RACOON.CONF(5)              BSD File Formats Manual              RACOON.CONF(5)

NAME
     racoon.conf — configuration file for racoon

DESCRIPTION
     racoon.conf is the configuration file for the racoon(8) ISAKMP daemon.
     racoon(8) negotiates security associations for itself (ISAKMP SA, or
     phase 1 SA) and for kernel IPsec (IPsec SA, or phase 2 SA).  The file
     consists of a sequence of directives and statements.  Each directive is
     composed of a tag and statements, enclosed by ‘{’ and ‘}’.  Lines
     beginning with ‘#’ are comments.

   Meta Syntax
     Keywords and special characters that the parser expects exactly are
     displayed in bold in the formatted manual.  Parameters are displayed in
     italics.  Square brackets (‘[’ and ‘]’) are used to show optional
     keywords and parameters.  Note that you have to pay attention when this
     manual is describing port numbers.  The port number is always enclosed
     by ‘[’ and ‘]’.  In this case, the port number is not an optional
     keyword.  If it is possible to omit the port number, the expression
     becomes [[port]].  The vertical bar (‘|’) is used to indicate a choice
     between optional parameters.  Parentheses (‘(’ and ‘)’) are used to
     group keywords and parameters when necessary.  Major parameters are
     listed below.

     number    means a hexadecimal or a decimal number.  The former must be
               prefixed with ‘0x’.
     string
     path
     file      means any string enclosed in ‘"’ (double quotes).
     address   means an IPv6 and/or IPv4 address.
     port      means a TCP/UDP port number.  The port number is always
               enclosed by ‘[’ and ‘]’.
     timeunit  is one of the following: sec, secs, second, seconds, min,
               mins, minute, minutes, hour, hours.

   Privilege separation
     privsep { statements }
          specifies privilege separation parameters.  When enabled, these
          allow racoon(8) to operate with an unprivileged instance doing
          most of the work, while a privileged instance takes care of
          performing the following operations as root: reading PSK and
          private keys, launching hook scripts, and validating passwords
          against system databases or against PAM.

          user user;
               The user to which the unprivileged instance of racoon(8)
               should switch.  This can be a quoted user name or a numeric
               UID.
          group group;
               The group to which the unprivileged instance of racoon(8)
               should switch.  This can be a quoted group name or a numeric
               GID.
          chroot path;
               A directory to which the unprivileged instance of racoon(8)
               should chroot(2).  This directory should hold a tree where
               the following files must be reachable:
                    /dev/random
                    /dev/urandom
                    the certificates
                    the file containing the Xauth banner

               The PSK file, the private keys, and the hook scripts are
               accessed through the privileged instance of racoon(8) and do
               not need to be reachable in the chroot(2)'ed tree.
66
   Path Specification
     This section specifies various paths used by racoon.  When running in
     privilege separation mode, certificate and script paths are mandatory.

     path include path;
          specifies a path to include a file.  See File Inclusion.
     path pre_shared_key file;
          specifies a file containing pre-shared key(s) for various ID(s).
          See Pre-shared key File.
     path certificate path;
          racoon(8) will search this directory if a certificate or
          certificate request is received.  If you run with privilege
          separation, racoon(8) will refuse to use a certificate stored
          outside of this directory.
     path backupsa file;
          specifies a file to which SA information negotiated by racoon
          should be stored.  racoon(8) will install SA(s) from the file when
          started with the -B flag.  The file grows because racoon(8) simply
          appends SAs to it.  You should maintain the file manually.
     path script path;
          racoon(8) will search this directory for script hooks.  If you run
          with privilege separation, racoon(8) will refuse to execute a
          script stored outside of this directory.
     path pidfile file;
          specifies the file in which to store the PID of the process.  If
          the path starts with /, it is treated as an absolute path;
          otherwise it is relative to the VARRUN directory specified at
          compilation time.  The default is racoon.pid.

   File Inclusion
     include file
          other configuration files can be included.

   Identifier Specification
     is obsolete.  It must be defined at each remote directive.

   Timer Specification
     timer { statements }
          specifies various timer values.

          counter number;
               the maximum number of retries to send.  The default is 5.
          interval number timeunit;
               the interval to resend, in seconds.  The default time is 10
               seconds.
          persend number;
               the number of packets per send.  The default is 1.
          phase1 number timeunit;
               the maximum time it should take to complete phase 1.  The
               default time is 15 seconds.
          phase2 number timeunit;
               the maximum time it should take to complete phase 2.  The
               default time is 10 seconds.
          natt_keepalive number timeunit;
               interval between sending NAT-Traversal keep-alive packets.
               The default time is 20 seconds.  Set to 0s to disable
               keep-alive packets.

   Listening Port Specification
     listen { statements }
          If no listen directive is specified, racoon(8) will listen on all
          available interface addresses.  The following is the list of valid
          statements:

          isakmp address [[port]];
               If this is specified, racoon(8) will only listen on address.
               The default port is 500, which is specified by IANA.  You can
               provide more than one address definition.
          isakmp_natt address [port];
               Same as isakmp but also sets the socket options to accept
               UDP-encapsulated ESP traffic for NAT-Traversal.  If you plan
               to use NAT-T, you should provide at least one address with
               port 4500, which is specified by IANA.  There is no default.
          strict_address;
               require that all addresses for ISAKMP must be bound.  This
               statement will be ignored if you do not specify any address.

          The listen section can also be used to specify the admin socket
          mode and ownership, if racoon was built with support for the admin
          port.

          adminsock path [owner group mode];
               path, owner, and group are the socket path, owner, and group;
               they must be quoted.  Defaults are /var/racoon/racoon.sock,
               UID 0, and GID 0.  mode is the access mode in octal; the
               default is 0600.
          adminsock disabled;
               This directive tells racoon not to listen on the admin
               socket.

   Miscellaneous Global Parameters
     gss_id_enc enctype;
          Older versions of racoon(8) used ISO-Latin-1 as the encoding of
          the GSS-API identifier attribute.  For interoperability with
          Microsoft Windows' GSS-API authentication scheme, the default
          encoding has been changed to UTF-16LE.  The gss_id_enc parameter
          allows racoon(8) to be configured to use the old encoding for
          compatibility with existing racoon(8) installations.  The
          following are valid values for enctype:

          utf-16le
               Use UTF-16LE to encode the GSS-API identifier attribute.
               This is the default encoding.  This encoding is compatible
               with Microsoft Windows.
          latin1
               Use ISO-Latin-1 to encode the GSS-API identifier attribute.
               This is the encoding used by older versions of racoon(8).

   Remote Nodes Specifications
     remote (address | anonymous) [[port]] [inherit parent] { statements }
          specifies the parameters for IKE phase 1 for each remote node.
          The default port is 500.  If anonymous is specified, the
          statements apply to all peers which do not match any other remote
          directive.

          Sections with inherit parent statements (where parent is either an
          address or the keyword anonymous) have all values predefined to
          those of the given parent.  In these sections it is enough to
          redefine only the changed parameters.

          The following are valid statements.

          exchange_mode (main | aggressive | base);
               defines the exchange mode for phase 1 when racoon is the
               initiator.  It also means the acceptable exchange mode when
               racoon is the responder.  More than one mode can be specified
               by separating them with a comma.  All of the modes are
               acceptable.  The first exchange mode is what racoon uses when
               it is the initiator.
          doi ipsec_doi;
               means to use IPsec DOI as specified in RFC 2407.  You can
               omit this statement.
          situation identity_only;
               means to use SIT_IDENTITY_ONLY as specified in RFC 2407.  You
               can omit this statement.
          identifier idtype;
               is obsolete.  Instead, use my_identifier.
          my_identifier idtype ...;
               specifies the identifier sent to the remote host and the type
               to use in the phase 1 negotiation.  address, fqdn, user_fqdn,
               keyid, and asn1dn can be used as an idtype.  Use them in the
               following way:
               my_identifier address [address];
                    the type is the IP address.  This is the default type if
                    you do not specify an identifier to use.
               my_identifier user_fqdn string;
                    the type is a USER_FQDN (user fully-qualified domain
                    name).
               my_identifier fqdn string;
                    the type is a FQDN (fully-qualified domain name).
               my_identifier keyid file;
                    the type is a KEY_ID.
               my_identifier asn1dn [string];
                    the type is an ASN.1 distinguished name.  If string is
                    omitted, racoon(8) will get the DN from the Subject
                    field in the certificate.
          xauth_login [string];
               specifies the login to use in client-side Hybrid
               authentication.  It is available only if racoon(8) has been
               built with this option.  The associated password is looked up
               in the pre-shared key files, using the login string as the
               key id.
          peers_identifier idtype ...;
               specifies the peer's identifier to be received.  If it is not
               defined then racoon(8) will not verify the peer's identifier
               in the ID payload transmitted from the peer.  If it is
               defined, the behavior of the verification depends on the flag
               of verify_identifier.  The usage of idtype is the same as for
               my_identifier, except that the individual component values of
               an asn1dn identifier may be specified as * to match any value
               (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").  Alternative
               acceptable peer identifiers may be specified by repeating the
               peers_identifier statement.
          verify_identifier (on | off);
               If you want to verify the peer's identifier, set this to on.
               In this case, if the value defined by peers_identifier is not
               the same as the peer's identifier in the ID payload, the
               negotiation will fail.  The default is off.
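               The following is an added illustration (not racoon(8) code)
               of how an asn1dn peers_identifier pattern with "*" components
               is matched against the DN in the peer's ID payload, and how
               verify_identifier decides whether a mismatch matters.  It
               assumes, which the text above does not state, that DN
               components are compared pairwise in order and that the
               component counts must agree.

```python
from typing import List, Tuple

# Added example, not racoon(8) code: checks a DN received in the peer's ID
# payload against peers_identifier asn1dn patterns in which individual
# component values may be "*" (any value).  Assumption not stated on the
# page: components are compared pairwise in order and the counts must match.


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=XX, O=MyOrg, OU=*, CN=Mine' into [(attr, value), ...]."""
    components = []
    for raw in dn.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "=" not in raw:
            raise ValueError(f"malformed DN component: {raw!r}")
        attr, value = raw.split("=", 1)
        # attribute types are case-insensitive; values are compared as given
        components.append((attr.strip().upper(), value.strip()))
    if not components:
        raise ValueError("empty DN")
    return components


def asn1dn_matches(pattern: str, received: str) -> bool:
    """True when every component of received matches the pattern component
    at the same position, with '*' in the pattern accepting any value."""
    want = parse_dn(pattern)
    got = parse_dn(received)
    if len(want) != len(got):
        return False
    for (want_attr, want_val), (got_attr, got_val) in zip(want, got):
        if want_attr != got_attr:
            return False
        if want_val != "*" and want_val != got_val:
            return False
    return True


def peer_id_accepted(peers_identifiers: List[str], received: str,
                     verify_identifier: bool) -> bool:
    """Emulates verify_identifier: with it off the ID payload is not checked;
    with it on, one of the (possibly repeated) peers_identifier patterns
    must match or the negotiation fails."""
    if not verify_identifier:
        return True
    return any(asn1dn_matches(p, received) for p in peers_identifiers)
```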
          certificate_type certspec;
               specifies a certificate specification.  certspec is one of
               the following:
               x509 certfile privkeyfile;
                    certfile means a file name of a certificate.
                    privkeyfile means a file name of a secret key.
          ca_type cacertspec;
               specifies a root certificate authority specification.
               cacertspec is one of the following:
               x509 cacertfile;
                    cacertfile means a file name of the root certificate
                    authority.  Default is /etc/openssl/cert.pem
          mode_cfg (on | off);
               Gather network information through ISAKMP mode
               configuration.  Default is off.
          peers_certfile (dnssec | certfile);
               If dnssec is defined, racoon(8) will ignore the CERT payload
               from the peer, and try to get the peer's certificate from DNS
               instead.  If certfile is defined, racoon(8) will ignore the
               CERT payload from the peer, and will use this certificate as
               the peer's certificate.
          script script phase1_up
          script script phase1_down
               Shell scripts that get executed when a phase 1 SA goes up or
               down.  Both scripts get either phase1_up or phase1_down as
               first argument, and the following variables are set in their
               environment:
               LOCAL_ADDR
                    The local address of the phase 1 SA.
               LOCAL_PORT
                    The local port used for IKE for the phase 1 SA.
               REMOTE_ADDR
                    The remote address of the phase 1 SA.
               REMOTE_PORT
                    The remote port used for IKE for the phase 1 SA.
               The following variables are only set if mode_cfg was
               enabled:
               INTERNAL_ADDR4
                    An IPv4 internal address obtained by ISAKMP mode config.
               INTERNAL_NETMASK4
                    An IPv4 internal netmask obtained by ISAKMP mode config.
               INTERNAL_DNS4
                    Internal DNS server IPv4 address obtained by ISAKMP mode
                    config.
               INTERNAL_NBNS4
                    Internal WINS server IPv4 address obtained by ISAKMP
                    mode config.
          send_cert (on | off);
               If you do not want to send a certificate for some reason, set
               this to off.  The default is on.
          send_cr (on | off);
               If you do not want to send a certificate request for some
               reason, set this to off.  The default is on.
          verify_cert (on | off);
               If you do not want to verify the peer's certificate for some
               reason, set this to off.  The default is on.
          lifetime time number timeunit;
               Define a lifetime of a certain time which will be proposed in
               the phase 1 negotiations.  Any proposal will be accepted, and
               the attribute(s) will not be proposed to the peer if you do
               not specify it (them).  They can be individually specified in
               each proposal.
          ike_frag (on | off);
               Enable receiver-side IKE fragmentation, if racoon(8) has been
               built with this feature.  This extension is there to work
               around broken firewalls that do not work with fragmented UDP
               packets.  IKE fragmentation is always enabled on the sender
               side, and it is used if the peer advertises itself as IKE
               fragmentation capable.
          esp_frag fraglen;
               This option is only relevant if you use NAT traversal in
               tunnel mode.  Its purpose is to work around broken DSL
               routers that reject UDP fragments, by fragmenting the IP
               packets before ESP encapsulation.  The result is ESP over UDP
               of fragmented packets instead of fragmented ESP over UDP
               packets (i.e., IP:UDP:ESP:frag(IP) instead of
               frag(IP:UDP:ESP:IP)).  fraglen is the maximum size of the
               fragments.  552 should work anywhere, but the higher fraglen
               is, the better the performance.

               Note that because PMTU discovery is broken on many sites, you
               will have to use MSS clamping if you want TCP to work
               correctly.
          initial_contact (on | off);
               enable this to send an INITIAL-CONTACT message.  The default
               value is on.  This message is useful only when the
               implementation of the responder chooses an old SA when there
               are multiple SAs with different established times, and the
               initiator reboots.  If racoon did not send the message, the
               responder would use an old SA even when a new SA was
               established.  The KAME stack has the switch in the
               system-wide value net.key.preferred_oldsa.  When the value is
               zero, the stack always uses a new SA.
          passive (on | off);
               If you do not want to initiate the negotiation, set this to
               on.  The default value is off.  It is useful for a server.
          proposal_check level;
               specifies the action of lifetime length and PFS of the phase
               2 selection on the responder side, and the action of lifetime
               check in phase 1.  The default level is strict.  If the level
               is:
               obey      the responder will obey the initiator anytime.
               strict    If the responder's length is longer than the
                         initiator's one, the responder uses the initiator's
                         one.  Otherwise it rejects the proposal.  If PFS is
                         not required by the responder, the responder will
                         obey the proposal.  If PFS is required by both
                         sides and if the responder's group is not equal to
                         the initiator's one, then the responder will reject
                         the proposal.
               claim     If the responder's length is longer than the
                         initiator's one, the responder will use the
                         initiator's one.  If the responder's length is
                         shorter than the initiator's one, the responder
                         uses its own length AND sends a RESPONDER-LIFETIME
                         notify message to the initiator in the case of
                         lifetime (phase 2 only).  For PFS, this directive
                         behaves the same as strict.
               exact     If the initiator's length is not equal to the
                         responder's one, the responder will reject the
                         proposal.  If PFS is required by both sides and if
                         the responder's group is not equal to the
                         initiator's one, then the responder will reject the
                         proposal.
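               The following added example (not racoon(8) code) works the
               four proposal_check levels through as responder-side decision
               functions for the lifetime and the PFS group.  It assumes,
               beyond what the text states, that a lifetime equal to the
               responder's is accepted under strict and claim, that claim
               behaves like strict in phase 1 (where no RESPONDER-LIFETIME
               notify is sent), and that an initiator proposing no PFS group
               at all counts as a group mismatch.

```python
from typing import Optional, Tuple

# Added example, not racoon(8) code: the responder-side decisions for each
# proposal_check level described above.  Lifetimes are in seconds.
# Assumptions not stated on the page: an initiator lifetime equal to the
# responder's is accepted under strict and claim, and for phase 1 (where no
# RESPONDER-LIFETIME notify exists) claim behaves like strict.

LEVELS = ("obey", "strict", "claim", "exact")


def check_lifetime(level: str, initiator: int, responder: int,
                   phase2: bool = True) -> Tuple[Optional[int], bool]:
    """Return (lifetime the responder will use, or None if the proposal is
    rejected; whether a RESPONDER-LIFETIME notify is sent to the initiator)."""
    if level not in LEVELS:
        raise ValueError(f"unknown proposal_check level {level!r}")
    if level == "obey":
        return initiator, False
    if level == "exact":
        return (initiator, False) if initiator == responder else (None, False)
    # strict and claim: a responder lifetime at least as long as the
    # initiator's means the initiator's value is used.
    if responder >= initiator:
        return initiator, False
    if level == "claim" and phase2:
        return responder, True    # keep own length, notify the initiator
    return None, False            # strict, or claim in phase 1: reject


def check_pfs(level: str, responder_requires_pfs: bool,
              responder_group: Optional[int],
              initiator_group: Optional[int]) -> bool:
    """PFS group check: obey accepts anything; the other levels accept unless
    the responder requires PFS and the initiator's group differs.
    Assumption: an initiator that proposes no group is treated as a mismatch."""
    if level not in LEVELS:
        raise ValueError(f"unknown proposal_check level {level!r}")
    if level == "obey" or not responder_requires_pfs:
        return True
    return initiator_group is not None and initiator_group == responder_group
```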
          support_proxy (on | off);
               If this value is set to on, then both values of ID payloads
               in the phase 2 exchange are always used as the addresses of
               the end-points of IPsec-SAs.  The default is off.
          generate_policy (on | off);
               This directive is for the responder.  Therefore you should
               set passive to on in order that racoon(8) only becomes a
               responder.  If the responder does not have any policy in the
               SPD during phase 2 negotiation, and the directive is set to
               on, then racoon(8) will choose the first proposal in the SA
               payload from the initiator, and generate policy entries from
               the proposal.  It is useful to negotiate with clients whose
               IP address is allocated dynamically.  Note that an
               inappropriate policy might be installed into the responder's
               SPD by the initiator, so other communications might fail if
               such policies are installed due to a policy mismatch between
               the initiator and the responder.  This directive is ignored
               in the initiator case.  The default value is off.
          nat_traversal (on | off | force);
               This directive enables use of the NAT-Traversal IPsec
               extension (NAT-T).  NAT-T allows one or both peers to reside
               behind a NAT gateway (i.e., doing address- or
               port-translation).  Presence of NAT gateways along the path
               is discovered during the phase 1 handshake and, if found,
               NAT-T is negotiated.  When NAT-T is in charge, all ESP and AH
               packets of a given connection are encapsulated into UDP
               datagrams (port 4500, by default).  Possible values are:
               on        NAT-T is used when a NAT gateway is detected
                         between the peers.
               off       NAT-T is not proposed/accepted.  This is the
                         default.
               force     NAT-T is used regardless of whether a NAT is
                         detected between the peers or not.
               Please note that NAT-T support is a compile-time option.
               Although it is enabled in the source distribution by default,
               it may not be available in your particular build.  In that
               case you will get a warning when using any NAT-T related
               config options.
          dpd_delay delay;
               This option activates DPD and sets the time (in seconds)
               allowed between 2 proof-of-liveness requests.  The default
               value is 0, which disables DPD monitoring, but still
               negotiates DPD support.
          dpd_retry delay;
               If dpd_delay is set, this sets the delay (in seconds) to wait
               for a proof of liveness before considering it as failed and
               sending another request.  The default value is 5.
          dpd_maxfail number;
               If dpd_delay is set, this sets the maximum number of
               proof-of-liveness requests to send (without reply) before
               considering the peer dead.  The default value is 5.
          nonce_size number;
               defines the byte size of the nonce value.  Racoon can send
               any value although RFC 2409 specifies that the value MUST be
               between 8 and 256 bytes.  The default size is 16 bytes.
          proposal { sub-substatements }
               encryption_algorithm algorithm;
                    specifies the encryption algorithm used for the phase 1
                    negotiation.  This directive must be defined.  algorithm
                    is one of the following: des, 3des, blowfish, cast128,
                    aes for Oakley.  For other transforms, this statement
                    should not be used.
               hash_algorithm algorithm;
                    defines the hash algorithm used for the phase 1
                    negotiation.  This directive must be defined.  algorithm
                    is one of the following: md5, sha1, sha256, sha384,
                    sha512 for Oakley.
               authentication_method type;
                    defines the authentication method used for the phase 1
                    negotiation.  This directive must be defined.  type is
                    one of: pre_shared_key, rsasig, gssapi_krb,
                    hybrid_rsa_server, or hybrid_rsa_client.
               dh_group group;
                    defines the group used for the Diffie-Hellman
                    exponentiations.  This directive must be defined.  group
                    is one of the following: modp768, modp1024, modp1536,
                    modp2048, modp3072, modp4096, modp6144, modp8192.  Or
                    you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH
                    group number.  When you want to use aggressive mode, you
                    must define the same DH group in each proposal.
               lifetime time number timeunit;
                    defines the lifetime of the phase 1 SA proposal.  Refer
                    to the description of the lifetime directive defined in
                    the remote directive.
               gss_id string;
                    defines the GSS-API endpoint name, to be included as an
                    attribute in the SA, if the gssapi_krb authentication
                    method is used.  If this is not defined, the default
                    value of ‘host/hostname’ is used, where hostname is the
                    value returned by the hostname(1) command.

   Policy Specifications
     The policy directive is obsolete; policies are now in the SPD.
     racoon(8) will obey the policy configured into the kernel by setkey(8),
     and will construct phase 2 proposals by combining sainfo specifications
     in racoon.conf and policies in the kernel.

   Sainfo Specifications
     sainfo (source_id destination_id | anonymous) [from idtype [string]]
             { statements }
          defines the parameters of the IKE phase 2 (IPsec-SA
          establishment).  source_id and destination_id are constructed
          like:

               address address [/ prefix] [[port]] ul_proto

          or

               subnet address [/ prefix] [[port]] ul_proto

          or

               idtype string

          It means exactly the content of the ID payload.  This is not like
          a filter rule.  For example, if you define 3ffe:501:4819::/48 as
          source_id, 3ffe:501:4819:1000::/64 will not match.

          In the case of the longest prefix (selecting a single host),
          address instructs racoon to send ID type ADDRESS, while subnet
          instructs it to send ID type SUBNET.  Otherwise these instructions
          are identical.

          pfs_group group;
               defines the group of Diffie-Hellman exponentiations.  If you
               do not require PFS then you can omit this directive.  Any
               proposal will be accepted if you do not specify one.  group
               is one of the following: modp768, modp1024, modp1536,
               modp2048, modp3072, modp4096, modp6144, modp8192.  Or you can
               define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
          lifetime time number timeunit;
               defines how long an IPsec-SA will be used, in timeunits.  Any
               proposal will be accepted, and no attribute(s) will be
               proposed to the peer if you do not specify it (them).  See
               the proposal_check directive.
          my_identifier idtype ...;
               is obsolete.  It does not make sense to specify an identifier
               in phase 2.

          racoon(8) does not have a list of security protocols to be
          negotiated.  The list of security protocols is passed by the SPD
          in the kernel.  Therefore you have to define all of the potential
          algorithms in the phase 2 proposals even if there are algorithms
          which will not be used.  These algorithms are defined by using the
          following three directives, with a single comma as the separator.
          For algorithms that can take variable-length keys, algorithm names
          can be followed by a key length, like “blowfish 448”.  racoon(8)
          will compute the actual phase 2 proposals by computing the
          permutation of the specified algorithms, and then combining them
          with the security protocol specified by the SPD.  For example, if
          des, 3des, hmac_md5, and hmac_sha1 are specified as algorithms, we
          have four combinations for use with ESP, and two for AH.  Then,
          based on the SPD settings, racoon(8) will construct the actual
          proposals.  If the SPD entry asks for ESP only, there will be 4
          proposals.  If it asks for both AH and ESP, there will be 8
          proposals.  Note that the kernel may not support the algorithm you
          have specified.
          encryption_algorithm algorithms;
               des, 3des, des_iv64, des_iv32, rc5, rc4, idea, 3idea,
               cast128, blowfish, null_enc, twofish, rijndael, aes (used
               with ESP)
          authentication_algorithm algorithms;
               des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1,
               hmac_sha256, hmac_sha384, hmac_sha512, non_auth (used with
               ESP authentication and AH)
          compression_algorithm algorithms;
               deflate (used with IPComp)
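          The following added example (not racoon(8) code) expands the three
          phase 2 algorithm directives into the proposal list the text above
          describes, including the "blowfish 448" key-length syntax and the
          4-versus-8 proposal count for ESP-only versus AH+ESP.  It assumes
          that an SPD entry asking for several protocols yields one proposal
          per combination of the per-protocol choices, and it validates
          names only against the lists printed here, not against the
          kernel.

```python
from itertools import product
from typing import List, Optional, Sequence, Set, Tuple

# Added example, not racoon(8) code: expands the three phase 2 algorithm
# directives into the proposal list described above.  An SPD entry asking
# for several protocols (e.g. AH and ESP) yields one proposal per
# combination of the per-protocol choices, which is why des,3des x
# hmac_md5,hmac_sha1 gives 4 proposals for ESP alone and 8 for AH+ESP.
# Assumption: names are validated only against the lists printed on this
# page, not against what the kernel supports.

ENC_ALGS = {"des", "3des", "des_iv64", "des_iv32", "rc5", "rc4", "idea",
            "3idea", "cast128", "blowfish", "null_enc", "twofish",
            "rijndael", "aes"}
AUTH_ALGS = {"des", "3des", "des_iv64", "des_iv32", "hmac_md5", "hmac_sha1",
             "hmac_sha256", "hmac_sha384", "hmac_sha512", "non_auth"}
COMP_ALGS = {"deflate"}

Alg = Tuple[str, Optional[int]]          # (name, key length in bits or None)


def parse_alg_list(spec: str, allowed: Set[str]) -> List[Alg]:
    """'3des, blowfish 448, twofish' -> [('3des', None), ('blowfish', 448), ...]"""
    algs: List[Alg] = []
    for item in spec.split(","):
        words = item.split()
        if not words:
            continue
        name = words[0]
        if name not in allowed:
            raise ValueError(f"unknown algorithm {name!r}")
        if len(words) == 1:
            algs.append((name, None))
        elif len(words) == 2 and words[1].isdigit():
            algs.append((name, int(words[1])))   # explicit key length
        else:
            raise ValueError(f"cannot parse algorithm entry {item.strip()!r}")
    return algs


def phase2_proposals(encryption: str, authentication: str, compression: str,
                     spd_protocols: Sequence[str]) -> List[tuple]:
    """Each proposal is a tuple holding one (protocol, enc, auth) entry per
    protocol requested by the SPD entry."""
    enc = parse_alg_list(encryption, ENC_ALGS)
    auth = parse_alg_list(authentication, AUTH_ALGS)
    comp = parse_alg_list(compression, COMP_ALGS)
    per_protocol = []
    for proto in spd_protocols:
        if proto == "esp":        # every encryption x every authentication
            per_protocol.append([("esp", e, a) for e, a in product(enc, auth)])
        elif proto == "ah":       # authentication only
            per_protocol.append([("ah", None, a) for a in auth])
        elif proto == "ipcomp":   # compression only
            per_protocol.append([("ipcomp", c, None) for c in comp])
        else:
            raise ValueError(f"unknown SPD protocol {proto!r}")
    return [tuple(bundle) for bundle in product(*per_protocol)]
```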

   Logging level
     log level;
          defines the logging level.  level is one of the following: notify,
          debug, and debug2.  The default is notify.  If you set the logging
          level too high on slower machines, IKE negotiation can fail due to
          timing constraint changes.

   Specifying the way to pad
     padding { statements }
          specifies the padding format.  The following are valid
          statements:
          randomize (on | off);
               enable using a randomized value for padding.  The default is
               on.
          randomize_length (on | off);
               the pad length is random.  The default is off.
          maximum_length number;
               defines a maximum padding length.  If randomize_length is
               off, this is ignored.  The default is 20 bytes.
          exclusive_tail (on | off);
               means to put the number of pad bytes minus one into the last
               part of the padding.  The default is on.
          strict_check (on | off);
               means to constrain the peer to set the number of pad bytes.
               The default is off.

   ISAKMP mode configuration settings
     mode_cfg { statements }
          Defines the information to return for remote hosts' ISAKMP mode
          config requests.  Also defines the authentication source for
          remote peers authenticating through hybrid auth.

          The following are valid statements:
          auth_source (system | radius | pam);
               Specify the source for authentication of users through hybrid
               auth.  system means to use the Unix user database.  This is
               the default.  radius means to use a RADIUS server.  It works
               only if racoon(8) was built with libradius support, and the
               configuration is done in radius.conf(5).  pam means to use
               PAM.  It works only if racoon(8) was built with libpam
               support.
          conf_source (local | radius);
               Specify the source for IP addresses and netmask allocated
               through ISAKMP mode config.  local means to use the local IP
               pool defined by the network4 and pool_size keywords.  This is
               the default.  radius means to use a RADIUS server.  It works
               only if racoon(8) was built with libradius support, and the
               configuration is done in radius.conf(5).  RADIUS
               configuration requires RADIUS authentication.
          accounting (none | radius | pam);
               Enable or disable accounting for Xauth logins and logouts.
               Default is none, which disables accounting.  radius enables
               RADIUS accounting.  It works only if racoon(8) was built with
               libradius support, and the configuration is done in
               radius.conf(5).  RADIUS accounting requires RADIUS
               authentication.  pam enables PAM accounting.  It works only
               if racoon(8) was built with libpam support.  PAM accounting
               requires PAM authentication.
          pool_size size
               Specify the size of the IP address pool, either local or
               allocated through RADIUS.  conf_source selects the local pool
               or the RADIUS configuration, but in both configurations, you
               cannot have more than size users connected at the same time.
               The default is 255.
          network4 address;
          netmask4 address;
               The local IP pool base address and network mask from which
               dynamically allocated IPv4 addresses should be taken.  This
               is used if conf_source is set to local or if the RADIUS
               server returned 255.255.255.254.  Default is
               0.0.0.0/0.0.0.0.
          dns4 address;
               The IPv4 address for a DNS server.
          nbns4 address;
               The IPv4 address for a WINS server.
          banner path;
               The path of a file displayed on the client at connection
               time.  Default is /etc/motd.
          auth_throttle delay;
               On each failed Xauth authentication attempt, refuse new
               attempts for delay more seconds.  This is to avoid dictionary
               attacks on Xauth passwords.  Default is one second.  Set to
               zero to disable the authentication delay.
          pfs_group group;
               Sets the PFS group used in the client proposal (Cisco VPN
               client only).  Default is 0.
          save_passwd (on | off);
               Allow the client to save the Xauth password (Cisco VPN client
               only).  Default is off.

   Special directives
     complex_bundle (on | off);
          defines the interpretation of a proposal in the case of an SA
          bundle.  Normally “IP AH ESP IP payload” is proposed as “AH tunnel
          and ESP tunnel”.  This interpretation is more common among other
          IKE implementations; however, it allows a very limited set of
          combinations for proposals.  With the option enabled, it will be
          proposed as “AH transport and ESP tunnel”.  The default value is
          off.

   Pre-shared key File
     The pre-shared key file defines pairs of identifiers and corresponding
     shared secret keys which are used in the pre-shared key authentication
     method in phase 1.  The pair in each line is separated by some number
     of blanks and/or tab characters, as in the hosts(5) file.  A key can
     include blanks because everything after the first blanks is interpreted
     as the secret key.  Lines starting with ‘#’ are ignored.  Keys which
     start with ‘0x’ are interpreted as hexadecimal strings.  Note that the
     file must be owned by the user ID running racoon(8) (usually the
     privileged user), and must not be accessible by others.

EXAMPLES
     The following shows how the remote directive should be configured.

           path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
           remote anonymous
           {
                   exchange_mode aggressive,main,base;
                   lifetime time 24 hour;
                   proposal {
                           encryption_algorithm 3des;
                           hash_algorithm sha1;
                           authentication_method pre_shared_key;
                           dh_group 2;
                   }
           }

           sainfo anonymous
           {
                   pfs_group 2;
                   lifetime time 12 hour ;
                   encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
                   authentication_algorithm hmac_sha1, hmac_md5 ;
                   compression_algorithm deflate ;
           }

     The following is a sample for the pre-shared key file.

           10.160.94.3 mekmitasdigoat
           172.16.1.133 0x12345678
           194.100.55.1 whatcertificatereally
           3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
           3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
           foo@kame.net mekmitasdigoat
           foo.kame.net hoge
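     The following added example (not racoon(8) code) parses a pre-shared
     key file by the rules given in Pre-shared key File (comment lines,
     identifier followed by blanks, everything after the first run of blanks
     forming the key, ‘0x’ keys read as hex) and refuses to load a file
     whose owner or mode would let another user read the secrets.  The
     embedded sample is a constructed variant of the one above with an
     extra entry whose key contains blanks; "not accessible by others" is
     taken to mean no group or other permission bits.

```python
import os
import re
import stat
from typing import Dict, Optional

# Added example, not racoon(8) code: parses a pre-shared key file using the
# rules above (comment lines, identifier then blanks, everything after the
# first run of blanks is the key, 0x-prefixed keys are hex) and checks the
# ownership and mode requirement before the keys are used.  Assumption:
# "not accessible by others" is taken as no group or other permission bits.

# Constructed sample, modelled on the sample file above plus an entry whose
# key contains blanks (backup.example.net is a placeholder identifier).
PSK_SAMPLE = """\
# identifier      secret
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
foo@kame.net mekmitasdigoat
foo.kame.net\thoge
backup.example.net  a key with blanks in it
"""

_LINE = re.compile(r"^(\S+)[ \t]+(.*)$")


def parse_psk_text(text: str) -> Dict[str, bytes]:
    """Map each identifier to its secret as raw bytes."""
    keys: Dict[str, bytes] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue                      # identifier without a key: skipped
        ident, secret = m.group(1), m.group(2)
        if secret.startswith("0x"):
            keys[ident] = bytes.fromhex(secret[2:])
        else:
            keys[ident] = secret.encode()
    return keys


def psk_file_permissions_ok(st_uid: int, st_mode: int, racoon_uid: int) -> bool:
    """Owned by the user running racoon(8) and with no group/other bits set."""
    return st_uid == racoon_uid and (st_mode & 0o077) == 0


def load_psk_file(path: str, racoon_uid: Optional[int] = None) -> Dict[str, bytes]:
    """Refuse to load a key file that other users could read."""
    if racoon_uid is None:
        racoon_uid = os.getuid()
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if not psk_file_permissions_ok(st.st_uid, st.st_mode, racoon_uid):
        raise PermissionError(f"{path}: must be owned by uid {racoon_uid} "
                              "and not accessible by others")
    with open(path, encoding="utf-8") as fh:
        return parse_psk_text(fh.read())
```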

SEE ALSO
     racoon(8), racoonctl(8), setkey(8)

HISTORY
     The racoon.conf configuration file first appeared in the “YIPS”
     Yokogawa IPsec implementation.

BUGS
     Some statements may not be handled by racoon(8) yet.

     Diffie-Hellman computation can take a very long time, and may cause
     unwanted timeouts, specifically when a large D-H group is used.

SECURITY CONSIDERATIONS
     The use of IKE phase 1 aggressive mode is not recommended, as described
     in http://www.kb.cert.org/vuls/id/886601.

BSD                            November 23, 2004                            BSD