racoon.conf is the configuration file for the racoon(8) ISAKMP daemon. racoon(8) negotiates security associations for itself (ISAKMP SA, or phase 1 SA) and for kernel IPsec (IPsec SA, or phase 2 SA). The file consists of a sequence of directives and statements. Each directive is composed of a tag and statements, enclosed by '{' and '}'. Lines beginning with '#' are comments.

Meta Syntax

Keywords and special characters that the parser expects exactly are displayed using this font. Parameters are specified with this font. Square brackets ('[' and ']') are used to show optional keywords and parameters. Note that you have to pay attention when this manual is describing port numbers. The port number is always enclosed by '[' and ']'. In this case, the port number is not an optional keyword. If it is possible to omit the port number, the expression becomes [[port]]. The vertical bar ('|') is used to indicate a choice between optional parameters. Parentheses ('(' and ')') are used to group keywords and parameters when necessary. Major parameters are listed below.

number
    means a hexadecimal or a decimal number. The former must be prefixed with '0x'.
string, path, file
    means any string enclosed in '"' (double quotes).
address
    means an IPv6 and/or IPv4 address.
port
    means a TCP/UDP port number. The port number is always enclosed by '[' and ']'.
timeunit
    is one of the following: sec, secs, second, seconds, min, mins, minute, minutes, hour, hours.

Privilege separation

privsep { statements }
    Specifies privilege separation parameters. When enabled, these enable racoon(8) to operate with an unprivileged instance doing most of the work, while a privileged instance takes care of performing the following operations as root: reading PSK and private keys, launching hook scripts, and validating passwords against system databases or against PAM. Please note that using privilege separation makes changes to the listen and paths sections ignored upon configuration reloads. A racoon(8) restart is required if you want such changes to be taken into account.

user user;
    The user to which the unprivileged instance of racoon(8) should switch. This can be a quoted user name or a numeric UID.

group group;
    The group to which the unprivileged instance of racoon(8) should switch. This can be a quoted group name or a numeric GID.

chroot path;
    A directory to which the unprivileged instance of racoon(8) should chroot(2). This directory should hold a tree in which the following files must be reachable: /dev/random, /dev/urandom, the certificates, and the file containing the Xauth banner. The PSK file, the private keys, and the hook scripts are accessed through the privileged instance of racoon(8) and do not need to be reachable in the chroot(2)'ed tree.

Path Specification

This section specifies various paths used by racoon. When running in privilege separation mode, certificate and script paths are mandatory. A racoon(8) restart is required if you want path changes to be taken into account.

path include path;
    Specifies a path to include a file. See File Inclusion.

path pre_shared_key file;
    Specifies a file containing pre-shared key(s) for various ID(s). See Pre-shared key File.

path certificate path;
    racoon(8) will search this directory if a certificate or certificate request is received. If you run with privilege separation, racoon(8) will refuse to use a certificate stored outside of this directory.

path backupsa file;
    Specifies a file to which SA information negotiated by racoon should be stored. racoon(8) will install SA(s) from the file when started with the -B flag. The file keeps growing because racoon(8) simply adds SAs to it. You should maintain the file manually.

path script path;
    racoon(8) will search this directory for hook scripts. If you run with privilege separation, racoon(8) will refuse to execute a script stored outside of this directory.

path pidfile file;
    Specifies the file in which to store the PID of the process. If path starts with / it is treated as an absolute path. Otherwise, it is treated as a path relative to the VARRUN directory specified at compilation time. The default is racoon.pid.

File Inclusion

include file
    Specifies other configuration files to be included.

Timer Specification

timer { statements }
    This section specifies various timer values used by racoon.

counter number;
    The maximum number of retries to send. The default is 5.

interval number timeunit;
    The interval to resend, in seconds. The default time is 10 seconds.

persend number;
    The number of packets per send. The default is 1.

phase1 number timeunit;
    The maximum time it should take to complete phase 1. The default time is 15 seconds.

phase2 number timeunit;
    The maximum time it should take to complete phase 2. The default time is 10 seconds.

natt_keepalive number timeunit;
    The interval between sending NAT-Traversal keep-alive packets. The default time is 20 seconds. Set to 0s to disable keep-alive packets.

Listening Port Specification

listen { statements }
    If no listen directive is specified, racoon(8) will listen on all available interface addresses. The following is the list of valid statements:

isakmp address [[port]];
    If this is specified, racoon(8) will only listen on the defined address. The default port is 500, which is specified by IANA. You can provide more than one address definition.

isakmp_natt address [port];
    Same as isakmp but also sets the socket options to accept UDP-encapsulated ESP traffic for NAT-Traversal. If you plan to use NAT-T, you should provide at least one address with port 4500, which is specified by IANA. There is no default.

strict_address;
    Requires that all addresses for ISAKMP be bound. This statement will be ignored if you do not specify address definitions.

When running in privilege separation mode, you need to restart racoon(8) to have changes to the listen section taken into account.

The listen section can also be used to specify the admin socket mode and ownership if racoon was built with support for the admin port.

adminsock path [owner group mode];
    The path, owner, and group values specify the socket path, owner, and group. They must be quoted. The defaults are /var/racoon/racoon.sock, UID 0, and GID 0. mode is the access mode in octal. The default is 0600.

adminsock disabled;
    This directive tells racoon not to listen on the admin socket.

Miscellaneous Global Parameters

gss_id_enc enctype;
    Older versions of racoon(8) used ISO-Latin-1 as the encoding of the GSS-API identifier attribute. For interoperability with Microsoft Windows' GSS-API authentication scheme, the default encoding has been changed to UTF-16LE. The gss_id_enc parameter allows racoon(8) to be configured to use the old encoding for compatibility with existing racoon(8) installations. The following are valid values for enctype:

    utf-16le
        Use UTF-16LE to encode the GSS-API identifier attribute. This is the default encoding. This encoding is compatible with Microsoft Windows.

    latin1
        Use ISO-Latin-1 to encode the GSS-API identifier attribute. This is the encoding used by older versions of racoon(8).

pfkey_buffer kBytes;
    Specifies the socket send/receive buffer size in kilobytes. Numerous kernel PF_KEY implementations have problems with dumping the SAD/SPD with a large number of entries (this happens when 100s to 1000s of tunnels are configured). The default value of 0 leaves everything at the OS-specific default value. If the default buffer size is greater than what is specified here, racoon will not decrease it. This problem is known to be fixed in Linux 2.6.25 and later.

Remote Nodes Specifications

remote name [inherit parent_name] { statements }
    Specifies the IKE phase 1 parameters for each remote node. If a connection is initiated using racoonctl, a unique match using the remote IP must be found or the remote block name has to be given. For received acquires (the kernel notices traffic requiring a new SA) the remote IP and the remoteid from the matching sainfo block are used to decide the remote block. If no uniquely matching remote block is found using these criteria, no connection attempt is made. When acting as responder, racoon picks the first proposal that has one or more acceptable remote configurations. When determining whether a remote specification matches, the following information is checked:


Examples

The following shows how the remote directive should be configured.

    path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

    remote anonymous {
            exchange_mode aggressive,main,base;
            lifetime time 24 hour;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            pfs_group 2;
            lifetime time 12 hour ;
            encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
            authentication_algorithm hmac_sha1, hmac_md5 ;
            compression_algorithm deflate ;
    }

If you are configuring plain RSA authentication, the remote directive should look like the following:

    path certificate "/usr/local/v6/etc" ;

    remote anonymous {
            exchange_mode main,base ;
            lifetime time 12 hour ;
            certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
            peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
            proposal {
                    encryption_algorithm aes ;
                    hash_algorithm sha1 ;
                    authentication_method rsasig ;
                    dh_group 2 ;
            }
    }

The following is a sample for the pre-shared key file.

    0x12345678                              mekmitasdigoat
    3ffe:501:410:ffff:200:86ff:fe05:80fa    whatcertificatereally
    3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
    foo@kame.net                            mekmitasdigoat
    foo.kame.net                            hoge
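The examples above offer aggressive mode and 3des and run racoon as root. As an added example that is not part of this manual page, the following racoon.conf combines the privsep, path and listen directives from the earlier sections with a main-mode-only phase 1; the _racoon user and group, the owner "root"/"wheel" of the admin socket, the address 192.0.2.10 and every path are assumptions.

```conf
# Added example (not from the manual): privilege separation, explicit paths,
# a restricted listen section and main-mode phase 1 in one racoon.conf.
# The _racoon user/group, 192.0.2.10 and every path below are assumptions.

# Read through the privileged instance; need not exist inside the chroot.
path pre_shared_key "/etc/racoon/psk.txt";
# Both are mandatory under privsep; certificates and scripts stored
# outside these directories are refused.
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

privsep {
        user "_racoon";
        group "_racoon";
        # The chroot tree must provide dev/random, dev/urandom and the
        # certificate directory as seen from inside the chroot, i.e. the
        # host path /var/racoon/chroot/etc/racoon/certs.
        chroot "/var/racoon/chroot";
}

listen {
        # Bind one address only; port 4500 is needed for NAT-T.
        isakmp 192.0.2.10 [500];
        isakmp_natt 192.0.2.10 [4500];
        # Require that both addresses can actually be bound.
        strict_address;
        # Admin socket owned by root, group wheel, mode 0600.
        adminsock "/var/racoon/racoon.sock" "root" "wheel" 0600;
}

remote anonymous {
        # Main mode only; aggressive mode is deliberately not offered.
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # A larger group than in the examples above; D-H takes
                # longer, so watch the phase1 timer.
                dh_group 14;
        }
}

sainfo anonymous {
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Because privsep is enabled, edits to the path and listen sections above take effect only after a restart of racoon(8), not on a configuration reload.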


History

The racoon.conf configuration file first appeared in the "YIPS" Yokogawa IPsec implementation.

Bugs

Some statements may not be handled by racoon(8) yet. Diffie-Hellman computation can take a very long time, and may cause unwanted timeouts, specifically when a large D-H group is used.

The use of IKE phase 1 aggressive mode is not recommended, as described in http://www.kb.cert.org/vuls/id/886601.

