NAME
racoon-tool.conf - configuration file for
racoon-tool(8).
DESCRIPTION
This manual page briefly documents the format of the
racoon-tool.conf(5)
configuration file.
Please consult the
racoon.conf(5)
man-page first to better understand what is written about here.
SYNTAX
Comments are delimited on the left by `#', and can be on a line by
themselves, or at the end of a line.
The possible sections are
global,
connection,
and
peer.
The possible templates are
spdadd,
spdinit,
sadinit,
sadadd,
remote,
sainfo,
and
racooninit.
Sections start with a header line of the form
section:
and continue with their properties, one per line (name terminated by `:' then
value). Templates are different: EVERY line of a template starts with
template:
followed by the template text for that line.
Sections and templates can be named, with the name occurring in
parentheses between the last character of their type and the final
colon.
SECTIONS
The possible sections are:
global:
Contains global parameters for the generated
racoon.conf(5),
and global settings used by
racoon-tool(8).
Available settings are:
path_pre_shared_key,
path_certificate,
path_racoon_conf,
racoon_command,
racoon_pid_file,
log,
listen[0-9a-z],
and
complex_bundle.
Apart from
racoon_command
and
racoon_pid_file,
the settings map across to the directives of the same name in
racoon.conf(5).
The
listen
directive differs from the man-page: it takes multiple
{ip-address} [port]
statements, one per line, each distinguished by an index `0-9' or `a-z' in
square brackets immediately before the colon (for example listen[0]: and
listen[1]:).
connection( %default|%anonymous|[-_a-z0-9]+ ):
Connection as described by the complementary SPD entries. Creates
`sainfo' sections in the generated
racoon.conf(5),
and associated SPD entries.
Directives and values are basically one for
one with the relevant entries in
racoon.conf(5).
The `%default' VPN connection fills in entries in other specified
connections, unless they are otherwise defined within the specific
connection. The `%anonymous' connection is there for a passive VPN
server.
peer( %default|%anonymous|[a-f0-9:\.]+ ):
Defines the phase 1 attributes associated with a peer. This creates
`remote' entries in the generated
racoon.conf(5).
Directives and values are basically one for one with the relevant
entries in
racoon.conf(5).
Different proposals are signified by adding an index `0-9', or `a-z' to
the
encryption_algorithm,
hash_algorithm,
dh_group,
and
authentication_method
entries, within square brackets immediately before the colon.
The `%default' peer fills in entries in other specified peers, unless they
are otherwise defined within the specific peer. The `%anonymous' peer is
there for a passive VPN server.
TEMPLATES
Templates are described briefly here. You will have to look inside the
racoon-tool(8)
Perl script to see exactly what you can do.
spdinit:
Portion that can be used to initialise the SPD. Uses setkey syntax.
See
setkey(8).
sadinit:
Portion that can be used to initialise the SAD. Uses setkey syntax.
See
setkey(8).
spdadd(%default|[-_a-z0-9]+):
Template for adding SPD entries. Different templates can be used.
Keys for replacement are of the form `___setkey_name___', with names
found in
setkey(8).
The built in template is named `%default'.
sadadd(%default|[-_a-z0-9]+):
Template for adding SAD entries. Different templates can be used.
Keys for replacement are of the form `___setkey_name___', with names
found in
setkey(8).
The built in template is named `%default'.
remote(%default|[-_a-z0-9]+):
Template for adding 'remote' entries to the generated
racoon.conf(5).
Different templates can be used. Keys for replacement are
of the form `___setkey_name___', with names found in
setkey(8).
The built in template is named `%default'.
sainfo(%default|[-_a-z0-9]+):
Template for adding 'sainfo' entries to the generated
racoon.conf(5).
Different templates can be used.
Keys for replacement are of the form `___setkey_name___', with names
found in
setkey(8).
The built in template is named `%default'.
racooninit:
Template for adding your own section to the start of the generated
racoon.conf(5).
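As an added example (not code from this manual page, and not the Perl code of racoon-tool(8) itself), the following Python parser implements the SYNTAX, SECTIONS and TEMPLATES rules described above: `#' comments, `section:' and `section(name):' headers followed by `name[index]: value' properties, template lines that each repeat their `template(name):' prefix, `%default' filling in of named peer and connection sections, and expansion of `___name___' keys in a template. Two assumptions are the author's reading of the text rather than documented racoon-tool(8) behaviour: template keys are looked up among the merged section's own property names (src_range, dst_ip, ...), and a key with no value is treated as a hard error instead of being passed on to setkey. The configuration embedded in it is constructed for the example.

```python
"""Parser for the racoon-tool.conf syntax described in this manual page.

Added example only: this is not racoon-tool(8)'s own Perl code.  Assumptions
(not stated by the page): template ___name___ keys are looked up in the merged
connection/peer properties, and an unknown key is treated as a hard error.
"""
import re
from collections import OrderedDict

SECTION_TYPES = {"global", "connection", "peer"}
TEMPLATE_TYPES = {"spdadd", "spdinit", "sadinit", "sadadd",
                  "remote", "sainfo", "racooninit"}

# `type:' or `type(name):' with optional trailing text (templates carry text).
_HEADER_RE = re.compile(r"^([a-z]+)(?:\(\s*([^)]*?)\s*\))?:\s*(.*)$")
# `name:' or `name[i]:' then the value; the index is one of 0-9, a-z.
_PROP_RE = re.compile(r"^([a-z_]+)(?:\[([0-9a-z])\])?:\s*(.*)$")
# Replacement keys inside template text.
_KEY_RE = re.compile(r"___([a-z_]+)___")


def parse(text):
    """Return (sections, templates).

    sections:  {(kind, name): {property: value}}   name is None for `global'
    templates: {(kind, name): [template line, ...]}
    """
    sections, templates = OrderedDict(), OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # `#' starts a comment anywhere
        if not line:
            continue
        m = _HEADER_RE.match(line)
        if m and m.group(1) in SECTION_TYPES and not m.group(3):
            current = (m.group(1), m.group(2))    # new section; following lines are its properties
            sections.setdefault(current, OrderedDict())
            continue
        if m and m.group(1) in TEMPLATE_TYPES:     # every template line repeats its header
            templates.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
            continue
        if current is None:
            raise ValueError("line %d: property outside any section: %r" % (lineno, raw))
        p = _PROP_RE.match(line)
        if not p:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key = p.group(1) + ("[%s]" % p.group(2) if p.group(2) else "")
        sections[current][key] = p.group(3)
    return sections, templates


def merged(sections, kind, name):
    """Named section with the `%default' section of the same kind filled in underneath."""
    result = OrderedDict(sections.get((kind, "%default"), {}))
    result.update(sections[(kind, name)])
    return result


def indexed(section, base):
    """Collect base[i] entries (peer proposals, global listen lines) keyed by index."""
    out = OrderedDict()
    for key, value in section.items():
        m = re.match(r"^([a-z_]+)\[([0-9a-z])\]$", key)
        if m and m.group(1) == base:
            out[m.group(2)] = value
    return out


def expand(template_lines, values):
    """Replace ___name___ keys from `values'; an unknown key is an error, never handed to setkey."""
    def sub(m):
        if m.group(1) not in values:
            raise KeyError("template key %s has no value in section" % m.group(0))
        return values[m.group(1)]
    return [_KEY_RE.sub(sub, line) for line in template_lines]


# Constructed sample input in the syntax above (not taken from a real site).
SAMPLE = """\
global:
    log: notify
    path_pre_shared_key: /etc/racoon/psk.txt
    listen[0]: 10.0.0.1 500     # index selects one of several listen statements
    listen[1]: 10.0.0.1 4500

peer(%default):
    lifetime: time 60 min
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des
    authentication_method[0]: pre_shared_key

peer(10.0.0.2):
    passive: off
    encryption_algorithm[0]: aes   # overrides the %default proposal entry

connection(%default):
    src_ip: 10.0.0.1
    lifetime: time 20 min

connection(office):
    src_range: 192.168.1.0/24
    dst_range: 192.168.2.0/24
    dst_ip: 10.0.0.2
    admin_status: enabled

spdadd(%default): spdadd ___src_range___ ___dst_range___ any -P out ipsec esp/tunnel/___src_ip___-___dst_ip___/require;
spdadd(%default): spdadd ___dst_range___ ___src_range___ any -P in ipsec esp/tunnel/___dst_ip___-___src_ip___/require;
"""


def office_spd():
    """SPD lines for connection(office) with the %default connection merged in."""
    sections, templates = parse(SAMPLE)
    return expand(templates[("spdadd", "%default")], merged(sections, "connection", "office"))


if __name__ == "__main__":
    for line in office_spd():
        print(line)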
EXAMPLES
Example of a simple configuration using PSK authentication.
#
# Configuration file for racoon-tool
#
# See racoon-tool.conf(5) for details
#
#
# Simple PSK - authentication defaults to pre_shared_key
#
connection(backdoor-doormat):
src_range: 192.168.223.1/32
dst_range: 192.168.200.0/24
src_ip: 172.31.1.1
dst_ip: 10.0.0.1
admin_status: enabled
compression: no
lifetime: time 20 min
authentication_algorithm: hmac_sha1
encryption_algorithm: 3des
peer(10.0.0.1):
verify_cert: on
passive: off
verify_identifier: off
lifetime: time 60 min
hash_algorithm[0]: sha1
encryption_algorithm[0]: 3des
Example of a complex configuration with multiple networks between the
same endpoints, as well as use of `%default' for common settings.
#
# Configuration file for racoon-tool
#
global:
log: notify
# default settings to save typing
peer(%default):
certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
my_identifier: fqdn blurke.bar.com
lifetime: time 60 min
verify_identifier: on
verify_cert: on
hash_algorithm[0]: sha1
encryption_algorithm[0]: 3des
authentication_method[0]: rsasig
connection(%default):
authentication_algorithm: hmac_sha1
encryption_algorithm: 3des
src_ip: 172.31.1.1
lifetime: time 20 min
# Connection to work
peer(10.0.0.1):
peers_identifier: fqdn blue.sky.com
connection(blurke-blue-sky-work):
src_range: 192.168.203.1/32
dst_range: 172.16.0.0/24
dst_ip: 10.0.0.1
admin_status: enabled
# Connection to telehoused servers
connection(blurke-mail):
src_range: 192.168.203.0/24
dst_range: 172.20.1.1
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
compression: on
admin_status: yes
peer(10.100.0.1):
peers_identifier: fqdn mail.bar.com
connection(blurke-web1):
src_range: 192.168.203.0/24
dst_range: 172.20.1.23
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
admin_status: yes
connection(blurke-web2):
src_range: 192.168.203.0/24
dst_range: 172.20.1.24
dst_ip: 10.100.0.1
encryption_algorithm: blowfish
admin_status: yes
# Test connection to Free S/WAN
connection(blurke-freeswan):
src_range: 192.168.203.0/24
dst_range: 172.17.100.0/24
dst_ip: 172.30.1.1
admin_status: yes
peer(172.30.1.1):
peers_identifier: fqdn banshee
FILES
/etc/racoon/racoon-tool.conf
The file that this man page describes.
/var/lib/racoon/racoon.conf
The generated racoon.conf.
SEE ALSO
racoon-tool(8),
racoon.conf(5),
setkey(8).
BUGS
This man page is by no means complete.
AUTHOR
This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>
for the Debian GNU/Linux system (but may be used by others).