racoon-tool.conf

Language: en

Version: 301919 (debian - 07/07/09)

Section: 5 (File format)

NAME

racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

This manual page briefly documents the racoon-tool.conf(5) configuration file format.

Please consult the racoon.conf(5) man-page first to better understand what is written about here.

SYNTAX

The racoon-tool.conf(5) file is laid out in sections.

Comments are delimited on the left by `#', and can be on a line by themselves, or at the end of a line.

The possible sections are global, connection, and peer. The possible templates are spdadd, spdinit, sadinit, sadadd, remote, sainfo, and racooninit.

Sections start with a `section:' header line and then continue with their properties (a name terminated by `:', then the value). Templates ALWAYS have to have each line started with `template:'. Sections and templates can be named, with the name in parentheses between the last character of their type and the final colon.

SECTIONS

The possible sections are:
global:
Contains global parameters for the generated racoon.conf(5), and global settings used by racoon-tool(8). Available settings are: path_pre_shared_key, path_certificate, path_racoon_conf, racoon_command, racoon_pid_file, log, listen[[0-9a-z]], and complex_bundle.

Apart from racoon_command and racoon_pid_file, the settings map across to the similarly named ones in racoon.conf(5).

The listen directive differs a little from the racoon.conf(5) man page: it takes multiple {ip-address} [[port]] statements by attaching an index `0-9', `a-z' in square brackets immediately before the colon.

connection(%default|%anonymous|[-_a-z0-9]+):
Connection as described by the complementary SPD entries. Creates `sainfo' sections in the generated racoon.conf(5), and associated SPD entries.

Directives and values are basically one for one with the relevant entries in racoon.conf(5).

The `%default' VPN connection fills in entries in other specified connections, unless they are otherwise defined within the specific connection. The `%anonymous' connection is there for a passive VPN server.

peer(%default|%anonymous|[a-f0-9:.]+):
Defines the phase 1 attributes associated with a peer. This creates `remote' entries in the generated racoon.conf(5).

Directives and values are basically one for one with the relevant entries in racoon.conf(5). Different proposals are signified by adding an index `0-9', or `a-z' to the encryption_algorithm, hash_algorithm, dh_group, and authentication_method entries, within square brackets immediately before the colon.

The `%default' peer fills in entries in other specified peers, unless they are otherwise defined within the specific peer. The `%anonymous' peer is there for a passive VPN server.
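The layout described above (`type(name):' headers, `key[index]: value' properties, `template:' lines and `%default' filling) is easy to get subtly wrong by hand, so here is a small parser and lint for it. This is an added example, not racoon-tool's own Perl code, and it makes two assumptions the man page does not settle: that a template block is a `name(arg):' header followed only by `template:' lines, and that `%default' fills an indexed key as a unit. The sample input is constructed from the second configuration in EXAMPLES.

```python
import re

SECTION_TYPES = {"global", "connection", "peer"}
TEMPLATE_TYPES = {"spdadd", "spdinit", "sadinit", "sadadd",
                  "remote", "sainfo", "racooninit"}
# Section name patterns as the man page gives them.
NAME_RULES = {"connection": re.compile(r"^(%default|%anonymous|[-_a-z0-9]+)$"),
              "peer": re.compile(r"^(%default|%anonymous|[a-f0-9:.]+)$")}
# `type:' or `type(name):' with nothing after the final colon.
HEADER_RE = re.compile(r"^(?P<type>[a-z]+)(?:\((?P<name>[^)]*)\))?:$")
# `key: value' or `key[i]: value', the index being one character from 0-9 or a-z.
PROP_RE = re.compile(r"^(?P<key>[a-z_]+)(?:\[(?P<idx>[0-9a-z])\])?:\s*(?P<value>.*)$")


class ConfigError(ValueError):
    pass


def parse(text):
    """Return (sections, templates).  sections maps (type, name) to a dict of
    key -> value, or key -> {index: value} for indexed keys; templates maps
    (type, name) to the text following each `template:' prefix."""
    sections, templates, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # `#' comments run to end of line
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            typ, name = m.group("type"), m.group("name")
            if typ in SECTION_TYPES:
                rule = NAME_RULES.get(typ)        # global takes no name
                if (rule and not (name and rule.match(name))) or (not rule and name):
                    raise ConfigError("line %d: bad %s name %r" % (lineno, typ, name))
                current = sections.setdefault((typ, name), {})
            elif typ in TEMPLATE_TYPES:
                current = templates.setdefault((typ, name), [])
            else:
                raise ConfigError("line %d: unknown block type %r" % (lineno, typ))
            continue
        m = PROP_RE.match(line)
        if not m or current is None:
            raise ConfigError("line %d: cannot parse %r" % (lineno, line))
        key, idx, value = m.group("key"), m.group("idx"), m.group("value")
        if isinstance(current, list):            # inside a template block
            if key != "template" or idx is not None:
                raise ConfigError("line %d: template lines must start with `template:'" % lineno)
            current.append(value)
            continue
        indexed = idx is not None
        if key in current and isinstance(current[key], dict) != indexed:
            raise ConfigError("line %d: %s mixes plain and indexed values" % (lineno, key))
        if indexed:
            current.setdefault(key, {})[idx] = value
        else:
            current[key] = value
    return sections, templates


def resolve(sections, typ):
    """Effective settings of every named block of `typ': a key the block defines
    wins, otherwise %default fills it in.  An indexed key is merged as one unit
    (assumption of this example; the man page does not state the granularity)."""
    default = sections.get((typ, "%default"), {})
    return {name: {**default, **props}
            for (t, name), props in sections.items()
            if t == typ and name != "%default"}


def check(text):
    """True when `text' parses, otherwise the error message (a pre-deploy lint)."""
    try:
        parse(text)
        return True
    except ConfigError as err:
        return str(err)


# Constructed input, abridged from the man page's second example.
SAMPLE = """\
peer(%default):                      # shared phase 1 settings
        lifetime: time 60 min
        hash_algorithm[0]: sha1

connection(%default):
        authentication_algorithm: hmac_sha1
        encryption_algorithm: 3des
        src_ip: 172.31.1.1

peer(10.0.0.1):
        peers_identifier: fqdn blue.sky.com

connection(blurke-mail):
        src_range: 192.168.203.0/24
        dst_range: 172.20.1.1
        dst_ip: 10.100.0.1
        encryption_algorithm: blowfish
"""

if __name__ == "__main__":
    print(resolve(parse(SAMPLE)[0], "connection"))
```

Running check() over a file before racoon-tool regenerates racoon.conf(5) catches a mistyped section type, a peer name outside `[a-f0-9:.]', and a directive that is given both with and without an index, all of which would otherwise surface only as a confusing generated configuration.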

TEMPLATES

Templates are described briefly here. You will have to look inside the racoon-tool(8) Perl script to see exactly what you can do.
spdinit:
Portion that can be used to initialise the SPD. Uses setkey syntax. See setkey(8).
sadinit:
Portion that can be used to initialise the SAD. Uses setkey syntax. See setkey(8).
spdadd(%default|[-_a-z0-9]+):
Template for adding SPD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built-in template is named `%default'.
sadadd(%default|[-_a-z0-9]+):
Template for adding SAD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built-in template is named `%default'.
remote(%default|[-_a-z0-9]+):
Template for adding 'remote' entries to the generated racoon.conf(5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built-in template is named `%default'.
sainfo(%default|[-_a-z0-9]+):
Template for adding 'sainfo' entries to the generated racoon.conf(5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built-in template is named `%default'.
racooninit:
Template for adding your own section to the start of the generated racoon.conf(5).
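A worked example of the `___name___' replacement the templates rely on, added here and not taken from racoon-tool itself. The template text and the placeholder names (src_range, dst_range, src_ip, dst_ip) are constructed to mirror the connection directives in EXAMPLES; whether the built-in `%default' spdadd template uses exactly these names is an assumption. The one design point worth copying is that an undefined key is an error rather than a silently empty string.

```python
import re

# A key is ___name___ where name is lowercase words joined by single
# underscores, so `___src_range___ ___dst_range___' never fuses into one key.
KEY_RE = re.compile(r"___([a-z]+(?:_[a-z]+)*)___")


class TemplateError(KeyError):
    pass


def unresolved_keys(template_lines, settings):
    """Key names the template uses that settings does not define, in order of first use."""
    missing = []
    for line in template_lines:
        for name in KEY_RE.findall(line):
            if name not in settings and name not in missing:
                missing.append(name)
    return missing


def render(template_lines, settings):
    """Substitute every ___name___ from settings.  A missing key raises instead
    of rendering as an empty string, so a mistyped directive name cannot quietly
    produce a policy line that differs from the one the author intended."""
    missing = unresolved_keys(template_lines, settings)
    if missing:
        raise TemplateError("template needs undefined keys: " + ", ".join(missing))
    return [KEY_RE.sub(lambda m: str(settings[m.group(1)]), line)
            for line in template_lines]


# Constructed template in setkey(8) spdadd syntax (an assumption about the
# real built-in template, which lives in the racoon-tool script).
SPDADD_TEMPLATE = [
    "spdadd ___src_range___ ___dst_range___ any -P out ipsec",
    "    esp/tunnel/___src_ip___-___dst_ip___/require;",
    "spdadd ___dst_range___ ___src_range___ any -P in ipsec",
    "    esp/tunnel/___dst_ip___-___src_ip___/require;",
]

# Values from the man page's first example connection.
CONNECTION = {"src_range": "192.168.223.1/32", "dst_range": "192.168.200.0/24",
              "src_ip": "172.31.1.1", "dst_ip": "10.0.0.1"}


def render_example():
    return render(SPDADD_TEMPLATE, CONNECTION)


if __name__ == "__main__":
    print("\n".join(render_example()))
```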

EXAMPLES

Example of a simple configuration using PSK authentication.
 #
 # Configuration file for racoon-tool
 #
 # See racoon-tool.conf(5) for details
 #
 
 #
 # Simple PSK - authentication defaults to pre_shared_key  
 #
 connection(bacckdoor-doormat):
         src_range: 192.168.223.1/32
         dst_range: 192.168.200.0/24
         src_ip: 172.31.1.1
         dst_ip: 10.0.0.1
         admin_status: enabled
         compression: no
         lifetime: time 20 min
         authentication_algorithm: hmac_sha1
         encryption_algorithm: 3des
 
 peer(10.0.0.1):
         verify_cert: on
         passive: off
         verify_identifier: off
         lifetime: time 60 min
         hash_algorithm[0]: sha1
         encryption_algorithm[0]: 3des
 
 

Example of a complex configuration with multiple networks between the same endpoints, as well as use of `%default' for common settings.

 #
 # Configuration file for racoon-tool
 #
 
 global:
         log: notify
 
 # default settings to save typing
 peer(%default):
         certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
         my_identifier: fqdn blurke.bar.com
         lifetime: time 60 min
         verify_identifier: on
         verify_cert: on
         hash_algorithm[0]: sha1
         encryption_algorithm[0]: 3des
         authentication_method[0]: rsasig
 
 connection(%default):
         authentication_algorithm: hmac_sha1
         encryption_algorithm: 3des
         src_ip: 172.31.1.1
         lifetime: time 20 min
 
 # Connection to work
 peer(10.0.0.1):
         peers_identifier: fqdn blue.sky.com
 
 connection(blurke-blue-sky-work):
         src_range: 192.168.203.1/32
         dst_range: 172.16.0.0/24
         dst_ip: 10.0.0.1
         admin_status: enabled
 
 # Connection to telehoused servers
 connection(blurke-mail):
         src_range: 192.168.203.0/24
         dst_range: 172.20.1.1
         dst_ip: 10.100.0.1
         encryption_algorithm: blowfish
         compression: on
         admin_status: yes
 
 peer(10.100.0.1):
         peers_identifier: fqdn mail.bar.com
 
 connection(blurke-web1):
         src_range: 192.168.203.0/24
         dst_range: 172.20.1.23
         dst_ip: 10.100.0.1
         encryption_algorithm: blowfish
         admin_status: yes
 
 connection(blurke-web2):
         src_range: 192.168.203.0/24
         dst_range: 172.20.1.24
         dst_ip: 10.100.0.1
         encryption_algorithm: blowfish
         admin_status: yes
 
 
 
 # Test connection to Free S/WAN
 connection(blurke-freeswan):
         src_range: 192.168.203.0/24
         dst_range: 172.17.100.0/24
         dst_ip: 172.30.1.1
         admin_status: yes
 
 peer(172.30.1.1):
         peers_identifier: fqdn banshee
 

FILES

/etc/racoon/racoon-tool.conf
The file that this man page describes.
/var/lib/racoon/racoon.conf
The generated racoon.conf.

SEE ALSO

racoon.conf(5), racoon-tool(8), racoon(8), setkey(8).

BUGS

This man page is by no means complete.

AUTHOR

This manual page was written by Matthew Grant <grantma@anathoth.gen.nz> for the Debian GNU/Linux system (but may be used by others).