Provided by: racoon_0.8.2+20140711-10build1_amd64

NAME

       racoon-tool.conf - configuration file for racoon-tool(8).

DESCRIPTION

       This manual page briefly documents the racoon-tool.conf(5) configuration file format.

       Please  consult  the  racoon.conf(5)  man-page  first to better understand what is written
       about here.

SYNTAX

       The racoon-tool.conf(5) file is laid out in sections.

       Comments are delimited on the left by `#', and can be on a line by themselves, or  at  the
       end of a line.

       The  possible  sections  are  global,  connection,  and  peer.  The possible templates are
       spdadd, spdadd_transport_ip4,  spdadd_transport_ip6,  spdinit,  sadinit,  sadadd,  remote,
       sainfo, and racooninit.

       Sections start with a `section:' line and then continue with their properties (name
       terminated by `:' then value); templates ALWAYS have to have each line started with
       `template:'.  Sections and templates can be named, with the name occurring in parentheses
       between the last character of their type and the final colon.

SECTIONS

       The possible sections are:

       global:
              Contains global parameters for the generated racoon.conf(5),  and  global  settings
              used    by    racoon-tool(8).    Available   settings   are:   path_pre_shared_key,
              path_certificate,   path_racoon_conf,   privsep,   privsep_chroot,    privsep_user,
              privsep_group,   racoon_command,   racoon_pid_file,   log,   listen[[0-9a-z]],  and
              complex_bundle.

               Apart from racoon_command and racoon_pid_file, the settings map across to the
               similarly named entries in racoon.conf(5).

               The items privsep, privsep_chroot, privsep_user and privsep_group relate to the
               privsep section in racoon.conf(5).  privsep is a boolean option that turns on
               privilege separation.  The default is to chroot to '/', as quite a bit of setup is
               required in the chroot directory.

              The listen directive is a bit different from the man-page and takes  multiple  {ip-
              address}  [[port]]  statements by attaching an index `0-9',`a-z' in square brackets
              immediately before the colon.

       connection(%default|%anonymous|[-_a-z0-9]+):
              Connection as  described  by  the  complementary  SPD  entries.   Creates  `sainfo'
              sections in the generated racoon.conf(5), and associated SPD entries.

               Directives and values are basically one for one with the relevant entries in
               racoon.conf(5).  Spdadd: can be used to override the template automatically
               selected.  The templates that are automatically selected depending on connection
               mode and IPv4 or IPv6 addressing are spdadd, spdadd_transport_ip4, and
               spdadd_transport_ip6.  The supplied default transport mode templates do not encrypt
               ICMP, as this can easily result in SPD policy difficulties.  The boolean parameters
               auto_ah_on_esp and always_ah_on_esp can be used to add AH encapsulation to the `esp'
               mode transform supplied by the default spdadd templates.  The IKE phase 2
               identifier type can be set with the id_type option, either `address' or `subnet'.
               Compression can be added to the default transforms by using the compression
               boolean.

              Multiple SPD rule pairs can be entered in place of the pair supplied by the default
              spdadd templates. They are signified by adding an index made up from the characters
              (case-insensitive)  in the regular expression `[-_0-9a-z]+' to the src_port, and/or
              dst_port entries, within square brackets immediately before  the  colon.  Only  one
              port  needs  to  be  defined,  with  the  other  defaulting  to `[any]'. Additional
              properties for the rule pair can be given by encap, and policy  entries,  with  the
              appropriate index entry in square brackets before the colon.

              Please  note that on the FreeBSD kernel ( ipsec(4) ) nested ipsec policy transforms
              are not supported, and that ipcomp is buggy.

              The `%default' VPN connection fills in  entries  in  other  specified  connections,
              unless  they are otherwise defined within the specific connection. The `%anonymous'
              connection is there for a passive VPN server.

       peer(%default|%anonymous|[a-f0-9:.]+):
              Defines the phase 1 attributes associated  with  a  peer.   This  creates  `remote'
              entries in the generated racoon.conf(5).

              Directives  and  values  are  basically  one  for  one with the relevant entries in
               racoon.conf(5).  Different proposals are signified by adding an index `0-9', `a-z',
               or one made up from characters (case-insensitive) in the regular expression
               `[-_0-9a-z]+' to the encryption_algorithm, hash_algorithm, dh_group, and
               authentication_method entries, within square brackets immediately before the colon.

              The  `%default'  VPN  connection  fills  in entries in other specified connections,
              unless they are otherwise defined within the specific connection. The  `%anonymous'
              connection is there for a passive VPN server.
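
       The following Python program is an added example, not part of racoon-tool(8) or of this
       manual page: a small parser for the section, property and `[index]' syntax described in
       the SYNTAX and SECTIONS sections above, together with the `%default' fill-in rule for
       connection and peer sections.  The header and property patterns, the sample configuration
       (adapted from the EXAMPLES below), the `mode'-free template handling and the collection
       of `template:' lines into an ordered list are assumptions drawn from this page; the real
       Perl script may differ in corner cases.

```python
import re

# "kind:" or "kind(name):" alone on a line (derived from the SYNTAX text above).
HEADER_RE = re.compile(r'^([A-Za-z_0-9]+)(?:\(([^)]+)\))?:$')
# "key: value" or "key[index]: value"; the bracketed index is the selector the
# page uses for listen[...], src_port[...], encryption_algorithm[...] and so on.
PROP_RE = re.compile(r'^([A-Za-z_0-9]+)(?:\[([-_0-9A-Za-z]+)\])?:\s*(.*)$')

def strip_comment(line):
    """Comments start at `#' and may sit alone or at the end of a line."""
    return line.split('#', 1)[0].rstrip()

def parse(text):
    """Return {kind: {name_or_None: {(key, index_or_None): value}}}.
    `template: ...' lines are collected into an ordered list (assumption)."""
    config, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            kind, name = header.groups()
            current = config.setdefault(kind, {}).setdefault(name, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: property before any section")
        prop = PROP_RE.match(line)
        if not prop:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        key, index, value = prop.groups()
        if key == 'template':
            current.setdefault(('template', None), []).append(value)
        else:
            current[(key, index)] = value.strip()
    return config

def effective(config, kind):
    """Apply the `%default' rule: a named section inherits every property it
    does not define itself.  `%default' itself is left out of the result."""
    sections = config.get(kind, {})
    defaults = sections.get('%default', {})
    return {name: {**defaults, **props}
            for name, props in sections.items() if name != '%default'}

def proposals(section, key):
    """Indexed values of one key, e.g. the per-proposal encryption_algorithm[N]."""
    return {idx: val for (k, idx), val in section.items() if k == key and idx}

def rule_pairs(connection):
    """SPD rule pairs selected by src_port[idx] / dst_port[idx]; the port that
    is not given defaults to `any', as described above."""
    indices = {idx for (k, idx) in connection
               if k in ('src_port', 'dst_port') and idx}
    return {idx: {'src_port': connection.get(('src_port', idx), 'any'),
                  'dst_port': connection.get(('dst_port', idx), 'any'),
                  'encap': connection.get(('encap', idx)),
                  'policy': connection.get(('policy', idx))}
            for idx in sorted(indices)}

# Constructed sample, adapted from the EXAMPLES section of this page.
SAMPLE = """\
global:
    log: notify
    listen[a]: 10.0.0.2 4500
connection(%default):
    authentication_algorithm: hmac_sha1
    encryption_algorithm: 3des
    lifetime: time 20 min
connection(office):
    src_range: 192.168.203.0/24
    dst_range: 172.16.0.0/24
    src_ip: 172.31.1.1
    dst_ip: 10.0.0.1
    dst_port[web]: 443          # extra SPD rule pair; src_port defaults to any
    encap[web]: esp
    encryption_algorithm: aes   # overrides the %default 3des
    admin_status: enabled
peer(%default):
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des
    authentication_method[0]: rsasig
peer(10.0.0.1):
    peers_identifier: fqdn blue.sky.com
    encryption_algorithm[1]: aes
spdadd(%default):
    template: spdadd ___src_range___ ___dst_range___ any -P out ipsec
    template:     esp/tunnel/___src_ip___-___dst_ip___/require;
"""

if __name__ == '__main__':
    cfg = parse(SAMPLE)
    for name, conn in effective(cfg, 'connection').items():
        print(name, conn[('encryption_algorithm', None)], rule_pairs(conn))
    for name, peer in effective(cfg, 'peer').items():
        print(name, proposals(peer, 'encryption_algorithm'))
```

       Running it prints, for each connection, the encryption algorithm in force after `%default'
       has been applied and the extra SPD rule pairs selected by port index, and for each peer the
       full list of indexed proposals.  Reviewing the merged result rather than the file as written
       is the quickest way to spot a connection or peer that silently inherits a default transform
       it never set itself.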

TEMPLATES

       Templates  are  described  briefly  here.  You will have to look inside the racoon-tool(8)
       perl script to see exactly what you can do.

       spdinit:
              Portion that can  be  used  to  initialise  the  SPD.   Uses  setkey  syntax.   See
              setkey(8).

       sadinit:
              Portion  that  can  be  used  to  initialise  the  SAD.   Uses  setkey syntax.  See
              setkey(8).

       spdadd(%default|[-_a-z0-9]+):
              Template for adding SPD  entries.  Different  templates  can  be  used.   Keys  for
              replacement  are  of  the  form `___setkey_name___', with names found in setkey(8).
              The built in template is named `%default'.

       spdadd_transport_ip4(%transport_ip4_default|[-_a-z0-9]+):
              Template for adding SPD entries for IPv4 when transport mode is desired.  Different
              templates can be used, but have to be selected with the spdadd connection property.
              Keys for replacement are of the  form  `___setkey_name___',  with  names  found  in
              setkey(8).  The built in template is named `%transport_ip4_default'.

       spdadd_transport_ip6(%transport_ip6_default|[-_a-z0-9]+):
              Template  for adding SPD entries for IPv6 when transport mode is desired. Different
              templates can be used, but have to be selected with the spdadd connection property.
              Keys  for  replacement  are  of  the  form `___setkey_name___', with names found in
               setkey(8).  The built in template is named `%transport_ip6_default'.

       sadadd(%default|[-_a-z0-9]+):
              Template for adding SAD  entries.  Different  templates  can  be  used.   Keys  for
              replacement  are  of  the  form `___setkey_name___', with names found in setkey(8).
              The built in template is named `%default'.

       remote(%default|[-_a-z0-9]+):
              Template for adding 'remote' entries to the  generated  racoon.conf(5).   Different
              templates  can  be used.  Keys for replacement are of the form `___setkey_name___',
              with names found in setkey(8).  The built in template is named `%default'.

       sainfo(%default|[-_a-z0-9]+):
              Template for adding 'sainfo' entries to the  generated  racoon.conf(5).   Different
              templates  can  be used.  Keys for replacement are of the form `___setkey_name___',
              with names found in setkey(8).  The built in template is named `%default'.

       racooninit:
              Template for adding your own section to the start of the generated racoon.conf(5).
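
       The following is likewise an added example and not the templates built into the
       racoon-tool(8) Perl script: it fills `___name___' keys in a constructed spdadd template,
       refuses to emit a policy when any key has no value, and chooses between spdadd and the
       transport-mode templates in the way the connection section above describes.  The
       placeholder names (___src_range___ and so on), the `mode' property used to detect
       transport mode, and the template text itself are assumptions of this example.

```python
import ipaddress
import re

KEY_RE = re.compile(r'___([a-z0-9_]+)___')

# Constructed templates in setkey(8) syntax, written for this example; the
# placeholder names are an assumption modelled on the page's wording.
TEMPLATES = {
    'spdadd': (
        "spdadd ___src_range___ ___dst_range___ any -P out ipsec\n"
        "    esp/tunnel/___src_ip___-___dst_ip___/require;\n"
        "spdadd ___dst_range___ ___src_range___ any -P in ipsec\n"
        "    esp/tunnel/___dst_ip___-___src_ip___/require;\n"),
    # Transport mode: ICMP is left in the clear, as the page says the defaults do.
    'spdadd_transport_ip4': (
        "spdadd ___src_ip___ ___dst_ip___ icmp -P out none;\n"
        "spdadd ___dst_ip___ ___src_ip___ icmp -P in none;\n"
        "spdadd ___src_ip___ ___dst_ip___ any -P out ipsec esp/transport//require;\n"
        "spdadd ___dst_ip___ ___src_ip___ any -P in ipsec esp/transport//require;\n"),
}

def select_template(conn):
    """Pick the template name as the page describes: an explicit `spdadd'
    property wins, tunnel mode uses spdadd, and transport mode picks the
    IPv4/IPv6 variant from the address family of src_ip.  The `mode'
    property name is an assumption of this example."""
    if 'spdadd' in conn:
        return conn['spdadd']
    if conn.get('mode', 'tunnel') != 'transport':
        return 'spdadd'
    version = ipaddress.ip_address(conn['src_ip']).version
    return 'spdadd_transport_ip4' if version == 4 else 'spdadd_transport_ip6'

def render(template, values):
    """Fill every ___key___; refuse to emit a policy with a hole in it, since a
    half-filled spdadd line is rejected by setkey or matches the wrong traffic."""
    missing = sorted(set(KEY_RE.findall(template)) - set(values))
    if missing:
        raise KeyError(f"no value for template key(s): {missing}")
    return KEY_RE.sub(lambda m: values[m.group(1)], template)

def spd_for(conn):
    """Complete SPD text for one connection (property values as plain strings)."""
    name = select_template(conn)
    if name not in TEMPLATES:
        raise KeyError(f"no template named {name!r}")
    return render(TEMPLATES[name], conn)

# Constructed connection, using the addresses from the first example below.
OFFICE = {
    'src_range': '192.168.223.1/32', 'dst_range': '192.168.200.0/24',
    'src_ip': '172.31.1.1', 'dst_ip': '10.0.0.1',
}

if __name__ == '__main__':
    print(spd_for(OFFICE))
    print(spd_for({**OFFICE, 'mode': 'transport'}))
```

       The completeness check in render() is the part worth keeping: a template key that was never
       given a value is easier to catch before the text reaches setkey(8) than by reading the
       resulting SPD.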

EXAMPLES

       Example of a simple configuration using PSK authentication.

       #
       # Configuration file for racoon-tool
       #
       # See racoon-tool.conf(5) for details
       #

       #
       # Simple PSK - authentication defaults to pre_shared_key
       #
       connection(bacckdoor-doormat):
            src_range: 192.168.223.1/32
            dst_range: 192.168.200.0/24
            src_ip: 172.31.1.1
            dst_ip: 10.0.0.1
            admin_status: enabled
            compression: no
            lifetime: time 20 min
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des

       peer(10.0.0.1):
            verify_cert: on
            passive: off
            verify_identifier: off
            lifetime: time 60 min
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des

       Example of a complex configuration with multiple networks between the same endpoints, as
       well as use of `%default' for common settings.

       #
       # Configuration file for racoon-tool
       #

       global:
            log: notify

       # default settings to save typing
       peer(%default):
            certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
            my_identifier: fqdn blurke.bar.com
            lifetime: time 60 min
            verify_identifier: on
            verify_cert: on
            hash_algorithm[0]: sha1
            encryption_algorithm[0]: 3des
            authentication_method[0]: rsasig

       connection(%default):
            authentication_algorithm: hmac_sha1
            encryption_algorithm: 3des
            src_ip: 172.31.1.1
            lifetime: time 20 min

       # Connection to work
       peer(10.0.0.1):
            peers_identifier: fqdn blue.sky.com

       connection(blurke-blue-sky-work):
            src_range: 192.168.203.1/32
            dst_range: 172.16.0.0/24
            dst_ip: 10.0.0.1
            admin_status: enabled

       # Connection to telehoused servers
       connection(blurke-mail):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.1
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            compression: on
            admin_status: yes

       peer(10.100.0.1):
            peers_identifier: fqdn mail.bar.com

       connection(blurke-web1):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.23
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       connection(blurke-web2):
            src_range: 192.168.203.0/24
            dst_range: 172.20.1.24
            dst_ip: 10.100.0.1
            encryption_algorithm: blowfish
            admin_status: yes

       # Test connection to Free S/WAN
       connection(blurke-freeswan):
            src_range: 192.168.203.0/24
            dst_range: 172.17.100.0/24
            dst_ip: 172.30.1.1
            admin_status: yes

       peer(172.30.1.1):
            peers_identifier: fqdn banshee

FILES

       /etc/racoon/racoon-tool.conf
              (configuration header file)

       /etc/racoon/racoon-tool.conf.d/*.conf
              Optional portions; the file(s) that this man page describes.

       /var/lib/racoon/racoon.conf
              The generated racoon.conf.

SEE ALSO

       racoon.conf(5), racoon-tool(8), racoon(8), setkey(8), ipsec(4) on FreeBSD.

BUGS

       This man page is by no means complete.

AUTHOR

       This  manual  page  was  written by Matthew Grant <matthewgrant5@gmail.com> for the Debian
       GNU/Linux system (but may be used by others).

                                                                              RACOON-TOOL.CONF(5)