across to the similarly named settings in racoon.conf(5).
The listen directive differs slightly from racoon.conf(5) and
takes multiple {ip-address} [[port]] statements by attaching an
index ‘0-9’,‘a-z’ in square brackets immediately before the
colon.
connection(%default|%anonymous|[-_a-z0-9]+):
Connection as described by the complementary SPD entries.
Creates ‘sainfo’ sections in the generated racoon.conf(5), and
associated SPD entries.
Directives and values are basically one for one with the
relevant entries in racoon.conf(5).
The ‘%default’ VPN connection fills in entries in other
specified connections, unless they are otherwise defined within
the specific connection. The ‘%anonymous’ connection is there
for a passive VPN server.
peer(%default|%anonymous|[a-f0-9:.]+):
Defines the phase 1 attributes associated with a peer. This
creates ‘remote’ entries in the generated racoon.conf(5).
Directives and values are basically one for one with the
relevant entries in racoon.conf(5). Different proposals are
signified by adding an index ‘0-9’, or ‘a-z’ to the
encryption_algorithm, hash_algorithm, dh_group, and
authentication_method entries, within square brackets
immediately before the colon.
The ‘%default’ VPN connection fills in entries in other
specified connections, unless they are otherwise defined within
the specific connection. The ‘%anonymous’ connection is there
for a passive VPN server.
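The section syntax above and the ‘%default’ fill-in rule for connections and peers, as an added example that is not part of racoon-tool (which is a Perl script): a small Python parser that reads ‘section(name):’ headers and ‘key: value’ properties, strips ‘#’ comments, keeps indexed keys such as hash_algorithm[0], validates names against the patterns given in SECTIONS, and resolves each connection or peer against its ‘%default’ section. Templates are not interpreted and are rejected with an error. The embedded configuration is constructed for the example, modelled on the second EXAMPLES configuration.

```python
# Added example: parser for the racoon-tool.conf section syntax (not racoon-tool's own code).
# Handles global/connection/peer sections only; template sections raise ValueError.
import re
from collections import OrderedDict

# Name patterns as given in the SECTIONS description; 'global' takes no name.
SECTION_NAME_RE = {
    "global": None,
    "connection": re.compile(r"^(?:%default|%anonymous|[-_a-z0-9]+)$"),
    "peer": re.compile(r"^(?:%default|%anonymous|[a-f0-9:.]+)$"),
}
HEADER_RE = re.compile(r"^(?P<type>global|connection|peer)(?:\((?P<name>[^)]*)\))?:$")
# 'key: value' with an optional one-character index, e.g. hash_algorithm[0]: sha1
PROPERTY_RE = re.compile(r"^(?P<key>[A-Za-z_]+)(?:\[(?P<idx>[0-9a-z])\])?:\s*(?P<value>.*?)$")


def strip_comment(line):
    """Remove a '#' comment, whether it occupies the whole line or trails a value."""
    return line.split("#", 1)[0].strip()


def parse(text):
    """Return OrderedDict {(type, name): {key: value}}; indexed keys are kept as 'key[idx]'."""
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            stype, name = m.group("type"), m.group("name")
            pattern = SECTION_NAME_RE[stype]
            if pattern is None:
                if name is not None:
                    raise ValueError(f"line {lineno}: global section takes no name")
            elif name is None or not pattern.match(name):
                raise ValueError(f"line {lineno}: invalid {stype} name {name!r}")
            current = (stype, name)
            sections.setdefault(current, OrderedDict())
            continue
        m = PROPERTY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
        key = m.group("key")
        if m.group("idx") is not None:
            key += f"[{m.group('idx')}]"
        sections[current][key] = m.group("value")
    return sections


def effective(sections, stype, name):
    """Settings of one connection or peer, with gaps filled from its '%default' section."""
    if (stype, name) not in sections:
        raise KeyError(f"no {stype}({name}) section")
    merged = OrderedDict(sections.get((stype, "%default"), {}))
    merged.update(sections[(stype, name)])  # the section's own values win
    return merged


def effective_all(sections, stype):
    """Resolved settings for every section of a type except '%default' itself."""
    return OrderedDict(
        (name, effective(sections, stype, name))
        for (t, name) in sections if t == stype and name != "%default"
    )


# Constructed sample modelled on the EXAMPLES section; not a real deployment.
SAMPLE = """\
# Configuration file for racoon-tool (constructed sample)
global:
    log: notify
# default settings to save typing
peer(%default):
    lifetime: time 60 min
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des
    authentication_method[0]: rsasig
connection(%default):
    authentication_algorithm: hmac_sha1
    encryption_algorithm: 3des
    src_ip: 172.31.1.1
    lifetime: time 20 min
peer(10.0.0.1):
    peers_identifier: fqdn blue.sky.com
connection(work):
    src_range: 192.168.203.1/32
    dst_range: 172.16.0.0/24
    dst_ip: 10.0.0.1
    admin_status: enabled
connection(mail):
    src_range: 192.168.203.0/24
    dst_range: 172.20.1.1
    dst_ip: 10.100.0.1
    encryption_algorithm: blowfish   # overrides the %default value
    admin_status: yes
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    for name, s in effective_all(cfg, "connection").items():
        print(f"{name}: encryption_algorithm={s['encryption_algorithm']}, lifetime={s['lifetime']}")
```

Listing the resolved settings per connection is the useful check here: what a connection actually ends up with after ‘%default’ is applied is not visible from its own section alone, so reviewing the merged view is how to confirm that an inherited algorithm or lifetime is the intended one.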
TEMPLATES
Templates are described briefly here. You will have to look inside the
racoon-tool(8) Perl script to see exactly what you can do.
spdinit:
Portion that can be used to initialise the SPD. Uses setkey
syntax. See setkey(8).
sadinit:
Portion that can be used to initialise the SAD. Uses setkey
syntax. See setkey(8).
spdadd(%default|[-_a-z0-9]+):
Template for adding SPD entries. Different templates can be
used. Keys for replacement are of the form ‘___setkey_name___’,
with names found in setkey(8). The built-in template is named
‘%default’.
sadadd(%default|[-_a-z0-9]+):
Template for adding SAD entries. Different templates can be
used. Keys for replacement are of the form ‘___setkey_name___’,
with names found in setkey(8). The built-in template is named
‘%default’.
remote(%default|[-_a-z0-9]+):
Template for adding ‘remote’ entries to the generated
racoon.conf(5). Different templates can be used. Keys for
replacement are of the form ‘___setkey_name___’, with names
found in setkey(8). The built-in template is named ‘%default’.
sainfo(%default|[-_a-z0-9]+):
Template for adding ‘sainfo’ entries to the generated
racoon.conf(5). Different templates can be used. Keys for
replacement are of the form ‘___setkey_name___’, with names
found in setkey(8). The built-in template is named ‘%default’.
racooninit:
Template for adding your own section to the start of the
generated racoon.conf(5).
EXAMPLES
Example of a simple configuration using PSK authentication.
#
# Configuration file for racoon-tool
#
# See racoon-tool.conf(5) for details
#
#
# Simple PSK - authentication defaults to pre_shared_key
#
connection(bacckdoor-doormat):
src_range: 192.168.223.1/32
dst_range: 192.168.200.0/24
src_ip: 172.31.1.1
dst_ip: 10.0.0.1
admin_status: enabled
compression: no
lifetime: time 20 min
authentication_algorithm: hmac_sha1
encryption_algorithm: 3des
peer(10.0.0.1):
verify_cert: on
passive: off
verify_identifier: off
lifetime: time 60 min
hash_algorithm[0]: sha1
encryption_algorithm[0]: 3des
Example of a complex configuration with multiple networks between the
same endpoints, as well as use of ‘%default’ for common settings.
#
# Configuration file for racoon-tool
#
global:
log: notify
# default settings to save typing
peer(%default):
certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
my_identifier: fqdn blurke.bar.com
lifetime: time 60 min
verify_identifier: on
verify_cert: on
hash_algorithm[0]: sha1
encryption_algorithm[0]: 3des
authentication_method[0]: rsasig
connection(%default):
authentication_algorithm: hmac_sha1
encryption_algorithm: 3des
src_ip: 172.31.1.1
lifetime: time 20 min
# Connection to work
peer(10.0.0.1):
peers_identifier: fqdn blue.sky.com
connection(blurke-blue-sky-work):
src_range: 192.168.203.1/32
dst_range: 172.16.0.0/24
dst_ip: 10.0.0.1
admin_status: enabled
# Connection to telehoused servers
connection(blurke-mail):
src_range: 192.168.203.0/24
dst_range: 172.20.1.1
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
compression: on
admin_status: yes
peer(10.100.0.1):
peers_identifier: fqdn mail.bar.com
connection(blurke-web1):
src_range: 192.168.203.0/24
dst_range: 172.20.1.23
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
admin_status: yes
connection(blurke-web2):
src_range: 192.168.203.0/24
dst_range: 172.20.1.24
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
admin_status: yes
# Test connection to Free S/WAN
connection(blurke-freeswan):
src_range: 192.168.203.0/24
dst_range: 172.17.100.0/24
dst_ip: 172.30.1.1
admin_status: yes
peer(172.30.1.1):
peers_identifier: fqdn banshee
FILES
/etc/racoon/racoon-tool.conf
The file that this man page describes.
/var/lib/racoon/racoon.conf
The generated racoon.conf.
SEE ALSO
racoon.conf(5), racoon-tool(8), racoon(8), setkey(8).
BUGS
This man page is by no means complete.
AUTHOR
This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>
for the Debian GNU/Linux system (but may be used by others).