Annotation of embedaddon/ipsec-tools/src/racoon/racoon.conf.5, revision 1.1

1.1     ! misho       1: .\"    $NetBSD: racoon.conf.5,v 1.61 2010/06/22 20:51:04 wiz Exp $
        !             2: .\"
        !             3: .\"    Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
        !             4: .\"
        !             5: .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
        !             6: .\" All rights reserved.
        !             7: .\"
        !             8: .\" Redistribution and use in source and binary forms, with or without
        !             9: .\" modification, are permitted provided that the following conditions
        !            10: .\" are met:
        !            11: .\" 1. Redistributions of source code must retain the above copyright
        !            12: .\"    notice, this list of conditions and the following disclaimer.
        !            13: .\" 2. Redistributions in binary form must reproduce the above copyright
        !            14: .\"    notice, this list of conditions and the following disclaimer in the
        !            15: .\"    documentation and/or other materials provided with the distribution.
        !            16: .\" 3. Neither the name of the project nor the names of its contributors
        !            17: .\"    may be used to endorse or promote products derived from this software
        !            18: .\"    without specific prior written permission.
        !            19: .\"
        !            20: .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
        !            21: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
        !            22: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
        !            23: .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
        !            24: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
        !            25: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
        !            26: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
        !            27: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
        !            28: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
        !            29: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
        !            30: .\" SUCH DAMAGE.
        !            31: .\"
        !            32: .Dd June 22, 2010
        !            33: .Dt RACOON.CONF 5
        !            34: .Os
        !            35: .\"
        !            36: .Sh NAME
        !            37: .Nm racoon.conf
        !            38: .Nd configuration file for racoon
        !            39: .\"
        !            40: .\" .Sh SYNOPSIS
        !            41: .\"
        !            42: .Sh DESCRIPTION
        !            43: .Nm
        !            44: is the configuration file for the
        !            45: .Xr racoon 8
        !            46: ISAKMP daemon.
        !            47: .Xr racoon 8
        !            48: negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
        !            49: and for kernel IPsec (IPsec SA, or phase 2 SA).
        !            50: The file consists of a sequence of directives and statements.
        !            51: Each directive is composed of a tag and statements, enclosed by
        !            52: .Ql {
        !            53: and
        !            54: .Ql } .
        !            55: Lines beginning with
        !            56: .Ql #
        !            57: are comments.
        !            58: .\"
        !            59: .Ss Meta Syntax
        !            60: Keywords and special characters that the parser expects exactly are
        !            61: displayed using
        !            62: .Ic this
        !            63: font.
        !            64: Parameters are specified with
        !            65: .Ar this
        !            66: font.
        !            67: Square brackets
        !            68: .Po
        !            69: .Ql \&[
        !            70: and
        !            71: .Ql \&]
        !            72: .Pc
        !            73: are used to show optional keywords and parameters.
        !            74: Note that
        !            75: you have to pay attention to how this manual describes
        !            76: .Ar port
        !            77: numbers.
        !            78: The
        !            79: .Ar port
        !            80: number is always enclosed by
        !            81: .Ql \&[
        !            82: and
        !            83: .Ql \&] .
        !            84: In this case, the port number is not an optional keyword.
        !            85: If it is possible to omit the
        !            86: .Ar port
        !            87: number,
        !            88: the expression becomes
        !            89: .Bq Bq Ar port .
        !            90: The vertical bar
        !            91: .Pq Ql \&|
        !            92: is used to indicate
        !            93: a choice between optional parameters.
        !            94: Parentheses
        !            95: .Po
        !            96: .Ql \&(
        !            97: and
        !            98: .Ql \&)
        !            99: .Pc
        !           100: are used to group keywords and parameters when necessary.
        !           101: Major parameters are listed below.
        !           102: .Pp
        !           103: .Bl -tag -width addressx -compact
        !           104: .It Ar number
        !           105: means a hexadecimal or a decimal number.
        !           106: The former must be prefixed with
        !           107: .Ql Li 0x .
        !           108: .It Ar string
        !           109: .It Ar path
        !           110: .It Ar file
        !           111: means any string enclosed in
        !           112: .Ql \&"
        !           113: .Pq double quotes .
        !           114: .It Ar address
        !           115: means an IPv6 or IPv4 address.
        !           116: .It Ar port
        !           117: means a TCP/UDP port number.
        !           118: The port number is always enclosed by
        !           119: .Ql \&[
        !           120: and
        !           121: .Ql \&] .
        !           122: .It Ar timeunit
        !           123: is one of the following:
        !           124: .Ic sec , secs , second , seconds ,
        !           125: .Ic min , mins , minute , minutes ,
        !           126: .Ic hour , hours .
        !           127: .El
        !           128: .\"
        !           129: .Ss Privilege separation
        !           130: .Bl -tag -width Ds -compact
        !           131: .It Ic privsep { Ar statements Ic }
        !           132: Specifies privilege separation parameters.
        !           133: When enabled, these allow
        !           134: .Xr racoon 8
        !           135: to operate with an unprivileged instance doing most of the work, while
        !           136: a privileged instance takes care of performing the following operations
        !           137: as root: reading PSK and private keys, launching hook scripts, and
        !           138: validating passwords against system databases or against PAM.
        !           139: Please note that when privilege separation is in use, changes to the
        !           140: .Ar listen
        !           141: and
        !           142: .Ar paths
        !           143: sections are ignored upon configuration reload.
        !           144: A
        !           145: .Xr racoon 8
        !           146: restart is required if you want such changes to be taken into account.
        !           147: .Pp
        !           148: .Bl -tag -width Ds -compact
        !           149: .It Ic user Ar user ;
        !           150: The user to which the unprivileged instance of
        !           151: .Xr racoon 8
        !           152: should switch.
        !           153: This can be a quoted user name or a numeric UID.
        !           154: .It Ic group Ar group ;
        !           155: The group to which the unprivileged instance of
        !           156: .Xr racoon 8
        !           157: should switch.
        !           158: This can be a quoted group name or a numeric GID.
        !           159: .It Ic chroot Ar path ;
        !           160: A directory to which the unprivileged instance of
        !           161: .Xr racoon 8
        !           162: should
        !           163: .Xr chroot 2 .
        !           164: This directory should hold a tree where the following files must be
        !           165: reachable:
        !           166: .Bl -tag -width Ds -compact
        !           167: .It Pa /dev/random
        !           168: .It Pa /dev/urandom
        !           169: .It The certificates
        !           170: .It The file containing the Xauth banner
        !           171: .El
        !           172: .Pp
        !           173: The PSK file, the private keys, and the hook scripts are accessed through the
        !           174: privileged instance of
        !           175: .Xr racoon 8
        !           176: and do not need to be reachable in the
        !           177: .Xr chroot 2 Ap ed
        !           178: tree.
        !           179: .El
        !           180: .El
        !           181: .Ss Path Specification
        !           182: This section specifies various paths used by racoon.
        !           183: When running in privilege separation mode,
        !           184: .Ic certificate
        !           185: and
        !           186: .Ic script
        !           187: paths are mandatory.
        !           188: A
        !           189: .Xr racoon 8
        !           190: restart is required if you want path changes to be taken into account.
        !           191: .Bl -tag -width Ds -compact
        !           192: .It Ic path include Ar path ;
        !           193: Specifies a path to include a file.
        !           194: See
        !           195: .Sx File Inclusion .
        !           196: .It Ic path pre_shared_key Ar file ;
        !           197: Specifies a file containing pre-shared key(s) for various ID(s).
        !           198: See
        !           199: .Sx Pre-shared key File .
        !           200: .It Ic path certificate Ar path ;
        !           201: .Xr racoon 8
        !           202: will search this directory if a certificate or certificate request is received.
        !           203: If you run with privilege separation,
        !           204: .Xr racoon 8
        !           205: will refuse to use a certificate stored outside of this directory.
        !           206: .It Ic path backupsa Ar file ;
        !           207: Specifies a file in which SA information negotiated by
        !           208: racoon should be stored.
        !           209: .Xr racoon 8
        !           210: will install SA(s) from the file when started with the
        !           211: .Fl B
        !           212: flag.
        !           213: The file keeps growing because
        !           214: .Xr racoon 8
        !           215: only ever appends SAs to it;
        !           216: you should maintain the file manually.
        !           217: .It Ic path script Ar path ;
        !           218: .Xr racoon 8
        !           219: will search this directory for script hooks.
        !           220: If you run with privilege separation,
        !           221: .Xr racoon 8
        !           222: will refuse to execute a script stored outside of this directory.
        !           223: .It Ic path pidfile Ar file ;
        !           224: Specifies the file in which to store the PID of the process.
        !           225: If the path starts with
        !           226: .Pa /
        !           227: it is treated as an absolute path.
        !           228: Otherwise, it is treated as relative
        !           229: to the VARRUN directory specified at compilation time.
        !           230: Default is
        !           231: .Pa racoon.pid .
        !           232: .El
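The following is an added example of a privsep block together with the path statements it depends on; it is not taken from the manual or from the racoon sources, and the user and group name, the chroot directory and all file names are placeholders chosen for this example. It shows the two paths the manual makes mandatory under privilege separation, and which files the privileged and the unprivileged instance each read.

```conf
# Added example, not from the manual. All names and paths are placeholders.

# Read by the privileged (root) instance: need not be inside the chroot.
path pre_shared_key "/etc/racoon/psk.txt";

# Mandatory with privsep. With privsep, racoon refuses certificates stored
# outside this directory, and the manual requires the certificates to be
# reachable inside the chroot tree used by the unprivileged instance.
path certificate "/etc/racoon/certs";

# Mandatory with privsep. Scripts outside this directory are refused;
# the privileged instance launches them, so they need not be in the chroot.
path script "/etc/racoon/scripts";

# Grows without bound because racoon only ever appends SAs; prune it yourself.
path backupsa "/var/racoon/backupsa.db";

# Relative, so it lands in the VARRUN directory chosen at compile time.
path pidfile "racoon.pid";

privsep {
	# Quoted user and group names (a numeric UID/GID would also do).
	user "_racoon";
	group "_racoon";
	# The unprivileged instance chroots here. The tree must contain
	# /dev/random, /dev/urandom, the certificates and the Xauth banner.
	chroot "/var/racoon/chroot";
}
```

Because the privileged instance reads the PSK file, the private keys and the hook scripts, only the certificate directory and the Xauth banner (plus /dev/random and /dev/urandom) have to be present in the chroot tree. The manual also states that in this mode changes to the listen and path statements are ignored on reload, so racoon(8) must be restarted for them to take effect.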
        !           233: .\"
        !           234: .Ss File Inclusion
        !           235: .Bl -tag -width Ds -compact
        !           236: .It Ic include Ar file
        !           237: Specifies other configuration files to be included.
        !           238: .El
        !           239: .\"
        !           240: .Ss Timer Specification
        !           241: .Bl -tag -width Ds -compact
        !           242: .It Ic timer { Ar statements Ic }
        !           243: This section specifies various timer values used by racoon.
        !           244: .Pp
        !           245: .Bl -tag -width Ds -compact
        !           246: .It Ic counter Ar number ;
        !           247: The maximum number of retries to send.
        !           248: The default is 5.
        !           249: .It Ic interval Ar number Ar timeunit ;
        !           250: The retransmission interval.
        !           251: The default time is 10 seconds.
        !           252: .It Ic persend Ar number ;
        !           253: The number of packets per send.
        !           254: The default is 1.
        !           255: .It Ic phase1 Ar number Ar timeunit ;
        !           256: The maximum time it should take to complete phase 1.
        !           257: The default time is 15 seconds.
        !           258: .It Ic phase2 Ar number Ar timeunit ;
        !           259: The maximum time it should take to complete phase 2.
        !           260: The default time is 10 seconds.
        !           261: .It Ic natt_keepalive Ar number Ar timeunit ;
        !           262: The interval between sending NAT-Traversal keep-alive packets.
        !           263: The default time is 20 seconds.
        !           264: Set to 0s to disable keep-alive packets.
        !           265: .El
        !           266: .El
        !           267: .\"
        !           268: .Ss Listening Port Specification
        !           269: .Bl -tag -width Ds -compact
        !           270: .It Ic listen { Ar statements Ic }
        !           271: If no
        !           272: .Ar listen
        !           273: directive is specified,
        !           274: .Xr racoon 8
        !           275: will listen on all available interface addresses.
        !           276: The following is the list of valid statements:
        !           277: .Pp
        !           278: .Bl -tag -width Ds -compact
        !           279: .\" How do I express bold brackets; `[' and `]' .
        !           280: .\" Answer: For bold brackets, do "Ic \&[ foo \&]".
        !           281: .\" Is the "Bq Ic [ Ar port ] ;" buggy ?
        !           282: .It Ic isakmp Ar address Bq Bq Ar port ;
        !           283: If this is specified,
        !           284: .Xr racoon 8
        !           285: will only listen on the defined
        !           286: .Ar address .
        !           287: The default port is 500, which is specified by IANA.
        !           288: You can provide more than one address definition.
        !           289: .It Ic isakmp_natt Ar address Bq Ar port ;
        !           290: Same as
        !           291: .Ic isakmp
        !           292: but also sets the socket options to accept UDP-encapsulated ESP traffic for
        !           293: NAT-Traversal.
        !           294: If you plan to use NAT-T, you should provide at least one address
        !           295: with port 4500, which is specified by IANA.
        !           296: There is no default.
        !           297: .It Ic strict_address ;
        !           298: Requires that all addresses for ISAKMP be bound.
        !           299: This statement will be ignored if you do not specify address definitions.
        !           300: .El
        !           301: When running in privilege separation mode, you need to restart
        !           302: .Xr racoon 8
        !           303: to have changes to the
        !           304: .Ar listen
        !           305: section taken into account.
        !           306: .Pp
        !           307: The
        !           308: .Ar listen
        !           309: section can also be used to specify the admin socket mode and ownership
        !           310: if racoon was built with support for the admin port.
        !           311: .Bl -tag -width Ds -compact
        !           312: .It Ic adminsock Ar path Op Ar owner\ group\ mode ;
        !           313: The
        !           314: .Ar path ,
        !           315: .Ar owner ,
        !           316: and
        !           317: .Ar group
        !           318: values specify the socket path, owner, and group.
        !           319: They must be quoted.
        !           320: The defaults are
        !           321: .Pa /var/racoon/racoon.sock ,
        !           322: UID 0, and GID 0.
        !           323: .Ar mode
        !           324: is the access mode in octal.
        !           325: The default is 0600.
        !           326: .It Ic adminsock disabled ;
        !           327: This directive tells racoon not to listen on the admin socket.
        !           328: .El
        !           329: .El
        !           330: .\"
        !           331: .Ss Miscellaneous Global Parameters
        !           332: .Bl -tag -width Ds -compact
        !           333: .It Ic gss_id_enc Ar enctype ;
        !           334: Older versions of
        !           335: .Xr racoon 8
        !           336: used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
        !           337: For interoperability with Microsoft Windows' GSS-API authentication
        !           338: scheme, the default encoding has been changed to UTF-16LE.
        !           339: The
        !           340: .Ic gss_id_enc
        !           341: parameter allows
        !           342: .Xr racoon 8
        !           343: to be configured to use the old encoding for compatibility with existing
        !           344: .Xr racoon 8
        !           345: installations.
        !           346: The following are valid values for
        !           347: .Ar enctype :
        !           348: .Pp
        !           349: .Bl -tag -width Ds -compact
        !           350: .It Ic utf-16le
        !           351: Use UTF-16LE to encode the GSS-API identifier attribute.
        !           352: This is the default encoding.
        !           353: This encoding is compatible with Microsoft Windows.
        !           354: .It Ic latin1
        !           355: Use ISO-Latin-1 to encode the GSS-API identifier attribute.
        !           356: This is the encoding used by older versions of
        !           357: .Xr racoon 8 .
        !           358: .El
        !           359: .El
        !           360: .\"
        !           361: .Pp
        !           362: .Bl -tag -width Ds -compact
        !           363: .It Ic pfkey_buffer Ar kBytes
        !           364: Specifies the PF_KEY socket send/receive buffer size in kilobytes.
        !           365: Numerous kernel PF_KEY implementations have problems dumping an
        !           366: SAD/SPD with a large number of entries (this happens when hundreds to
        !           367: thousands of tunnels are configured).
        !           368: .Pp
        !           369: The default value of 0 leaves everything at the OS-specific default value.
        !           370: If the default buffer size is greater than what is specified here, racoon
        !           371: will not decrease it.
        !           372: .Pp
        !           373: This problem is known to be fixed in Linux 2.6.25 and later.
        !           374: .El
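The following is an added example covering the Timer Specification, the Listening Port Specification (including the admin socket) and the pfkey_buffer parameter above; it is not part of the manual or of the racoon distribution. The addresses are documentation-range placeholders, the owner and group of the admin socket and the 1024 kB buffer size are illustrative values, and the phase 1 and phase 2 limits are raised above the documented defaults of 15 and 10 seconds to show the number-plus-timeunit syntax.

```conf
# Added example, not from the manual. Addresses and sizes are placeholders.

timer {
	# Retries per exchange and the retransmission interval (defaults: 5 and 10 sec).
	counter 5;
	interval 10 sec;
	persend 1;
	# Upper bounds on completing each phase (defaults: 15 sec and 10 sec).
	phase1 30 sec;
	phase2 15 sec;
	# NAT-T keep-alive interval; "0 sec" would disable keep-alives.
	natt_keepalive 20 sec;
}

listen {
	# Plain IKE on the IANA-assigned port 500 (port written in brackets).
	isakmp 192.0.2.10 [500];
	# NAT-T endpoint: also accepts UDP-encapsulated ESP, IANA port 4500.
	isakmp_natt 192.0.2.10 [4500];
	# Refuse to start unless every listed address can be bound.
	strict_address;
	# Admin socket: path, owner and group quoted, mode in octal.
	# Defaults would be /var/racoon/racoon.sock, UID 0, GID 0, 0600.
	adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

# Only needed where the kernel fails to dump a large SAD/SPD; 0 keeps the
# OS default, and racoon never shrinks a buffer that is already larger.
pfkey_buffer 1024;
```

Under privilege separation the listen section is read only at start-up, so a change to the addresses or to the admin socket requires a restart of racoon(8) rather than a configuration reload.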
        !           375: .\"
        !           376: .Ss Remote Nodes Specifications
        !           377: .Bl -tag -width Ds -compact
        !           378: .It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic { Ar statements Ic }
        !           379: Specifies the IKE phase 1 parameters for each remote node.
        !           380: .Pp
        !           381: If a connection is initiated using racoonctl, either a unique match on the
        !           382: remote IP must be found or the remote block name has to be given.
        !           383: For received acquires (the kernel notices traffic requiring a new SA), the
        !           384: remote IP and the remoteid from the matching sainfo block are used to select
        !           385: the remote block.
        !           386: If no uniquely matching remote block is found using
        !           387: these criteria, no connection attempt is made.
        !           388: .Pp
        !           389: When acting as responder, racoon picks the first proposal that has one
        !           390: or more acceptable remote configurations.
        !           391: When determining whether a remote
        !           392: specification matches, the following information is checked:
        !           393: .Bl -bullet -width Ds -compact
        !           394: .It
        !           395: The remote IP is checked against
        !           396: .Ic remote_address .
        !           397: .It
        !           398: ISAKMP exchange type is checked against
        !           399: .Ic exchange_mode .
        !           400: .It
        !           401: ISAKMP SA attributes must match a
        !           402: .Ic proposal
        !           403: block.
        !           404: .It
        !           405: The remote identity is matched against
        !           406: .Ic peers_identifier
        !           407: if
        !           408: .Ic verify_identifier
        !           409: is on.
        !           410: .It
        !           411: If a certificate request was received, it must match the issuer of the
        !           412: .Ic "certificate_type x509"
        !           413: certificate.
        !           414: If a certificate request without an issuer name was sent, the
        !           415: .Ic match_empty_cr
        !           416: parameter specifies whether or not the remote block matches.
        !           417: .El
        !           418: .Pp
        !           419: Similarly, NAT-T is enabled if any of the initial remote configuration
        !           420: candidates allow NAT-T.
        !           421: .Pp
        !           422: Sections with
        !           423: .Ic inherit Ar parent
        !           424: statements (where
        !           425: .Ar parent
        !           426: is either an
        !           427: .Ar address
        !           428: or the keyword
        !           429: .Ic anonymous )
        !           430: have all values preset to those of the given
        !           431: .Ar parent .
        !           432: In such sections it is enough to redefine only the parameters that differ.
        !           433: .Pp
        !           434: The following are valid statements.
        !           435: .Pp
        !           436: .Bl -tag -width Ds -compact
        !           437: .\"
        !           438: .It Ic remote_address Ar address ;
        !           439: Defines the IP address of the peer.
        !           440: .\"
        !           441: .It Ic exchange_mode ( main | aggressive | base ) ;
        !           442: Defines the exchange mode for phase 1 when racoon is the initiator.
        !           443: It also defines the acceptable exchange modes when racoon is the responder.
        !           444: More than one mode can be specified by separating them with a comma.
        !           445: All of the listed modes are acceptable when racoon is the responder.
        !           446: The first exchange mode is the one racoon uses when it is the initiator.
        !           447: .\"
        !           448: .It Ic doi Ic ipsec_doi ;
        !           449: Means to use IPsec DOI as specified in RFC 2407.
        !           450: You can omit this statement.
        !           451: .\"
        !           452: .It Ic situation Ic identity_only ;
        !           453: Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
        !           454: You can omit this statement.
        !           455: .\"
        !           456: .It Ic my_identifier Bo Ar qualifier Bc Ar idtype ... ;
        !           457: Specifies the identifier sent to the remote host
        !           458: and the type to use in the phase 1 negotiation.
        !           459: .Ic address , fqdn , user_fqdn , keyid ,
        !           460: and
        !           461: .Ic asn1dn
        !           462: can be used as an
        !           463: .Ar idtype .
        !           464: The
        !           465: .Ar qualifier
        !           466: is currently only used for
        !           467: .Ic keyid ,
        !           468: and can be either
        !           469: .Ic file
        !           470: or
        !           471: .Ic tag .
        !           472: The possible values are:
        !           473: .Bl -tag -width Ds -compact
        !           474: .It Ic my_identifier Ic address Bq Ar address ;
        !           475: The type is the IP address.
        !           476: This is the default type if you do not specify an identifier to use.
        !           477: .It Ic my_identifier Ic user_fqdn Ar string ;
        !           478: The type is a USER_FQDN (user fully-qualified domain name).
        !           479: .It Ic my_identifier Ic fqdn Ar string ;
        !           480: The type is a FQDN (fully-qualified domain name).
        !           481: .It Ic my_identifier Ic keyid Bo Ic file Bc Ar file ;
        !           482: The type is a KEY_ID, read from the file.
        !           483: .It Ic my_identifier Ic keyid Ic tag Ar string ;
        !           484: The type is a KEY_ID, specified in the quoted string.
        !           485: .It Ic my_identifier Ic asn1dn Bq Ar string ;
        !           486: The type is an ASN.1 distinguished name.
        !           487: If
        !           488: .Ar string
        !           489: is omitted,
        !           490: .Xr racoon 8
        !           491: will get the DN from the Subject field in the certificate.
        !           492: .El
        !           493: .\"
        !           494: .It Ic xauth_login Bq Ar string ;
        !           495: Specifies the login to use in client-side Hybrid authentication.
        !           496: It is available only if
        !           497: .Xr racoon 8
        !           498: has been built with this option.
        !           499: The associated password is looked up in the pre-shared key files,
        !           500: using the login
        !           501: .Ic string
        !           502: as the key id.
        !           503: .\"
        !           504: .It Ic peers_identifier Ar idtype ... ;
        !           505: Specifies the peer's identifier to be received.
        !           506: If it is not defined then
        !           507: .Xr racoon 8
        !           508: will not verify the peer's identifier in the ID payload transmitted from the peer.
        !           509: If it is defined, the behavior of the verification depends on the flag of
        !           510: .Ic verify_identifier .
        !           511: The usage of
        !           512: .Ar idtype
        !           513: is the same as
        !           514: .Ic my_identifier
        !           515: except that the individual component values of an
        !           516: .Ic asn1dn
        !           517: identifier may be specified as
        !           518: .Ic *
        !           519: to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
        !           520: The format of the
        !           521: specification should correspond to RFC 2253; in particular, commas and certain
        !           522: other characters -
        !           523: .Ic ,=+\*[Lt]\*[Gt]#;
        !           524: - may be included in a name by preceding them with a backslash "\e", and
        !           525: arbitrary characters may be inserted in a name with the "\enn" escape, where
        !           526: nn is the hex representation of the ASCII value of the desired character.
        !           527: Alternative acceptable peer identifiers may be specified by repeating the
        !           528: .Ic peers_identifier
        !           529: statement.
        !           530: .\"
        !           531: .It Ic verify_identifier (on | off) ;
        !           532: If you want to verify the peer's identifier,
        !           533: set this to on.
        !           534: In this case, if the value defined by
        !           535: .Ic peers_identifier
        !           536: is not the same as the peer's identifier in the ID payload,
        !           537: the negotiation will fail.
        !           538: The default is off.
        !           539: .\"
        !           540: .It Ic certificate_type Ar certspec ;
        !           541: Specifies a certificate specification.
        !           542: .Ar certspec
        !           543: is one of the following:
        !           544: .Bl -tag -width Ds -compact
        !           545: .It Ic x509 Ar certfile Ar privkeyfile ;
        !           546: .Ar certfile
        !           547: means a file name of a certificate.
        !           548: .Ar privkeyfile
        !           549: means a file name of a secret key.
        !           550: .El
        !           551: .Bl -tag -width Ds -compact
        !           552: .It Ic plain_rsa Ar privkeyfile ;
        !           553: .Ar privkeyfile
        !           554: means a file name of a private key generated by
        !           555: .Xr plainrsa-gen 8 .
        !           556: Required
        !           557: for RSA authentication.
        !           558: .El
        !           559: .It Ic ca_type Ar cacertspec ;
        !           560: Specifies a root certificate authority specification.
        !           561: .Ar cacertspec
        !           562: is one of the following:
        !           563: .Bl -tag -width Ds -compact
        !           564: .It Ic x509 Ar cacertfile ;
        !           565: .Ar cacertfile
        !           566: means a file name of the root certificate authority.
        !           567: Default is
        !           568: .Pa /etc/openssl/cert.pem .
        !           569: .El
        !           570: .\"
        !           571: .It Ic mode_cfg (on | off) ;
        !           572: Gather network information through ISAKMP mode configuration.
        !           573: Default is off.
        !           574: .\"
        !           575: .It Ic weak_phase1_check (on | off) ;
        !           576: Tells racoon to act on unencrypted deletion messages received during phase 1.
        !           577: This is a small security risk, so the default is off, meaning that
        !           578: racoon will keep trying to establish a connection even if, for instance,
        !           579: the user credentials are wrong.
        !           580: .\"
        !           581: .It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
        !           582: If
        !           583: .Ic dnssec
        !           584: is defined,
        !           585: .Xr racoon 8
        !           586: will ignore the CERT payload from the peer,
        !           587: and try to get the peer's certificate from DNS instead.
        !           588: If
        !           589: .Ar certfile
        !           590: is defined,
        !           591: .Xr racoon 8
        !           592: will ignore the CERT payload from the peer,
        !           593: and will use this certificate as the peer's certificate.
        !           594: If
        !           595: .Ic plain_rsa
        !           596: is defined,
        !           597: .Xr racoon 8
        !           598: will expect
        !           599: .Ar pubkeyfile
        !           600: to be the peer's public key that was generated by
        !           601: .Xr plainrsa-gen 8 .
        !           602: .\"
        !           603: .It Ic script Ar script Ic phase1_up
        !           604: .It Ic script Ar script Ic phase1_down
        !           605: .It Ic script Ar script Ic phase1_dead
        !           606: Shell scripts that get executed when a phase 1 SA goes up or down, or
        !           607: when it is detected as dead by DPD.
        !           608: All scripts get either
        !           609: .Ic phase1_up ,
        !           611: .Ic phase1_down
        !           612: or
        !           613: .Ic phase1_dead
        !           614: as first argument, and the following
        !           615: variables are set in their environment:
        !           616: .Bl -tag -width Ds -compact
        !           617: .It Ev LOCAL_ADDR
        !           618: The local address of the phase 1 SA.
        !           619: .It Ev LOCAL_PORT
        !           620: The local port used for IKE for the phase 1 SA.
        !           621: .It Ev REMOTE_ADDR
        !           622: The remote address of the phase 1 SA.
        !           623: .It Ev REMOTE_PORT
        !           624: The remote port used for IKE for the phase 1 SA.
        !           625: .It Ev REMOTE_ID
        !           626: The remote identity received in IKE for the phase 1 SA.
        !           627: .El
        !           628: The following variables are only set if
        !           629: .Ic mode_cfg
        !           630: was enabled:
        !           631: .Bl -tag -width Ds -compact
        !           632: .It Ev INTERNAL_ADDR4
        !           633: An IPv4 internal address obtained by ISAKMP mode config.
        !           634: .It Ev INTERNAL_NETMASK4
        !           635: An IPv4 internal netmask obtained by ISAKMP mode config.
        !           636: .It Ev INTERNAL_CIDR4
        !           637: An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation.
        !           638: .It Ev INTERNAL_DNS4
        !           639: The first internal DNS server IPv4 address obtained by ISAKMP mode config.
        !           640: .It Ev INTERNAL_DNS4_LIST
        !           641: A list of internal DNS server IPv4 addresses obtained by ISAKMP mode config,
        !           642: separated by spaces.
        !           643: .It Ev INTERNAL_WINS4
        !           644: The first internal WINS server IPv4 address obtained by ISAKMP mode config.
        !           645: .It Ev INTERNAL_WINS4_LIST
        !           646: A list of internal WINS server IPv4 addresses obtained by ISAKMP mode config,
        !           647: separated by spaces.
        !           648: .It Ev SPLIT_INCLUDE
        !           649: The space-separated list of IPv4 addresses and masks (address slash mask)
        !           650: that define the networks to be encrypted (as opposed to the default, where
        !           651: all traffic is encrypted); obtained by ISAKMP mode config.
        !           652: SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive.
        !           653: .It Ev SPLIT_LOCAL
        !           654: The space-separated list of IPv4 addresses and masks (address slash mask)
        !           655: that define the networks to be considered local, and thus excluded from the
        !           656: tunnels; obtained by ISAKMP mode config.
        !           657: .It Ev SPLIT_INCLUDE_CIDR
        !           658: Same as SPLIT_INCLUDE, with netmasks in CIDR notation.
        !           659: .It Ev SPLIT_LOCAL_CIDR
        !           660: Same as SPLIT_LOCAL, with netmasks in CIDR notation.
        !           661: .It Ev DEFAULT_DOMAIN
        !           662: The DNS default domain name obtained by ISAKMP mode config.
        !           663: .El
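A phase 1 hook written to this interface, as an added example that is not part of racoon: it takes the event from the first argument, treats the mode-config values as untrusted input from the peer, validates them, and prints the route and resolver commands it would run so they can be reviewed before being executed. The ipsec0 device name and the route, ifconfig, resolvconf-add and resolvconf-del commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a hook for racoon's
#   script "/path/to/this" phase1_up | phase1_down | phase1_dead
# directive; it is not part of racoon.  racoon passes the event as $1 and the
# documented variables in the environment.  The functions print the commands
# they would run instead of executing them, so the result can be reviewed (or
# piped to sh) and tested without touching the routing table.
# "ipsec0", route, ifconfig and resolvconf-add/-del are assumptions for
# illustration; adapt them to the host.

# Values from the peer are word-split below; never let them glob.
set -f

# Accept only dotted-quad/prefix values.  SPLIT_INCLUDE_CIDR is pushed by the
# peer via mode config, so it is untrusted and must be validated before it is
# interpolated into any command line.
valid_cidr4() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    _ip=${1%/*}
    _len=${1#*/}
    case "$_ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    case "$_len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_len" -le 32 ] || return 1
    _old_ifs=$IFS
    IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands for one event.  Returns non-zero for an unknown event or
# when racoon did not provide the peer address.
plan_phase1_actions() {
    _event=$1
    if [ -z "${REMOTE_ADDR:-}" ]; then
        echo "REMOTE_ADDR not set; not invoked by racoon?" >&2
        return 1
    fi
    case "$_event" in
        phase1_up)
            if [ -n "${INTERNAL_ADDR4:-}" ]; then
                echo "ifconfig ipsec0 $INTERNAL_ADDR4 netmask ${INTERNAL_NETMASK4:-255.255.255.255}"
            fi
            # Only the pushed split-tunnel networks go through the tunnel;
            # malformed entries are reported, not executed.
            for _net in ${SPLIT_INCLUDE_CIDR:-}; do
                if valid_cidr4 "$_net"; then
                    echo "route add -net $_net -interface ipsec0"
                else
                    echo "ignoring malformed SPLIT_INCLUDE_CIDR entry: $_net" >&2
                fi
            done
            if [ -n "${INTERNAL_DNS4_LIST:-}" ]; then
                echo "resolvconf-add ipsec0 $INTERNAL_DNS4_LIST"
            fi
            ;;
        phase1_down|phase1_dead)
            for _net in ${SPLIT_INCLUDE_CIDR:-}; do
                if valid_cidr4 "$_net"; then
                    echo "route delete -net $_net -interface ipsec0"
                fi
            done
            if [ -n "${INTERNAL_DNS4_LIST:-}" ]; then
                echo "resolvconf-del ipsec0"
            fi
            ;;
        *)
            echo "unknown event: $_event" >&2
            return 1
            ;;
    esac
    return 0
}

# When racoon runs this file directly, act on the event it passed; with no
# argument (for instance when sourced for testing) nothing runs.
case "${1:-}" in
    phase1_up|phase1_down|phase1_dead) plan_phase1_actions "$1" ;;
esac
```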
        !           664: .\"
        !           665: .\"
        !           666: .It Ic send_cert (on | off) ;
        !           667: If you do not want to send a certificate, set this to off.
        !           668: The default is on.
        !           669: .\"
        !           670: .It Ic send_cr (on | off) ;
        !           671: If you do not want to send a certificate request, set this to off.
        !           672: The default is on.
        !           673: .\"
        !           674: .It Ic match_empty_cr (on | off) ;
        !           675: Specifies whether this remote block is a valid match when a non-specific
        !           676: certificate request is received.
        !           677: The default is on.
        !           678: .\"
        !           679: .It Ic verify_cert (on | off) ;
        !           680: By default, the identifier sent by the remote host (as specified in its
        !           681: .Ic my_identifier
        !           682: statement) is compared with the credentials in the certificate
        !           683: used to authenticate the remote host as follows:
        !           684: .Bl -tag -width Ds -compact
        !           685: .It Type Ic asn1dn :
        !           686: The entire certificate subject name is compared with the identifier,
        !           687: e.g. "C=XX, O=YY, ...".
        !           688: .It Type Ic address, fqdn, or user_fqdn :
        !           689: The certificate's subjectAltName is compared with the identifier.
        !           690: .El
        !           691: If the two do not match the negotiation will fail.
        !           692: If you do not want to verify the identifier using the peer's certificate,
        !           693: set this to off.
        !           694: .\"
        !           695: .It Ic lifetime time Ar number Ar timeunit ;
        !           696: Defines a lifetime, expressed as a number of time units,
        !           697: which will be proposed in the phase 1 negotiations.
        !           698: If you do not specify it, any proposal will be accepted and no
        !           699: lifetime attribute will be proposed to the peer.
        !           700: It can also be specified individually in each proposal.
        !           701: .\"
        !           702: .It Ic ike_frag (on | off | force) ;
        !           703: Enable receiver-side IKE fragmentation if
        !           704: .Xr racoon 8
        !           705: has been built with this feature.
        !           706: If set to on, racoon will advertise
        !           707: itself as being capable of receiving packets split by IKE fragmentation.
        !           708: This extension is there to work around broken firewalls that do not
        !           709: work with fragmented UDP packets.
        !           710: IKE fragmentation is always enabled on the sender-side, and it is
        !           711: used if the peer advertises itself as IKE fragmentation capable.
        !           712: By selecting force, IKE Fragmentation will
        !           713: be used when racoon is acting as the initiator even before the remote
        !           714: peer has advertised itself as IKE fragmentation capable.
        !           715: .\"
        !           716: .It Ic esp_frag Ar fraglen ;
        !           717: This option is only relevant if you use NAT traversal in tunnel mode.
        !           718: Its purpose is to work around broken DSL routers that reject UDP
        !           719: fragments, by fragmenting the IP packets before ESP encapsulation.
        !           720: The result is ESP over UDP of fragmented packets instead of fragmented
        !           721: ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of
        !           722: frag(IP:UDP:ESP:IP)).
        !           723: .Ar fraglen
        !           724: is the maximum size of the fragments.
        !           725: 552 should work anywhere,
        !           726: but the higher
        !           727: .Ar fraglen
        !           728: is, the better the performance.
        !           729: .Pp
        !           730: Note that because PMTU discovery is broken on many sites, you will
        !           731: have to use MSS clamping if you want TCP to work correctly.
        !           732: .\"
        !           733: .It Ic initial_contact (on | off) ;
        !           734: Enable this to send an INITIAL-CONTACT message.
        !           735: The default value is
        !           736: .Ic on .
        !           737: This message is useful only when the responder implementation chooses an
        !           738: old SA when there are multiple SAs with different establishment times and the
        !           739: initiator reboots.
        !           740: If racoon did not send the message,
        !           741: the responder would use an old SA even when a new SA was established.
        !           742: For systems that use a KAME derived IPsec stack, the
        !           743: .Xr sysctl 8
        !           744: variable net.key.preferred_oldsa can be used to control this preference.
        !           745: When the value is zero, the stack always uses a new SA.
        !           746: .\"
        !           747: .It Ic passive (on | off) ;
        !           748: If you do not want to initiate the negotiation, set this to on.
        !           749: The default value is
        !           750: .Ic off .
        !           751: It is useful for a server.
        !           752: .\"
        !           753: .It Ic proposal_check Ar level ;
        !           754: Specifies how the responder handles the lifetime length, key length, and PFS
        !           755: of the phase 2 proposal it selects, and how the lifetime is checked in
        !           756: phase 1.
        !           757: The default level is
        !           758: .Ic strict .
        !           759: If the
        !           760: .Ar level
        !           761: is:
        !           762: .Bl -tag -width Ds -compact
        !           763: .It Ic obey
        !           764: The responder always accepts the initiator's values.
        !           765: .It Ic strict
        !           766: If the responder's lifetime length is longer than the initiator's or
        !           767: the responder's key length is shorter than the initiator's,
        !           768: the responder will use the initiator's value.
        !           769: Otherwise, the proposal will be rejected.
        !           770: If PFS is not required by the responder, the responder will obey the proposal.
        !           771: If PFS is required by both sides and the responder's group is not equal to
        !           772: the initiator's, then the responder will reject the proposal.
        !           773: .It Ic claim
        !           774: If the responder's lifetime length is longer than the initiator's or
        !           775: the responder's key length is shorter than the initiator's,
        !           776: the responder will use the initiator's value.
        !           777: If the responder's lifetime length is shorter than the initiator's,
        !           778: the responder uses its own length AND sends a RESPONDER-LIFETIME notify
        !           779: message to an initiator in the case of lifetime (phase 2 only).
        !           780: For PFS, this directive behaves the same as
        !           781: .Ic strict .
        !           782: .It Ic exact
        !           783: If the initiator's lifetime or key length is not equal to the responder's,
        !           784: the responder will reject the proposal.
        !           785: If PFS is required by both sides and the responder's group is not equal to
        !           786: the initiator's, then the responder will reject the proposal.
        !           787: .El
        !           788: .\"
        !           789: .It Ic support_proxy (on | off) ;
        !           790: If this value is set to on, then both values of ID payloads in the
        !           791: phase 2 exchange are always used as the addresses of the end-points of
        !           792: the IPsec-SAs.
        !           793: The default is off.
        !           794: .\"
        !           795: .It Ic generate_policy (on | off | require | unique) ;
        !           796: This directive is for the responder.
        !           797: Therefore you should set
        !           798: .Ic passive
        !           799: to on in order that
        !           800: .Xr racoon 8
        !           801: only becomes a responder.
        !           802: If the responder does not have any policy in SPD during phase 2
        !           803: negotiation, and the directive is set to on, then
        !           804: .Xr racoon 8
        !           805: will choose the first proposal in the
        !           806: SA payload from the initiator, and generate policy entries from the proposal.
        !           807: It is useful to negotiate with clients whose IP address is allocated
        !           808: dynamically.
        !           809: Note that an inappropriate policy might be installed into the responder's SPD
        !           810: by the initiator,
        !           811: so other communications might fail if such policies are installed
        !           812: due to a policy mismatch between the initiator and the responder.
        !           813: .Ic on
        !           814: and
        !           815: .Ic require
        !           816: values mean the same thing (generate a require policy).
        !           817: .Ic unique
        !           818: tells racoon to set up unique policies, with a monotonically increasing
        !           819: reqid number (between 1 and IPSEC_MANUAL_REQID_MAX).
        !           820: This directive is ignored in the initiator case.
        !           821: The default value is
        !           822: .Ic off .
        !           823: .\"
        !           824: .\"
        !           825: .It Ic nat_traversal (on | off | force) ;
        !           826: This directive enables use of the NAT-Traversal IPsec extension
        !           827: (NAT-T).
        !           828: NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
        !           829: doing address- or port-translation).
        !           830: If a NAT gateway is detected during the phase 1 handshake, racoon will
        !           831: attempt to negotiate the use of NAT-T with the remote peer.
        !           832: If the negotiation succeeds, all ESP and AH packets for the given connection
        !           833: will be encapsulated into UDP datagrams (port 4500, by default).
        !           834: Possible values are:
        !           835: .Bl -tag -width Ds -compact
        !           836: .It Ic on
        !           837: NAT-T is used when a NAT gateway is detected between the peers.
        !           838: .It Ic off
        !           839: NAT-T is not proposed/accepted.
        !           840: This is the default.
        !           841: .It Ic force
        !           842: NAT-T is used regardless of whether a NAT gateway is detected between the
        !           843: peers or not.
        !           844: .El
        !           845: Please note that NAT-T support is a compile-time option.
        !           846: Although it is enabled in the source distribution by default, it
        !           847: may not be available in your particular build.
        !           848: In that case you will get a
        !           849: warning when using any NAT-T related config options.
        !           850: .\"
        !           851: .It Ic dpd_delay Ar delay ;
        !           852: This option activates DPD and sets the time (in seconds) allowed
        !           853: between two proof-of-liveness requests.
        !           854: The default value is
        !           855: .Ic 0 ,
        !           856: which disables DPD monitoring, but still negotiates DPD support.
        !           857: .\"
        !           858: .It Ic dpd_retry Ar delay ;
        !           859: If
        !           860: .Ic dpd_delay
        !           861: is set, this sets the delay (in seconds) to wait for a proof of
        !           862: liveness before considering it failed and sending another request.
        !           863: The default value is
        !           864: .Ic 5 .
        !           865: .\"
        !           866: .It Ic dpd_maxfail Ar number ;
        !           867: If
        !           868: .Ic dpd_delay
        !           869: is set, this sets the maximum number of liveness proofs to request
        !           870: (without reply) before considering the peer dead.
        !           871: The default value is
        !           872: .Ic 5 .
        !           873: .\"
        !           874: .It Ic rekey (on | off | force) ;
        !           875: Enables automatic renegotiation of an expired phase 1 SA while non-dying
        !           876: phase 2 SAs exist.
        !           877: Possible values are:
        !           878: .Bl -tag -width Ds -compact
        !           879: .It Ic force
        !           880: Rekeying is done unconditionally.
        !           881: .It Ic on
        !           882: Rekeying is done only if DPD monitoring is active.
        !           883: This is the default.
        !           884: .It Ic off
        !           885: No automatic rekeying.
        !           886: Do note that turning off automatic rekeying will
        !           887: result in inaccurate DPD monitoring.
        !           888: .El
        !           889: .\"
        !           890: .It Ic nonce_size Ar number ;
        !           891: Defines the size of the nonce value in bytes.
        !           892: Racoon can send any value although
        !           893: RFC2409 specifies that the value MUST be between 8 and 256 bytes.
        !           894: The default size is 16 bytes.
        !           895: .\"
        !           896: .It Ic ph1id Ar number ;
        !           897: An optional number to identify the remote proposal and to link it
        !           898: only with sainfos that have the same number.
        !           899: Defaults to 0.
        !           900: .\"
        !           901: .It Ic proposal { Ar sub-substatements Ic }
        !           902: .Bl -tag -width Ds -compact
        !           903: .\"
        !           904: .It Ic encryption_algorithm Ar algorithm ;
        !           905: Specifies the encryption algorithm used for the phase 1 negotiation.
        !           906: This directive must be defined.
        !           907: .Ar algorithm
        !           908: is one of the following:
        !           909: .Ic des , 3des , blowfish , cast128 , aes , camellia
        !           910: .\".Ic rc5 , idea
        !           911: for Oakley.
        !           912: For other transforms, this statement should not be used.
        !           913: .\"
        !           914: .It Ic hash_algorithm Ar algorithm ;
        !           915: Defines the hash algorithm used for the phase 1 negotiation.
        !           916: This directive must be defined.
        !           917: .Ar algorithm
        !           918: is one of the following:
        !           919: .Ic md5 , sha1 , sha256 , sha384 , sha512
        !           920: for Oakley.
        !           921: .\"
        !           922: .It Ic authentication_method Ar type ;
        !           923: Defines the authentication method used for the phase 1 negotiation.
        !           924: This directive must be defined.
        !           925: .Ar type
        !           926: is one of:
        !           927: .Ic pre_shared_key , rsasig
        !           928: (for plain RSA authentication),
        !           929: .Ic gssapi_krb , hybrid_rsa_server ,
        !           930: .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
        !           931: or
        !           932: .Ic xauth_psk_client .
        !           933: .\"
        !           934: .It Ic dh_group Ar group ;
        !           935: Defines the group used for the Diffie-Hellman exponentiations.
        !           936: This directive must be defined.
        !           937: .Ar group
        !           938: is one of the following:
        !           939: .Ic modp768 , modp1024 , modp1536 ,
        !           940: .Ic modp2048 , modp3072 , modp4096 ,
        !           941: .Ic modp6144 , modp8192 .
        !           942: Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
        !           943: When you want to use aggressive mode,
        !           944: you must define the same DH group in each proposal.
        !           945: .It Ic lifetime time Ar number Ar timeunit ;
        !           946: Defines the lifetime of the phase 1 SA proposal.
        !           947: Refer to the description of the
        !           948: .Ic lifetime
        !           949: directive defined in the
        !           950: .Ic remote
        !           951: directive.
        !           952: .It Ic gss_id Ar string ;
        !           953: Defines the GSS-API endpoint name, to be included as an attribute in the SA,
        !           954: if the
        !           955: .Ic gssapi_krb
        !           956: authentication method is used.
        !           957: If this is not defined, the default value of
        !           958: .Ql host/hostname
        !           959: is used, where hostname is the value returned by the
        !           960: .Xr hostname 1
        !           961: command.
        !           962: .El
        !           963: .El
        !           964: .Pp
        !           965: .It Ic remote Po Ar address | Ic anonymous Pc Bo Bo Ar port Bc Bc \
        !           966: Bo Ic inherit Ar parent Bc Ic { Ar statements Ic }
        !           967: Deprecated format of specifying a remote block.
        !           968: This will be removed in the future.
        !           969: It is a remnant from the time when the remote block was selected
        !           970: solely on the basis of the peer's IP address.
        !           971: .Pp
        !           972: This is equivalent to:
        !           973: .Bd -literal -offset indent
        !           974: remote "address" [inherit "parent-address"] {
        !           975:        remote_address address;
        !           976: }
        !           977: .Ed
        !           978: .El
        !           979: .\"
        !           980: .Ss Sainfo Specifications
        !           981: .Bl -tag -width Ds -compact
        !           982: .It Ic sainfo Po Ar local_id | Ic anonymous Pc \
        !           983: Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
        !           984: Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
        !           985: Ic { Ar statements Ic }
        !           986: Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
        !           987: .Pp
        !           988: The
        !           989: .Ar local_id
        !           990: and
        !           991: .Ar remote_id
        !           992: strings are constructed like:
        !           993: .Pp
        !           994: .Ic address Ar address
        !           995: .Bq Ic / Ar prefix
        !           996: .Bq Ic [ Ar port ]
        !           997: .Ar ul_proto
        !           998: .Pp
        !           999: or
        !          1000: .Pp
        !          1001: .Ic subnet Ar address
        !          1002: .Bq Ic / Ar prefix
        !          1003: .Bq Ic [ Ar port ]
        !          1004: .Ar ul_proto
        !          1005: .Pp
        !          1006: An id string must match the exact value of an ID payload;
        !          1007: it is not a filter rule.
        !          1008: For example, if you define 3ffe:501:4819::/48 as
        !          1009: .Ar local_id ,
        !          1010: 3ffe:501:4819:1000::/64 will not match.
        !          1011: In the case of a longest prefix (selecting a single host),
        !          1012: .Ar address
        !          1013: sends an ID of type ADDRESS while
        !          1014: .Ar subnet
        !          1015: sends an ID of type SUBNET.
        !          1016: Otherwise, the two forms are identical.
        !          1017: .Pp
        !          1018: The
        !          1019: .Ic anonymous
        !          1020: keyword can be used to match any id.
        !          1021: The
        !          1022: .Ic clientaddr
        !          1023: keyword can be used to match a remote id that is equal to either the peer
        !          1024: IP address or the mode_cfg IP address (if assigned).
        !          1025: This can be useful
        !          1026: to restrict policy generation when racoon is acting as a client gateway
        !          1027: for peers with dynamic IP addresses.
        !          1028: .Pp
        !          1029: The
        !          1030: .Ic from
        !          1031: keyword allows an sainfo to only match for peers that use a specific phase1
        !          1032: id value during authentication.
        !          1033: The
        !          1034: .Ic group
        !          1035: keyword allows an XAuth group membership check to be performed
        !          1036: for this sainfo section.
        !          1037: When the mode_cfg auth source is set to
        !          1038: .Ic system
        !          1039: or
        !          1040: .Ic ldap ,
        !          1041: the XAuth user is verified to be a member of the specified group
        !          1042: before allowing a matching SA to be negotiated.
        !          1043: .Pp
        !          1044: .Bl -tag -width Ds -compact
        !          1045: .\"
        !          1046: .It Ic pfs_group Ar group ;
        !          1047: Defines the group used for the Diffie-Hellman exponentiations.
        !          1048: If you do not require PFS then you can omit this directive.
        !          1049: Any proposal will be accepted if you do not specify one.
        !          1050: .Ar group
        !          1051: is one of the following:
        !          1052: .Ic modp768 , modp1024 , modp1536 ,
        !          1053: .Ic modp2048 , modp3072 , modp4096 ,
        !          1054: .Ic modp6144 , modp8192 .
        !          1055: Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
        !          1056: .\"
        !          1057: .It Ic lifetime time Ar number Ar timeunit ;
        !          1058: Defines how long an IPsec-SA will be used, in timeunits.
        !          1059: If you do not specify it, any proposal will be accepted and no
        !          1060: lifetime attribute will be proposed to the peer.
        !          1061: See the
        !          1062: .Ic proposal_check
        !          1063: directive.
        !          1064: .\"
        !          1065: .It Ic remoteid Ar number ;
        !          1066: Sainfos will only be used if their remoteid matches the ph1id of the
        !          1067: remote section used for phase 1.
        !          1068: Defaults to 0, which is also the default for ph1id.
        !          1069: .El
        !          1070: .\"
        !          1071: .Pp
        !          1072: .Xr racoon 8
        !          1073: does not have a list of security protocols to be negotiated.
        !          1074: The list of security protocols is passed by the SPD in the kernel.
        !          1075: Therefore you have to define all of the potential algorithms
        !          1076: in the phase 2 proposals even if there are algorithms which will not be used.
        !          1077: These algorithms are defined by using the following three directives,
        !          1078: with a single comma as the separator.
        !          1079: For algorithms that can take variable-length keys, algorithm names
        !          1080: can be followed by a key length, like
        !          1081: .Dq Li blowfish 448 .
        !          1082: .Xr racoon 8
        !          1083: will compute the actual phase 2 proposals by forming
        !          1084: every combination of the specified algorithms,
        !          1085: and then combining them with the security protocol specified by the SPD.
        !          1086: For example, if
        !          1087: .Ic des , 3des , hmac_md5 ,
        !          1088: and
        !          1089: .Ic hmac_sha1
        !          1090: are specified as algorithms, we have four combinations for use with ESP,
        !          1091: and two for AH.
        !          1092: Then, based on the SPD settings,
        !          1093: .Xr racoon 8
        !          1094: will construct the actual proposals.
        !          1095: If the SPD entry asks for ESP only, there will be 4 proposals.
        !          1096: If it asks for both AH and ESP, there will be 8 proposals.
        !          1097: Note that the kernel may not support the algorithm you have specified.
        !          1098: .\"
        !          1099: .Bl -tag -width Ds -compact
        !          1100: .It Ic encryption_algorithm Ar algorithms ;
        !          1101: .Ic des , 3des , des_iv64 , des_iv32 ,
        !          1102: .Ic rc5 , rc4 , idea , 3idea ,
        !          1103: .Ic cast128 , blowfish , null_enc ,
        !          1104: .Ic twofish , rijndael , aes , camellia
        !          1105: .Pq used with ESP
        !          1106: .\"
        !          1107: .It Ic authentication_algorithm Ar algorithms ;
        !          1108: .Ic des , 3des , des_iv64 , des_iv32 ,
        !          1109: .Ic hmac_md5 , hmac_sha1 , hmac_sha256 , hmac_sha384 , hmac_sha512 , non_auth
        !          1110: .Pq used with ESP authentication and AH
        !          1111: .\"
        !          1112: .It Ic compression_algorithm Ar algorithms ;
        !          1113: .Ic deflate
        !          1114: .Pq used with IPComp
        !          1115: .El
        !          1116: .El
        !          1117: .\"
        !          1118: .Ss Logging level
        !          1119: .Bl -tag -width Ds -compact
        !          1120: .It Ic log Ar level ;
        !          1121: Defines the logging level.
        !          1122: .Ar level
        !          1123: is one of the following:
        !          1124: .Ic error , warning , notify , info , debug
        !          1125: or
        !          1126: .Ic debug2 .
        !          1127: The default is
        !          1128: .Ic info .
        !          1129: If you set the logging level too high on slower machines,
        !          1130: IKE negotiation can fail due to timing constraint changes.
        !          1131: .El
        !          1132: .\"
        !          1133: .Ss Specifies the way to pad
        !          1134: .Bl -tag -width Ds -compact
        !          1135: .It Ic padding { Ar statements Ic }
        !          1136: Specifies the padding format.
        !          1137: The following are valid statements:
        !          1138: .Bl -tag -width Ds -compact
        !          1139: .It Ic randomize (on | off) ;
        !          1140: Uses random bytes for the padding.
        !          1141: The default is on.
        !          1142: .It Ic randomize_length (on | off) ;
        !          1143: Uses a random pad length.
        !          1144: The default is off.
        !          1145: .It Ic maximum_length Ar number ;
        !          1146: Defines the maximum padding length.
        !          1147: If
        !          1148: .Ic randomize_length
        !          1149: is off, this is ignored.
        !          1150: The default is 20 bytes.
        !          1151: .It Ic exclusive_tail (on | off) ;
        !          1152: Stores the number of pad bytes minus one in the last byte of the
        !          1153: padding.
        !          1154: The default is on.
        !          1155: .It Ic strict_check (on | off) ;
        !          1156: Verifies the pad-length byte sent by the peer and rejects the message if it is invalid.
        !          1157: The default is off.
        !          1158: .El
        !          1159: .El
        !          1160: .Ss ISAKMP mode configuration settings
        !          1161: .Bl -tag -width Ds -compact
        !          1162: .It Ic mode_cfg { Ar statements Ic }
        !          1163: Defines the information to return for remote hosts' ISAKMP mode config
        !          1164: requests.
        !          1165: Also defines the authentication source for remote peers
        !          1166: authenticating through Xauth.
        !          1167: .Pp
        !          1168: The following are valid statements:
        !          1169: .Bl -tag -width Ds -compact
        !          1170: .It Ic auth_source (system | radius | pam | ldap) ;
        !          1171: Specifies the source for authentication of users through Xauth.
        !          1172: .Ar system
        !          1173: means to use the Unix user database.
        !          1174: This is the default.
        !          1175: .Ar radius
        !          1176: means to use a RADIUS server.
        !          1177: It works only if
        !          1178: .Xr racoon 8
        !          1179: was built with libradius support.
        !          1180: Radius configuration is handled by statements in the
        !          1181: .Ic radiuscfg
        !          1182: section.
        !          1183: .Ar pam
        !          1184: means to use PAM.
        !          1185: It works only if
        !          1186: .Xr racoon 8
        !          1187: was built with libpam support.
        !          1188: .Ar ldap
        !          1189: means to use LDAP.
        !          1190: It works only if
        !          1191: .Xr racoon 8
        !          1192: was built with libldap support.
        !          1193: LDAP configuration is handled by statements in the
        !          1194: .Ic ldapcfg
        !          1195: section.
        !          1196: .It Ic auth_groups Ar "group1", ... ;
        !          1197: Specifies the group memberships for Xauth in quoted group name strings.
        !          1198: When defined, the authenticating user must be a member of at least one
        !          1199: group for Xauth to succeed.
        !          1200: .It Ic group_source (system | ldap) ;
        !          1201: Specifies the source for group validation of users through Xauth.
        !          1202: .Ar system
        !          1203: means to use the Unix user database.
        !          1204: This is the default.
        !          1205: .Ar ldap
        !          1206: means to use LDAP.
        !          1207: It works only if
        !          1208: .Xr racoon 8
        !          1209: was built with libldap support and requires LDAP Xauth authentication (auth_source ldap).
        !          1210: LDAP configuration is handled by statements in the
        !          1211: .Ic ldapcfg
        !          1212: section.
        !          1213: .It Ic conf_source (local | radius | ldap) ;
        !          1214: Specifies the source for IP addresses and netmask allocated through ISAKMP
        !          1215: mode config.
        !          1216: .Ar local
        !          1217: means to use the local IP pool defined by the
        !          1218: .Ic network4
        !          1219: and
        !          1220: .Ic pool_size
        !          1221: statements.
        !          1222: This is the default.
        !          1223: .Ar radius
        !          1224: means to use a RADIUS server.
        !          1225: It works only if
        !          1226: .Xr racoon 8
        !          1227: was built with libradius support and requires RADIUS Xauth authentication (auth_source radius).
        !          1228: RADIUS configuration is handled by statements in the
        !          1229: .Ic radiuscfg
        !          1230: section.
        !          1231: .Ar ldap
        !          1232: means to use an LDAP server.
        !          1233: It works only if
        !          1234: .Xr racoon 8
        !          1235: was built with libldap support and requires LDAP Xauth authentication (auth_source ldap).
        !          1236: LDAP configuration is handled by
        !          1237: statements in the
        !          1238: .Ic ldapcfg
        !          1239: section.
        !          1240: .It Ic accounting (none | system | radius | pam) ;
        !          1241: Enables or disables accounting for Xauth logins and logouts.
        !          1242: The default is
        !          1243: .Ar none
        !          1244: which disables accounting.
        !          1245: Specifying
        !          1246: .Ar system
        !          1247: enables system accounting through
        !          1248: .Xr utmp 5 .
        !          1249: Specifying
        !          1250: .Ar radius
        !          1251: enables RADIUS accounting.
        !          1252: It works only if
        !          1253: .Xr racoon 8
        !          1254: was built with libradius support and requires RADIUS Xauth authentication (auth_source radius).
        !          1255: RADIUS configuration is handled by statements in the
        !          1256: .Ic radiuscfg
        !          1257: section.
        !          1258: Specifying
        !          1259: .Ar pam
        !          1260: enables PAM accounting.
        !          1261: It works only if
        !          1262: .Xr racoon 8
        !          1263: was built with libpam support and requires PAM Xauth authentication (auth_source pam).
        !          1264: .It Ic pool_size Ar size ;
        !          1265: Specifies the size of the IP address pool, either local or allocated
        !          1266: through RADIUS.
        !          1267: .Ic conf_source
        !          1268: selects the local pool or the RADIUS configuration, but in both
        !          1269: configurations, you cannot have more than
        !          1270: .Ar size
        !          1271: users connected at the same time.
        !          1272: The default is 255.
        !          1273: .It Ic network4 Ar address ;
        !          1274: .It Ic netmask4 Ar address ;
        !          1275: The local IP pool base address and network mask from which dynamically
        !          1276: allocated IPv4 addresses should be taken.
        !          1277: This is used if
        !          1278: .Ic conf_source
        !          1279: is set to
        !          1280: .Ar local
        !          1281: or if the RADIUS server returned
        !          1282: .Ar 255.255.255.254 .
        !          1283: Default is
        !          1284: .Ar 0.0.0.0/0.0.0.0 .
        !          1285: .It Ic dns4 Ar addresses ;
        !          1286: A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
        !          1287: .Ic dns4
        !          1288: lines.
        !          1289: .It Ic wins4 Ar addresses ;
        !          1290: A list of IPv4 addresses for WINS servers.
        !          1291: The keyword
        !          1292: .Ic nbns4
        !          1293: can also be used as an alias for
        !          1294: .Ic wins4 .
        !          1295: .It Ic split_network (include | local_lan) Ar network/mask, ... ;
        !          1296: The network configuration to send, in CIDR notation (e.g. 192.168.1.0/24).
        !          1297: If
        !          1298: .Ic include
        !          1299: is specified, the tunnel should only be used for the listed
        !          1300: destinations; if
        !          1301: .Ic local_lan
        !          1302: is used, everything passes through the tunnel except those destinations.
        !          1303: .It Ic default_domain Ar domain ;
        !          1304: The default DNS domain to send.
        !          1305: .It Ic split_dns Ar "domain", ... ;
        !          1306: The split DNS configuration to send, as quoted domain name strings.
        !          1307: The peer should send queries for these domains to a DNS server
        !          1308: assigned through mode config;
        !          1309: queries for all other domains are handled locally.
        !          1310: (Cisco VPN client only).
        !          1311: .It Ic banner Ar path ;
        !          1312: The path of a file displayed on the client at connection time.
        !          1313: Default is
        !          1314: .Ar /etc/motd .
        !          1315: .It Ic auth_throttle Ar delay ;
        !          1316: After each failed Xauth authentication attempt, refuse new attempts for
        !          1317: .Ar delay
        !          1318: seconds.
        !          1319: This is to avoid dictionary attacks on Xauth passwords.
        !          1320: Default is one second.
        !          1321: Set to zero to disable authentication delay.
        !          1322: .It Ic pfs_group Ar group ;
        !          1323: Sets the PFS group used in the client proposal (Cisco VPN client only).
        !          1324: Default is 0.
        !          1325: .It Ic save_passwd (on | off) ;
        !          1326: Allow the client to save the Xauth password (Cisco VPN client only).
        !          1327: Default is off.
        !          1328: .El
        !          1329: .El
        !          1330: .Ss Ldap configuration settings
        !          1331: .Bl -tag -width Ds -compact
        !          1332: .It Ic ldapcfg { Ar statements Ic }
        !          1333: Defines the parameters that will be used to communicate with an ldap
        !          1334: server for
        !          1335: .Ic xauth
        !          1336: authentication.
        !          1337: .Pp
        !          1338: The following are valid statements:
        !          1339: .Bl -tag -width Ds -compact
        !          1340: .It Ic version (2 | 3) ;
        !          1341: The ldap protocol version used to communicate with the server.
        !          1342: The default is
        !          1343: .Ic 3 .
        !          1344: .It Ic host Ar (hostname | address) ;
        !          1345: The host name or ip address of the ldap server.
        !          1346: The default is
        !          1347: .Ic localhost .
        !          1348: .It Ic port Ar number ;
        !          1349: The port that the ldap server is configured to listen on.
        !          1350: The default is
        !          1351: .Ic 389 .
        !          1352: .It Ic base Ar distinguished name ;
        !          1353: The ldap search base.
        !          1354: This option has no default value.
        !          1355: .It Ic subtree (on | off) ;
        !          1356: Use the subtree ldap search scope.
        !          1357: Otherwise, use the one level search scope.
        !          1358: The default is
        !          1359: .Ic off .
        !          1360: .It Ic bind_dn Ar distinguished name ;
        !          1361: The DN to bind as before performing LDAP search operations.
        !          1362: If this option is not specified, anonymous binds are used.
        !          1363: .It Ic bind_pw Ar string ;
        !          1364: The password used when binding as
        !          1365: .Ic bind_dn .
        !          1366: .It Ic attr_user Ar attribute name ;
        !          1367: The attribute that holds a user's name in the LDAP directory.
        !          1368: For example,
        !          1369: if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
        !          1370: The default value is
        !          1371: .Ic cn .
        !          1372: .It Ic attr_addr Ar attribute name ;
        !          1373: .It Ic attr_mask Ar attribute name ;
        !          1374: The attributes that hold a user's network address and subnet mask in the
        !          1375: LDAP directory.
        !          1376: These values are forwarded during mode_cfg negotiation when
        !          1377: the conf_source is set to ldap.
        !          1378: The default values are
        !          1379: .Ic racoon-address
        !          1380: and
        !          1381: .Ic racoon-netmask .
        !          1382: .It Ic attr_group Ar attribute name ;
        !          1383: The attribute used to specify a group name in an ldap directory.
        !          1384: For example,
        !          1385: if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
        !          1386: The default value is
        !          1387: .Ic cn .
        !          1388: .It Ic attr_member Ar attribute name ;
        !          1389: The attribute used to specify group membership in an ldap directory.
        !          1390: The default value is
        !          1391: .Ic member .
        !          1392: .El
        !          1393: .El
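The following is an added example, written for this page and not taken from it or from the ipsec-tools distribution, that ties the mode_cfg and ldapcfg statements above together: Xauth users are authenticated against LDAP, must belong to one of two groups, and receive addresses from a local pool. The hostnames, base and bind DNs, password, group names, addresses and file path are placeholders chosen for the example; string values are quoted as racoon's configuration parser expects.

```conf
mode_cfg {
	auth_source ldap;			# passwords checked against LDAP
	group_source ldap;			# group membership checked in LDAP too
	auth_groups "vpn-users", "vpn-admins";	# member of at least one, or Xauth fails
	conf_source local;			# addresses come from the pool below
	network4 10.99.0.1;			# first address handed out
	netmask4 255.255.255.0;
	pool_size 200;				# at most 200 clients at once
	dns4 10.0.0.53, 10.0.0.54;
	default_domain "example.net";
	split_network include 10.0.0.0/8, 192.168.100.0/24;
	accounting system;			# logins and logouts recorded in utmp
	auth_throttle 5;			# 5 s lockout after each failed password
	banner "/etc/racoon/motd";
	save_passwd off;			# do not let Cisco clients cache the password
}

ldapcfg {
	version 3;
	# No TLS statement exists in this section, so the bind password and the
	# users' Xauth passwords cross the wire in clear text: keep the server
	# on the same host (the default) or behind a local TLS proxy.
	host "127.0.0.1";
	port 389;
	base "dc=example,dc=net";
	subtree on;				# users and groups live in sub-OUs
	bind_dn "cn=racoon,ou=services,dc=example,dc=net";
	bind_pw "replace-with-the-bind-password";
	attr_user "uid";			# user DN is uid=<name>,... rather than cn=
	attr_group "cn";
	attr_member "member";
}
```

These statements only take effect for peers whose remote section turns on mode_cfg and uses an Xauth authentication method. Because bind_pw is stored in clear text, racoon.conf needs the same ownership and permission discipline the page requires for the pre-shared key file.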
        !          1394: .Ss Radius configuration settings
        !          1395: .Bl -tag -width Ds -compact
        !          1396: .It Ic radiuscfg { Ar statements Ic }
        !          1397: Defines the parameters that will be used to communicate with radius
        !          1398: servers for
        !          1399: .Ic xauth
        !          1400: authentication.
        !          1401: If radius is selected as the xauth authentication or accounting
        !          1402: source and no servers are defined in this section, settings from
        !          1403: the system
        !          1404: .Xr radius.conf 5
        !          1405: configuration file will be used instead.
        !          1406: .Pp
        !          1407: The following are valid statements:
        !          1408: .Bl -tag -width Ds -compact
        !          1409: .It Ic auth Ar (hostname | address) [port] sharedsecret ;
        !          1410: The host name or ip address, optional port value and shared secret value
        !          1411: of a radius authentication server.
        !          1412: Up to 5 radius authentication servers
        !          1413: may be specified using multiple lines.
        !          1414: .It Ic acct Ar (hostname | address) [port] sharedsecret ;
        !          1415: The host name or ip address, optional port value and shared secret value
        !          1416: of a radius accounting server.
        !          1417: Up to 5 radius accounting servers may be
        !          1418: specified using multiple lines.
        !          1419: .It Ic timeout Ar seconds ;
        !          1420: The timeout for receiving replies from radius servers.
        !          1421: The default is
        !          1422: .Ic 3 .
        !          1423: .It Ic retries Ar count ;
        !          1424: The maximum number of repeated requests to make before giving up
        !          1425: on a radius server.
        !          1426: The default is
        !          1427: .Ic 3 .
        !          1428: .El
        !          1429: .El
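The following is an added example, not from this page or from the ipsec-tools distribution, showing the RADIUS side of the same statements: authentication, address assignment and accounting all come from RADIUS, with the local pool kept only as the fallback the network4 statement describes. Server names, ports and shared secrets are placeholders; the attribute name Framed-IP-Address is the standard RADIUS attribute the reply carries the address in.

```conf
mode_cfg {
	auth_source radius;
	conf_source radius;		# client address taken from Framed-IP-Address
	accounting radius;		# requires auth_source radius, as above
	pool_size 64;			# caps concurrent users even when RADIUS assigns
	network4 10.99.1.1;		# used when the server answers 255.255.255.254
	netmask4 255.255.255.0;		# (RADIUS for "let the NAS pick an address")
	dns4 10.0.0.53;
	auth_throttle 5;
}

radiuscfg {
	auth "radius1.example.net" 1812 "auth-secret-one";
	auth "radius2.example.net" "auth-secret-two";	# default port
	acct "radius1.example.net" 1813 "acct-secret-one";
	timeout 3;			# seconds to wait for each reply
	retries 2;			# then move on to the next server
}
```

Because conf_source radius and accounting radius both require auth_source radius, the three are switched together. If radiuscfg is left out, the servers and secrets are read from the system radius.conf(5) instead, so an empty section here is not the same as having no RADIUS configuration at all. The shared secrets are the only thing protecting user passwords in transit, so choose long random ones and keep the servers on a trusted network.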
        !          1430: .Ss Special directives
        !          1431: .Bl -tag -width Ds -compact
        !          1432: .It Ic complex_bundle (on | off) ;
        !          1433: Defines how a proposal is interpreted in the case of an SA bundle.
        !          1434: Normally
        !          1435: .Dq IP AH ESP IP payload
        !          1436: is proposed as
        !          1437: .Dq AH tunnel and ESP tunnel .
        !          1438: This interpretation is the common one among other IKE implementations,
        !          1439: but it allows only a very limited set of proposal combinations.
        !          1440: With the option enabled, it is proposed as
        !          1441: .Dq AH transport and ESP tunnel .
        !          1442: The default value is
        !          1443: .Ic off .
        !          1444: .El
        !          1445: .\"
        !          1446: .Ss Pre-shared key File
        !          1447: The pre-shared key file defines pairs of identifiers and corresponding
        !          1448: shared secret keys which are used in the pre-shared key authentication
        !          1449: method in phase 1.
        !          1450: The identifier and the key on each line are separated by one or more blank
        !          1451: and/or tab characters, as in the
        !          1452: .Xr hosts 5
        !          1453: file.
        !          1454: The key may itself contain blanks, because everything after the first run of
        !          1455: blanks is interpreted as the secret key.
        !          1456: Lines starting with
        !          1457: .Ql #
        !          1458: are ignored.
        !          1459: Keys which start with
        !          1460: .Ql 0x
        !          1461: are interpreted as hexadecimal strings.
        !          1462: Note that the file must be owned by the user ID running
        !          1463: .Xr racoon 8
        !          1464: .Pq usually the privileged user ,
        !          1465: and must not be accessible by others.
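The following is an added example, editor-written and not part of ipsec-tools, that applies the rules of this section in code: it parses a key file the way the text describes (comment lines, identifier up to the first blank, the rest of the line as the key, 0x-prefixed hexadecimal keys) and refuses to use a file that is not owned by the running user or is readable by group or others. The sample file contents are constructed for the example, and treating a line without a key or a repeated identifier as an error is stricter than racoon itself.

```python
"""Parse a racoon pre-shared key file and check its ownership and mode.
Editor-written example, not ipsec-tools code; sample data is constructed."""
import os
import re
import stat
import tempfile

# identifier = everything up to the first blank/tab, key = everything after
LINE_RE = re.compile(r"^([^ \t]+)[ \t]+(.*)$")


def parse_psk(text):
    """Return {identifier: key_bytes} following the Pre-shared key File rules."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue                      # comment or empty line
        m = LINE_RE.match(line)
        if not m or not m.group(2):
            raise ValueError("line %d: expected '<identifier> <key>'" % lineno)
        ident, key = m.group(1), m.group(2)
        if key.startswith("0x"):
            key_bytes = bytes.fromhex(key[2:])   # hexadecimal key
        else:
            key_bytes = key.encode()             # text key, blanks included
        if ident in keys:
            # racoon would silently use the first entry; flag it instead
            raise ValueError("line %d: duplicate identifier %r" % (lineno, ident))
        keys[ident] = key_bytes
    return keys


def check_psk_file(path, expected_uid=None):
    """Return a list of ownership/permission problems (empty when acceptable).

    The page requires the file to be owned by the user racoon runs as and to
    be inaccessible to others; here that means no group or other mode bits."""
    st = os.stat(path)
    uid = os.getuid() if expected_uid is None else expected_uid
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if mode & 0o077:
        problems.append("mode %04o grants access to group or others" % mode)
    return problems


def load_psk(path, expected_uid=None):
    """Refuse a key file that fails the check, otherwise parse it."""
    problems = check_psk_file(path, expected_uid)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path, "r", encoding="utf-8") as fh:
        return parse_psk(fh.read())


# constructed sample in the same shape as the EXAMPLES section
SAMPLE_PSK = (
    "# constructed sample, not a real key file\n"
    "10.160.94.3     mekmitasdigoat\n"
    "172.16.1.133    0x12345678\n"
    "foo@kame.net    a pass phrase with blanks\n"
    "foo.kame.net\thoge\n"
)


def demo():
    """Write the sample with a world-readable mode, show it being rejected,
    then tighten the mode and load it.  Returns (problems_before, keys)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "psk.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PSK)
        os.chmod(path, 0o644)            # readable by others: must be refused
        before = check_psk_file(path)
        os.chmod(path, 0o600)            # owner only: acceptable
        keys = load_psk(path)
    return before, keys


if __name__ == "__main__":
    before, keys = demo()
    print("world-readable file rejected with:", before)
    for ident, key in keys.items():
        print("%-40s %d-byte key" % (ident, len(key)))   # never print the key
```

The loader only ever reports key lengths, never key bytes; the same discipline applies to any tooling that touches this file, since a key that reaches a log is as good as leaked.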
        !          1466: .\"
        !          1467: .Sh EXAMPLES
        !          1468: The following shows how the remote directive should be configured.
        !          1469: .Bd -literal -offset indent
        !          1470: path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
        !          1471: remote anonymous
        !          1472: {
        !          1473:        exchange_mode aggressive,main,base;
        !          1474:        lifetime time 24 hour;
        !          1475:        proposal {
        !          1476:                encryption_algorithm 3des;
        !          1477:                hash_algorithm sha1;
        !          1478:                authentication_method pre_shared_key;
        !          1479:                dh_group 2;
        !          1480:        }
        !          1481: }
        !          1482: 
        !          1483: sainfo anonymous
        !          1484: {
        !          1485:        pfs_group 2;
        !          1486:        lifetime time 12 hour ;
        !          1487:        encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
        !          1488:        authentication_algorithm hmac_sha1, hmac_md5 ;
        !          1489:        compression_algorithm deflate ;
        !          1490: }
        !          1491: .Ed
        !          1492: .Pp
        !          1493: If you are configuring plain RSA authentication, the remote directive
        !          1494: should look like the following:
        !          1495: .Bd -literal -offset indent
        !          1496: path certificate "/usr/local/v6/etc" ;
        !          1497: remote anonymous
        !          1498: {
        !          1499:         exchange_mode main,base ;
        !          1500:         lifetime time 12 hour ;
        !          1501:         certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
        !          1502:         peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
        !          1503:         proposal {
        !          1504:                         encryption_algorithm aes ;
        !          1505:                         hash_algorithm sha1 ;
        !          1506:                         authentication_method rsasig ;
        !          1507:                         dh_group 2 ;
        !          1508:         }
        !          1509: }
        !          1510: .Ed
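The first example above permits aggressive mode and negotiates 3DES, SHA-1 and DH group 2, which is the combination the SECURITY CONSIDERATIONS section warns about. The following is an added, hardened variant written for this page (not from the ipsec-tools distribution): main mode only, AES-256, SHA-256 and the 2048-bit MODP group 14 in both phases. The key file path is a placeholder, and the sha256 and group 14 values assume a release whose parser accepts them, so verify on the target system that racoon parses the file.

```conf
path pre_shared_key "/etc/racoon/psk.txt";	# owner-only, see Pre-shared key File
remote anonymous
{
	exchange_mode main;		# no aggressive mode: identity and hash stay encrypted
	lifetime time 8 hour;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha256;
		authentication_method pre_shared_key;
		dh_group 14;
	}
}

sainfo anonymous
{
	pfs_group 14;
	lifetime time 1 hour;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha256;
}
```

Main mode with pre-shared keys only works for peers whose key can be found by source address before their identity is known, so it suits peers with fixed addresses keyed by IP in the key file. For road warriors with changing addresses the answer is certificate authentication (rsasig, as in the second example), not a return to aggressive mode.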
        !          1511: .Pp
        !          1512: The following is a sample for the pre-shared key file.
        !          1513: .Bd -literal -offset indent
        !          1514: 10.160.94.3     mekmitasdigoat
        !          1515: 172.16.1.133    0x12345678
        !          1516: 194.100.55.1    whatcertificatereally
        !          1517: 3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
        !          1518: 3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
        !          1519: foo@kame.net    mekmitasdigoat
        !          1520: foo.kame.net    hoge
        !          1521: .Ed
        !          1522: .\"
        !          1523: .Sh SEE ALSO
        !          1524: .Xr racoon 8 ,
        !          1525: .Xr racoonctl 8 ,
        !          1526: .Xr setkey 8
        !          1527: .\"
        !          1528: .Sh HISTORY
        !          1529: The
        !          1530: .Nm
        !          1531: configuration file first appeared in the
        !          1532: .Dq YIPS
        !          1533: Yokogawa IPsec implementation.
        !          1534: .\"
        !          1535: .Sh BUGS
        !          1536: Some statements may not be handled by
        !          1537: .Xr racoon 8
        !          1538: yet.
        !          1539: .Pp
        !          1540: Diffie-Hellman computation can take a very long time, and may cause
        !          1541: unwanted timeouts, specifically when a large D-H group is used.
        !          1542: .\"
        !          1543: .Sh SECURITY CONSIDERATIONS
        !          1544: The use of IKE phase 1 aggressive mode, especially with pre-shared keys, is not recommended:
        !          1545: the authentication hash is exchanged before the negotiation is encrypted, so an attacker
        !          1546: who obtains the exchange can run an offline dictionary attack on the pre-shared key, as described in
        !          1547: .Li http://www.kb.cert.org/vuls/id/886601 .
