/dev/random
/dev/urandom
The PSK file, the private keys, and the hook scripts are accessed through the privileged instance of racoon(8) and do not need to be reachable in the chroot(2)'ed tree.
If the path starts with /, it is treated as an absolute path. Otherwise, it is treated as a relative path to the VARRUN directory specified at compilation time. Default is racoon.pid.
The listen section can also be used to specify the admin socket mode and ownership if racoon was built with support for admin port.
Defaults are /var/racoon/racoon.sock, UID 0, and GID 0. mode is the access mode in octal. The default is 0600.
Sections with inherit parent statements (where parent is either an address or the keyword anonymous) have all values predefined to those of the given parent. In these sections it is enough to redefine only the parameters that change.
The following are valid statements.
/etc/openssl/cert.pem
LOCAL_ADDR
LOCAL_PORT
REMOTE_ADDR
REMOTE_PORT
Note that because PMTU discovery is broken on many sites, you will have to use MSS clamping if you want TCP to work correctly.
address address [/ prefix] [[port]] ul_proto
or
subnet address [/ prefix] [[port]] ul_proto
or
idtype string
An id string should be expressed to match the exact value of an ID payload (source is the local end, destination is the remote end). This is not like a filter rule. For example, if you define 3ffe:501:4819::/48 as the source_id, 3ffe:501:4819:1000::/64 will not match.
In the case of a longest prefix (selecting a single host), address instructs to send ID type of ADDRESS while subnet instructs to send ID type of SUBNET. Otherwise, these instructions are identical.
The group keyword allows an XAuth group membership check to be performed for this sainfo section. When the mode_cfg auth source is set to system or ldap, the XAuth user is verified to be a member of the specified group before allowing a matching SA to be negotiated.
racoon(8) does not have a list of security protocols to be negotiated. The list of security protocols is passed by the SPD in the kernel. Therefore you have to define all of the potential algorithms in the phase 2 proposals even if there are algorithms which will not be used. These algorithms are defined by using the following three directives, with a single comma as the separator. For algorithms that can take variable-length keys, algorithm names can be followed by a key length, like ``blowfish 448''.

racoon(8) will compute the actual phase 2 proposals by computing the permutation of the specified algorithms, and then combining them with the security protocol specified by the SPD. For example, if des, 3des, hmac_md5, and hmac_sha1 are specified as algorithms, we have four combinations for use with ESP, and two for AH. Then, based on the SPD settings, racoon(8) will construct the actual proposals. If the SPD entry asks for ESP only, there will be 4 proposals. If it asks for both AH and ESP, there will be 8 proposals. Note that the kernel may not support the algorithm you have specified.
The following are valid statements:
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
remote anonymous
{
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
If you are configuring plain RSA authentication, the remote directive should look like the following:
path certificate "/usr/local/v6/etc" ;
remote anonymous
{
        exchange_mode main,base ;
        lifetime time 12 hour ;
        certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
        peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
        proposal {
                encryption_algorithm aes ;
                hash_algorithm sha1 ;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}
The following is a sample for the pre-shared key file.
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
foo@kame.net mekmitasdigoat
foo.kame.net hoge
Diffie-Hellman computation can take a very long time, and may cause unwanted timeouts, specifically when a large D-H group is used.
http://www.kb.cert.org/vuls/id/886601.