Provided by: racoon_0.8.0-3ubuntu1_i386

NAME

       racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

       This manual page briefly documents the format of the racoon-tool.conf(5)
       configuration file.

       Please consult the racoon.conf(5) man-page first to  better  understand
       what is written about here.

SYNTAX

       The racoon-tool.conf(5) file is laid out in sections.

       Comments  are  delimited  on  the  left by `#', and can be on a line by
       themselves, or at the end of a line.

       The possible sections are global, connection, and peer.   The  possible
       templates  are  spdadd,  spdinit,  sadinit, sadadd, remote, sainfo, and
       racooninit.

       A section starts with a line of the form `section:' and continues  with
       its  properties  (a  property  name terminated by `:' followed by the
       value).  Every line in the body of a template MUST begin with
       `template:'.  Sections and templates can be named; the name goes in
       parentheses between the last character of their type and the final
       colon, for example `connection(name):'.

SECTIONS

       The possible sections are:

       global:
              Contains global parameters for the generated racoon.conf(5), and
              global settings used by racoon-tool(8).  Available settings are:
              path_pre_shared_key,     path_certificate,     path_racoon_conf,
              racoon_command,   racoon_pid_file,  log,  listen[[0-9a-z]],  and
              complex_bundle.

              Apart from racoon_command and racoon_pid_file, the settings map
              across to the like-named options in racoon.conf(5).

              The listen directive differs from the racoon.conf(5) form:  each
              `{ip-address} [[port]]' statement (the port is optional) is given
              as its own listen property, distinguished by an index `0-9' or
              `a-z' in square brackets immediately before the colon, for
              example `listen[0]:' and `listen[1]:'.

       connection(%default|%anonymous|[-_a-z0-9]+):
              Connection  as  described  by  the  complementary  SPD  entries.
              Creates  `sainfo'  sections in the generated racoon.conf(5), and
              associated SPD entries.

              Directives and  values  are  basically  one  for  one  with  the
              relevant entries in racoon.conf(5).

              The `%default' connection supplies entries to every other
              connection, unless the specific connection defines them itself.
              The `%anonymous' connection is there for a passive VPN server.

       peer(%default|%anonymous|[a-f0-9:.]+):
              Defines the phase 1 attributes associated  with  a  peer.   This
              creates `remote' entries in the generated racoon.conf(5).

              Directives  and  values  are  basically  one  for  one  with the
              relevant entries in  racoon.conf(5).   Different  proposals  are
              signified   by   adding   an   index  `0-9',  or  `a-z'  to  the
              encryption_algorithm,     hash_algorithm,     dh_group,      and
              authentication_method    entries,    within    square   brackets
              immediately before the colon.

              The `%default' peer supplies entries to every other peer, unless
              the specific peer defines them itself.  The `%anonymous' peer is
              there for a passive VPN server.
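       The following parser is an added example and is not  racoon-tool's  own
       Perl  code.  It implements the layout described in SYNTAX and SECTIONS:
       `type:' and `type(name):' headers, `key: value' properties, `key[i]:'
       indexed properties with a single `0-9a-z' index, `#' comments, template
       bodies whose lines all start with `template:', and the `%default'
       fill-in rule for connection and peer sections.  The sample configuration
       embedded in it is constructed from the complex example below; the
       template line in it is illustrative setkey(8) syntax, not racoon-tool's
       built-in template.

```python
"""Parser for the racoon-tool.conf(5) layout (added example, not racoon-tool's code)."""
import re
from collections import OrderedDict

SECTION_TYPES = {'global', 'connection', 'peer'}
TEMPLATE_TYPES = {'spdinit', 'sadinit', 'spdadd', 'sadadd', 'remote', 'sainfo', 'racooninit'}
# `type:' or `type(name):' on a line by itself (after comment stripping).
HEADER_RE = re.compile(r'^(?P<type>[a-z]+)(?:\((?P<name>[^()]+)\))?:$')
# `key: value' or `key[i]: value' with a single-character index.
PROP_RE = re.compile(r'^(?P<key>[a-z_]+)(?:\[(?P<idx>[0-9a-z])\])?:\s*(?P<val>.*)$')


def strip_comment(raw):
    """Everything from the first `#' to the end of the line is a comment."""
    return raw.split('#', 1)[0].strip()


def parse(text):
    """Return OrderedDict {(type, name): properties}.

    Unnamed sections get the name ''.  Indexed properties are keyed by
    (key, idx) so that hash_algorithm[0] and hash_algorithm[1] both survive.
    A template's body is kept as a list under the key 'template'.
    """
    conf = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and m.group('type') in SECTION_TYPES | TEMPLATE_TYPES:
            current = (m.group('type'), m.group('name') or '')
            conf.setdefault(current, OrderedDict())
            continue
        if current is None:
            raise ValueError('line %d: property before any section header' % lineno)
        m = PROP_RE.match(line)
        if not m:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
        key, idx, val = m.group('key'), m.group('idx'), m.group('val')
        if current[0] in TEMPLATE_TYPES:
            if key != 'template' or idx is not None:
                raise ValueError('line %d: template lines must start with template:' % lineno)
            conf[current].setdefault('template', []).append(val)
            continue
        conf[current][key if idx is None else (key, idx)] = val
    return conf


def resolve(conf, sect_type, name):
    """Apply the %default rule: the named section's own properties win and
    anything it leaves unset is filled from (sect_type, '%default')."""
    merged = OrderedDict(conf.get((sect_type, '%default'), {}))
    merged.update(conf[(sect_type, name)])
    return merged


def proposals(peer):
    """Group a resolved peer's indexed phase 1 attributes by proposal index."""
    out = OrderedDict()
    for key, val in peer.items():
        if isinstance(key, tuple):
            out.setdefault(key[1], OrderedDict())[key[0]] = val
    return out


# Constructed sample, modelled on the man page's complex example.
SAMPLE = """\
global:
    log: notify
    listen[0]: 172.31.1.1 500

peer(%default):
    lifetime: time 60 min
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des
    authentication_method[0]: rsasig

connection(%default):
    src_ip: 172.31.1.1
    encryption_algorithm: 3des
    lifetime: time 20 min   # trailing comment

peer(10.100.0.1):
    peers_identifier: fqdn mail.bar.com
    encryption_algorithm[0]: blowfish

connection(blurke-mail):
    src_range: 192.168.203.0/24
    dst_range: 172.20.1.1
    dst_ip: 10.100.0.1
    encryption_algorithm: blowfish
    admin_status: yes

spdadd(%default):
    template: spdadd ___src_range___ ___dst_range___ any -P out ipsec esp/tunnel/___src_ip___-___dst_ip___/require;
"""

if __name__ == '__main__':
    conf = parse(SAMPLE)
    peer = resolve(conf, 'peer', '10.100.0.1')
    print(peer['peers_identifier'], dict(proposals(peer)['0']))
    conn = resolve(conf, 'connection', 'blurke-mail')
    print(conn['src_ip'], conn['encryption_algorithm'], conn['lifetime'])
```

       Running it shows the override order: the peer's own
       encryption_algorithm[0] replaces the `%default' value while the
       hash_algorithm[0] and authentication_method[0] it does not set are
       inherited, and the connection keeps its own blowfish setting but takes
       src_ip and lifetime from `connection(%default)'.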

TEMPLATES

       Templates are described briefly here.  You will have to look inside the
       racoon-tool(8) perl script to see exactly what you can do.

       spdinit:
              Portion that can be used to initialise  the  SPD.   Uses  setkey
              syntax.  See setkey(8).

       sadinit:
              Portion  that  can  be  used to initialise the SAD.  Uses setkey
              syntax.  See setkey(8).

       spdadd(%default|[-_a-z0-9]+):
              Template for adding SPD  entries.  Different  templates  can  be
              used.  Keys for replacement are of the form `___setkey_name___',
              with names found in setkey(8).  The built in template  is  named
              `%default'.

       sadadd(%default|[-_a-z0-9]+):
              Template  for  adding  SAD  entries.  Different templates can be
              used.  Keys for replacement are of the form `___setkey_name___',
              with  names  found in setkey(8).  The built in template is named
              `%default'.

       remote(%default|[-_a-z0-9]+):
              Template  for  adding  'remote'   entries   to   the   generated
              racoon.conf(5).   Different  templates  can  be  used.  Keys for
              replacement are of  the  form  `___setkey_name___',  with  names
              found in setkey(8).  The built in template is named `%default'.

       sainfo(%default|[-_a-z0-9]+):
              Template   for   adding   'sainfo'   entries  to  the  generated
              racoon.conf(5).  Different templates  can  be  used.   Keys  for
              replacement  are  of  the  form  `___setkey_name___', with names
              found in setkey(8).  The built in template is named `%default'.

       racooninit:
              Template for adding  your  own  section  to  the  start  of  the
              generated racoon.conf(5).
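       The  renderer  below  is an added example, not racoon-tool's own code.
       It performs the `___name___' key substitution the template sections
       describe.  The template text in it is an illustrative pair of setkey(8)
       spdadd lines written in that key style; it is not racoon-tool's
       built-in `%default' template.  The values are taken from the simple PSK
       example below.  A key the section does not supply is an error, so a
       half-substituted policy is never emitted.

```python
"""Substitute ___key___ placeholders in a racoon-tool style template (added example)."""
import re

KEY_RE = re.compile(r'___([a-z_]+)___')

# Constructed template: tunnel-mode ESP policy in both directions.
SPDADD_TEMPLATE = [
    'spdadd ___src_range___ ___dst_range___ any -P out ipsec '
    'esp/tunnel/___src_ip___-___dst_ip___/require;',
    'spdadd ___dst_range___ ___src_range___ any -P in ipsec '
    'esp/tunnel/___dst_ip___-___src_ip___/require;',
]


def render(template_lines, values):
    """Replace every ___key___ with values[key]; raise if any key is unknown."""
    missing = set()

    def sub(m):
        key = m.group(1)
        if key not in values:
            missing.add(key)
            return m.group(0)
        return values[key]

    out = [KEY_RE.sub(sub, line) for line in template_lines]
    if missing:
        raise KeyError('template keys without a value: %s' % ', '.join(sorted(missing)))
    return out


# Constructed values, copied from the man page's simple PSK example.
CONNECTION = {
    'src_range': '192.168.223.1/32',
    'dst_range': '192.168.200.0/24',
    'src_ip': '172.31.1.1',
    'dst_ip': '10.0.0.1',
}

if __name__ == '__main__':
    for line in render(SPDADD_TEMPLATE, CONNECTION):
        print(line)
```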

EXAMPLES

       Example of a simple configuration using PSK authentication.  The
       algorithms in these examples (3des, blowfish, sha1) are shown for the
       syntax only; pick current ones from the list in racoon.conf(5), which
       includes aes.

       #
       # Configuration file for racoon-tool
       #
       # See racoon-tool.conf(5) for details
       #

       #
       # Simple PSK - authentication defaults to pre_shared_key
       #
       connection(backdoor-doormat):
            src_range: 192.168.223.1/32
            dst_range: 192.168.200.0/24
            src_ip: 172.31.1.1
            dst_ip: 10.0.0.1
            admin_status: enabled
            compression: no
            lifetime: time 20 min
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des

       peer(10.0.0.1):
            verify_cert: on
            passive: off
            verify_identifier: off
            lifetime: time 60 min
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des

       Example of a complex configuration with multiple networks between the
       same endpoints, as well as use of `%default' for common settings.

       #
       # Configuration file for racoon-tool
       #

       global:
            log: notify

       # default settings to save typing
       peer(%default):
            certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
            my_identifier: fqdn blurke.bar.com
            lifetime: time 60 min
            verify_identifier: on
            verify_cert: on
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des
            authentication_method[0]: rsasig

       connection(%default):
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des
            src_ip: 172.31.1.1
            lifetime: time 20 min

       # Connection to work
       peer(10.0.0.1):
            peers_identifier: fqdn blue.sky.com

       connection(blurke-blue-sky-work):
            src_range: 192.168.203.1/32
            dst_range: 172.16.0.0/24
            dst_ip: 10.0.0.1
            admin_status: enabled

       # Connection to telehoused servers
       connection(blurke-mail):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.1
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            compression: on
            admin_status: yes

       peer(10.100.0.1):
            peers_identifier: fqdn mail.bar.com

       connection(blurke-web1):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.23
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       connection(blurke-web2):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.24
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       # Test connection to Free S/WAN
       connection(blurke-freeswan):
            src_range: 192.168.203.0/24
            dst_range: 172.17.100.0/24
            dst_ip: 172.30.1.1
            admin_status: yes

       peer(172.30.1.1):
            peers_identifier: fqdn banshee

FILES

       /etc/racoon/racoon-tool.conf
              The file that this man page describes.

       /var/lib/racoon/racoon.conf
              The generated racoon.conf.

SEE ALSO

       racoon.conf(5), racoon-tool(8), racoon(8), setkey(8).

BUGS

       This man page is by no means complete.

AUTHOR

       This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>
       for the Debian GNU/Linux system (but may be used by others).

                                                           RACOON-TOOL.CONF(5)