bionic (5) racoon-tool.conf.5.gz

Provided by: racoon_0.8.2+20140711-10build1_amd64

NAME

       racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

       This manual page briefly documents the racoon-tool.conf(5) configuration file format.

       Please consult the racoon.conf(5) man-page first to better understand what is written about here.

SYNTAX

       The racoon-tool.conf(5) file is laid out in sections.

       Comments are delimited on the left by `#', and can be on a line by themselves, or at the end of a line.

       The possible sections are global, connection, and peer. The possible templates are spdadd,
       spdadd_transport_ip4, spdadd_transport_ip6, spdinit, sadinit, sadadd, remote, sainfo, and racooninit.

       Sections start with section: and then continue with their properties (name terminated by `:' then value).
       Templates ALWAYS have to have each line started with template:. Sections and templates can be named,
       with the name occurring in parentheses between the last character of their type and the final colon.

SECTIONS

       The possible sections are:

       global:
              Contains global parameters for the generated racoon.conf(5), and global settings used  by  racoon-
              tool(8).    Available   settings  are:  path_pre_shared_key,  path_certificate,  path_racoon_conf,
              privsep,  privsep_chroot,  privsep_user,  privsep_group,  racoon_command,  racoon_pid_file,   log,
              listen[[0-9a-z]], and complex_bundle.

              Apart from racoon_command and racoon_pid_file, the settings map across to the similarly named
              options in racoon.conf(5).

              The items privsep, privsep_chroot, privsep_user, and privsep_group are related to the privsep
              section in racoon.conf(5). privsep is a boolean option to turn on privilege separation. The default
              is to chroot to '/', as quite a bit of setup is required in the chroot directory.

              The listen directive is a bit different from the man-page and takes multiple {ip-address} [[port]]
              statements by attaching an index `0-9', `a-z' in square brackets immediately before the colon.

       connection(%default|%anonymous|[-_a-z0-9]+):
              Connection  as  described  by  the  complementary  SPD  entries.  Creates `sainfo' sections in the
              generated racoon.conf(5), and associated SPD entries.

              Directives and values are basically one for one with the relevant entries in racoon.conf(5).
              spdadd: can be used to override the template automatically selected. The templates that are
              automatically selected depending on connection mode and IPv4 or IPv6 addressing are spdadd,
              spdadd_transport_ip4, and spdadd_transport_ip6. The supplied default transport mode templates do
              not encrypt ICMP as this can easily result in SPD policy difficulties. The boolean parameters
              auto_ah_on_esp and always_ah_on_esp can be used to add AH encapsulation to the `esp' mode transform
              supplied by the default spdadd templates. The IKE phase 2 identifier type can be set with the
              id_type option, either `address' or `subnet'. Compression can be added to the default transforms
              by using the compression boolean.

              Multiple SPD rule pairs can be entered in place  of  the  pair  supplied  by  the  default  spdadd
              templates. They are signified by adding an index made up from the characters (case-insensitive) in
              the regular expression `[-_0-9a-z]+' to the  src_port,  and/or  dst_port  entries,  within  square
              brackets  immediately  before  the  colon.  Only  one  port  needs  to  be defined, with the other
              defaulting to `[any]'. Additional properties for the rule pair can be given by encap,  and  policy
              entries, with the appropriate index entry in square brackets before the colon.

              Please note that on the FreeBSD kernel (ipsec(4)) nested ipsec policy transforms are not
              supported, and that ipcomp is buggy.

              The `%default' VPN connection fills in entries in other specified  connections,  unless  they  are
              otherwise  defined  within  the  specific  connection.  The `%anonymous' connection is there for a
              passive VPN server.

       peer(%default|%anonymous|[a-f0-9:.]+):
              Defines the phase 1 attributes associated with a peer.   This  creates  `remote'  entries  in  the
              generated racoon.conf(5).

              Directives  and  values  are  basically  one  for one with the relevant entries in racoon.conf(5).
              Different proposals are signified by adding an index `0-9', `a-z',  or  made  up  from  characters
              (case-insensitive)   in   the   regular  expression  `[-_0-9a-z]+'  to  the  encryption_algorithm,
              hash_algorithm, dh_group, and authentication_method entries, within  square  brackets  immediately
              before the colon.

              The  `%default'  VPN  connection  fills in entries in other specified connections, unless they are
              otherwise defined within the specific connection. The  `%anonymous'  connection  is  there  for  a
              passive VPN server.

TEMPLATES

       Templates are described briefly here.  You will have to look inside the racoon-tool(8) perl script to see
       exactly what you can do.

       spdinit:
              Portion that can be used to initialise the SPD.  Uses setkey syntax.  See setkey(8).

       sadinit:
              Portion that can be used to initialise the SAD.  Uses setkey syntax.  See setkey(8).

       spdadd(%default|[-_a-z0-9]+):
              Template for adding SPD entries. Different templates can be used.  Keys for replacement are of the
              form  `___setkey_name___',  with  names  found  in  setkey(8).   The  built  in  template is named
              `%default'.

       spdadd_transport_ip4(%transport_ip4_default|[-_a-z0-9]+):
              Template for adding SPD entries for IPv4 when transport mode is desired. Different  templates  can
              be used, but have to be selected with the spdadd connection property.  Keys for replacement are of
              the form `___setkey_name___', with names found in setkey(8).   The  built  in  template  is  named
              `%transport_ip4_default'.

       spdadd_transport_ip6(%transport_ip6_default|[-_a-z0-9]+):
              Template for adding SPD entries for IPv6 when transport mode is desired. Different templates can
              be used, but have to be selected with the spdadd connection property. Keys for replacement are of
              the form `___setkey_name___', with names found in setkey(8). The built in template is named
              `%transport_ip6_default'.

       sadadd(%default|[-_a-z0-9]+):
              Template for adding SAD entries. Different templates can be used.  Keys for replacement are of the
              form  `___setkey_name___',  with  names  found  in  setkey(8).   The  built  in  template is named
              `%default'.

       remote(%default|[-_a-z0-9]+):
              Template for adding 'remote' entries to the generated racoon.conf(5).  Different templates can  be
              used.   Keys  for  replacement are of the form `___setkey_name___', with names found in setkey(8).
              The built in template is named `%default'.

       sainfo(%default|[-_a-z0-9]+):
              Template for adding 'sainfo' entries to the generated racoon.conf(5).  Different templates can  be
              used.   Keys  for  replacement are of the form `___setkey_name___', with names found in setkey(8).
              The built in template is named `%default'.

       racooninit:
              Template for adding your own section to the start of the generated racoon.conf(5).

EXAMPLES

       Example of a simple configuration using PSK authentication.

       #
       # Configuration file for racoon-tool
       #
       # See racoon-tool.conf(5) for details
       #

       #
       # Simple PSK - authentication defaults to pre_shared_key
       #
       connection(bacckdoor-doormat):
            src_range: 192.168.223.1/32
            dst_range: 192.168.200.0/24
            src_ip: 172.31.1.1
            dst_ip: 10.0.0.1
            admin_status: enabled
            compression: no
            lifetime: time 20 min
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des

       peer(10.0.0.1):
            verify_cert: on
            passive: off
            verify_identifier: off
            lifetime: time 60 min
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des

       Example of a complex configuration with multiple networks between the same endpoints, as well as use of
       `%default' for common settings.

       #
       # Configuration file for racoon-tool
       #

       global:
            log: notify

       # default settings to save typing
       peer(%default):
            certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
            my_identifier: fqdn blurke.bar.com
            lifetime: time 60 min
            verify_identifier: on
            verify_cert: on
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des
            authentication_method[0]: rsasig

       connection(%default):
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des
            src_ip: 172.31.1.1
            lifetime: time 20 min

       # Connection to work
       peer(10.0.0.1):
            peers_identifier: fqdn blue.sky.com

       connection(blurke-blue-sky-work):
            src_range: 192.168.203.1/32
            dst_range: 172.16.0.0/24
            dst_ip: 10.0.0.1
            admin_status: enabled

       # Connection to telehoused servers
       connection(blurke-mail):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.1
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            compression: on
            admin_status: yes

       peer(10.100.0.1):
            peers_identifier: fqdn mail.bar.com

       connection(blurke-web1):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.23
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       connection(blurke-web2):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.24
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       # Test connection to Free S/WAN
       connection(blurke-freeswan):
            src_range: 192.168.203.0/24
            dst_range: 172.17.100.0/24
            dst_ip: 172.30.1.1
            admin_status: yes

       peer(172.30.1.1):
            peers_identifier: fqdn banshee
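       As an added illustration (not part of this man page or of racoon-tool itself), the following Python
       parser reads the section syntax described under SYNTAX and SECTIONS: it strips `#' comments, keys each
       section by (type, name), keeps indexed entries such as hash_algorithm[0], and applies the `%default'
       fill-in rule so that a connection's or peer's own entries win over the defaults. The sample input is
       abridged from the second example above; skipping template: lines and merging `%default' per key
       (index included) are assumptions, not behaviour confirmed by racoon-tool(8).

```python
import re
# Constructed sample input (abridged from this man page's second example), not a real file.
SAMPLE = """\
peer(%default):
     lifetime: time 60 min
     hash_algorithm[0]: sha1

connection(%default):
     encryption_algorithm: 3des
     src_ip: 172.31.1.1

peer(10.100.0.1):
     peers_identifier: fqdn mail.bar.com   # trailing comment

connection(blurke-mail):
     dst_ip: 10.100.0.1
     encryption_algorithm: blowfish
"""
# Section header: type, optional "(name)", then the colon.  "template:" lines are skipped (assumption).
HEADER = re.compile(r'^(global|connection|peer)(?:\(([^)]*)\))?:$')
# Property: name, optional [index] immediately before the colon, then the value.
PROP = re.compile(r'^([A-Za-z_]\w*)(?:\[([-_0-9A-Za-z]+)\])?:\s*(.*)$')

def parse(text):
    """Return {(type, name): {key: value}}; an indexed key is stored as (key, index)."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # `#' starts a comment anywhere on the line
        if not line or line.startswith('template'):
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
            continue
        m = PROP.match(line)
        if not m or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, index, value = m.groups()
        sections[current][(key, index.lower()) if index else key] = value
    return sections

def resolve(sections):
    """Fill each named connection/peer from its `%default' section (own entries win); drop the defaults."""
    resolved = {}
    for (stype, name), props in sections.items():
        if name != '%default':
            resolved[(stype, name)] = {**sections.get((stype, '%default'), {}), **props}
    return resolved
```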

FILES

       /etc/racoon/racoon-tool.conf
              (configuration header file)

       /etc/racoon/racoon-tool.conf.d/*.conf
              Optional portions. The file(s) that this man page describes.

       /var/lib/racoon/racoon.conf
              The generated racoon.conf.

SEE ALSO

       racoon.conf(5), racoon-tool(8), racoon(8), setkey(8), ipsec(4) on FreeBSD.

BUGS

       This man page is by no means complete.

AUTHOR

       This  manual  page was written by Matthew Grant <matthewgrant5@gmail.com> for the Debian GNU/Linux system
       (but may be used by others).

                                                                                             RACOON-TOOL.CONF(5)