racoon-tool.conf

NAME

racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

This manual page documents briefly the racoon-tool.conf(5) , configuration file format.
Please consult the racoon.conf(5) man-page first to better understand what is written about here.

SYNTAX

The racoon-tool.conf(5) file is laid out in sections.
Comments are delimited on the left by `#', and can be on a line by themselves, or at the end of a line.
The possible sections are global, connection, and peer. The possible templates are spdadd, spdinit, sadinit, sadadd, remote, sainfo, and racooninit.
Sections start with section: and then continue with their properties (name terminated by `:' then value), and templates ALWAYS have to have each line started with template: Sections and templates can be named, with the name occurring in parenthesis between the last character of their type and the final colon.

SECTIONS

The possible sections are:
R global:
Contains global parameters for the generated racoon.conf(5), and global settings used by racoon-tool(8). Available settings are: path_pre_shared_key, path_certificate, path_racoon_conf, racoon_command, racoon_pid_file, log, listen[[0-9a-z]], and complex_bundle. Apart from racoon-command and racoon_pid_file, the setting map across to the similar names in racoon.conf(5). The listen directive is a bit different from the man-page and takes multiple {ip-address} [[port]] statements by attaching an index `0-9',`a-z' in square brackets immediately before the colon.
R connection( %default|%anonymous|[-_a-z0-9]+ ):
Connection as described by the complementary SPD entries. Creates `sainfo' sections in the generated racoon.conf(5), and associated SPD entries. Directives and values are basically one for one with the relevant entries in racoon.conf(5). The `%default' VPN connection fills in entries in other specified connections, unless they are otherwise defined within the specific connection. The `%anonymous' connection is there for a passive VPN server.
R peer( %default|%anonymous|[a-f0-9:\.]+ ):
Defines the phase 1 attributes associated with a peer. This creates `remote' entries in the generated racoon.conf(5). Directives and values are basically one for one with the relevant entries in racoon.conf(5). Different proposals are signified by adding an index `0-9', or `a-z' to the encryption_algorithm, hash_algorithm, dh_group, and authentication_method entries, within square brackets immediately before the colon. The `%default' VPN connection fills in entries in other specified connections, unless they are otherwise defined within the specific connection. The `%anonymous' connection is there for a passive VPN server.

TEMPLATES

Templates are described briefly here. You will have to look inside the racoon-tool(8) perl script to see exactly what you can do.
R spdinit:
Portion that can be used to initialise the SPD. Uses setkey syntax. See setkey(8).
R sadinit:
Portion that can be used to initialise the SAD. Uses setkey syntax. See setkey(8).
R spdadd(%default|[-_a-z0-9]+):
Template for adding SPD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built in template is named `%default'.
R sadadd(%default|[-_a-z0-9]+):
Template for adding SAD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built in template is named `%default'.
R remote(%default|[-_a-z0-9]+):
Template for adding 'remote' entries to the generated R racoon.conf(5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built in template is named `%default'.
R sainfo(%default|[-_a-z0-9]+):
Template for adding 'sainfo' entries to the generated racoon.conf(5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in setkey(8). The built in template is named `%default'.
R racooninit:
Template for adding your own section to the start of the generated racoon.conf(5).

EXAMPLES

Example of a simple configuration using PSK authentication.
#
# Configuration file for racoon-tool
#
# See racoon-tool.conf(5) for details
#

#
# Simple PSK - authentication defaults to pre_shared_key  
#
connection(bacckdoor-doormat):
	src_range: 192.168.223.1/32
	dst_range: 192.168.200.0/24
	src_ip: 172.31.1.1
	dst_ip: 10.0.0.1
	admin_status: enabled
	compression: no
	lifetime: time 20 min
	authentication_algorithm: hmac_sha1
	encryption_algorithm: 3des

peer(10.0.0.1):
	verify_cert: on
	passive: off
	verify_identifier: off
	lifetime: time 60 min
	hash_algorithm[0]: sha1
	encryption_algorithm[0]: 3des

Example of a complex configuration with multple networks betweenthe same endpoints, as well as use of `%default' for common settings.
#
# Configuration file for racoon-tool
#

global:
	log: notify

# default settings to save typing
peer(%default):
	certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
	my_identifier: fqdn blurke.bar.com
	lifetime: time 60 min
	verify_identifier: on
	verify_cert: on
	hash_algorithm[0]: sha1
	encryption_algorithm[0]: 3des
	authentication_method[0]: rsasig

connection(%default):
	authentication_algorithm: hmac_sha1
	encryption_algorithm: 3des
	src_ip: 172.31.1.1
	lifetime: time 20 min

# Connection to work
peer(10.0.0.1):
	peers_identifier: fqdn blue.sky.com

connection(blurke-blue-sky-work):
	src_range: 192.168.203.1/32
	dst_range: 172.16.0.0/24
	dst_ip: 10.0.0.1
	admin_status: enabled

# Connection to telehoused servers
connection(blurke-mail):
	src_range: 192.168.203.0/24
	dst_range: 172.20.1.1
	dst_ip: 10.100.0.1
	encryption_algorithm: blowfish
	compression: on
	admin_status: yes

peer(10.100.0.1):
	peers_identifier: fqdn mail.bar.com

connection(blurke-web1):
	src_range: 192.168.203.0/24
	dst_range: 172.20.1.23
	dst_ip: 10.100.0.1
	encryption_algorithm: blowfish
	admin_status: yes

connection(blurke-web2):
	src_range: 192.168.203.0/24
	dst_range: 172.20.1.24
	dst_ip: 10.100.0.1
	encryption_algorithm: blowfish
	admin_status: yes



# Test connection to Free S/WAN
connection(blurke-freeswan):
	src_range: 192.168.203.0/24
	dst_range: 172.17.100.0/24
	dst_ip: 172.30.1.1
	admin_status: yes

peer(172.30.1.1):
	peers_identifier: fqdn banshee

FILES

/etc/racoon/racoon-tool.conf
The file that this man page describes.
/var/lib/racoon/racoon.conf
The generated racoon.conf.

SEE ALSO

BUGS

This man page is by no means complete.

AUTHOR

This manual page was written by Matthew Grant <grantma@anathoth.gen.nz> for the Debian GNU/Linux system (but may be used by others).