Provided by: racoon_0.8.0-9ubuntu1_i386

NAME

       racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

       This manual page briefly documents the racoon-tool.conf(5) configuration
       file format.

       Please consult the racoon.conf(5) man-page first to  better  understand
       what is written about here.

SYNTAX

       The racoon-tool.conf(5) file is laid out in sections.

       Comments  are  delimited  on  the  left by `#', and can be on a line by
       themselves, or at the end of a line.

       The possible sections are global, connection, and peer.   The  possible
       templates   are   spdadd,  spdadd_transport_ip4,  spdadd_transport_ip6,
       spdinit, sadinit, sadadd, remote, sainfo, and racooninit.

       Sections start with section: and then continue  with  their  properties
       (name  terminated  by  `:'  then  value);  templates ALWAYS have to have
       each line started with template:.  Sections  and  templates  can  be
       named, with the name in parentheses between the last character of their
       type and the final colon, as in peer(%default): or spdadd(%default):.

SECTIONS

       The possible sections are:

       global:
              Contains global parameters for the generated racoon.conf(5), and
              global settings used by racoon-tool(8).  Available settings are:
              path_pre_shared_key,     path_certificate,     path_racoon_conf,
              racoon_command,   racoon_pid_file,  log,  listen[[0-9a-z]],  and
              complex_bundle.

              Apart from racoon_command and racoon_pid_file, the settings  map
              across to the similarly named directives in racoon.conf(5).

              The  listen  directive  differs  from  the racoon.conf(5) one: it
              takes multiple {ip-address} [[port]] statements, one per line, by
              attaching an index `0-9' or `a-z' in square brackets immediately
              before the colon, for example listen[0]: and listen[1]:.

       connection(%default|%anonymous|[-_a-z0-9]+):
              Connection  as  described  by  the  complementary  SPD  entries.
              Creates  `sainfo'  sections in the generated racoon.conf(5), and
              associated SPD entries.

              Directives and  values  are  basically  one  for  one  with  the
              relevant  entries  in  racoon.conf(5).   The  spdadd:  property
              can be used to override the template selected automatically. The
              templates selected automatically, depending on  the  connection
              mode  and  on  IPv4  or  IPv6  addressing,  are  spdadd,
              spdadd_transport_ip4,  and  spdadd_transport_ip6.  The  supplied
              default  transport  mode  templates do not encrypt ICMP, as this
              can easily result in SPD policy difficulties; bear in mind that
              ICMP  between  the  endpoints  therefore  travels  in  the clear
              unless you select a template of your  own.   The  boolean
              parameters  auto_ah_on_esp  and  always_ah_on_esp can be used to
              add AH encapsulation to the `esp' mode transform supplied by the
              default spdadd templates.  The IKE phase 2 identifier  type  can
              be set with the id_type option, either `address' or `subnet'.
              Compression can be added to the default transforms by using  the
              compression boolean.

              Multiple SPD rule pairs can be entered  in  place  of  the  pair
              supplied  by the default spdadd templates. They are signified by
              adding an index made up from the  characters  (case-insensitive)
              in  the regular expression `[-_0-9a-z]+' to the src_port, and/or
              dst_port entries, within square brackets immediately before  the
              colon.  Only  one  port  needs  to  be  defined,  with the other
              defaulting to `[any]'. Additional properties for the  rule  pair
              can  be given by encap, and policy entries, with the appropriate
              index entry in square brackets before the colon.

              Please note that on the FreeBSD kernel ( ipsec(4) ) nested ipsec
              policy transforms are not supported, and that ipcomp is buggy.

              The   `%default'  VPN  connection  fills  in  entries  in  other
              specified connections, unless they are otherwise defined  within
              the  specific  connection.  The `%anonymous' connection is there
              for a passive VPN server.

       peer(%default|%anonymous|[a-f0-9:.]+):
              Defines the phase 1 attributes associated  with  a  peer.   This
              creates `remote' entries in the generated racoon.conf(5).

              Directives  and  values  are  basically  one  for  one  with the
              relevant entries in  racoon.conf(5).   Different  proposals  are
              signified  by  adding  an  index  `0-9',  `a-z', or made up from
              characters  (case-insensitive)   in   the   regular   expression
              `[-_0-9a-z]+'   to   the  encryption_algorithm,  hash_algorithm,
              dh_group,  and  authentication_method  entries,  within   square
              brackets immediately before the colon.

              The `%default' peer fills in entries in other  specified  peers,
              unless  they  are  otherwise  defined within the specific peer.
              The `%anonymous' peer is there for a passive VPN server.

TEMPLATES

       Templates are described briefly here.  You will have to look inside the
       racoon-tool(8) perl script to see exactly what you can do.

       spdinit:
              Portion  that  can  be  used to initialise the SPD.  Uses setkey
              syntax.  See setkey(8).

       sadinit:
              Portion that can be used to initialise  the  SAD.   Uses  setkey
              syntax.  See setkey(8).

       spdadd(%default|[-_a-z0-9]+):
              Template  for  adding  SPD  entries.  Different templates can be
              used.  Keys for replacement are of the form `___setkey_name___',
              with  names  found in setkey(8).  The built in template is named
              `%default'.

       spdadd_transport_ip4(%transport_ip4_default|[-_a-z0-9]+):
              Template for adding SPD entries for IPv4 when transport mode  is
              desired.  Different  templates  can  be  used,  but  have  to be
              selected  with  the  spdadd  connection  property.    Keys   for
              replacement  are  of  the  form  `___setkey_name___', with names
              found  in  setkey(8).   The   built   in   template   is   named
              `%transport_ip4_default'.

       spdadd_transport_ip6(%transport_ip6_default|[-_a-z0-9]+):
              Template  for adding SPD entries for IPv6 when transport mode is
              desired. Different  templates  can  be  used,  but  have  to  be
              selected   with   the  spdadd  connection  property.   Keys  for
              replacement are of  the  form  `___setkey_name___',  with  names
              found   in   setkey(8).    The   built   in  template  is  named
              `%transport_ip6_default'.

       sadadd(%default|[-_a-z0-9]+):
              Template for adding SAD  entries.  Different  templates  can  be
              used.  Keys for replacement are of the form `___setkey_name___',
              with names found in setkey(8).  The built in template  is  named
              `%default'.

       remote(%default|[-_a-z0-9]+):
              Template   for   adding   'remote'   entries  to  the  generated
              racoon.conf(5).  Different templates  can  be  used.   Keys  for
              replacement  are  of  the  form  `___setkey_name___', with names
              found in setkey(8).  The built in template is named `%default'.

       sainfo(%default|[-_a-z0-9]+):
              Template  for  adding  'sainfo'   entries   to   the   generated
              racoon.conf(5).   Different  templates  can  be  used.  Keys for
              replacement are of  the  form  `___setkey_name___',  with  names
              found in setkey(8).  The built in template is named `%default'.

       racooninit:
              Template  for  adding  your  own  section  to  the  start of the
              generated racoon.conf(5).
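       The section/property syntax described under SYNTAX, the `%default'
       fill-in rule of the connection and peer sections, and the
       `___setkey_name___' replacement keys of the templates can be seen
       working together in the following added example.  It is not code from
       racoon-tool(8) or from this page.  It assumes that section headers
       start at column 0 with their properties indented, that `%default'
       fills in whole properties (not individual indexed entries), and it
       renders an assumed tunnel-mode spdadd template in setkey(8) syntax
       rather than racoon-tool's built-in `%default' template text.  The
       configuration it parses is constructed for the example.

```python
"""Toy parser for the racoon-tool.conf format: sections, indexed properties,
the `%default' fill-in rule and `___name___' template keys.  Added example,
not racoon-tool's perl code; the spdadd template is assumed, not the built-in."""
import re

# Constructed sample in the format described in SYNTAX and SECTIONS.
SAMPLE = """\
# comment on a line by itself
connection(%default):
    src_ip: 172.31.1.1
    lifetime: time 20 min            # comment at the end of a line
    encryption_algorithm: aes

connection(office):
    src_range: 192.168.203.0/24
    dst_range: 172.16.0.0/24
    dst_ip: 10.0.0.1
    admin_status: enabled

connection(dns-only):
    src_range: 192.168.203.0/24
    dst_range: 172.16.0.53/32
    dst_ip: 10.0.0.1
    dst_port[dns]: 53                # src_port[dns] defaults to `any'
    admin_status: enabled
"""

# Assumption: section headers start at column 0, properties are indented.
HEADER_RE = re.compile(r'^([a-z_0-9]+)(?:\((\S+?)\))?:\s*$')
PROP_RE = re.compile(r'^([a-z_0-9]+)(?:\[([-_0-9a-zA-Z]+)\])?:\s*(.*)$')
KEY_RE = re.compile(r'___([a-z_0-9]+)___')

def parse(text):
    """{(type, name): {prop: value}}; listen[0]-style keys become {index: value}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()        # `#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():                    # section header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f'bad section header: {raw!r}')
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        m = PROP_RE.match(line.strip())
        if current is None or not m:
            raise ValueError(f'bad property line: {raw!r}')
        key, index, value = m.groups()
        if index is None:
            current[key] = value
        else:                                       # index is case-insensitive
            current.setdefault(key, {})[index.lower()] = value
    return sections

def resolve(sections, stype, name):
    """Fill in from `%default' (assumed per property, not per index)."""
    merged = dict(sections.get((stype, '%default'), {}))
    merged.update(sections[(stype, name)])
    return merged

def rule_pairs(props):
    """(index, src_port, dst_port) per indexed port entry; missing side is `any'."""
    src = props.get('src_port') if isinstance(props.get('src_port'), dict) else {}
    dst = props.get('dst_port') if isinstance(props.get('dst_port'), dict) else {}
    return [(i, src.get(i, 'any'), dst.get(i, 'any')) for i in sorted(set(src) | set(dst))]

# Assumed tunnel-mode template in setkey(8) syntax; the `in' rule swaps
# the ranges and the tunnel endpoints so both directions are covered.
SPDADD_TEMPLATE = """\
spdadd ___src_range___ ___dst_range___ any -P out ipsec
    esp/tunnel/___src_ip___-___dst_ip___/require;
spdadd ___dst_range___ ___src_range___ any -P in ipsec
    esp/tunnel/___dst_ip___-___src_ip___/require;
"""

def render(template, props):
    """Replace each ___name___; a missing or indexed property is an error."""
    def sub(m):
        value = props.get(m.group(1))
        if not isinstance(value, str):
            raise KeyError(f'template needs scalar property {m.group(1)!r}')
        return value
    return KEY_RE.sub(sub, template)

def generate(text):
    """setkey spdadd text for every enabled, named (non-%default) connection."""
    sections, out = parse(text), {}
    for stype, name in sections:
        if stype != 'connection' or not name or name.startswith('%'):
            continue
        props = resolve(sections, 'connection', name)
        if props.get('admin_status') in ('enabled', 'yes'):  # both forms appear in EXAMPLES
            out[name] = render(SPDADD_TEMPLATE, props)
    return out

if __name__ == '__main__':
    for name, spd in generate(SAMPLE).items():
        print(f'# connection({name})\n{spd}')
```

       Running the module prints the spdadd rules for the `office'  and
       `dns-only' connections, with src_ip, lifetime and the cipher filled in
       from connection(%default).  A property that a template  references  but
       that  is  still  missing  after  the `%default' fill-in raises an error
       instead of producing an empty field, which is  the  check  to  have
       before generated policy is handed to setkey(8).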

EXAMPLES

       Example of a simple configuration using PSK authentication.  The  3des,
       sha1  and  blowfish  algorithms used in these examples are legacy
       choices kept for illustration; where racoon and the remote peer support
       them, prefer aes and the sha256 family (see racoon.conf(5) for the
       accepted algorithm names).

       #
       # Configuration file for racoon-tool
       #
       # See racoon-tool.conf(5) for details
       #

       #
       # Simple PSK - authentication defaults to pre_shared_key
       #
       connection(backdoor-doormat):
            src_range: 192.168.223.1/32
            dst_range: 192.168.200.0/24
            src_ip: 172.31.1.1
            dst_ip: 10.0.0.1
            admin_status: enabled
            compression: no
            lifetime: time 20 min
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des

       peer(10.0.0.1):
            verify_cert: on
            passive: off
            verify_identifier: off
            lifetime: time 60 min
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des

       Example of a complex configuration with multiple networks  between  the
       same endpoints, as well as use of `%default' for common settings.

       #
       # Configuration file for racoon-tool
       #

       global:
            log: notify

       # default settings to save typing
       peer(%default):
            certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
            my_identifier: fqdn blurke.bar.com
            lifetime: time 60 min
            verify_identifier: on
            verify_cert: on
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des
            authentication_method[0]: rsasig

       connection(%default):
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des
            src_ip: 172.31.1.1
            lifetime: time 20 min

       # Connection to work
       peer(10.0.0.1):
            peers_identifier: fqdn blue.sky.com

       connection(blurke-blue-sky-work):
            src_range: 192.168.203.1/32
            dst_range: 172.16.0.0/24
            dst_ip: 10.0.0.1
            admin_status: enabled

       # Connection to telehoused servers
       connection(blurke-mail):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.1
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            compression: on
            admin_status: yes

       peer(10.100.0.1):
            peers_identifier: fqdn mail.bar.com

       connection(blurke-web1):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.23
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       connection(blurke-web2):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.24
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       # Test connection to Free S/WAN
       connection(blurke-freeswan):
            src_range: 192.168.203.0/24
            dst_range: 172.17.100.0/24
            dst_ip: 172.30.1.1
            admin_status: yes

       peer(172.30.1.1):
            peers_identifier: fqdn banshee

FILES

       /etc/racoon/racoon-tool.conf
              (configuration header file)

       /etc/racoon/racoon-tool.conf.d/*.conf
              optional portions.  The file(s) that this man page describes.

       /var/lib/racoon/racoon.conf
              The generated racoon.conf.

SEE ALSO

       racoon.conf(5),   racoon-tool(8),  racoon(8),  setkey(8),  ipsec(4)  on
       FreeBSD.

BUGS

       This man page is by no means complete.

AUTHOR

       This manual page was written by Matthew Grant <matthewgrant5@gmail.com>
       for the Debian GNU/Linux system (but may be used by others).

                                                           RACOON-TOOL.CONF(5)