a426f44395
- plug some memory leaks - correct phase 2 proposal reqid handling - check for fd_set overrun
728 lines
21 KiB
Groff
728 lines
21 KiB
Groff
.\" $NetBSD: racoon.conf.5,v 1.14 2002/11/20 03:35:58 itojun Exp $
|
|
.\" $KAME: racoon.conf.5,v 1.101 2002/07/17 03:43:38 sakane Exp $
|
|
.\"
|
|
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd November 20, 2000
|
|
.Dt RACOON.CONF 5
|
|
.Os
|
|
.\"
|
|
.Sh NAME
|
|
.Nm racoon.conf
|
|
.Nd configuration file for racoon
|
|
.\"
|
|
.\" .Sh SYNOPSIS
|
|
.\"
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the configuration file for the
|
|
.Xr racoon 8
|
|
ISAKMP daemon.
|
|
.Xr racoon 8
|
|
negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
|
|
and for kernel IPsec (IPsec SA, or phase 2 SA).
|
|
The file consists of a sequence of directives and statements.
|
|
Each directive is composed by a tag, and statements are enclosed by
|
|
.Ql {
|
|
and
|
|
.Ql } .
|
|
Lines beginning with
|
|
.Ql #
|
|
are comments.
|
|
.\"
|
|
.Ss Meta Syntax
|
|
Keywords and special characters that the parser expects exactly are
|
|
displayed using
|
|
.Ic this
|
|
font.
|
|
Parameters are specified with
|
|
.Ar this
|
|
font.
|
|
Square brackets
|
|
.Po
|
|
.Ql \*(lB
|
|
and
|
|
.Ql \*(rB
|
|
.Pc
|
|
are used to show optional keywords and parameters.
|
|
Note that
|
|
you have to pay attention when this manual is describing
|
|
.Ar port
|
|
numbers.
|
|
The
|
|
.Ar port
|
|
number is always enclosed by
|
|
.Ql \*(lB
|
|
and
|
|
.Ql \*(rB .
|
|
In this case, the port number is not an optional keyword.
|
|
If it is possible to omit
|
|
.Ar port
|
|
number,
|
|
the expression becomes
|
|
.Bq Ic Bq Ar port .
|
|
The vertical bar
|
|
.Pq Ql \*(Ba
|
|
is used to indicate
|
|
a choice between optional parameters.
|
|
Parentheses
|
|
.Po
|
|
.Ql \*(lP
|
|
and
|
|
.Ql \*(rP
|
|
.Pc
|
|
are used to group keywords and parameters when necessary.
|
|
Major parameters are listed below.
|
|
.Pp
|
|
.Bl -tag -width addressx -compact
|
|
.It Ar number
|
|
means a hexadecimal or a decimal number.
|
|
The former must be prefixed with
|
|
.Ql Li 0x .
|
|
.It Ar string
|
|
.It Ar path
|
|
.It Ar file
|
|
means any string enclosed in
|
|
.Ql \&"
|
|
.Pq double quote .
|
|
.It Ar address
|
|
means IPv6 and/or IPv4 address.
|
|
.It Ar port
|
|
means a TCP/UDP port number.
|
|
The port number is always enclosed by
|
|
.Ql \*(lB
|
|
and
|
|
.Ql \*(rB .
|
|
.It Ar timeunit
|
|
is one of following:
|
|
.Ic sec , secs , second , seconds ,
|
|
.Ic min , mins , minute , minutes ,
|
|
.Ic hour , hours .
|
|
.El
|
|
.\"
|
|
.Ss Path Specification
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic path include Ar path ;
|
|
specifies a path to include a file.
|
|
See
|
|
.Sx File Inclusion .
|
|
.It Ic path pre_shared_key Ar file ;
|
|
specifies a file containing pre-shared key(s) for various ID(s).
|
|
See
|
|
.Sx Pre-shared key File .
|
|
.It Ic path certificate Ar path ;
|
|
.Xr racoon 8
|
|
will search this directory if a certificate or certificate request is received.
|
|
.It Ic path backupsa Ar file ;
|
|
specifies a file to be stored a SA information which is negotiated by racoon.
|
|
.Xr racoon 8
|
|
will install SA(s) from the file with a boot option
|
|
.Fl B .
|
|
The file is increasing because
|
|
.Xr racoon 8
|
|
simply add a SA to the file at the moment.
|
|
You should maintain the file manually.
|
|
.El
|
|
.\"
|
|
.Ss File Inclusion
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic include Ar file
|
|
other configuration files can be included.
|
|
.El
|
|
.\"
|
|
.Ss Identifier Specification
|
|
is obsolete.
|
|
It must be defined at each
|
|
.Ic remote
|
|
directive.
|
|
.\"
|
|
.Ss Timer Specification
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic timer { Ar statements Ic }
|
|
specifies various timer values.
|
|
.Pp
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic counter Ar number ;
|
|
the maximum number of retries to send.
|
|
The default is 5.
|
|
.It Ic interval Ar number Ar timeunit ;
|
|
the interval to resend, in seconds.
|
|
The default time is 10 seconds.
|
|
.It Ic persend Ar number ;
|
|
the number of packets per send.
|
|
The default is 1.
|
|
.It Ic phase1 Ar number Ar timeunit ;
|
|
the maximum time it should take to complete phase 1.
|
|
The default time is 15 seconds.
|
|
.It Ic phase2 Ar number Ar timeunit ;
|
|
the maximum time it should take to complete phase 2.
|
|
The default time is 10 seconds.
|
|
.El
|
|
.El
|
|
.\"
|
|
.Ss Listening Port Specification
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic listen { Ar statements Ic }
|
|
If no
|
|
.Ar listen
|
|
directive is specified,
|
|
.Xr racoon 8
|
|
will listen on all of the available interface addresses.
|
|
The following is the list of valid statements:
|
|
.Pp
|
|
.Bl -tag -width Ds -compact
|
|
.\" How do I express bold brackets; `[' and `]' .
|
|
.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
|
|
.It Ic isakmp Ar address Bq Bq Ar port ;
|
|
If this is specified,
|
|
.Xr racoon 8
|
|
will only listen on
|
|
.Ar address .
|
|
The default port is 500, which is specified by IANA.
|
|
You can provide more than one address definition.
|
|
.It Ic strict_address ;
|
|
require that all addresses for ISAKMP must be bound.
|
|
This statement will be ignored if you do not specify any addresses.
|
|
.El
|
|
.El
|
|
.\"
|
|
.Ss Remote Nodes Specifications
|
|
.Bl -tag -width Ds -compact
|
|
.It Xo
|
|
.Ic remote ( Ar address \*(Ba Ic anonymous )
|
|
.Bq Bq Ar port
|
|
.Ic { Ar statements Ic }
|
|
.Xc
|
|
specifies the parameters for IKE phase 1 for each remote node.
|
|
The default port is 500.
|
|
If
|
|
.Ic anonymous
|
|
is specified, the statements apply to all peers which do not match
|
|
any other
|
|
.Ic remote
|
|
directive.
|
|
.Pp
|
|
The following are valid statements.
|
|
.Pp
|
|
.Bl -tag -width Ds -compact
|
|
.\"
|
|
.It Ic exchange_mode ( main \*(Ba aggressive \*(Ba base ) ;
|
|
defines the exchange mode for phase 1 when racoon is the initiator.
|
|
Also it means the acceptable exchange mode when racoon is responder.
|
|
More than one mode can be specified by separating them with a comma.
|
|
All of the modes are acceptable.
|
|
The first exchange mode is what racoon uses when it is the initiator.
|
|
.\"
|
|
.It Ic doi Ic ipsec_doi ;
|
|
means to use IPSEC-DOI as specified RFC 2407.
|
|
You can omit this statement.
|
|
.\"
|
|
.It Ic situation Ic identity_only ;
|
|
means to use SIT_IDENTITY_ONLY as specified RFC 2407.
|
|
You can omit this statement.
|
|
.\"
|
|
.It Ic identifier Ar idtype ;
|
|
is obsolete.
|
|
Instead, use
|
|
.Ic my_identifier .
|
|
.\"
|
|
.It Ic my_identifier Ar idtype ... ;
|
|
specifies the identifier sent to the remote host
|
|
and the type to use in the phase 1 negotiation.
|
|
.Ic address, fqdn , user_fqdn , keyid and asn1dn
|
|
can be used as an
|
|
.Ar idtype .
|
|
they are used like:
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic my_identifier Ic address Bq Ar address ;
|
|
the type is the IP address.
|
|
This is the default type if you do not specify an identifier to use.
|
|
.It Ic my_identifier Ic user_fqdn Ar string ;
|
|
the type is a USER_FQDN (user fully-qualified domain name).
|
|
.It Ic my_identifier Ic fqdn Ar string ;
|
|
the type is a FQDN (fully-qualified domain name).
|
|
.It Ic my_identifier Ic keyid Ar file ;
|
|
the type is a KEY_ID.
|
|
.It Ic my_identifier Ic asn1dn Bq Ar string ;
|
|
the type is an ASN.1 distinguished name.
|
|
If
|
|
.Ar string
|
|
is omitted,
|
|
.Xr racoon 8
|
|
will get DN from Subject field in the certificate.
|
|
.El
|
|
.\"
|
|
.It Ic peers_identifier Ar idtype ... ;
|
|
specifies the peer's identifier to be received.
|
|
If it is not defined then
|
|
.Xr racoon 8
|
|
will not verify the peer's identifier in ID payload transmitted from the peer.
|
|
If it is defined, the behavior of the verification depends on the flag of
|
|
.Ic verify_identifier .
|
|
The usage of
|
|
.Ar idtype
|
|
is same to
|
|
.Ic my_identifier .
|
|
.\"
|
|
.It Ic verify_identifier (on \(ba off) ;
|
|
If you want to verify the peer's identifier,
|
|
set this to on.
|
|
In this case, if the value defined by
|
|
.Ic peers_identifier
|
|
is not same to the peer's identifier in the ID payload,
|
|
the negotiation will failed.
|
|
The default is off.
|
|
.\"
|
|
.It Ic certificate_type Ar certspec ;
|
|
specifies a certificate specification.
|
|
.Ar certspec
|
|
is one of followings:
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic x509 Ar certfile Ar privkeyfile;
|
|
.Ar certfile
|
|
means a file name of certificate.
|
|
.Ar privkeyfile
|
|
means a file name of secret key.
|
|
.El
|
|
.\"
|
|
.It Ic peers_certfile ( dnssec \*(Ba Ar certfile ) ;
|
|
If
|
|
.Ic dnssec
|
|
is defined,
|
|
.Xr racoon 8
|
|
will ignore the CERT payload from the peer,
|
|
and try to get the peer's certificate from DNS instead.
|
|
If
|
|
.Ar certfile
|
|
is defined,
|
|
.Xr racoon 8
|
|
will ignore the CERT payload from the peer,
|
|
and will use this certificate as the peer's certificate.
|
|
.\"
|
|
.It Ic send_cert (on \(ba off) ;
|
|
If you do not want to send a certificate for some reason, set this to off.
|
|
The default is on.
|
|
.\"
|
|
.It Ic send_cr (on \(ba off) ;
|
|
If you do not want to send a certificate request for some reason, set this to off.
|
|
The default is on.
|
|
.\"
|
|
.It Ic verify_cert (on \(ba off) ;
|
|
If you do not want to verify the peer's certificate for some reason,
|
|
set this to off.
|
|
The default is on.
|
|
.\"
|
|
.It Ic lifetime time Ar number Ar timeunit ;
|
|
define a lifetime of a certain time
|
|
which will be proposed in the phase 1 negotiations.
|
|
Any proposal will be accepted, and the attribute(s) will be not proposed to
|
|
the peer if you do not specify it(them).
|
|
They can be individually specified in each proposal.
|
|
.\"
|
|
.It Ic initial_contact (on \(ba off) ;
|
|
enable this to send an INITIAL-CONTACT message.
|
|
The default value is
|
|
.Ic on .
|
|
This message is useful only when
|
|
the implementation of the responder choices an old SA when there are multiple
|
|
SAs which are different established time, and the initiator reboots.
|
|
If racoon did not use the message,
|
|
the responder would use an old SA even when an new SA was established.
|
|
The KAME stack has the switch in the system wide value,
|
|
net.key.preferred_oldsa.
|
|
when the value is zero, the stack always use an new SA.
|
|
.\"
|
|
.It Ic passive (on \(ba off) ;
|
|
If you do not want to initiate the negotiation, set this to on.
|
|
The default value is
|
|
.Ic off .
|
|
It is useful for a server.
|
|
.\"
|
|
.It Ic proposal_check Ar level ;
|
|
specifies the action of lifetime length and PFS of the phase 2
|
|
selection on the responder side.
|
|
The default level is
|
|
.Ic strict .
|
|
If the
|
|
.Ar level
|
|
is;
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic obey
|
|
the responder will obey the initiator anytime.
|
|
.It Ic strict
|
|
If the responder's length is longer than the initiator's one, the
|
|
responder uses the initiator's one.
|
|
Otherwise it rejects the proposal.
|
|
If PFS is not required by the responder, the responder will obey the proposal.
|
|
If PFS is required by both sides and if the responder's group is not equal to
|
|
the initiator's one, then the responder will reject the proposal.
|
|
.It Ic claim
|
|
If the responder's length is longer than the initiator's one, the
|
|
responder will use the initiator's one.
|
|
If the responder's length is
|
|
shorter than the initiator's one, the responder uses its own length
|
|
AND sends a RESPONDER-LIFETIME notify message to an initiator in the
|
|
case of lifetime.
|
|
About PFS, this directive is same as
|
|
.Ic strict .
|
|
.It Ic exact
|
|
If the initiator's length is not equal to the responder's one, the
|
|
responder will reject the proposal.
|
|
If PFS is required by both sides and if the responder's group is not equal to
|
|
the initiator's one, then the responder will reject the proposal.
|
|
.El
|
|
.\"
|
|
.It Ic support_mip6 (on \(ba off) ;
|
|
If this value is set on then both values of ID payloads in phase 2 exchange
|
|
are always used as the addresses of end-point of IPsec-SAs.
|
|
The default is off.
|
|
.\"
|
|
.It Ic generate_policy (on \(ba off) ;
|
|
This directive is for the responder.
|
|
Therefore you should set
|
|
.Ic passive
|
|
on in order that
|
|
.Xr racoon 8
|
|
only becomes a responder.
|
|
If the responder does not have any policy in SPD during phase 2 negotiation,
|
|
and the directive is set on, then
|
|
.Xr racoon 8
|
|
will choice the first proposal in the
|
|
SA payload from the initiator, and generate policy entries from the proposal.
|
|
It is useful to negotiate with the client which is allocated IP address
|
|
dynamically.
|
|
Note that inappropriate policy might be installed into the responder's SPD
|
|
by the initiator.
|
|
So that other communication might fail if such policies installed
|
|
due to some policy mismatches between the initiator and the responder.
|
|
This directive is ignored in the initiator case.
|
|
The default value is
|
|
.Ic off .
|
|
.\"
|
|
.It Ic nonce_size Ar number ;
|
|
define the byte size of nonce value.
|
|
Racoon can send any value although
|
|
RFC2409 specifies that the value MUST be between 8 and 256 bytes.
|
|
The default size is 16 bytes.
|
|
.\"
|
|
.It Xo
|
|
.Ic proposal { Ar sub-substatements Ic }
|
|
.Xc
|
|
.Bl -tag -width Ds -compact
|
|
.\"
|
|
.It Ic encryption_algorithm Ar algorithm ;
|
|
specify the encryption algorithm used for the phase 1 negotiation.
|
|
This directive must be defined.
|
|
.Ar algorithm
|
|
is one of following:
|
|
.Ic des , 3des , blowfish , cast128
|
|
.\".Ic rc5 , idea
|
|
for oakley.
|
|
For other transforms, this statement should not be used.
|
|
.\"
|
|
.It Ic hash_algorithm Ar algorithm;
|
|
define the hash algorithm used for the phase 1 negotiation.
|
|
This directive must be defined.
|
|
.Ar algorithm
|
|
is one of following:
|
|
.Ic md5, sha1
|
|
for oakley.
|
|
.\"
|
|
.It Ic authentication_method Ar type ;
|
|
defines the authentication method used for the phase 1 negotiation.
|
|
This directive must be defined.
|
|
.Ar type
|
|
is one of:
|
|
.Ic pre_shared_key, rsasig , gssapi_krb .
|
|
.\"
|
|
.It Ic dh_group Ar group ;
|
|
define the group used for the Diffie-Hellman exponentiations.
|
|
This directive must be defined.
|
|
.Ar group
|
|
is one of following:
|
|
.Ic modp768 , modp1024 , modp1536 .
|
|
Or you can define 1, 2, or 5 as the DH group number.
|
|
When you want to use aggressive mode,
|
|
you must define same DH group in each proposal.
|
|
.It Ic lifetime time Ar number Ar timeunit ;
|
|
define lifetime of the phase 1 SA proposal.
|
|
Refer to the description of
|
|
.Ic lifetime
|
|
directive immediately defined in
|
|
.Ic remote
|
|
directive.
|
|
.It Ic gssapi_id Ar string ;
|
|
define the GSS-API endpoint name, to be included as an attribute in the SA,
|
|
if the
|
|
.Ic gssapi_krb
|
|
authentication method is used. If this is not defined, the default value of
|
|
.Ql ike/hostname
|
|
is used, where hostname is the FQDN of the interface being used.
|
|
.El
|
|
.El
|
|
.El
|
|
.\"
|
|
.Ss Policy Specifications
|
|
The policy directive is obsolete, policies are now in the SPD.
|
|
.Xr racoon 8
|
|
will obey the policy configured into the kernel by
|
|
.Xr setkey 8 ,
|
|
and will construct phase 2 proposals by combining
|
|
.Ic sainfo
|
|
specifications in
|
|
.Nm Ns ,
|
|
and policies in the kernel.
|
|
.\"
|
|
.Ss Sainfo Specifications
|
|
.Bl -tag -width Ds -compact
|
|
.It Xo
|
|
.Ic sainfo ( Ar source_id destination_id \*(Ba Ic anonymous )
|
|
.Ic { Ar statements Ic }
|
|
.Xc
|
|
defines the parameters of the IKE phase 2 (IPsec-SA establishment).
|
|
.Ar source_id
|
|
and
|
|
.Ar destination_id
|
|
are constructed like:
|
|
.Pp
|
|
.Ic address Ar address
|
|
.Bq Ic / Ar prefix
|
|
.Bq Ic [ Ar port ]
|
|
.Ar ul_proto
|
|
.Pp
|
|
or
|
|
.Pp
|
|
.Ar idtype Ar string
|
|
.Pp
|
|
It means exactly the content of ID payload.
|
|
This is not like a filter rule.
|
|
For example, if you define 3ffe:501:4819::/48 as
|
|
.Ar source_id .
|
|
3ffe:501:4819:1000:/64 will not match.
|
|
.Pp
|
|
.Bl -tag -width Ds -compact
|
|
.\"
|
|
.It Ic pfs_group Ar group ;
|
|
define the group of Diffie-Hellman exponentiations.
|
|
If you do not require PFS then you can omit this directive.
|
|
Any proposal will be accepted if you do not specify one.
|
|
.Ar group
|
|
is one of following:
|
|
.Ic modp768 , modp1024 , modp1536 .
|
|
Or you can define 1, 2, or 5 as the DH group number.
|
|
.\"
|
|
.It Ic lifetime time Ar number Ar timeunit ;
|
|
define the lifetime of amount of time
|
|
which are to be used IPsec-SA.
|
|
Any proposal will be accepted, and no attribute(s) will be proposed to
|
|
the peer if you do not specify it(them).
|
|
See the
|
|
.Ic proposal_check
|
|
directive.
|
|
.\"
|
|
.It Ic my_identifier Ar idtype ... ;
|
|
is obsolete.
|
|
It does not make sense to specify a identifier in the phase 2.
|
|
.El
|
|
.\"
|
|
.Pp
|
|
.Xr racoon 8
|
|
does not have the list of security protocols to be negotiated.
|
|
The list of security protocols are passed by SPD in the kernel.
|
|
Therefore you have to define all of the potential algorithms
|
|
in the phase 2 proposals even if there is a algorithm which will not be used.
|
|
These algorithms are define by using the following three directives,
|
|
and they are lined with single comma as the separator.
|
|
For algorithms that can take variable-length keys, algorithm names
|
|
can be followed by a key length, like
|
|
.Dq Li blowfish 448 .
|
|
.Xr racoon 8
|
|
will compute the actual phase 2 proposals by computing
|
|
the permutation of the specified algorithms,
|
|
and then combining them with the security protocol specified by the SPD.
|
|
For example, if
|
|
.Ic des, 3des, hmac_md5,
|
|
and
|
|
.Ic hmac_sha1
|
|
are specified as algorithms, we have four combinations for use with ESP,
|
|
and two for AH.
|
|
Then, based on the SPD settings,
|
|
.Xr racoon 8
|
|
will construct the actual proposals.
|
|
If the SPD entry asks for ESP only, there will be 4 proposals.
|
|
If it asks for both AH and ESP, there will be 8 proposals.
|
|
Note that the kernel may not support the algorithm you have specified.
|
|
.\"
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic encryption_algorithm Ar algorithms ;
|
|
.Ic des , 3des , des_iv64 , des_iv32 ,
|
|
.Ic rc5 , rc4 , idea , 3idea ,
|
|
.Ic cast128 , blowfish , null_enc ,
|
|
.Ic twofish , rijndael
|
|
.Pq used with ESP
|
|
.\"
|
|
.It Ic authentication_algorithm Ar algorithms ;
|
|
.Ic des , 3des , des_iv64 , des_iv32 ,
|
|
.Ic hmac_md5 , hmac_sha1 , non_auth
|
|
.Pq used with ESP authentication and AH
|
|
.\"
|
|
.It Ic compression_algorithm Ar algorithms ;
|
|
.Ic deflate
|
|
.Pq used with IPComp
|
|
.El
|
|
.El
|
|
.\"
|
|
.Ss Logging level
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic log Ar level ;
|
|
define logging level.
|
|
.Ar level
|
|
is one of following:
|
|
.Ic notify , debug
|
|
and
|
|
.Ic debug2 .
|
|
The default is
|
|
.Ic notify .
|
|
If you put too high logging level on slower machines,
|
|
IKE negotiation can fail due to timing constraint changes.
|
|
.El
|
|
.\"
|
|
.Ss Specifying the way to pad
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic padding { Ar statements Ic }
|
|
specified padding format.
|
|
The following are valid statements:
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic randomize (on \(ba off) ;
|
|
enable using a randomized value for padding.
|
|
The default is on.
|
|
.It Ic randomize_length (on \(ba off) ;
|
|
the pad length is random.
|
|
The default is off.
|
|
.It Ic maximum_length Ar number ;
|
|
define a maximum padding length.
|
|
If
|
|
.Ic randomize_length is off, this is ignored.
|
|
The default is 20 bytes.
|
|
.It Ic exclusive_tail (on \(ba off) ;
|
|
means to put the number of pad bytes minus one into last part of the padding.
|
|
The default is on.
|
|
.It Ic strict_check (on \(ba off) ;
|
|
means to be constrained the peer to set the number of pad bytes.
|
|
The default is off.
|
|
.El
|
|
.El
|
|
.Ss Special directives
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic complex_bundle (on \(ba off) ;
|
|
defines the interpretation of proposal in the case of SA bundle.
|
|
Normally
|
|
.Dq IP AH ESP IP payload
|
|
is proposed as
|
|
.Dq AH tunnel and ESP tunnel .
|
|
The interpretation is more common to other IKE implementations, however,
|
|
it allows very limited set of combinations for proposals.
|
|
With the option enabled, it will be proposed as
|
|
.Dq AH transport and ESP tunnel .
|
|
The default value is
|
|
.Ic off .
|
|
.El
|
|
.\"
|
|
.Ss Pre-shared key File
|
|
Pre-shared key file defines a pair of the identifier and the shared secret key
|
|
which are used at Pre-shared key authentication method in phase 1.
|
|
The pair in each lines are separated by some number of blanks and/or tab
|
|
characters like
|
|
.Xr hosts 5 .
|
|
Key can be included any blanks because all of the words after 2nd column
|
|
are interpreted as a secret key.
|
|
Lines start with
|
|
.Ql #
|
|
are ignored.
|
|
Keys which start with
|
|
.Ql 0x
|
|
are hexa-decimal strings.
|
|
Note that the file must be owned by the user ID running
|
|
.Xr racoon 8
|
|
.Pq usually the privileged user ,
|
|
and must not be accessible by others.
|
|
.\"
|
|
.Sh EXAMPLES
|
|
The following shows how the remote directive should be configured.
|
|
.Bd -literal -offset
|
|
path pre_shared_key "/etc/racoon/psk.txt" ;
|
|
remote anonymous
|
|
{
|
|
exchange_mode aggressive,main,base;
|
|
lifetime time 24 hour;
|
|
proposal {
|
|
encryption_algorithm 3des;
|
|
hash_algorithm sha1;
|
|
authentication_method pre_shared_key;
|
|
dh_group 2;
|
|
}
|
|
}
|
|
|
|
sainfo anonymous
|
|
{
|
|
pfs_group 2;
|
|
lifetime time 12 hour ;
|
|
encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
|
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
|
compression_algorithm deflate ;
|
|
}
|
|
.Ed
|
|
.Pp
|
|
The following is a sample of the file defined pre-shared key.
|
|
.Bd -literal -offset
|
|
10.160.94.3 mekmitasdigoat
|
|
172.16.1.133 0x12345678
|
|
194.100.55.1 whatcertificatereally
|
|
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
|
|
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
|
|
foo@kame.net mekmitasdigoat
|
|
foo.kame.net hoge
|
|
.Ed
|
|
.\"
|
|
.Sh SEE ALSO
|
|
.\".Xr racoonctl 8 ,
|
|
.Xr racoon 8 ,
|
|
.Xr setkey 8
|
|
.\"
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
configuration file first appeared in
|
|
.Dq YIPS
|
|
Yokogawa IPsec implementation.
|
|
.\"
|
|
.Sh BUGS
|
|
Some statements may not be handled by
|
|
.Xr racoon 8
|
|
yet.
|