| @@ -1,1553 +1,1553 @@ | | | @@ -1,1553 +1,1553 @@ |
1 | .\" $NetBSD: racoon.conf.5,v 1.55 2009/03/12 15:18:57 wiz Exp $ | | 1 | .\" $NetBSD: racoon.conf.5,v 1.56 2009/05/04 22:28:30 wiz Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp | | 3 | .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp |
4 | .\" | | 4 | .\" |
5 | .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | | 5 | .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
6 | .\" All rights reserved. | | 6 | .\" All rights reserved. |
7 | .\" | | 7 | .\" |
8 | .\" Redistribution and use in source and binary forms, with or without | | 8 | .\" Redistribution and use in source and binary forms, with or without |
9 | .\" modification, are permitted provided that the following conditions | | 9 | .\" modification, are permitted provided that the following conditions |
10 | .\" are met: | | 10 | .\" are met: |
11 | .\" 1. Redistributions of source code must retain the above copyright | | 11 | .\" 1. Redistributions of source code must retain the above copyright |
12 | .\" notice, this list of conditions and the following disclaimer. | | 12 | .\" notice, this list of conditions and the following disclaimer. |
13 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 13 | .\" 2. Redistributions in binary form must reproduce the above copyright |
14 | .\" notice, this list of conditions and the following disclaimer in the | | 14 | .\" notice, this list of conditions and the following disclaimer in the |
15 | .\" documentation and/or other materials provided with the distribution. | | 15 | .\" documentation and/or other materials provided with the distribution. |
16 | .\" 3. Neither the name of the project nor the names of its contributors | | 16 | .\" 3. Neither the name of the project nor the names of its contributors |
17 | .\" may be used to endorse or promote products derived from this software | | 17 | .\" may be used to endorse or promote products derived from this software |
18 | .\" without specific prior written permission. | | 18 | .\" without specific prior written permission. |
19 | .\" | | 19 | .\" |
20 | .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | | 20 | .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
21 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 21 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
22 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 22 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
23 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | | 23 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
24 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 24 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
25 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 25 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
26 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 26 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
27 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 27 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
28 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 28 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
29 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 29 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
30 | .\" SUCH DAMAGE. | | 30 | .\" SUCH DAMAGE. |
31 | .\" | | 31 | .\" |
32 | .Dd March 12, 2009 | | 32 | .Dd March 12, 2009 |
33 | .Dt RACOON.CONF 5 | | 33 | .Dt RACOON.CONF 5 |
34 | .Os | | 34 | .Os |
35 | .\" | | 35 | .\" |
36 | .Sh NAME | | 36 | .Sh NAME |
37 | .Nm racoon.conf | | 37 | .Nm racoon.conf |
38 | .Nd configuration file for racoon | | 38 | .Nd configuration file for racoon |
39 | .\" | | 39 | .\" |
40 | .\" .Sh SYNOPSIS | | 40 | .\" .Sh SYNOPSIS |
41 | .\" | | 41 | .\" |
42 | .Sh DESCRIPTION | | 42 | .Sh DESCRIPTION |
43 | .Nm | | 43 | .Nm |
44 | is the configuration file for the | | 44 | is the configuration file for the |
45 | .Xr racoon 8 | | 45 | .Xr racoon 8 |
46 | ISAKMP daemon. | | 46 | ISAKMP daemon. |
47 | .Xr racoon 8 | | 47 | .Xr racoon 8 |
48 | negotiates security associations for itself (ISAKMP SA, or phase 1 SA) | | 48 | negotiates security associations for itself (ISAKMP SA, or phase 1 SA) |
49 | and for kernel IPsec (IPsec SA, or phase 2 SA). | | 49 | and for kernel IPsec (IPsec SA, or phase 2 SA). |
50 | The file consists of a sequence of directives and statements. | | 50 | The file consists of a sequence of directives and statements. |
51 | Each directive is composed by a tag and statements, enclosed by | | 51 | Each directive is composed by a tag and statements, enclosed by |
52 | .Ql { | | 52 | .Ql { |
53 | and | | 53 | and |
54 | .Ql } . | | 54 | .Ql } . |
55 | Lines beginning with | | 55 | Lines beginning with |
56 | .Ql # | | 56 | .Ql # |
57 | are comments. | | 57 | are comments. |
58 | .\" | | 58 | .\" |
59 | .Ss Meta Syntax | | 59 | .Ss Meta Syntax |
60 | Keywords and special characters that the parser expects exactly are | | 60 | Keywords and special characters that the parser expects exactly are |
61 | displayed using | | 61 | displayed using |
62 | .Ic this | | 62 | .Ic this |
63 | font. | | 63 | font. |
64 | Parameters are specified with | | 64 | Parameters are specified with |
65 | .Ar this | | 65 | .Ar this |
66 | font. | | 66 | font. |
67 | Square brackets | | 67 | Square brackets |
68 | .Po | | 68 | .Po |
69 | .Ql \&[ | | 69 | .Ql \&[ |
70 | and | | 70 | and |
71 | .Ql \&] | | 71 | .Ql \&] |
72 | .Pc | | 72 | .Pc |
73 | are used to show optional keywords and parameters. | | 73 | are used to show optional keywords and parameters. |
74 | Note that | | 74 | Note that |
75 | you have to pay attention when this manual is describing | | 75 | you have to pay attention when this manual is describing |
76 | .Ar port | | 76 | .Ar port |
77 | numbers. | | 77 | numbers. |
78 | The | | 78 | The |
79 | .Ar port | | 79 | .Ar port |
80 | number is always enclosed by | | 80 | number is always enclosed by |
81 | .Ql \&[ | | 81 | .Ql \&[ |
82 | and | | 82 | and |
83 | .Ql \&] . | | 83 | .Ql \&] . |
84 | In this case, the port number is not an optional keyword. | | 84 | In this case, the port number is not an optional keyword. |
85 | If it is possible to omit the | | 85 | If it is possible to omit the |
86 | .Ar port | | 86 | .Ar port |
87 | number, | | 87 | number, |
88 | the expression becomes | | 88 | the expression becomes |
89 | .Bq Bq Ar port . | | 89 | .Bq Bq Ar port . |
90 | The vertical bar | | 90 | The vertical bar |
91 | .Pq Ql \&| | | 91 | .Pq Ql \&| |
92 | is used to indicate | | 92 | is used to indicate |
93 | a choice between optional parameters. | | 93 | a choice between optional parameters. |
94 | Parentheses | | 94 | Parentheses |
95 | .Po | | 95 | .Po |
96 | .Ql \&( | | 96 | .Ql \&( |
97 | and | | 97 | and |
98 | .Ql \&) | | 98 | .Ql \&) |
99 | .Pc | | 99 | .Pc |
100 | are used to group keywords and parameters when necessary. | | 100 | are used to group keywords and parameters when necessary. |
101 | Major parameters are listed below. | | 101 | Major parameters are listed below. |
102 | .Pp | | 102 | .Pp |
103 | .Bl -tag -width addressx -compact | | 103 | .Bl -tag -width addressx -compact |
104 | .It Ar number | | 104 | .It Ar number |
105 | means a hexadecimal or a decimal number. | | 105 | means a hexadecimal or a decimal number. |
106 | The former must be prefixed with | | 106 | The former must be prefixed with |
107 | .Ql Li 0x . | | 107 | .Ql Li 0x . |
108 | .It Ar string | | 108 | .It Ar string |
109 | .It Ar path | | 109 | .It Ar path |
110 | .It Ar file | | 110 | .It Ar file |
111 | means any string enclosed in | | 111 | means any string enclosed in |
112 | .Ql \&" | | 112 | .Ql \&" |
113 | .Pq double quotes . | | 113 | .Pq double quotes . |
114 | .It Ar address | | 114 | .It Ar address |
115 | means IPv6 and/or IPv4 address. | | 115 | means IPv6 and/or IPv4 address. |
116 | .It Ar port | | 116 | .It Ar port |
117 | means a TCP/UDP port number. | | 117 | means a TCP/UDP port number. |
118 | The port number is always enclosed by | | 118 | The port number is always enclosed by |
119 | .Ql \&[ | | 119 | .Ql \&[ |
120 | and | | 120 | and |
121 | .Ql \&] . | | 121 | .Ql \&] . |
122 | .It Ar timeunit | | 122 | .It Ar timeunit |
123 | is one of following: | | 123 | is one of following: |
124 | .Ic sec , secs , second , seconds , | | 124 | .Ic sec , secs , second , seconds , |
125 | .Ic min , mins , minute , minutes , | | 125 | .Ic min , mins , minute , minutes , |
126 | .Ic hour , hours . | | 126 | .Ic hour , hours . |
127 | .El | | 127 | .El |
128 | .\" | | 128 | .\" |
129 | .Ss Privilege separation | | 129 | .Ss Privilege separation |
130 | .Bl -tag -width Ds -compact | | 130 | .Bl -tag -width Ds -compact |
131 | .It Ic privsep { Ar statements Ic } | | 131 | .It Ic privsep { Ar statements Ic } |
132 | Specifies privilege separation parameters. | | 132 | Specifies privilege separation parameters. |
133 | When enabled, these enable | | 133 | When enabled, these enable |
134 | .Xr racoon 8 | | 134 | .Xr racoon 8 |
135 | to operate with an unprivileged instance doing most of the work, while | | 135 | to operate with an unprivileged instance doing most of the work, while |
136 | a privileged instance takes care of performing the following operations | | 136 | a privileged instance takes care of performing the following operations |
137 | as root: reading PSK and private keys, launching hook scripts, and | | 137 | as root: reading PSK and private keys, launching hook scripts, and |
138 | validating passwords against system databases or against PAM. | | 138 | validating passwords against system databases or against PAM. |
139 | Please note that using privilege separation makes changes to the | | 139 | Please note that using privilege separation makes changes to the |
140 | .Ar listen | | 140 | .Ar listen |
141 | and | | 141 | and |
142 | .Ar paths | | 142 | .Ar paths |
143 | sections ignored upon configuration reloads. | | 143 | sections ignored upon configuration reloads. |
144 | A | | 144 | A |
145 | .Xr racoon 8 | | 145 | .Xr racoon 8 |
146 | restart is required if you want such changes to be taken into account. | | 146 | restart is required if you want such changes to be taken into account. |
147 | .Pp | | 147 | .Pp |
148 | .Bl -tag -width Ds -compact | | 148 | .Bl -tag -width Ds -compact |
149 | .It Ic user Ar user ; | | 149 | .It Ic user Ar user ; |
150 | The user to which the unprivileged instance of | | 150 | The user to which the unprivileged instance of |
151 | .Xr racoon 8 , | | 151 | .Xr racoon 8 , |
152 | should switch. | | 152 | should switch. |
153 | This can be a quoted user name or a numeric UID. | | 153 | This can be a quoted user name or a numeric UID. |
154 | .It Ic group Ar group ; | | 154 | .It Ic group Ar group ; |
155 | The group the unprivileged instance of | | 155 | The group the unprivileged instance of |
156 | .Xr racoon 8 , | | 156 | .Xr racoon 8 , |
157 | should switch. | | 157 | should switch. |
158 | This can be a quoted group name or a numeric GID. | | 158 | This can be a quoted group name or a numeric GID. |
159 | .It Ic chroot Ar path ; | | 159 | .It Ic chroot Ar path ; |
160 | A directory to which the unprivileged instance of | | 160 | A directory to which the unprivileged instance of |
161 | .Xr racoon 8 | | 161 | .Xr racoon 8 |
162 | should | | 162 | should |
163 | .Xr chroot 2 . | | 163 | .Xr chroot 2 . |
164 | This directory should hold a tree where the following files must be | | 164 | This directory should hold a tree where the following files must be |
165 | reachable: | | 165 | reachable: |
166 | .Bl -tag -width Ds -compact | | 166 | .Bl -tag -width Ds -compact |
167 | .It Pa /dev/random | | 167 | .It Pa /dev/random |
168 | .It Pa /dev/urandom | | 168 | .It Pa /dev/urandom |
169 | .It The certificates | | 169 | .It The certificates |
170 | .It The file containing the Xauth banner | | 170 | .It The file containing the Xauth banner |
171 | .El | | 171 | .El |
172 | .Pp | | 172 | .Pp |
173 | The PSK file, the private keys, and the hook scripts are accessed through the | | 173 | The PSK file, the private keys, and the hook scripts are accessed through the |
174 | privileged instance of | | 174 | privileged instance of |
175 | .Xr racoon 8 | | 175 | .Xr racoon 8 |
176 | and do not need to be reachable in the | | 176 | and do not need to be reachable in the |
177 | .Xr chroot 2 Ap ed | | 177 | .Xr chroot 2 Ap ed |
178 | tree. | | 178 | tree. |
179 | .El | | 179 | .El |
180 | .El | | 180 | .El |
181 | .Ss Path Specification | | 181 | .Ss Path Specification |
182 | This section specifies various paths used by racoon. | | 182 | This section specifies various paths used by racoon. |
183 | When running in privilege separation mode, | | 183 | When running in privilege separation mode, |
184 | .Ic certificate | | 184 | .Ic certificate |
185 | and | | 185 | and |
186 | .Ic script | | 186 | .Ic script |
187 | paths are mandatory. | | 187 | paths are mandatory. |
188 | A | | 188 | A |
189 | .Xr racoon 8 | | 189 | .Xr racoon 8 |
190 | restart is required if you want path changes to be taken into account. | | 190 | restart is required if you want path changes to be taken into account. |
191 | .Bl -tag -width Ds -compact | | 191 | .Bl -tag -width Ds -compact |
192 | .It Ic path include Ar path ; | | 192 | .It Ic path include Ar path ; |
193 | Specifies a path to include a file. | | 193 | Specifies a path to include a file. |
194 | See | | 194 | See |
195 | .Sx File Inclusion . | | 195 | .Sx File Inclusion . |
196 | .It Ic path pre_shared_key Ar file ; | | 196 | .It Ic path pre_shared_key Ar file ; |
197 | Specifies a file containing pre-shared key(s) for various ID(s). | | 197 | Specifies a file containing pre-shared key(s) for various ID(s). |
198 | See | | 198 | See |
199 | .Sx Pre-shared key File . | | 199 | .Sx Pre-shared key File . |
200 | .It Ic path certificate Ar path ; | | 200 | .It Ic path certificate Ar path ; |
201 | .Xr racoon 8 | | 201 | .Xr racoon 8 |
202 | will search this directory if a certificate or certificate request is received. | | 202 | will search this directory if a certificate or certificate request is received. |
203 | If you run with privilege separation, | | 203 | If you run with privilege separation, |
204 | .Xr racoon 8 | | 204 | .Xr racoon 8 |
205 | will refuse to use a certificate stored outside of this directory. | | 205 | will refuse to use a certificate stored outside of this directory. |
206 | .It Ic path backupsa Ar file ; | | 206 | .It Ic path backupsa Ar file ; |
207 | Specifies a file to which SA information negotiated by | | 207 | Specifies a file to which SA information negotiated by |
208 | racoon should be stored. | | 208 | racoon should be stored. |
209 | .Xr racoon 8 | | 209 | .Xr racoon 8 |
210 | will install SA(s) from the file when started with the | | 210 | will install SA(s) from the file when started with the |
211 | .Fl B | | 211 | .Fl B |
212 | flag. | | 212 | flag. |
213 | The file is growing because | | 213 | The file is growing because |
214 | .Xr racoon 8 | | 214 | .Xr racoon 8 |
215 | simply adds SAs to it. | | 215 | simply adds SAs to it. |
216 | You should maintain the file manually. | | 216 | You should maintain the file manually. |
217 | .It Ic path script Ar path ; | | 217 | .It Ic path script Ar path ; |
218 | .Xr racoon 8 | | 218 | .Xr racoon 8 |
219 | will search this directory for scripts hooks. | | 219 | will search this directory for scripts hooks. |
220 | If you run with privilege separation, | | 220 | If you run with privilege separation, |
221 | .Xr racoon 8 | | 221 | .Xr racoon 8 |
222 | will refuse to execute a script stored outside of this directory. | | 222 | will refuse to execute a script stored outside of this directory. |
223 | .It Ic path pidfile Ar file ; | | 223 | .It Ic path pidfile Ar file ; |
224 | Specifies file where to store PID of process. | | 224 | Specifies file where to store PID of process. |
225 | If path starts with | | 225 | If path starts with |
226 | .Pa / | | 226 | .Pa / |
227 | it is treated as an absolute path. | | 227 | it is treated as an absolute path. |
228 | Otherwise, it is treated as a relative | | 228 | Otherwise, it is treated as a relative |
229 | path to the VARRUN directory specified at compilation time. | | 229 | path to the VARRUN directory specified at compilation time. |
230 | Default is | | 230 | Default is |
231 | .Pa racoon.pid . | | 231 | .Pa racoon.pid . |
232 | .El | | 232 | .El |
233 | .\" | | 233 | .\" |
234 | .Ss File Inclusion | | 234 | .Ss File Inclusion |
235 | .Bl -tag -width Ds -compact | | 235 | .Bl -tag -width Ds -compact |
236 | .It Ic include Ar file | | 236 | .It Ic include Ar file |
237 | Specifies other configuration files to be included. | | 237 | Specifies other configuration files to be included. |
238 | .El | | 238 | .El |
239 | .\" | | 239 | .\" |
240 | .Ss Timer Specification | | 240 | .Ss Timer Specification |
241 | .Bl -tag -width Ds -compact | | 241 | .Bl -tag -width Ds -compact |
242 | .It Ic timer { Ar statements Ic } | | 242 | .It Ic timer { Ar statements Ic } |
243 | This section specifies various timer values used by racoon. | | 243 | This section specifies various timer values used by racoon. |
244 | .Pp | | 244 | .Pp |
245 | .Bl -tag -width Ds -compact | | 245 | .Bl -tag -width Ds -compact |
246 | .It Ic counter Ar number ; | | 246 | .It Ic counter Ar number ; |
247 | The maximum number of retries to send. | | 247 | The maximum number of retries to send. |
248 | The default is 5. | | 248 | The default is 5. |
249 | .It Ic interval Ar number Ar timeunit ; | | 249 | .It Ic interval Ar number Ar timeunit ; |
250 | The interval to resend, in seconds. | | 250 | The interval to resend, in seconds. |
251 | The default time is 10 seconds. | | 251 | The default time is 10 seconds. |
252 | .It Ic persend Ar number ; | | 252 | .It Ic persend Ar number ; |
253 | The number of packets per send. | | 253 | The number of packets per send. |
254 | The default is 1. | | 254 | The default is 1. |
255 | .It Ic phase1 Ar number Ar timeunit ; | | 255 | .It Ic phase1 Ar number Ar timeunit ; |
256 | The maximum time it should take to complete phase 1. | | 256 | The maximum time it should take to complete phase 1. |
257 | The default time is 15 seconds. | | 257 | The default time is 15 seconds. |
258 | .It Ic phase2 Ar number Ar timeunit ; | | 258 | .It Ic phase2 Ar number Ar timeunit ; |
259 | The maximum time it should take to complete phase 2. | | 259 | The maximum time it should take to complete phase 2. |
260 | The default time is 10 seconds. | | 260 | The default time is 10 seconds. |
261 | .It Ic natt_keepalive Ar number Ar timeunit ; | | 261 | .It Ic natt_keepalive Ar number Ar timeunit ; |
262 | The interval between sending NAT-Traversal keep-alive packets. | | 262 | The interval between sending NAT-Traversal keep-alive packets. |
263 | The default time is 20 seconds. | | 263 | The default time is 20 seconds. |
264 | Set to 0s to disable keep-alive packets. | | 264 | Set to 0s to disable keep-alive packets. |
265 | .El | | 265 | .El |
266 | .El | | 266 | .El |
267 | .\" | | 267 | .\" |
268 | .Ss Listening Port Specification | | 268 | .Ss Listening Port Specification |
269 | .Bl -tag -width Ds -compact | | 269 | .Bl -tag -width Ds -compact |
270 | .It Ic listen { Ar statements Ic } | | 270 | .It Ic listen { Ar statements Ic } |
271 | If no | | 271 | If no |
272 | .Ar listen | | 272 | .Ar listen |
273 | directive is specified, | | 273 | directive is specified, |
274 | .Xr racoon 8 | | 274 | .Xr racoon 8 |
275 | will listen on all available interface addresses. | | 275 | will listen on all available interface addresses. |
276 | The following is the list of valid statements: | | 276 | The following is the list of valid statements: |
277 | .Pp | | 277 | .Pp |
278 | .Bl -tag -width Ds -compact | | 278 | .Bl -tag -width Ds -compact |
279 | .\" How do I express bold brackets; `[' and `]' . | | 279 | .\" How do I express bold brackets; `[' and `]' . |
280 | .\" Answer: For bold brackets, do "Ic \&[ foo \&]". | | 280 | .\" Answer: For bold brackets, do "Ic \&[ foo \&]". |
281 | .\" Is the "Bq Ic [ Ar port ] ;" buggy ? | | 281 | .\" Is the "Bq Ic [ Ar port ] ;" buggy ? |
282 | .It Ic isakmp Ar address Bq Bq Ar port ; | | 282 | .It Ic isakmp Ar address Bq Bq Ar port ; |
283 | If this is specified, | | 283 | If this is specified, |
284 | .Xr racoon 8 | | 284 | .Xr racoon 8 |
285 | will only listen on the defined | | 285 | will only listen on the defined |
286 | .Ar address . | | 286 | .Ar address . |
287 | The default port is 500, which is specified by IANA. | | 287 | The default port is 500, which is specified by IANA. |
288 | You can provide more than one address definition. | | 288 | You can provide more than one address definition. |
289 | .It Ic isakmp_natt Ar address Bq Ar port ; | | 289 | .It Ic isakmp_natt Ar address Bq Ar port ; |
290 | Same as | | 290 | Same as |
291 | .Ic isakmp | | 291 | .Ic isakmp |
292 | but also sets the socket options to accept UDP-encapsulated ESP traffic for | | 292 | but also sets the socket options to accept UDP-encapsulated ESP traffic for |
293 | NAT-Traversal. | | 293 | NAT-Traversal. |
294 | If you plan to use NAT-T, you should provide at least one address | | 294 | If you plan to use NAT-T, you should provide at least one address |
295 | with port 4500, which is specified by IANA. | | 295 | with port 4500, which is specified by IANA. |
296 | There is no default. | | 296 | There is no default. |
297 | .It Ic strict_address ; | | 297 | .It Ic strict_address ; |
298 | Requires that all addresses for ISAKMP be bound. | | 298 | Requires that all addresses for ISAKMP be bound. |
299 | This statement will be ignored if you do not specify address definitions. | | 299 | This statement will be ignored if you do not specify address definitions. |
300 | .El | | 300 | .El |
301 | When running in privilege separation mode, you need to restart | | 301 | When running in privilege separation mode, you need to restart |
302 | .Xr racoon 8 | | 302 | .Xr racoon 8 |
303 | to have changes to the | | 303 | to have changes to the |
304 | .Ar listen | | 304 | .Ar listen |
305 | section taken into account. | | 305 | section taken into account. |
306 | .Pp | | 306 | .Pp |
307 | The | | 307 | The |
308 | .Ar listen | | 308 | .Ar listen |
309 | section can also be used to specify the admin socket mode and ownership | | 309 | section can also be used to specify the admin socket mode and ownership |
310 | if racoon was built with support for admin port. | | 310 | if racoon was built with support for admin port. |
311 | .Bl -tag -width Ds -compact | | 311 | .Bl -tag -width Ds -compact |
312 | .It Ic adminsock Ar path Op Ar owner\ group\ mode ; | | 312 | .It Ic adminsock Ar path Op Ar owner\ group\ mode ; |
313 | The | | 313 | The |
314 | .Ar path , | | 314 | .Ar path , |
315 | .Ar owner , | | 315 | .Ar owner , |
316 | and | | 316 | and |
317 | .Ar group | | 317 | .Ar group |
318 | values specify the socket path, owner, and group. | | 318 | values specify the socket path, owner, and group. |
319 | They must be quoted. | | 319 | They must be quoted. |
320 | The defaults are | | 320 | The defaults are |
321 | .Pa /var/racoon/racoon.sock , | | 321 | .Pa /var/racoon/racoon.sock , |
322 | UID 0, and GID 0. | | 322 | UID 0, and GID 0. |
323 | .Ar mode | | 323 | .Ar mode |
324 | is the access mode in octal. | | 324 | is the access mode in octal. |
325 | The default is 0600. | | 325 | The default is 0600. |
326 | .It Ic adminsock disabled ; | | 326 | .It Ic adminsock disabled ; |
327 | This directive tells racoon to not listen on the admin socket. | | 327 | This directive tells racoon to not listen on the admin socket. |
328 | .El | | 328 | .El |
329 | .El | | 329 | .El |
330 | .\" | | 330 | .\" |
331 | .Ss Miscellaneous Global Parameters | | 331 | .Ss Miscellaneous Global Parameters |
332 | .Bl -tag -width Ds -compact | | 332 | .Bl -tag -width Ds -compact |
333 | .It Ic gss_id_enc Ar enctype ; | | 333 | .It Ic gss_id_enc Ar enctype ; |
334 | Older versions of | | 334 | Older versions of |
335 | .Xr racoon 8 | | 335 | .Xr racoon 8 |
336 | used ISO-Latin-1 as the encoding of the GSS-API identifier attribute. | | 336 | used ISO-Latin-1 as the encoding of the GSS-API identifier attribute. |
337 | For interoperability with Microsoft Windows' GSS-API authentication | | 337 | For interoperability with Microsoft Windows' GSS-API authentication |
338 | scheme, the default encoding has been changed to UTF-16LE. | | 338 | scheme, the default encoding has been changed to UTF-16LE. |
339 | The | | 339 | The |
340 | .Ic gss_id_enc | | 340 | .Ic gss_id_enc |
341 | parameter allows | | 341 | parameter allows |
342 | .Xr racoon 8 | | 342 | .Xr racoon 8 |
343 | to be configured to use the old encoding for compatibility with existing | | 343 | to be configured to use the old encoding for compatibility with existing |
344 | .Xr racoon 8 | | 344 | .Xr racoon 8 |
345 | installations. | | 345 | installations. |
346 | The following are valid values for | | 346 | The following are valid values for |
347 | .Ar enctype : | | 347 | .Ar enctype : |
348 | .Pp | | 348 | .Pp |
349 | .Bl -tag -width Ds -compact | | 349 | .Bl -tag -width Ds -compact |
350 | .It Ic utf-16le | | 350 | .It Ic utf-16le |
351 | Use UTF-16LE to encode the GSS-API identifier attribute. | | 351 | Use UTF-16LE to encode the GSS-API identifier attribute. |
352 | This is the default encoding. | | 352 | This is the default encoding. |
353 | This encoding is compatible with Microsoft Windows. | | 353 | This encoding is compatible with Microsoft Windows. |
354 | .It Ic latin1 | | 354 | .It Ic latin1 |
355 | Use ISO-Latin-1 to encode the GSS-API identifier attribute. | | 355 | Use ISO-Latin-1 to encode the GSS-API identifier attribute. |
356 | This is the encoding used by older versions of | | 356 | This is the encoding used by older versions of |
357 | .Xr racoon 8 . | | 357 | .Xr racoon 8 . |
358 | .El | | 358 | .El |
359 | .El | | 359 | .El |
360 | .\" | | 360 | .\" |
361 | .Pp | | 361 | .Pp |
362 | .Bl -tag -width Ds -compact | | 362 | .Bl -tag -width Ds -compact |
363 | .It Ic pfkey_buffer Ar kBytes | | 363 | .It Ic pfkey_buffer Ar kBytes |
364 | Specifies the socket send/receive buffer size in kilobytes. | | 364 | Specifies the socket send/receive buffer size in kilobytes. |
365 | Numerous kernel PF_KEY implementations have problems with dumping | | 365 | Numerous kernel PF_KEY implementations have problems with dumping |
366 | SAD/SDP with large amount of entries (this happens when 100s to | | 366 | SAD/SDP with large amount of entries (this happens when 100s to |
367 | 1000s of tunnels are configured). | | 367 | 1000s of tunnels are configured). |
368 | .Pp | | 368 | .Pp |
369 | The default value of 0 leaves everything at the OS-specific default value. | | 369 | The default value of 0 leaves everything at the OS-specific default value. |
370 | If the default buffer size is greater than what is specified here racoon | | 370 | If the default buffer size is greater than what is specified here racoon |
371 | will not decrease it. | | 371 | will not decrease it. |
372 | .Pp | | 372 | .Pp |
373 | This problem is known to be fixed in Linux 2.6.25 and later. | | 373 | This problem is known to be fixed in Linux 2.6.25 and later. |
374 | .El | | 374 | .El |
375 | .\" | | 375 | .\" |
376 | .Ss Remote Nodes Specifications | | 376 | .Ss Remote Nodes Specifications |
377 | .Bl -tag -width Ds -compact | | 377 | .Bl -tag -width Ds -compact |
378 | .It Xo | | 378 | .It Xo |
379 | .Ic remote Ar name | | 379 | .Ic remote Ar name |
380 | .Bq Ic inherit Ar parent_name | | 380 | .Bq Ic inherit Ar parent_name |
381 | .Ic { Ar statements Ic } | | 381 | .Ic { Ar statements Ic } |
382 | .Xc | | 382 | .Xc |
383 | Specifies the IKE phase 1 parameters for each remote node. | | 383 | Specifies the IKE phase 1 parameters for each remote node. |
384 | .Pp | | 384 | .Pp |
385 | If connection is initiated using racoonctl, a unique match using the | | 385 | If connection is initiated using racoonctl, a unique match using the |
386 | remote IP must be found or the remote block name has to be given. | | 386 | remote IP must be found or the remote block name has to be given. |
387 | For received acquires (kernel notices traffic requiring a new SA) the | | 387 | For received acquires (kernel notices traffic requiring a new SA) the |
388 | remote IP and remoteid from matching sainfo block are used to decide | | 388 | remote IP and remoteid from matching sainfo block are used to decide |
389 | the remoteblock. | | 389 | the remoteblock. |
390 | If no uniquely matching remoteblock is found using | | 390 | If no uniquely matching remoteblock is found using |
391 | these criteria, no connection attempt is done. | | 391 | these criteria, no connection attempt is done. |
392 | .Pp | | 392 | .Pp |
393 | When acting as responder, racoon picks the first proposal that has one | | 393 | When acting as responder, racoon picks the first proposal that has one |
394 | or more acceptable remote configurations. | | 394 | or more acceptable remote configurations. |
395 | When determining if a remote | | 395 | When determining if a remote |
396 | specification is matching the following information is checked: | | 396 | specification is matching the following information is checked: |
397 | .Bl -bullet -tag -width Ds -compact | | 397 | .Bl -bullet -tag -width Ds -compact |
398 | .It | | 398 | .It |
399 | The remote IP is checked against | | 399 | The remote IP is checked against |
400 | .Ic remote_address . | | 400 | .Ic remote_address . |
401 | .It | | 401 | .It |
402 | ISAKMP exchange type is checked against | | 402 | ISAKMP exchange type is checked against |
403 | .Ic exchange_mode . | | 403 | .Ic exchange_mode . |
404 | .It | | 404 | .It |
405 | ISAKMP SA attributes must match a | | 405 | ISAKMP SA attributes must match a |
406 | .Ic proposal | | 406 | .Ic proposal |
407 | block. | | 407 | block. |
408 | .It | | 408 | .It |
409 | The remote identity is matched against | | 409 | The remote identity is matched against |
410 | .Ic peers_identifier | | 410 | .Ic peers_identifier |
411 | if | | 411 | if |
412 | .Ic verify_identifier | | 412 | .Ic verify_identifier |
413 | is on. | | 413 | is on. |
414 | .It | | 414 | .It |
415 | If a certificate request was received, it must match the issuer of | | 415 | If a certificate request was received, it must match the issuer of |
416 | .Ic "certificate_type x509" | | 416 | .Ic "certificate_type x509" |
417 | certificate. | | 417 | certificate. |
418 | If certificate request without issuer name was sent, the | | 418 | If certificate request without issuer name was sent, the |
419 | .Ic match_empty_cr | | 419 | .Ic match_empty_cr |
420 | parameter specifies whether or not remote block matches. | | 420 | parameter specifies whether or not remote block matches. |
421 | .El | | 421 | .El |
422 | .Pp | | 422 | .Pp |
423 | Sections with | | 423 | Sections with |
424 | .Ic inherit Ar parent | | 424 | .Ic inherit Ar parent |
425 | statements (where | | 425 | statements (where |
426 | .Ar parent | | 426 | .Ar parent |
427 | is either | | 427 | is either |
428 | .Ar address | | 428 | .Ar address |
429 | or a keyword | | 429 | or a keyword |
430 | .Ic anonymous ) | | 430 | .Ic anonymous ) |
431 | that have all values predefined to those of a given | | 431 | that have all values predefined to those of a given |
432 | .Ar parent . | | 432 | .Ar parent . |
433 | In these sections it is enough to redefine only the changed parameters. | | 433 | In these sections it is enough to redefine only the changed parameters. |
434 | .Pp | | 434 | .Pp |
435 | The following are valid statements. | | 435 | The following are valid statements. |
436 | .Pp | | 436 | .Pp |
437 | .Bl -tag -width Ds -compact | | 437 | .Bl -tag -width Ds -compact |
438 | .\" | | 438 | .\" |
439 | .It Ic remote_address Ar address ; | | 439 | .It Ic remote_address Ar address ; |
440 | Defines the IP address of the peer. | | 440 | Defines the IP address of the peer. |
441 | .\" | | 441 | .\" |
442 | .It Ic exchange_mode ( main | aggressive | base ) ; | | 442 | .It Ic exchange_mode ( main | aggressive | base ) ; |
443 | Defines the exchange mode for phase 1 when racoon is the initiator. | | 443 | Defines the exchange mode for phase 1 when racoon is the initiator. |
444 | It also means the acceptable exchange mode when racoon is the responder. | | 444 | It also means the acceptable exchange mode when racoon is the responder. |
445 | More than one mode can be specified by separating them with a comma. | | 445 | More than one mode can be specified by separating them with a comma. |
446 | All of the modes are acceptable. | | 446 | All of the modes are acceptable. |
447 | The first exchange mode is what racoon uses when it is the initiator. | | 447 | The first exchange mode is what racoon uses when it is the initiator. |
448 | .\" | | 448 | .\" |
449 | .It Ic doi Ic ipsec_doi ; | | 449 | .It Ic doi Ic ipsec_doi ; |
450 | Means to use IPsec DOI as specified in RFC 2407. | | 450 | Means to use IPsec DOI as specified in RFC 2407. |
451 | You can omit this statement. | | 451 | You can omit this statement. |
452 | .\" | | 452 | .\" |
453 | .It Ic situation Ic identity_only ; | | 453 | .It Ic situation Ic identity_only ; |
454 | Means to use SIT_IDENTITY_ONLY as specified in RFC 2407. | | 454 | Means to use SIT_IDENTITY_ONLY as specified in RFC 2407. |
455 | You can omit this statement. | | 455 | You can omit this statement. |
456 | .\" | | 456 | .\" |
457 | .It Xo | | 457 | .It Xo |
458 | .Ic my_identifier Bq Ar qualifier | | 458 | .Ic my_identifier Bq Ar qualifier |
459 | .Ar idtype ... ; | | 459 | .Ar idtype ... ; |
460 | .Xc | | 460 | .Xc |
461 | Specifies the identifier sent to the remote host | | 461 | Specifies the identifier sent to the remote host |
462 | and the type to use in the phase 1 negotiation. | | 462 | and the type to use in the phase 1 negotiation. |
463 | .Ic address, fqdn , user_fqdn , keyid , | | 463 | .Ic address, fqdn , user_fqdn , keyid , |
464 | and | | 464 | and |
465 | .Ic asn1dn | | 465 | .Ic asn1dn |
466 | can be used as an | | 466 | can be used as an |
467 | .Ar idtype . | | 467 | .Ar idtype . |
468 | The | | 468 | The |
469 | .Ar qualifier | | 469 | .Ar qualifier |
470 | is currently only used for | | 470 | is currently only used for |
471 | .Ic keyid , | | 471 | .Ic keyid , |
472 | and can be either | | 472 | and can be either |
473 | .Ic file | | 473 | .Ic file |
474 | or | | 474 | or |
475 | .Ic tag . | | 475 | .Ic tag . |
476 | The possible values are : | | 476 | The possible values are : |
477 | .Bl -tag -width Ds -compact | | 477 | .Bl -tag -width Ds -compact |
478 | .It Ic my_identifier Ic address Bq Ar address ; | | 478 | .It Ic my_identifier Ic address Bq Ar address ; |
479 | The type is the IP address. | | 479 | The type is the IP address. |
480 | This is the default type if you do not specify an identifier to use. | | 480 | This is the default type if you do not specify an identifier to use. |
481 | .It Ic my_identifier Ic user_fqdn Ar string ; | | 481 | .It Ic my_identifier Ic user_fqdn Ar string ; |
482 | The type is a USER_FQDN (user fully-qualified domain name). | | 482 | The type is a USER_FQDN (user fully-qualified domain name). |
483 | .It Ic my_identifier Ic fqdn Ar string ; | | 483 | .It Ic my_identifier Ic fqdn Ar string ; |
484 | The type is a FQDN (fully-qualified domain name). | | 484 | The type is a FQDN (fully-qualified domain name). |
485 | .It Xo | | 485 | .It Xo |
486 | .Ic my_identifier Ic keyid Bq Ic file | | 486 | .Ic my_identifier Ic keyid Bq Ic file |
487 | .Ar file ; | | 487 | .Ar file ; |
488 | .Xc | | 488 | .Xc |
489 | The type is a KEY_ID, read from the file. | | 489 | The type is a KEY_ID, read from the file. |
490 | .It Ic my_identifier Ic keyid Ic tag Ar string ; | | 490 | .It Ic my_identifier Ic keyid Ic tag Ar string ; |
491 | The type is a KEY_ID, specified in the quoted string. | | 491 | The type is a KEY_ID, specified in the quoted string. |
492 | .It Ic my_identifier Ic asn1dn Bq Ar string ; | | 492 | .It Ic my_identifier Ic asn1dn Bq Ar string ; |
493 | The type is an ASN.1 distinguished name. | | 493 | The type is an ASN.1 distinguished name. |
494 | If | | 494 | If |
495 | .Ar string | | 495 | .Ar string |
496 | is omitted, | | 496 | is omitted, |
497 | .Xr racoon 8 | | 497 | .Xr racoon 8 |
498 | will get the DN from the Subject field in the certificate. | | 498 | will get the DN from the Subject field in the certificate. |
499 | .El | | 499 | .El |
500 | .\" | | 500 | .\" |
501 | .It Ic xauth_login Bq Ar string ; | | 501 | .It Ic xauth_login Bq Ar string ; |
502 | Specifies the login to use in client-side Hybrid authentication. | | 502 | Specifies the login to use in client-side Hybrid authentication. |
503 | It is available only if | | 503 | It is available only if |
504 | .Xr racoon 8 | | 504 | .Xr racoon 8 |
505 | has been built with this option. | | 505 | has been built with this option. |
506 | The associated password is looked up in the pre-shared key files, | | 506 | The associated password is looked up in the pre-shared key files, |
507 | using the login | | 507 | using the login |
508 | .Ic string | | 508 | .Ic string |
509 | as the key id. | | 509 | as the key id. |
510 | .\" | | 510 | .\" |
511 | .It Ic peers_identifier Ar idtype ... ; | | 511 | .It Ic peers_identifier Ar idtype ... ; |
512 | Specifies the peer's identifier to be received. | | 512 | Specifies the peer's identifier to be received. |
513 | If it is not defined then | | 513 | If it is not defined then |
514 | .Xr racoon 8 | | 514 | .Xr racoon 8 |
515 | will not verify the peer's identifier in ID payload transmitted from the peer. | | 515 | will not verify the peer's identifier in ID payload transmitted from the peer. |
516 | If it is defined, the behavior of the verification depends on the flag of | | 516 | If it is defined, the behavior of the verification depends on the flag of |
517 | .Ic verify_identifier . | | 517 | .Ic verify_identifier . |
518 | The usage of | | 518 | The usage of |
519 | .Ar idtype | | 519 | .Ar idtype |
520 | is the same as | | 520 | is the same as |
521 | .Ic my_identifier | | 521 | .Ic my_identifier |
522 | except that the individual component values of an | | 522 | except that the individual component values of an |
523 | .Ic asn1dn | | 523 | .Ic asn1dn |
524 | identifier may specified as | | 524 | identifier may specified as |
525 | .Ic * | | 525 | .Ic * |
526 | to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine"). | | 526 | to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine"). |
527 | The format of the | | 527 | The format of the |
528 | specification should correspond to RFC 2253; in particular, commas and certain | | 528 | specification should correspond to RFC 2253; in particular, commas and certain |
529 | other characters - | | 529 | other characters - |
530 | .Ic ,=+\*[Lt]\*[Gt]#; | | 530 | .Ic ,=+\*[Lt]\*[Gt]#; |
531 | - may be included in a name by preceeding them with a backslash "\e", and | | 531 | - may be included in a name by preceeding them with a backslash "\e", and |
532 | arbitrary characters may be inserted in a name with the "\enn" escape, where | | 532 | arbitrary characters may be inserted in a name with the "\enn" escape, where |
533 | nn is the hex representation of the ascii value of the desired character. | | 533 | nn is the hex representation of the ascii value of the desired character. |
534 | Alternative acceptable peer identifiers may be specified by repeating the | | 534 | Alternative acceptable peer identifiers may be specified by repeating the |
535 | .Ic peers_identifier | | 535 | .Ic peers_identifier |
536 | statement. | | 536 | statement. |
537 | .\" | | 537 | .\" |
538 | .It Ic verify_identifier (on | off) ; | | 538 | .It Ic verify_identifier (on | off) ; |
539 | If you want to verify the peer's identifier, | | 539 | If you want to verify the peer's identifier, |
540 | set this to on. | | 540 | set this to on. |
541 | In this case, if the value defined by | | 541 | In this case, if the value defined by |
542 | .Ic peers_identifier | | 542 | .Ic peers_identifier |
543 | is not the same as the peer's identifier in the ID payload, | | 543 | is not the same as the peer's identifier in the ID payload, |
544 | the negotiation will fail. | | 544 | the negotiation will fail. |
545 | The default is off. | | 545 | The default is off. |
546 | .\" | | 546 | .\" |
547 | .It Ic certificate_type Ar certspec ; | | 547 | .It Ic certificate_type Ar certspec ; |
548 | Specifies a certificate specification. | | 548 | Specifies a certificate specification. |
549 | .Ar certspec | | 549 | .Ar certspec |
550 | is one of followings: | | 550 | is one of followings: |
551 | .Bl -tag -width Ds -compact | | 551 | .Bl -tag -width Ds -compact |
552 | .It Ic x509 Ar certfile Ar privkeyfile ; | | 552 | .It Ic x509 Ar certfile Ar privkeyfile ; |
553 | .Ar certfile | | 553 | .Ar certfile |
554 | means a file name of a certificate. | | 554 | means a file name of a certificate. |
555 | .Ar privkeyfile | | 555 | .Ar privkeyfile |
556 | means a file name of a secret key. | | 556 | means a file name of a secret key. |
557 | .El | | 557 | .El |
558 | .Bl -tag -width Ds -compact | | 558 | .Bl -tag -width Ds -compact |
559 | .It Ic plain_rsa Ar privkeyfile ; | | 559 | .It Ic plain_rsa Ar privkeyfile ; |
560 | .Ar privkeyfile | | 560 | .Ar privkeyfile |
561 | means a file name of a private key generated by | | 561 | means a file name of a private key generated by |
562 | .Xr plainrsa-gen 8 . | | 562 | .Xr plainrsa-gen 8 . |
563 | Required | | 563 | Required |
564 | for RSA authentication. | | 564 | for RSA authentication. |
565 | .El | | 565 | .El |
566 | .It Ic ca_type Ar cacertspec ; | | 566 | .It Ic ca_type Ar cacertspec ; |
567 | Specifies a root certificate authority specification. | | 567 | Specifies a root certificate authority specification. |
568 | .Ar cacertspec | | 568 | .Ar cacertspec |
569 | is one of followings: | | 569 | is one of followings: |
570 | .Bl -tag -width Ds -compact | | 570 | .Bl -tag -width Ds -compact |
571 | .It Ic x509 Ar cacertfile ; | | 571 | .It Ic x509 Ar cacertfile ; |
572 | .Ar cacertfile | | 572 | .Ar cacertfile |
573 | means a file name of the root certificate authority. | | 573 | means a file name of the root certificate authority. |
574 | Default is | | 574 | Default is |
575 | .Pa /etc/openssl/cert.pem | | 575 | .Pa /etc/openssl/cert.pem |
576 | .El | | 576 | .El |
577 | .\" | | 577 | .\" |
578 | .It Ic mode_cfg (on | off) ; | | 578 | .It Ic mode_cfg (on | off) ; |
579 | Gather network information through ISAKMP mode configuration. | | 579 | Gather network information through ISAKMP mode configuration. |
580 | Default is off. | | 580 | Default is off. |
581 | .\" | | 581 | .\" |
582 | .It Ic weak_phase1_check (on | off) ; | | 582 | .It Ic weak_phase1_check (on | off) ; |
583 | Tells racoon to act on unencrypted deletion messages during phase 1. | | 583 | Tells racoon to act on unencrypted deletion messages during phase 1. |
584 | This is a small security risk, so the default is off, meaning that | | 584 | This is a small security risk, so the default is off, meaning that |
585 | racoon will keep on trying to establish a connection even if the | | 585 | racoon will keep on trying to establish a connection even if the |
586 | user credentials are wrong, for instance. | | 586 | user credentials are wrong, for instance. |
587 | .\" | | 587 | .\" |
588 | .It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ; | | 588 | .It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ; |
589 | If | | 589 | If |
590 | .Ic dnssec | | 590 | .Ic dnssec |
591 | is defined, | | 591 | is defined, |
592 | .Xr racoon 8 | | 592 | .Xr racoon 8 |
593 | will ignore the CERT payload from the peer, | | 593 | will ignore the CERT payload from the peer, |
594 | and try to get the peer's certificate from DNS instead. | | 594 | and try to get the peer's certificate from DNS instead. |
595 | If | | 595 | If |
596 | .Ar certfile | | 596 | .Ar certfile |
597 | is defined, | | 597 | is defined, |
598 | .Xr racoon 8 | | 598 | .Xr racoon 8 |
599 | will ignore the CERT payload from the peer, | | 599 | will ignore the CERT payload from the peer, |
600 | and will use this certificate as the peer's certificate. | | 600 | and will use this certificate as the peer's certificate. |
601 | If | | 601 | If |
602 | .Ic plain_rsa | | 602 | .Ic plain_rsa |
603 | is defined, | | 603 | is defined, |
604 | .Xr racoon 8 | | 604 | .Xr racoon 8 |
605 | will expect | | 605 | will expect |
606 | .Ar pubkeyfile | | 606 | .Ar pubkeyfile |
607 | to be the peer's public key that was generated by | | 607 | to be the peer's public key that was generated by |
608 | .Xr plainrsa-gen 8 . | | 608 | .Xr plainrsa-gen 8 . |
609 | .\" | | 609 | .\" |
610 | .It Ic script Ar script Ic phase1_up | | 610 | .It Ic script Ar script Ic phase1_up |
611 | .It Ic script Ar script Ic phase1_down | | 611 | .It Ic script Ar script Ic phase1_down |
612 | Shell scripts that get executed when a phase 1 SA goes up or down. | | 612 | Shell scripts that get executed when a phase 1 SA goes up or down. |
613 | Both scripts get either | | 613 | Both scripts get either |
614 | .Ic phase1_up | | 614 | .Ic phase1_up |
615 | or | | 615 | or |
616 | .Ic phase1_down | | 616 | .Ic phase1_down |
617 | as first argument, and the following | | 617 | as first argument, and the following |
618 | variables are set in their environment: | | 618 | variables are set in their environment: |
619 | .Bl -tag -width Ds -compact | | 619 | .Bl -tag -width Ds -compact |
620 | .It Ev LOCAL_ADDR | | 620 | .It Ev LOCAL_ADDR |
621 | The local address of the phase 1 SA. | | 621 | The local address of the phase 1 SA. |
622 | .It Ev LOCAL_PORT | | 622 | .It Ev LOCAL_PORT |
623 | The local port used for IKE for the phase 1 SA. | | 623 | The local port used for IKE for the phase 1 SA. |
624 | .It Ev REMOTE_ADDR | | 624 | .It Ev REMOTE_ADDR |
625 | The remote address of the phase 1 SA. | | 625 | The remote address of the phase 1 SA. |
626 | .It Ev REMOTE_PORT | | 626 | .It Ev REMOTE_PORT |
627 | The remote port used for IKE for the phase 1 SA. | | 627 | The remote port used for IKE for the phase 1 SA. |
628 | .El | | 628 | .El |
629 | The following variables are only set if | | 629 | The following variables are only set if |
630 | .Ic mode_cfg | | 630 | .Ic mode_cfg |
631 | was enabled: | | 631 | was enabled: |
632 | .Bl -tag -width Ds -compact | | 632 | .Bl -tag -width Ds -compact |
633 | .It INTERNAL_ADDR4 | | 633 | .It INTERNAL_ADDR4 |
634 | An IPv4 internal address obtained by ISAKMP mode config. | | 634 | An IPv4 internal address obtained by ISAKMP mode config. |
635 | .It INTERNAL_NETMASK4 | | 635 | .It INTERNAL_NETMASK4 |
636 | An IPv4 internal netmask obtained by ISAKMP mode config. | | 636 | An IPv4 internal netmask obtained by ISAKMP mode config. |
637 | .It INTERNAL_CIDR4 | | 637 | .It INTERNAL_CIDR4 |
638 | An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation. | | 638 | An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation. |
639 | .It INTERNAL_DNS4 | | 639 | .It INTERNAL_DNS4 |
640 | The first internal DNS server IPv4 address obtained by ISAKMP mode config. | | 640 | The first internal DNS server IPv4 address obtained by ISAKMP mode config. |
641 | .It INTERNAL_DNS4_LIST | | 641 | .It INTERNAL_DNS4_LIST |
642 | A list of internal DNS servers IPv4 address obtained by ISAKMP mode config, | | 642 | A list of internal DNS servers IPv4 address obtained by ISAKMP mode config, |
643 | separated by spaces. | | 643 | separated by spaces. |
644 | .It INTERNAL_WINS4 | | 644 | .It INTERNAL_WINS4 |
645 | The first internal WINS server IPv4 address obtained by ISAKMP mode config. | | 645 | The first internal WINS server IPv4 address obtained by ISAKMP mode config. |
646 | .It INTERNAL_WINS4_LIST | | 646 | .It INTERNAL_WINS4_LIST |
647 | A list of internal WINS servers IPv4 address obtained by ISAKMP mode config, | | 647 | A list of internal WINS servers IPv4 address obtained by ISAKMP mode config, |
648 | separated by spaces. | | 648 | separated by spaces. |
649 | .It SPLIT_INCLUDE | | 649 | .It SPLIT_INCLUDE |
650 | The space separated list of IPv4 addresses and masks (address slash mask) | | 650 | The space separated list of IPv4 addresses and masks (address slash mask) |
651 | that define the networks to be encrypted (as opposed to the default where | | 651 | that define the networks to be encrypted (as opposed to the default where |
652 | all the traffic should be encrypted) ; obtained by ISAKMP mode config ; | | 652 | all the traffic should be encrypted) ; obtained by ISAKMP mode config ; |
653 | SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive. | | 653 | SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive. |
654 | .It SPLIT_LOCAL | | 654 | .It SPLIT_LOCAL |
655 | The space separated list of IPv4 addresses and masks (address slash mask) | | 655 | The space separated list of IPv4 addresses and masks (address slash mask) |
656 | that define the networks to be considered local, and thus excluded from the | | 656 | that define the networks to be considered local, and thus excluded from the |
657 | tunnels ; obtained by ISAKMP mode config. | | 657 | tunnels ; obtained by ISAKMP mode config. |
658 | .It SPLIT_INCLUDE_CIDR | | 658 | .It SPLIT_INCLUDE_CIDR |
659 | Same as SPLIT_INCLUDE, with netmasks in CIDR notation. | | 659 | Same as SPLIT_INCLUDE, with netmasks in CIDR notation. |
660 | .It SPLIT_LOCAL_CIDR | | 660 | .It SPLIT_LOCAL_CIDR |
661 | Same as SPLIT_LOCAL, with netmasks in CIDR notation. | | 661 | Same as SPLIT_LOCAL, with netmasks in CIDR notation. |
662 | .It DEFAULT_DOMAIN | | 662 | .It DEFAULT_DOMAIN |
663 | The DNS default domain name obtained by ISAKMP mode config. | | 663 | The DNS default domain name obtained by ISAKMP mode config. |
664 | .El | | 664 | .El |
665 | .\" | | 665 | .\" |
666 | .\" | | 666 | .\" |
667 | .It Ic send_cert (on | off) ; | | 667 | .It Ic send_cert (on | off) ; |
668 | If you do not want to send a certificate, set this to off. | | 668 | If you do not want to send a certificate, set this to off. |
669 | The default is on. | | 669 | The default is on. |
670 | .\" | | 670 | .\" |
671 | .It Ic send_cr (on | off) ; | | 671 | .It Ic send_cr (on | off) ; |
672 | If you do not want to send a certificate request, set this to off. | | 672 | If you do not want to send a certificate request, set this to off. |
673 | The default is on. | | 673 | The default is on. |
674 | .\" | | 674 | .\" |
675 | .It Ic match_empty_cr (on | off) ; | | 675 | .It Ic match_empty_cr (on | off) ; |
676 | Specifies whether this remote block is a valid match when a non-specific | | 676 | Specifies whether this remote block is a valid match when a non-specific |
677 | certificate request is received. | | 677 | certificate request is received. |
678 | The default is on. | | 678 | The default is on. |
679 | .\" | | 679 | .\" |
680 | .It Ic verify_cert (on | off) ; | | 680 | .It Ic verify_cert (on | off) ; |
681 | By default, the identifier sent by the remote host (as specified in its | | 681 | By default, the identifier sent by the remote host (as specified in its |
682 | .Ic my_identifier | | 682 | .Ic my_identifier |
683 | statement) is compared with the credentials in the certificate | | 683 | statement) is compared with the credentials in the certificate |
684 | used to authenticate the remote host as follows: | | 684 | used to authenticate the remote host as follows: |
685 | .Bl -tag -width Ds -compact | | 685 | .Bl -tag -width Ds -compact |
686 | .It Type Ic asn1dn : | | 686 | .It Type Ic asn1dn : |
687 | The entire certificate subject name is compared with the identifier, | | 687 | The entire certificate subject name is compared with the identifier, |
688 | e.g. "C=XX, O=YY, ...". | | 688 | e.g. "C=XX, O=YY, ...". |
689 | .It Type Ic address, fqdn, or user_fqdn : | | 689 | .It Type Ic address, fqdn, or user_fqdn : |
690 | The certificate's subjectAltName is compared with the identifier. | | 690 | The certificate's subjectAltName is compared with the identifier. |
691 | .El | | 691 | .El |
692 | If the two do not match the negotiation will fail. | | 692 | If the two do not match the negotiation will fail. |
693 | If you do not want to verify the identifier using the peer's certificate, | | 693 | If you do not want to verify the identifier using the peer's certificate, |
694 | set this to off. | | 694 | set this to off. |
695 | .\" | | 695 | .\" |
696 | .It Ic lifetime time Ar number Ar timeunit ; | | 696 | .It Ic lifetime time Ar number Ar timeunit ; |
697 | Define a lifetime of a certain time | | 697 | Define a lifetime of a certain time |
698 | which will be proposed in the phase 1 negotiations. | | 698 | which will be proposed in the phase 1 negotiations. |
699 | Any proposal will be accepted, and the attribute(s) will not be proposed to | | 699 | Any proposal will be accepted, and the attribute(s) will not be proposed to |
700 | the peer if you do not specify it (them). | | 700 | the peer if you do not specify it (them). |
701 | They can be individually specified in each proposal. | | 701 | They can be individually specified in each proposal. |
702 | .\" | | 702 | .\" |
703 | .It Ic ike_frag (on | off | force) ; | | 703 | .It Ic ike_frag (on | off | force) ; |
704 | Enable receiver-side IKE fragmentation if | | 704 | Enable receiver-side IKE fragmentation if |
705 | .Xr racoon 8 | | 705 | .Xr racoon 8 |
706 | has been built with this feature. | | 706 | has been built with this feature. |
707 | If set to on, racoon will advertise | | 707 | If set to on, racoon will advertise |
708 | itself as being capable of receiving packets split by IKE fragmentation. | | 708 | itself as being capable of receiving packets split by IKE fragmentation. |
709 | This extension is there to work around broken firewalls that do not | | 709 | This extension is there to work around broken firewalls that do not |
710 | work with fragmented UDP packets. | | 710 | work with fragmented UDP packets. |
711 | IKE fragmentation is always enabled on the sender-side, and it is | | 711 | IKE fragmentation is always enabled on the sender-side, and it is |
712 | used if the peer advertises itself as IKE fragmentation capable. | | 712 | used if the peer advertises itself as IKE fragmentation capable. |
713 | By selecting force, IKE Fragmentation will | | 713 | By selecting force, IKE Fragmentation will |
714 | be used when racoon is acting as the initiator even before the remote | | 714 | be used when racoon is acting as the initiator even before the remote |
715 | peer has advertised itself as IKE fragmentation capable. | | 715 | peer has advertised itself as IKE fragmentation capable. |
716 | .\" | | 716 | .\" |
717 | .It Ic esp_frag Ar fraglen ; | | 717 | .It Ic esp_frag Ar fraglen ; |
718 | This option is only relevant if you use NAT traversal in tunnel mode. | | 718 | This option is only relevant if you use NAT traversal in tunnel mode. |
719 | Its purpose is to work around broken DSL routers that reject UDP | | 719 | Its purpose is to work around broken DSL routers that reject UDP |
720 | fragments, by fragmenting the IP packets before ESP encapsulation. | | 720 | fragments, by fragmenting the IP packets before ESP encapsulation. |
721 | The result is ESP over UDP of fragmented packets instead of fragmented | | 721 | The result is ESP over UDP of fragmented packets instead of fragmented |
722 | ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of | | 722 | ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of |
723 | frag(IP:UDP:ESP:IP)). | | 723 | frag(IP:UDP:ESP:IP)). |
724 | .Ar fraglen | | 724 | .Ar fraglen |
725 | is the maximum size of the fragments. | | 725 | is the maximum size of the fragments. |
726 | 552 should work anywhere, | | 726 | 552 should work anywhere, |
727 | but the higher | | 727 | but the higher |
728 | .Ar fraglen | | 728 | .Ar fraglen |
729 | is, the better the performance. | | 729 | is, the better the performance. |
730 | .Pp | | 730 | .Pp |
731 | Note that because PMTU discovery is broken on many sites, you will | | 731 | Note that because PMTU discovery is broken on many sites, you will |
732 | have to use MSS clamping if you want TCP to work correctly. | | 732 | have to use MSS clamping if you want TCP to work correctly. |
733 | .\" | | 733 | .\" |
734 | .It Ic initial_contact (on | off) ; | | 734 | .It Ic initial_contact (on | off) ; |
735 | Enable this to send an INITIAL-CONTACT message. | | 735 | Enable this to send an INITIAL-CONTACT message. |
736 | The default value is | | 736 | The default value is |
737 | .Ic on . | | 737 | .Ic on . |
738 | This message is useful only when the responder implementation chooses an | | 738 | This message is useful only when the responder implementation chooses an |
739 | old SA when there are multiple SAs with different established time and the | | 739 | old SA when there are multiple SAs with different established time and the |
740 | initiator reboots. | | 740 | initiator reboots. |
741 | If racoon did not send the message, | | 741 | If racoon did not send the message, |
742 | the responder would use an old SA even when a new SA was established. | | 742 | the responder would use an old SA even when a new SA was established. |
743 | For systems that use a KAME derived IPSEC stack, the | | 743 | For systems that use a KAME derived IPSEC stack, the |
744 | .Xr sysctl 8 | | 744 | .Xr sysctl 8 |
745 | variable net.key.preferred_oldsa can be used to control this preference. | | 745 | variable net.key.preferred_oldsa can be used to control this preference. |
746 | When the value is zero, the stack always uses a new SA. | | 746 | When the value is zero, the stack always uses a new SA. |
747 | .\" | | 747 | .\" |
748 | .It Ic passive (on | off) ; | | 748 | .It Ic passive (on | off) ; |
749 | If you do not want to initiate the negotiation, set this to on. | | 749 | If you do not want to initiate the negotiation, set this to on. |
750 | The default value is | | 750 | The default value is |
751 | .Ic off . | | 751 | .Ic off . |
752 | It is useful for a server. | | 752 | It is useful for a server. |
753 | .\" | | 753 | .\" |
754 | .It Ic proposal_check Ar level ; | | 754 | .It Ic proposal_check Ar level ; |
755 | Specifies the action of lifetime length, key length, and PFS of the phase 2 | | 755 | Specifies the action of lifetime length, key length, and PFS of the phase 2 |
756 | selection on the responder side, and the action of lifetime check in | | 756 | selection on the responder side, and the action of lifetime check in |
757 | phase 1. | | 757 | phase 1. |
758 | The default level is | | 758 | The default level is |
759 | .Ic strict . | | 759 | .Ic strict . |
760 | If the | | 760 | If the |
761 | .Ar level | | 761 | .Ar level |
762 | is: | | 762 | is: |
763 | .Bl -tag -width Ds -compact | | 763 | .Bl -tag -width Ds -compact |
764 | .It Ic obey | | 764 | .It Ic obey |
765 | The responder will obey the initiator anytime. | | 765 | The responder will obey the initiator anytime. |
766 | .It Ic strict | | 766 | .It Ic strict |
767 | If the responder's lifetime length is longer than the initiator's or | | 767 | If the responder's lifetime length is longer than the initiator's or |
768 | the responder's key length is shorter than the initiator's, | | 768 | the responder's key length is shorter than the initiator's, |
769 | the responder will use the initiator's value. | | 769 | the responder will use the initiator's value. |
770 | Otherwise, the proposal will be rejected. | | 770 | Otherwise, the proposal will be rejected. |
771 | If PFS is not required by the responder, the responder will obey the proposal. | | 771 | If PFS is not required by the responder, the responder will obey the proposal. |
772 | If PFS is required by both sides and the responder's group is not equal to | | 772 | If PFS is required by both sides and the responder's group is not equal to |
773 | the initiator's, then the responder will reject the proposal. | | 773 | the initiator's, then the responder will reject the proposal. |
774 | .It Ic claim | | 774 | .It Ic claim |
775 | If the responder's lifetime length is longer than the initiator's or | | 775 | If the responder's lifetime length is longer than the initiator's or |
776 | the responder's key length is shorter than the initiator's, | | 776 | the responder's key length is shorter than the initiator's, |
777 | the responder will use the initiator's value. | | 777 | the responder will use the initiator's value. |
778 | If the responder's lifetime length is shorter than the initiator's, | | 778 | If the responder's lifetime length is shorter than the initiator's, |
779 | the responder uses its own length AND sends a RESPONDER-LIFETIME notify | | 779 | the responder uses its own length AND sends a RESPONDER-LIFETIME notify |
780 | message to an initiator in the case of lifetime (phase 2 only). | | 780 | message to an initiator in the case of lifetime (phase 2 only). |
781 | For PFS, this directive behaves the same as | | 781 | For PFS, this directive behaves the same as |
782 | .Ic strict . | | 782 | .Ic strict . |
783 | .It Ic exact | | 783 | .It Ic exact |
784 | If the initiator's lifetime or key length is not equal to the responder's, | | 784 | If the initiator's lifetime or key length is not equal to the responder's, |
785 | the responder will reject the proposal. | | 785 | the responder will reject the proposal. |
786 | If PFS is required by both sides and the responder's group is not equal to | | 786 | If PFS is required by both sides and the responder's group is not equal to |
787 | the initiator's, then the responder will reject the proposal. | | 787 | the initiator's, then the responder will reject the proposal. |
788 | .El | | 788 | .El |
789 | .\" | | 789 | .\" |
790 | .It Ic support_proxy (on | off) ; | | 790 | .It Ic support_proxy (on | off) ; |
791 | If this value is set to on, then both values of ID payloads in the | | 791 | If this value is set to on, then both values of ID payloads in the |
792 | phase 2 exchange are always used as the addresses of end-point of | | 792 | phase 2 exchange are always used as the addresses of end-point of |
793 | IPsec-SAs. | | 793 | IPsec-SAs. |
794 | The default is off. | | 794 | The default is off. |
795 | .\" | | 795 | .\" |
796 | .It Ic generate_policy (on | off | require | unique) ; | | 796 | .It Ic generate_policy (on | off | require | unique) ; |
797 | This directive is for the responder. | | 797 | This directive is for the responder. |
798 | Therefore you should set | | 798 | Therefore you should set |
799 | .Ic passive | | 799 | .Ic passive |
800 | to on in order that | | 800 | to on in order that |
801 | .Xr racoon 8 | | 801 | .Xr racoon 8 |
802 | only becomes a responder. | | 802 | only becomes a responder. |
803 | If the responder does not have any policy in SPD during phase 2 | | 803 | If the responder does not have any policy in SPD during phase 2 |
804 | negotiation, and the directive is set to on, then | | 804 | negotiation, and the directive is set to on, then |
805 | .Xr racoon 8 | | 805 | .Xr racoon 8 |
806 | will choose the first proposal in the | | 806 | will choose the first proposal in the |
807 | SA payload from the initiator, and generate policy entries from the proposal. | | 807 | SA payload from the initiator, and generate policy entries from the proposal. |
808 | It is useful to negotiate with clients whose IP address is allocated | | 808 | It is useful to negotiate with clients whose IP address is allocated |
809 | dynamically. | | 809 | dynamically. |
810 | Note that an inappropriate policy might be installed into the responder's SPD | | 810 | Note that an inappropriate policy might be installed into the responder's SPD |
811 | by the initiator, | | 811 | by the initiator, |
812 | so other communications might fail if such policies are installed | | 812 | so other communications might fail if such policies are installed |
813 | due to a policy mismatch between the initiator and the responder. | | 813 | due to a policy mismatch between the initiator and the responder. |
814 | .Ic on | | 814 | .Ic on |
815 | and | | 815 | and |
816 | .Ic require | | 816 | .Ic require |
817 | values mean the same thing (generate a require policy). | | 817 | values mean the same thing (generate a require policy). |
818 | .Ic unique | | 818 | .Ic unique |
819 | tells racoon to set up unique policies, with a monotoning increasing | | 819 | tells racoon to set up unique policies, with a monotoning increasing |
820 | reqid number (between 1 and IPSEC_MANUAL_REQID_MAX). | | 820 | reqid number (between 1 and IPSEC_MANUAL_REQID_MAX). |
821 | This directive is ignored in the initiator case. | | 821 | This directive is ignored in the initiator case. |
822 | The default value is | | 822 | The default value is |
823 | .Ic off . | | 823 | .Ic off . |
824 | .\" | | 824 | .\" |
825 | .\" | | 825 | .\" |
826 | .It Ic nat_traversal (on | off | force) ; | | 826 | .It Ic nat_traversal (on | off | force) ; |
827 | This directive enables use of the NAT-Traversal IPsec extension | | 827 | This directive enables use of the NAT-Traversal IPsec extension |
828 | (NAT-T). | | 828 | (NAT-T). |
829 | NAT-T allows one or both peers to reside behind a NAT gateway (i.e., | | 829 | NAT-T allows one or both peers to reside behind a NAT gateway (i.e., |
830 | doing address- or port-translation). | | 830 | doing address- or port-translation). |
831 | If a NAT gateway is detected during the phase 1 handshake, racoon will | | 831 | If a NAT gateway is detected during the phase 1 handshake, racoon will |
832 | attempt to negotiate the use of NAT-T with the remote peer. | | 832 | attempt to negotiate the use of NAT-T with the remote peer. |
833 | If the negotiation succeeds, all ESP and AH packets for the given connection | | 833 | If the negotiation succeeds, all ESP and AH packets for the given connection |
834 | will be encapsulated into UDP datagrams (port 4500, by default). | | 834 | will be encapsulated into UDP datagrams (port 4500, by default). |
835 | Possible values are: | | 835 | Possible values are: |
836 | .Bl -tag -width Ds -compact | | 836 | .Bl -tag -width Ds -compact |
837 | .It Ic on | | 837 | .It Ic on |
838 | NAT-T is used when a NAT gateway is detected between the peers. | | 838 | NAT-T is used when a NAT gateway is detected between the peers. |
839 | .It Ic off | | 839 | .It Ic off |
840 | NAT-T is not proposed/accepted. | | 840 | NAT-T is not proposed/accepted. |
841 | This is the default. | | 841 | This is the default. |
842 | .It Ic force | | 842 | .It Ic force |
843 | NAT-T is used regardless of whether a NAT gateway is detected between the | | 843 | NAT-T is used regardless of whether a NAT gateway is detected between the |
844 | peers or not. | | 844 | peers or not. |
845 | .El | | 845 | .El |
846 | Please note that NAT-T support is a compile-time option. | | 846 | Please note that NAT-T support is a compile-time option. |
847 | Although it is enabled in the source distribution by default, it | | 847 | Although it is enabled in the source distribution by default, it |
848 | may not be available in your particular build. | | 848 | may not be available in your particular build. |
849 | In that case you will get a | | 849 | In that case you will get a |
850 | warning when using any NAT-T related config options. | | 850 | warning when using any NAT-T related config options. |
851 | .\" | | 851 | .\" |
852 | .It Ic dpd_delay Ar delay ; | | 852 | .It Ic dpd_delay Ar delay ; |
853 | This option activates the DPD and sets the time (in seconds) allowed | | 853 | This option activates the DPD and sets the time (in seconds) allowed |
854 | between 2 proof of liveliness requests. | | 854 | between 2 proof of liveliness requests. |
855 | The default value is | | 855 | The default value is |
856 | .Ic 0 , | | 856 | .Ic 0 , |
857 | which disables DPD monitoring, but still negotiates DPD support. | | 857 | which disables DPD monitoring, but still negotiates DPD support. |
858 | .\" | | 858 | .\" |
859 | .It Ic dpd_retry Ar delay ; | | 859 | .It Ic dpd_retry Ar delay ; |
860 | If | | 860 | If |
861 | .Ic dpd_delay | | 861 | .Ic dpd_delay |
862 | is set, this sets the delay (in seconds) to wait for a proof of | | 862 | is set, this sets the delay (in seconds) to wait for a proof of |
863 | liveliness before considering it as failed and send another request. | | 863 | liveliness before considering it as failed and send another request. |
864 | The default value is | | 864 | The default value is |
865 | .Ic 5 . | | 865 | .Ic 5 . |
866 | .\" | | 866 | .\" |
867 | .It Ic dpd_maxfail Ar number ; | | 867 | .It Ic dpd_maxfail Ar number ; |
868 | If | | 868 | If |
869 | .Ic dpd_delay | | 869 | .Ic dpd_delay |
870 | is set, this sets the maximum number of liveliness proofs to request | | 870 | is set, this sets the maximum number of liveliness proofs to request |
871 | (without reply) before considering the peer is dead. | | 871 | (without reply) before considering the peer is dead. |
872 | The default value is | | 872 | The default value is |
873 | .Ic 5 . | | 873 | .Ic 5 . |
874 | .\" | | 874 | .\" |
875 | .It Ic rekey (on | off | force) ; | | 875 | .It Ic rekey (on | off | force) ; |
876 | Enable automatic renegotiation of expired phase1 when there are non-dying | | 876 | Enable automatic renegotiation of expired phase1 when there are non-dying |
877 | phase2 SAs. | | 877 | phase2 SAs. |
878 | Possible values are: | | 878 | Possible values are: |
879 | .Bl -tag -width Ds -compact | | 879 | .Bl -tag -width Ds -compact |
880 | .It Ic force | | 880 | .It Ic force |
881 | Rekeying is done unconditionally. | | 881 | Rekeying is done unconditionally. |
882 | .It Ic on | | 882 | .It Ic on |
883 | Rekeying is done only if DPD monitoring is active. | | 883 | Rekeying is done only if DPD monitoring is active. |
884 | This is the default. | | 884 | This is the default. |
885 | .It Ic off | | 885 | .It Ic off |
886 | No automatic rekeying. | | 886 | No automatic rekeying. |
887 | Do note that turning off automatic rekeying will | | 887 | Do note that turning off automatic rekeying will |
888 | result in inaccurate DPD monitoring. | | 888 | result in inaccurate DPD monitoring. |
889 | .El | | 889 | .El |
890 | .\" | | 890 | .\" |
891 | .It Ic nonce_size Ar number ; | | 891 | .It Ic nonce_size Ar number ; |
892 | define the byte size of nonce value. | | 892 | define the byte size of nonce value. |
893 | Racoon can send any value although | | 893 | Racoon can send any value although |
894 | RFC2409 specifies that the value MUST be between 8 and 256 bytes. | | 894 | RFC2409 specifies that the value MUST be between 8 and 256 bytes. |
895 | The default size is 16 bytes. | | 895 | The default size is 16 bytes. |
896 | .\" | | 896 | .\" |
897 | .It Ic ph1id Ar number ; | | 897 | .It Ic ph1id Ar number ; |
898 | An optional number to identify the remote proposal and to link it | | 898 | An optional number to identify the remote proposal and to link it |
899 | only with sainfos who have the same number. | | 899 | only with sainfos who have the same number. |
900 | Defaults to 0. | | 900 | Defaults to 0. |
901 | .\" | | 901 | .\" |
902 | .It Xo | | 902 | .It Xo |
903 | .Ic proposal { Ar sub-substatements Ic } | | 903 | .Ic proposal { Ar sub-substatements Ic } |
904 | .Xc | | 904 | .Xc |
905 | .Bl -tag -width Ds -compact | | 905 | .Bl -tag -width Ds -compact |
906 | .\" | | 906 | .\" |
907 | .It Ic encryption_algorithm Ar algorithm ; | | 907 | .It Ic encryption_algorithm Ar algorithm ; |
908 | Specifies the encryption algorithm used for the phase 1 negotiation. | | 908 | Specifies the encryption algorithm used for the phase 1 negotiation. |
909 | This directive must be defined. | | 909 | This directive must be defined. |
910 | .Ar algorithm | | 910 | .Ar algorithm |
911 | is one of following: | | 911 | is one of following: |
912 | .Ic des, 3des, blowfish, cast128, aes, camellia | | 912 | .Ic des, 3des, blowfish, cast128, aes, camellia |
913 | .\".Ic rc5 , idea | | 913 | .\".Ic rc5 , idea |
914 | for Oakley. | | 914 | for Oakley. |
915 | For other transforms, this statement should not be used. | | 915 | For other transforms, this statement should not be used. |
916 | .\" | | 916 | .\" |
917 | .It Ic hash_algorithm Ar algorithm ; | | 917 | .It Ic hash_algorithm Ar algorithm ; |
918 | Defines the hash algorithm used for the phase 1 negotiation. | | 918 | Defines the hash algorithm used for the phase 1 negotiation. |
919 | This directive must be defined. | | 919 | This directive must be defined. |
920 | .Ar algorithm | | 920 | .Ar algorithm |
921 | is one of following: | | 921 | is one of following: |
922 | .Ic md5, sha1, sha256, sha384, sha512 | | 922 | .Ic md5, sha1, sha256, sha384, sha512 |
923 | for Oakley. | | 923 | for Oakley. |
924 | .\" | | 924 | .\" |
925 | .It Ic authentication_method Ar type ; | | 925 | .It Ic authentication_method Ar type ; |
926 | Defines the authentication method used for the phase 1 negotiation. | | 926 | Defines the authentication method used for the phase 1 negotiation. |
927 | This directive must be defined. | | 927 | This directive must be defined. |
928 | .Ar type | | 928 | .Ar type |
929 | is one of: | | 929 | is one of: |
930 | .Ic pre_shared_key , rsasig | | 930 | .Ic pre_shared_key , rsasig |
931 | (for plain RSA authentication), | | 931 | (for plain RSA authentication), |
932 | .Ic gssapi_krb , hybrid_rsa_server , | | 932 | .Ic gssapi_krb , hybrid_rsa_server , |
933 | .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server | | 933 | .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server |
934 | or | | 934 | or |
935 | .Ic xauth_psk_client . | | 935 | .Ic xauth_psk_client . |
936 | .\" | | 936 | .\" |
937 | .It Ic dh_group Ar group ; | | 937 | .It Ic dh_group Ar group ; |
938 | Defines the group used for the Diffie-Hellman exponentiations. | | 938 | Defines the group used for the Diffie-Hellman exponentiations. |
939 | This directive must be defined. | | 939 | This directive must be defined. |
940 | .Ar group | | 940 | .Ar group |
941 | is one of following: | | 941 | is one of following: |
942 | .Ic modp768 , modp1024 , modp1536 , | | 942 | .Ic modp768 , modp1024 , modp1536 , |
943 | .Ic modp2048 , modp3072 , modp4096 , | | 943 | .Ic modp2048 , modp3072 , modp4096 , |
944 | .Ic modp6144 , modp8192 . | | 944 | .Ic modp6144 , modp8192 . |
945 | Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. | | 945 | Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. |
946 | When you want to use aggressive mode, | | 946 | When you want to use aggressive mode, |
947 | you must define the same DH group in each proposal. | | 947 | you must define the same DH group in each proposal. |
948 | .It Ic lifetime time Ar number Ar timeunit ; | | 948 | .It Ic lifetime time Ar number Ar timeunit ; |
949 | Defines the lifetime of the phase 1 SA proposal. | | 949 | Defines the lifetime of the phase 1 SA proposal. |
950 | Refer to the description of the | | 950 | Refer to the description of the |
951 | .Ic lifetime | | 951 | .Ic lifetime |
952 | directive defined in the | | 952 | directive defined in the |
953 | .Ic remote | | 953 | .Ic remote |
954 | directive. | | 954 | directive. |
955 | .It Ic gss_id Ar string ; | | 955 | .It Ic gss_id Ar string ; |
956 | Defines the GSS-API endpoint name, to be included as an attribute in the SA, | | 956 | Defines the GSS-API endpoint name, to be included as an attribute in the SA, |
957 | if the | | 957 | if the |
958 | .Ic gssapi_krb | | 958 | .Ic gssapi_krb |
959 | authentication method is used. | | 959 | authentication method is used. |
960 | If this is not defined, the default value of | | 960 | If this is not defined, the default value of |
961 | .Ql host/hostname | | 961 | .Ql host/hostname |
962 | is used, where hostname is the value returned by the | | 962 | is used, where hostname is the value returned by the |
963 | .Xr hostname 1 | | 963 | .Xr hostname 1 |
964 | command. | | 964 | command. |
965 | .El | | 965 | .El |
966 | .El | | 966 | .El |
967 | .Pp | | 967 | .Pp |
968 | .It Xo | | 968 | .It Xo |
969 | .Ic remote ( Ar address | Ic anonymous ) | | 969 | .Ic remote ( Ar address | Ic anonymous ) |
970 | .Bq Bq Ar port | | 970 | .Bq Bq Ar port |
971 | .Bq Ic inherit Ar parent | | 971 | .Bq Ic inherit Ar parent |
972 | .Ic { Ar statements Ic } | | 972 | .Ic { Ar statements Ic } |
973 | .Xc | | 973 | .Xc |
974 | Deprecated format of specifying a remote block. | | 974 | Deprecated format of specifying a remote block. |
975 | This will be removed in future. | | 975 | This will be removed in future. |
976 | It is a remnant from time when remote block was decided | | 976 | It is a remnant from time when remote block was decided |
977 | solely based on the peers IP address. | | 977 | solely based on the peers IP address. |
978 | .Pp | | 978 | .Pp |
979 | This is equivalent to: | | 979 | This is equivalent to: |
980 | .Bd -literal -offset | | 980 | .Bd -literal -offset |
981 | remote "address" [inherit "parent-address"] { | | 981 | remote "address" [inherit "parent-address"] { |
982 | remote_address address; | | 982 | remote_address address; |
983 | } | | 983 | } |
984 | .Ed | | 984 | .Ed |
985 | .El | | 985 | .El |
986 | .\" | | 986 | .\" |
987 | .Ss Sainfo Specifications | | 987 | .Ss Sainfo Specifications |
988 | .Bl -tag -width Ds -compact | | 988 | .Bl -tag -width Ds -compact |
989 | .It Xo | | 989 | .It Xo |
990 | .Ic sainfo ( Ar local_id | Ic anonymous ) ( Ar remote_id | Ic clientaddr | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ] | | 990 | .Ic sainfo ( Ar local_id | Ic anonymous ) ( Ar remote_id | Ic clientaddr | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ] |
991 | .Ic { Ar statements Ic } | | 991 | .Ic { Ar statements Ic } |
992 | .Xc | | 992 | .Xc |
993 | Defines the parameters of the IKE phase 2 (IPsec-SA establishment). | | 993 | Defines the parameters of the IKE phase 2 (IPsec-SA establishment). |
994 | .Pp | | 994 | .Pp |
995 | The | | 995 | The |
996 | .Ar local_id | | 996 | .Ar local_id |
997 | and | | 997 | and |
998 | .Ar remote_id | | 998 | .Ar remote_id |
999 | strings are constructed like: | | 999 | strings are constructed like: |
1000 | .Pp | | 1000 | .Pp |
1001 | .Ic address Ar address | | 1001 | .Ic address Ar address |
1002 | .Bq Ic / Ar prefix | | 1002 | .Bq Ic / Ar prefix |
1003 | .Bq Ic [ Ar port ] | | 1003 | .Bq Ic [ Ar port ] |
1004 | .Ar ul_proto | | 1004 | .Ar ul_proto |
1005 | .Pp | | 1005 | .Pp |
1006 | or | | 1006 | or |
1007 | .Pp | | 1007 | .Pp |
1008 | .Ic subnet Ar address | | 1008 | .Ic subnet Ar address |
1009 | .Bq Ic / Ar prefix | | 1009 | .Bq Ic / Ar prefix |
1010 | .Bq Ic [ Ar port ] | | 1010 | .Bq Ic [ Ar port ] |
1011 | .Ar ul_proto | | 1011 | .Ar ul_proto |
1012 | .Pp | | 1012 | .Pp |
1013 | An id string should be expressed to match the exact value of an ID payload. | | 1013 | An id string should be expressed to match the exact value of an ID payload. |
1014 | This is not like a filter rule. | | 1014 | This is not like a filter rule. |
1015 | For example, if you define 3ffe:501:4819::/48 as | | 1015 | For example, if you define 3ffe:501:4819::/48 as |
1016 | .Ar local_id . | | 1016 | .Ar local_id . |
1017 | 3ffe:501:4819:1000:/64 will not match. | | 1017 | 3ffe:501:4819:1000:/64 will not match. |
1018 | In the case of a longest prefix (selecting a single host), | | 1018 | In the case of a longest prefix (selecting a single host), |
1019 | .Ar address | | 1019 | .Ar address |
1020 | instructs to send ID type of ADDRESS while | | 1020 | instructs to send ID type of ADDRESS while |
1021 | .Ar subnet | | 1021 | .Ar subnet |
1022 | instructs to send ID type of SUBNET. | | 1022 | instructs to send ID type of SUBNET. |
1023 | Otherwise, these instructions are identical. | | 1023 | Otherwise, these instructions are identical. |
1024 | .Pp | | 1024 | .Pp |
1025 | The | | 1025 | The |
1026 | .Ic anonymous | | 1026 | .Ic anonymous |
1027 | keyword can be used to match any id. | | 1027 | keyword can be used to match any id. |
1028 | The | | 1028 | The |
1029 | .Ic clientaddr | | 1029 | .Ic clientaddr |
1030 | keyword can be used to match a remote id that is equal to either the peer | | 1030 | keyword can be used to match a remote id that is equal to either the peer |
1031 | ip address or the mode_cfg ip address ( if assigned ). | | 1031 | ip address or the mode_cfg ip address (if assigned). |
1032 | This can be useful | | 1032 | This can be useful |
1033 | to restrict policy generation when racoon is acting as a client gateway | | 1033 | to restrict policy generation when racoon is acting as a client gateway |
1034 | for peers with dynamic ip addresses. | | 1034 | for peers with dynamic ip addresses. |
1035 | .Pp | | 1035 | .Pp |
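Review bot: the change in this region only tightens `( if assigned )` to `(if assigned)` in the clientaddr description, which is correct, but since this is a wording-only pass it should also pick up the neighbouring slips that remain unchanged on both sides of the diff: `monotoning increasing` in the generate_policy `unique` text (should be `monotonically increasing`), `peers IP address` in the deprecated remote block note (`peer's`), `These algorithms are define by` in the phase 2 algorithm paragraph (`defined`), and the lower-case `ip address` in the clientaddr sentence itself, where the generate_policy text above writes `IP address`. Folding those into this commit keeps the man page consistent without a second cosmetic revision.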
1036 | The | | 1036 | The |
1037 | .Ic from | | 1037 | .Ic from |
1038 | keyword allows an sainfo to only match for peers that use a specific phase1 | | 1038 | keyword allows an sainfo to only match for peers that use a specific phase1 |
1039 | id value during authentication. | | 1039 | id value during authentication. |
1040 | The | | 1040 | The |
1041 | .Ic group | | 1041 | .Ic group |
1042 | keyword allows an XAuth group membership check to be performed | | 1042 | keyword allows an XAuth group membership check to be performed |
1043 | for this sainfo section. | | 1043 | for this sainfo section. |
1044 | When the mode_cfg auth source is set to | | 1044 | When the mode_cfg auth source is set to |
1045 | .Ic system | | 1045 | .Ic system |
1046 | or | | 1046 | or |
1047 | .Ic ldap , | | 1047 | .Ic ldap , |
1048 | the XAuth user is verified to be a member of the specified group | | 1048 | the XAuth user is verified to be a member of the specified group |
1049 | before allowing a matching SA to be negotiated. | | 1049 | before allowing a matching SA to be negotiated. |
1050 | .Pp | | 1050 | .Pp |
1051 | .Bl -tag -width Ds -compact | | 1051 | .Bl -tag -width Ds -compact |
1052 | .\" | | 1052 | .\" |
1053 | .It Ic pfs_group Ar group ; | | 1053 | .It Ic pfs_group Ar group ; |
1054 | define the group of Diffie-Hellman exponentiations. | | 1054 | define the group of Diffie-Hellman exponentiations. |
1055 | If you do not require PFS then you can omit this directive. | | 1055 | If you do not require PFS then you can omit this directive. |
1056 | Any proposal will be accepted if you do not specify one. | | 1056 | Any proposal will be accepted if you do not specify one. |
1057 | .Ar group | | 1057 | .Ar group |
1058 | is one of following: | | 1058 | is one of following: |
1059 | .Ic modp768 , modp1024 , modp1536 , | | 1059 | .Ic modp768 , modp1024 , modp1536 , |
1060 | .Ic modp2048 , modp3072 , modp4096 , | | 1060 | .Ic modp2048 , modp3072 , modp4096 , |
1061 | .Ic modp6144 , modp8192 . | | 1061 | .Ic modp6144 , modp8192 . |
1062 | Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. | | 1062 | Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. |
1063 | .\" | | 1063 | .\" |
1064 | .It Ic lifetime time Ar number Ar timeunit ; | | 1064 | .It Ic lifetime time Ar number Ar timeunit ; |
1065 | define how long an IPsec-SA will be used, in timeunits. | | 1065 | define how long an IPsec-SA will be used, in timeunits. |
1066 | Any proposal will be accepted, and no attribute(s) will be proposed to | | 1066 | Any proposal will be accepted, and no attribute(s) will be proposed to |
1067 | the peer if you do not specify it(them). | | 1067 | the peer if you do not specify it(them). |
1068 | See the | | 1068 | See the |
1069 | .Ic proposal_check | | 1069 | .Ic proposal_check |
1070 | directive. | | 1070 | directive. |
1071 | .\" | | 1071 | .\" |
1072 | .It Ic remoteid Ar number ; | | 1072 | .It Ic remoteid Ar number ; |
1073 | Sainfos will only be used if their remoteid matches the ph1id of the | | 1073 | Sainfos will only be used if their remoteid matches the ph1id of the |
1074 | remote section used for phase 1. | | 1074 | remote section used for phase 1. |
1075 | Defaults to 0, which is also the default for ph1id. | | 1075 | Defaults to 0, which is also the default for ph1id. |
1076 | .El | | 1076 | .El |
1077 | .\" | | 1077 | .\" |
1078 | .Pp | | 1078 | .Pp |
1079 | .Xr racoon 8 | | 1079 | .Xr racoon 8 |
1080 | does not have a list of security protocols to be negotiated. | | 1080 | does not have a list of security protocols to be negotiated. |
1081 | The list of security protocols are passed by SPD in the kernel. | | 1081 | The list of security protocols are passed by SPD in the kernel. |
1082 | Therefore you have to define all of the potential algorithms | | 1082 | Therefore you have to define all of the potential algorithms |
1083 | in the phase 2 proposals even if there are algorithms which will not be used. | | 1083 | in the phase 2 proposals even if there are algorithms which will not be used. |
1084 | These algorithms are define by using the following three directives, | | 1084 | These algorithms are define by using the following three directives, |
1085 | with a single comma as the separator. | | 1085 | with a single comma as the separator. |
1086 | For algorithms that can take variable-length keys, algorithm names | | 1086 | For algorithms that can take variable-length keys, algorithm names |
1087 | can be followed by a key length, like | | 1087 | can be followed by a key length, like |
1088 | .Dq Li blowfish 448 . | | 1088 | .Dq Li blowfish 448 . |
1089 | .Xr racoon 8 | | 1089 | .Xr racoon 8 |
1090 | will compute the actual phase 2 proposals by computing | | 1090 | will compute the actual phase 2 proposals by computing |
1091 | the permutation of the specified algorithms, | | 1091 | the permutation of the specified algorithms, |
1092 | and then combining them with the security protocol specified by the SPD. | | 1092 | and then combining them with the security protocol specified by the SPD. |
1093 | For example, if | | 1093 | For example, if |
1094 | .Ic des , 3des , hmac_md5 , | | 1094 | .Ic des , 3des , hmac_md5 , |
1095 | and | | 1095 | and |
1096 | .Ic hmac_sha1 | | 1096 | .Ic hmac_sha1 |
1097 | are specified as algorithms, we have four combinations for use with ESP, | | 1097 | are specified as algorithms, we have four combinations for use with ESP, |
1098 | and two for AH. | | 1098 | and two for AH. |
1099 | Then, based on the SPD settings, | | 1099 | Then, based on the SPD settings, |
1100 | .Xr racoon 8 | | 1100 | .Xr racoon 8 |
1101 | will construct the actual proposals. | | 1101 | will construct the actual proposals. |
1102 | If the SPD entry asks for ESP only, there will be 4 proposals. | | 1102 | If the SPD entry asks for ESP only, there will be 4 proposals. |
1103 | If it asks for both AH and ESP, there will be 8 proposals. | | 1103 | If it asks for both AH and ESP, there will be 8 proposals. |
1104 | Note that the kernel may not support the algorithm you have specified. | | 1104 | Note that the kernel may not support the algorithm you have specified. |
1105 | .\" | | 1105 | .\" |
1106 | .Bl -tag -width Ds -compact | | 1106 | .Bl -tag -width Ds -compact |
1107 | .It Ic encryption_algorithm Ar algorithms ; | | 1107 | .It Ic encryption_algorithm Ar algorithms ; |
1108 | .Ic des , 3des , des_iv64 , des_iv32 , | | 1108 | .Ic des , 3des , des_iv64 , des_iv32 , |
1109 | .Ic rc5 , rc4 , idea , 3idea , | | 1109 | .Ic rc5 , rc4 , idea , 3idea , |
1110 | .Ic cast128 , blowfish , null_enc , | | 1110 | .Ic cast128 , blowfish , null_enc , |
1111 | .Ic twofish , rijndael , aes , camellia | | 1111 | .Ic twofish , rijndael , aes , camellia |
1112 | .Pq used with ESP | | 1112 | .Pq used with ESP |
1113 | .\" | | 1113 | .\" |
1114 | .It Ic authentication_algorithm Ar algorithms ; | | 1114 | .It Ic authentication_algorithm Ar algorithms ; |
1115 | .Ic des , 3des , des_iv64 , des_iv32 , | | 1115 | .Ic des , 3des , des_iv64 , des_iv32 , |
1116 | .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth | | 1116 | .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth |
1117 | .Pq used with ESP authentication and AH | | 1117 | .Pq used with ESP authentication and AH |
1118 | .\" | | 1118 | .\" |
1119 | .It Ic compression_algorithm Ar algorithms ; | | 1119 | .It Ic compression_algorithm Ar algorithms ; |
1120 | .Ic deflate | | 1120 | .Ic deflate |
1121 | .Pq used with IPComp | | 1121 | .Pq used with IPComp |
1122 | .El | | 1122 | .El |
1123 | .El | | 1123 | .El |
1124 | .\" | | 1124 | .\" |
1125 | .Ss Logging level | | 1125 | .Ss Logging level |
1126 | .Bl -tag -width Ds -compact | | 1126 | .Bl -tag -width Ds -compact |
1127 | .It Ic log Ar level ; | | 1127 | .It Ic log Ar level ; |
1128 | Defines the logging level. | | 1128 | Defines the logging level. |
1129 | .Ar level | | 1129 | .Ar level |
1130 | is one of following: | | 1130 | is one of following: |
1131 | .Ic error , warning , notify , info , debug | | 1131 | .Ic error , warning , notify , info , debug |
1132 | or | | 1132 | or |
1133 | .Ic debug2 . | | 1133 | .Ic debug2 . |
1134 | The default is | | 1134 | The default is |
1135 | .Ic info . | | 1135 | .Ic info . |
1136 | If you set the logging level too high on slower machines, | | 1136 | If you set the logging level too high on slower machines, |
1137 | IKE negotiation can fail due to timing constraint changes. | | 1137 | IKE negotiation can fail due to timing constraint changes. |
1138 | .El | | 1138 | .El |
1139 | .\" | | 1139 | .\" |
1140 | .Ss Specifies the way to pad | | 1140 | .Ss Specifies the way to pad |
1141 | .Bl -tag -width Ds -compact | | 1141 | .Bl -tag -width Ds -compact |
1142 | .It Ic padding { Ar statements Ic } | | 1142 | .It Ic padding { Ar statements Ic } |
1143 | specifies the padding format. | | 1143 | specifies the padding format. |
1144 | The following are valid statements: | | 1144 | The following are valid statements: |
1145 | .Bl -tag -width Ds -compact | | 1145 | .Bl -tag -width Ds -compact |
1146 | .It Ic randomize (on | off) ; | | 1146 | .It Ic randomize (on | off) ; |
1147 | Enables the use of a randomized value for padding. | | 1147 | Enables the use of a randomized value for padding. |
1148 | The default is on. | | 1148 | The default is on. |
1149 | .It Ic randomize_length (on | off) ; | | 1149 | .It Ic randomize_length (on | off) ; |
1150 | The pad length will be random. | | 1150 | The pad length will be random. |
1151 | The default is off. | | 1151 | The default is off. |
1152 | .It Ic maximum_length Ar number ; | | 1152 | .It Ic maximum_length Ar number ; |
1153 | Defines a maximum padding length. | | 1153 | Defines a maximum padding length. |
1154 | If | | 1154 | If |
1155 | .Ic randomize_length | | 1155 | .Ic randomize_length |
1156 | is off, this is ignored. | | 1156 | is off, this is ignored. |
1157 | The default is 20 bytes. | | 1157 | The default is 20 bytes. |
1158 | .It Ic exclusive_tail (on | off) ; | | 1158 | .It Ic exclusive_tail (on | off) ; |
1159 | Means to put the number of pad bytes minus one into the last part | | 1159 | Means to put the number of pad bytes minus one into the last part |
1160 | of the padding. | | 1160 | of the padding. |
1161 | The default is on. | | 1161 | The default is on. |
1162 | .It Ic strict_check (on | off) ; | | 1162 | .It Ic strict_check (on | off) ; |
1163 | Means to constrain the peer to set the number of pad bytes. | | 1163 | Means to constrain the peer to set the number of pad bytes. |
1164 | The default is off. | | 1164 | The default is off. |
1165 | .El | | 1165 | .El |
1166 | .El | | 1166 | .El |
1167 | .Ss ISAKMP mode configuration settings | | 1167 | .Ss ISAKMP mode configuration settings |
1168 | .Bl -tag -width Ds -compact | | 1168 | .Bl -tag -width Ds -compact |
1169 | .It Ic mode_cfg { Ar statements Ic } | | 1169 | .It Ic mode_cfg { Ar statements Ic } |
1170 | Defines the information to return for remote hosts' ISAKMP mode config | | 1170 | Defines the information to return for remote hosts' ISAKMP mode config |
1171 | requests. | | 1171 | requests. |
1172 | Also defines the authentication source for remote peers | | 1172 | Also defines the authentication source for remote peers |
1173 | authenticating through Xauth. | | 1173 | authenticating through Xauth. |
1174 | .Pp | | 1174 | .Pp |
1175 | The following are valid statements: | | 1175 | The following are valid statements: |
1176 | .Bl -tag -width Ds -compact | | 1176 | .Bl -tag -width Ds -compact |
1177 | .It Ic auth_source (system | radius | pam | ldap) ; | | 1177 | .It Ic auth_source (system | radius | pam | ldap) ; |
1178 | Specifies the source for authentication of users through Xauth. | | 1178 | Specifies the source for authentication of users through Xauth. |
1179 | .Ar system | | 1179 | .Ar system |
1180 | means to use the Unix user database. | | 1180 | means to use the Unix user database. |
1181 | This is the default. | | 1181 | This is the default. |
1182 | .Ar radius | | 1182 | .Ar radius |
1183 | means to use a RADIUS server. | | 1183 | means to use a RADIUS server. |
1184 | It works only if | | 1184 | It works only if |
1185 | .Xr racoon 8 | | 1185 | .Xr racoon 8 |
1186 | was built with libradius support. | | 1186 | was built with libradius support. |
1187 | Radius configuration is handled by statements in the | | 1187 | Radius configuration is handled by statements in the |
1188 | .Ic radiuscfg | | 1188 | .Ic radiuscfg |
1189 | section. | | 1189 | section. |
1190 | .Ar pam | | 1190 | .Ar pam |
1191 | means to use PAM. | | 1191 | means to use PAM. |
1192 | It works only if | | 1192 | It works only if |
1193 | .Xr racoon 8 | | 1193 | .Xr racoon 8 |
1194 | was built with libpam support. | | 1194 | was built with libpam support. |
1195 | .Ar ldap | | 1195 | .Ar ldap |
1196 | means to use LDAP. | | 1196 | means to use LDAP. |
1197 | It works only if | | 1197 | It works only if |
1198 | .Xr racoon 8 | | 1198 | .Xr racoon 8 |
1199 | was built with libldap support. | | 1199 | was built with libldap support. |
1200 | LDAP configuration is handled by statements in the | | 1200 | LDAP configuration is handled by statements in the |
1201 | .Ic ldapcfg | | 1201 | .Ic ldapcfg |
1202 | section. | | 1202 | section. |
1203 | .It Ic auth_groups Ar "group1", ... ; | | 1203 | .It Ic auth_groups Ar "group1", ... ; |
1204 | Specifies the group memberships for Xauth in quoted group name strings. | | 1204 | Specifies the group memberships for Xauth in quoted group name strings. |
1205 | When defined, the authenticating user must be a member of at least one | | 1205 | When defined, the authenticating user must be a member of at least one |
1206 | group for Xauth to succeed. | | 1206 | group for Xauth to succeed. |
1207 | .It Ic group_source (system | ldap) ; | | 1207 | .It Ic group_source (system | ldap) ; |
1208 | Specifies the source for group validation of users through Xauth. | | 1208 | Specifies the source for group validation of users through Xauth. |
1209 | .Ar system | | 1209 | .Ar system |
1210 | means to use the Unix user database. | | 1210 | means to use the Unix user database. |
1211 | This is the default. | | 1211 | This is the default. |
1212 | .Ar ldap | | 1212 | .Ar ldap |
1213 | means to use LDAP. | | 1213 | means to use LDAP. |
1214 | It works only if | | 1214 | It works only if |
1215 | .Xr racoon 8 | | 1215 | .Xr racoon 8 |
1216 | was built with libldap support and requires LDAP authentication. | | 1216 | was built with libldap support and requires LDAP authentication. |
1217 | LDAP configuration is handled by statements in the | | 1217 | LDAP configuration is handled by statements in the |
1218 | .Ic ldapcfg | | 1218 | .Ic ldapcfg |
1219 | section. | | 1219 | section. |
1220 | .It Ic conf_source (local | radius | ldap) ; | | 1220 | .It Ic conf_source (local | radius | ldap) ; |
1221 | Specifies the source for IP addresses and netmask allocated through ISAKMP | | 1221 | Specifies the source for IP addresses and netmask allocated through ISAKMP |
1222 | mode config. | | 1222 | mode config. |
1223 | .Ar local | | 1223 | .Ar local |
1224 | means to use the local IP pool defined by the | | 1224 | means to use the local IP pool defined by the |
1225 | .Ic network4 | | 1225 | .Ic network4 |
1226 | and | | 1226 | and |
1227 | .Ic pool_size | | 1227 | .Ic pool_size |
1228 | statements. | | 1228 | statements. |
1229 | This is the default. | | 1229 | This is the default. |
1230 | .Ar radius | | 1230 | .Ar radius |
1231 | means to use a RADIUS server. | | 1231 | means to use a RADIUS server. |
1232 | It works only if | | 1232 | It works only if |
1233 | .Xr racoon 8 | | 1233 | .Xr racoon 8 |
1234 | was built with libradius support and requires RADIUS authentication. | | 1234 | was built with libradius support and requires RADIUS authentication. |
1235 | RADIUS configuration is handled by statements in the | | 1235 | RADIUS configuration is handled by statements in the |
1236 | .Ic radiuscfg | | 1236 | .Ic radiuscfg |
1237 | section. | | 1237 | section. |
1238 | .Ar ldap | | 1238 | .Ar ldap |
1239 | means to use an LDAP server. | | 1239 | means to use an LDAP server. |
1240 | It works only if | | 1240 | It works only if |
1241 | .Xr racoon 8 | | 1241 | .Xr racoon 8 |
1242 | was built with libldap support and requires LDAP authentication. | | 1242 | was built with libldap support and requires LDAP authentication. |
1243 | LDAP configuration is handled by | | 1243 | LDAP configuration is handled by |
1244 | statements in the | | 1244 | statements in the |
1245 | .Ic ldapcfg | | 1245 | .Ic ldapcfg |
1246 | section. | | 1246 | section. |
1247 | .It Ic accounting (none | system | radius | pam) ; | | 1247 | .It Ic accounting (none | system | radius | pam) ; |
1248 | Enables or disables accounting for Xauth logins and logouts. | | 1248 | Enables or disables accounting for Xauth logins and logouts. |
1249 | The default is | | 1249 | The default is |
1250 | .Ar none | | 1250 | .Ar none |
1251 | which disable accounting. | | 1251 | which disable accounting. |
1252 | Specifying | | 1252 | Specifying |
1253 | .Ar system | | 1253 | .Ar system |
1254 | enables system accounting through | | 1254 | enables system accounting through |
1255 | .Xr utmp 5 . | | 1255 | .Xr utmp 5 . |
1256 | Specifying | | 1256 | Specifying |
1257 | .Ar radius | | 1257 | .Ar radius |
1258 | enables RADIUS accounting. | | 1258 | enables RADIUS accounting. |
1259 | It works only if | | 1259 | It works only if |
1260 | .Xr racoon 8 | | 1260 | .Xr racoon 8 |
1261 | was built with libradius support and requires RADIUS authentication. | | 1261 | was built with libradius support and requires RADIUS authentication. |
1262 | RADIUS configuration is handled by statements in the | | 1262 | RADIUS configuration is handled by statements in the |
1263 | .Ic radiuscfg | | 1263 | .Ic radiuscfg |
1264 | section. | | 1264 | section. |
1265 | Specifying | | 1265 | Specifying |
1266 | .Ar pam | | 1266 | .Ar pam |
1267 | enables PAM accounting. | | 1267 | enables PAM accounting. |
1268 | It works only if | | 1268 | It works only if |
1269 | .Xr racoon 8 | | 1269 | .Xr racoon 8 |
1270 | was build with libpam support and requires PAM authentication. | | 1270 | was build with libpam support and requires PAM authentication. |
1271 | .It Ic pool_size Ar size | | 1271 | .It Ic pool_size Ar size |
1272 | Specify the size of the IP address pool, either local or allocated | | 1272 | Specify the size of the IP address pool, either local or allocated |
1273 | through RADIUS. | | 1273 | through RADIUS. |
1274 | .Ic conf_source | | 1274 | .Ic conf_source |
1275 | selects the local pool or the RADIUS configuration, but in both | | 1275 | selects the local pool or the RADIUS configuration, but in both |
1276 | configurations, you cannot have more than | | 1276 | configurations, you cannot have more than |
1277 | .Ar size | | 1277 | .Ar size |
1278 | users connected at the same time. | | 1278 | users connected at the same time. |
1279 | The default is 255. | | 1279 | The default is 255. |
1280 | .It Ic network4 Ar address ; | | 1280 | .It Ic network4 Ar address ; |
1281 | .It Ic netmask4 Ar address ; | | 1281 | .It Ic netmask4 Ar address ; |
1282 | The local IP pool base address and network mask from which dynamically | | 1282 | The local IP pool base address and network mask from which dynamically |
1283 | allocated IPv4 addresses should be taken. | | 1283 | allocated IPv4 addresses should be taken. |
1284 | This is used if | | 1284 | This is used if |
1285 | .Ic conf_source | | 1285 | .Ic conf_source |
1286 | is set to | | 1286 | is set to |
1287 | .Ar local | | 1287 | .Ar local |
1288 | or if the RADIUS server returned | | 1288 | or if the RADIUS server returned |
1289 | .Ar 255.255.255.254 . | | 1289 | .Ar 255.255.255.254 . |
1290 | Default is | | 1290 | Default is |
1291 | .Ar 0.0.0.0/0.0.0.0 . | | 1291 | .Ar 0.0.0.0/0.0.0.0 . |
1292 | .It Ic dns4 Ar addresses ; | | 1292 | .It Ic dns4 Ar addresses ; |
1293 | A list of IPv4 addresses for DNS servers, separated by commas, or on multiple | | 1293 | A list of IPv4 addresses for DNS servers, separated by commas, or on multiple |
1294 | .Ic dns4 | | 1294 | .Ic dns4 |
1295 | lines. | | 1295 | lines. |
1296 | .It Ic wins4 Ar addresses ; | | 1296 | .It Ic wins4 Ar addresses ; |
1297 | A list of IPv4 address for WINS servers. | | 1297 | A list of IPv4 address for WINS servers. |
1298 | The keyword | | 1298 | The keyword |
1299 | .It nbns4 | | 1299 | .It nbns4 |
1300 | can also be used as an alias for | | 1300 | can also be used as an alias for |
1301 | .It wins4 . | | 1301 | .It wins4 . |
1302 | .It Ic split_network (include | local_lan) Ar network/mask, ... | | 1302 | .It Ic split_network (include | local_lan) Ar network/mask, ... |
1303 | The network configuration to send, in CIDR notation (e.g. 192.168.1.0/24). | | 1303 | The network configuration to send, in CIDR notation (e.g. 192.168.1.0/24). |
1304 | If | | 1304 | If |
1305 | .Ic include | | 1305 | .Ic include |
1306 | is specified, the tunnel should be only used to encrypt the indicated | | 1306 | is specified, the tunnel should be only used to encrypt the indicated |
1307 | destinations ; otherwise, if | | 1307 | destinations ; otherwise, if |
1308 | .Ic local_lan | | 1308 | .Ic local_lan |
1309 | is used, everything will pass through the tunnel but those destinations. | | 1309 | is used, everything will pass through the tunnel but those destinations. |
1310 | .It Ic default_domain Ar domain ; | | 1310 | .It Ic default_domain Ar domain ; |
1311 | The default DNS domain to send. | | 1311 | The default DNS domain to send. |
1312 | .It Ic split_dns Ar "domain", ... | | 1312 | .It Ic split_dns Ar "domain", ... |
1313 | The split dns configuration to send, in quoted domain name strings. | | 1313 | The split dns configuration to send, in quoted domain name strings. |
1314 | This list can be used to describe a list of domain names for which | | 1314 | This list can be used to describe a list of domain names for which |
1315 | a peer should query a modecfg assigned dns server. | | 1315 | a peer should query a modecfg assigned dns server. |
1316 | DNS queries for all other domains would be handled locally. | | 1316 | DNS queries for all other domains would be handled locally. |
1317 | (Cisco VPN client only). | | 1317 | (Cisco VPN client only). |
1318 | .It Ic banner Ar path ; | | 1318 | .It Ic banner Ar path ; |
1319 | The path of a file displayed on the client at connection time. | | 1319 | The path of a file displayed on the client at connection time. |
1320 | Default is | | 1320 | Default is |
1321 | .Ar /etc/motd . | | 1321 | .Ar /etc/motd . |
1322 | .It Ic auth_throttle Ar delay ; | | 1322 | .It Ic auth_throttle Ar delay ; |
1323 | On each failed Xauth authentication attempt, refuse new attempts for a set | | 1323 | On each failed Xauth authentication attempt, refuse new attempts for a set |
1324 | .Ar delay | | 1324 | .Ar delay |
1325 | of seconds. | | 1325 | of seconds. |
1326 | This is to avoid dictionary attacks on Xauth passwords. | | 1326 | This is to avoid dictionary attacks on Xauth passwords. |
1327 | Default is one second. | | 1327 | Default is one second. |
1328 | Set to zero to disable authentication delay. | | 1328 | Set to zero to disable authentication delay. |
1329 | .It Ic pfs_group Ar group ; | | 1329 | .It Ic pfs_group Ar group ; |
1330 | Sets the PFS group used in the client proposal (Cisco VPN client only). | | 1330 | Sets the PFS group used in the client proposal (Cisco VPN client only). |
1331 | Default is 0. | | 1331 | Default is 0. |
1332 | .It Ic save_passwd (on | off) ; | | 1332 | .It Ic save_passwd (on | off) ; |
1333 | Allow the client to save the Xauth password (Cisco VPN client only). | | 1333 | Allow the client to save the Xauth password (Cisco VPN client only). |
1334 | Default is off. | | 1334 | Default is off. |
1335 | .El | | 1335 | .El |
1336 | .El | | 1336 | .El |
1337 | .Ss Ldap configuration settings | | 1337 | .Ss Ldap configuration settings |
1338 | .Bl -tag -width Ds -compact | | 1338 | .Bl -tag -width Ds -compact |
1339 | .It Ic ldapcfg { Ar statements Ic } | | 1339 | .It Ic ldapcfg { Ar statements Ic } |
1340 | Defines the parameters that will be used to communicate with an ldap | | 1340 | Defines the parameters that will be used to communicate with an ldap |
1341 | server for | | 1341 | server for |
1342 | .Ic xauth | | 1342 | .Ic xauth |
1343 | authentication. | | 1343 | authentication. |
1344 | .Pp | | 1344 | .Pp |
1345 | The following are valid statements: | | 1345 | The following are valid statements: |
1346 | .Bl -tag -width Ds -compact | | 1346 | .Bl -tag -width Ds -compact |
1347 | .It Ic version (2 | 3) ; | | 1347 | .It Ic version (2 | 3) ; |
1348 | The ldap protocol version used to communicate with the server. | | 1348 | The ldap protocol version used to communicate with the server. |
1349 | The default is | | 1349 | The default is |
1350 | .Ic 3 . | | 1350 | .Ic 3 . |
1351 | .It Ic host Ar (hostname | address) ; | | 1351 | .It Ic host Ar (hostname | address) ; |
1352 | The host name or ip address of the ldap server. | | 1352 | The host name or ip address of the ldap server. |
1353 | The default is | | 1353 | The default is |
1354 | .Ic localhost . | | 1354 | .Ic localhost . |
1355 | .It Ic port Ar number ; | | 1355 | .It Ic port Ar number ; |
1356 | The port that the ldap server is configured to listen on. | | 1356 | The port that the ldap server is configured to listen on. |
1357 | The default is | | 1357 | The default is |
1358 | .Ic 389 . | | 1358 | .Ic 389 . |
1359 | .It Ic base Ar distinguished name ; | | 1359 | .It Ic base Ar distinguished name ; |
1360 | The ldap search base. | | 1360 | The ldap search base. |
1361 | This option has no default value. | | 1361 | This option has no default value. |
1362 | .It Ic subtree (on | off) ; | | 1362 | .It Ic subtree (on | off) ; |
1363 | Use the subtree ldap search scope. | | 1363 | Use the subtree ldap search scope. |
1364 | Otherwise, use the one level search scope. | | 1364 | Otherwise, use the one level search scope. |
1365 | The default is | | 1365 | The default is |
1366 | .Ic off . | | 1366 | .Ic off . |
1367 | .It Ic bind_dn Ar distinguished name ; | | 1367 | .It Ic bind_dn Ar distinguished name ; |
1368 | The user dn used to optionally bind as before performing ldap search operations. | | 1368 | The user dn used to optionally bind as before performing ldap search operations. |
1369 | If this option is not specified, anonymous binds are used. | | 1369 | If this option is not specified, anonymous binds are used. |
1370 | .It Ic bind_pw Ar string ; | | 1370 | .It Ic bind_pw Ar string ; |
1371 | The password used when binding as | | 1371 | The password used when binding as |
1372 | .Ic bind_dn . | | 1372 | .Ic bind_dn . |
1373 | .It Ic attr_user Ar attribute name ; | | 1373 | .It Ic attr_user Ar attribute name ; |
1374 | The attribute used to specify a users name in an ldap directory. | | 1374 | The attribute used to specify a users name in an ldap directory. |
1375 | For example, | | 1375 | For example, |
1376 | if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn". | | 1376 | if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn". |
1377 | The default value is | | 1377 | The default value is |
1378 | .Ic cn . | | 1378 | .Ic cn . |
1379 | .It Ic attr_addr Ar attribute name ; | | 1379 | .It Ic attr_addr Ar attribute name ; |
1380 | .It Ic attr_mask Ar attribute name ; | | 1380 | .It Ic attr_mask Ar attribute name ; |
1381 | The attributes used to specify a users network address and subnet mask in an | | 1381 | The attributes used to specify a users network address and subnet mask in an |
1382 | ldap directory. | | 1382 | ldap directory. |
1383 | These values are forwarded during mode_cfg negotiation when | | 1383 | These values are forwarded during mode_cfg negotiation when |
1384 | the conf_source is set to ldap. | | 1384 | the conf_source is set to ldap. |
1385 | The default values are | | 1385 | The default values are |
1386 | .Ic racoon-address | | 1386 | .Ic racoon-address |
1387 | and | | 1387 | and |
1388 | .Ic racoon-netmask . | | 1388 | .Ic racoon-netmask . |
1389 | .It Ic attr_group Ar attribute name ; | | 1389 | .It Ic attr_group Ar attribute name ; |
1390 | The attribute used to specify a group name in an ldap directory. | | 1390 | The attribute used to specify a group name in an ldap directory. |
1391 | For example, | | 1391 | For example, |
1392 | if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn". | | 1392 | if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn". |
1393 | The default value is | | 1393 | The default value is |
1394 | .Ic cn . | | 1394 | .Ic cn . |
1395 | .It Ic attr_member Ar attribute name ; | | 1395 | .It Ic attr_member Ar attribute name ; |
1396 | The attribute used to specify group membership in an ldap directory. | | 1396 | The attribute used to specify group membership in an ldap directory. |
1397 | The default value is | | 1397 | The default value is |
1398 | .Ic member . | | 1398 | .Ic member . |
1399 | .El | | 1399 | .El |
1400 | .El | | 1400 | .El |
1401 | .Ss Radius configuration settings | | 1401 | .Ss Radius configuration settings |
1402 | .Bl -tag -width Ds -compact | | 1402 | .Bl -tag -width Ds -compact |
1403 | .It Ic radiuscfg { Ar statements Ic } | | 1403 | .It Ic radiuscfg { Ar statements Ic } |
1404 | Defines the parameters that will be used to communicate with radius | | 1404 | Defines the parameters that will be used to communicate with radius |
1405 | servers for | | 1405 | servers for |
1406 | .Ic xauth | | 1406 | .Ic xauth |
1407 | authentication. | | 1407 | authentication. |
1408 | If radius is selected as the xauth authentication or accounting | | 1408 | If radius is selected as the xauth authentication or accounting |
1409 | source and no servers are defined in this section, settings from | | 1409 | source and no servers are defined in this section, settings from |
1410 | the system | | 1410 | the system |
1411 | .Xr radius.conf 5 | | 1411 | .Xr radius.conf 5 |
1412 | configuration file will be used instead. | | 1412 | configuration file will be used instead. |
1413 | .Pp | | 1413 | .Pp |
1414 | The following are valid statements: | | 1414 | The following are valid statements: |
1415 | .Bl -tag -width Ds -compact | | 1415 | .Bl -tag -width Ds -compact |
1416 | .It Ic auth Ar (hostname | address) [port] sharedsecret ; | | 1416 | .It Ic auth Ar (hostname | address) [port] sharedsecret ; |
1417 | The host name or ip address, optional port value and shared secret value | | 1417 | The host name or ip address, optional port value and shared secret value |
1418 | of a radius authentication server. | | 1418 | of a radius authentication server. |
1419 | Up to 5 radius authentication servers | | 1419 | Up to 5 radius authentication servers |
1420 | may be specified using multiple lines. | | 1420 | may be specified using multiple lines. |
1421 | .It Ic acct Ar (hostname | address) [port] sharedsecret ; | | 1421 | .It Ic acct Ar (hostname | address) [port] sharedsecret ; |
1422 | The host name or ip address, optional port value and shared secret value | | 1422 | The host name or ip address, optional port value and shared secret value |
1423 | of a radius accounting server. | | 1423 | of a radius accounting server. |
1424 | Up to 5 radius accounting servers may be | | 1424 | Up to 5 radius accounting servers may be |
1425 | specified using multiple lines. | | 1425 | specified using multiple lines. |
1426 | .It Ic timeout Ar seconds ; | | 1426 | .It Ic timeout Ar seconds ; |
1427 | The timeout for receiving replies from radius servers. | | 1427 | The timeout for receiving replies from radius servers. |
1428 | The default is | | 1428 | The default is |
1429 | .Ic 3 . | | 1429 | .Ic 3 . |
1430 | .It Ic retries Ar count ; | | 1430 | .It Ic retries Ar count ; |
1431 | The maximum number of repeated requests to make before giving up | | 1431 | The maximum number of repeated requests to make before giving up |
1432 | on a radius server. | | 1432 | on a radius server. |
1433 | The default is | | 1433 | The default is |
1434 | .Ic 3 . | | 1434 | .Ic 3 . |
1435 | .El | | 1435 | .El |
1436 | .El | | 1436 | .El |
1437 | .Ss Special directives | | 1437 | .Ss Special directives |
1438 | .Bl -tag -width Ds -compact | | 1438 | .Bl -tag -width Ds -compact |
1439 | .It Ic complex_bundle (on | off) ; | | 1439 | .It Ic complex_bundle (on | off) ; |
1440 | defines the interpretation of proposal in the case of SA bundle. | | 1440 | defines the interpretation of proposal in the case of SA bundle. |
1441 | Normally | | 1441 | Normally |
1442 | .Dq IP AH ESP IP payload | | 1442 | .Dq IP AH ESP IP payload |
1443 | is proposed as | | 1443 | is proposed as |
1444 | .Dq AH tunnel and ESP tunnel . | | 1444 | .Dq AH tunnel and ESP tunnel . |
1445 | The interpretation is more common to other IKE implementations, however, | | 1445 | The interpretation is more common to other IKE implementations, however, |
1446 | it allows very limited set of combinations for proposals. | | 1446 | it allows very limited set of combinations for proposals. |
1447 | With the option enabled, it will be proposed as | | 1447 | With the option enabled, it will be proposed as |
1448 | .Dq AH transport and ESP tunnel . | | 1448 | .Dq AH transport and ESP tunnel . |
1449 | The default value is | | 1449 | The default value is |
1450 | .Ic off . | | 1450 | .Ic off . |
1451 | .El | | 1451 | .El |
1452 | .\" | | 1452 | .\" |
1453 | .Ss Pre-shared key File | | 1453 | .Ss Pre-shared key File |
1454 | The pre-shared key file defines pairs of identifiers and corresponding | | 1454 | The pre-shared key file defines pairs of identifiers and corresponding |
1455 | shared secret keys which are used in the pre-shared key authentication | | 1455 | shared secret keys which are used in the pre-shared key authentication |
1456 | method in phase 1. | | 1456 | method in phase 1. |
1457 | The pair in each line is separated by some number of blanks and/or tab | | 1457 | The pair in each line is separated by some number of blanks and/or tab |
1458 | characters like in the | | 1458 | characters like in the |
1459 | .Xr hosts 5 | | 1459 | .Xr hosts 5 |
1460 | file. | | 1460 | file. |
1461 | Key can include blanks because everything after the first blanks | | 1461 | Key can include blanks because everything after the first blanks |
1462 | is interpreted as the secret key. | | 1462 | is interpreted as the secret key. |
1463 | Lines starting with | | 1463 | Lines starting with |
1464 | .Ql # | | 1464 | .Ql # |
1465 | are ignored. | | 1465 | are ignored. |
1466 | Keys which start with | | 1466 | Keys which start with |
1467 | .Ql 0x | | 1467 | .Ql 0x |
1468 | are interpreted as hexadecimal strings. | | 1468 | are interpreted as hexadecimal strings. |
1469 | Note that the file must be owned by the user ID running | | 1469 | Note that the file must be owned by the user ID running |
1470 | .Xr racoon 8 | | 1470 | .Xr racoon 8 |
1471 | .Pq usually the privileged user , | | 1471 | .Pq usually the privileged user , |
1472 | and must not be accessible by others. | | 1472 | and must not be accessible by others. |
1473 | .\" | | 1473 | .\" |
1474 | .Sh EXAMPLES | | 1474 | .Sh EXAMPLES |
1475 | The following shows how the remote directive should be configured. | | 1475 | The following shows how the remote directive should be configured. |
1476 | .Bd -literal -offset | | 1476 | .Bd -literal -offset |
1477 | path pre_shared_key "/usr/local/v6/etc/psk.txt" ; | | 1477 | path pre_shared_key "/usr/local/v6/etc/psk.txt" ; |
1478 | remote anonymous | | 1478 | remote anonymous |
1479 | { | | 1479 | { |
1480 | exchange_mode aggressive,main,base; | | 1480 | exchange_mode aggressive,main,base; |
1481 | lifetime time 24 hour; | | 1481 | lifetime time 24 hour; |
1482 | proposal { | | 1482 | proposal { |
1483 | encryption_algorithm 3des; | | 1483 | encryption_algorithm 3des; |
1484 | hash_algorithm sha1; | | 1484 | hash_algorithm sha1; |
1485 | authentication_method pre_shared_key; | | 1485 | authentication_method pre_shared_key; |
1486 | dh_group 2; | | 1486 | dh_group 2; |
1487 | } | | 1487 | } |
1488 | } | | 1488 | } |
1489 | | | 1489 | |
1490 | sainfo anonymous | | 1490 | sainfo anonymous |
1491 | { | | 1491 | { |
1492 | pfs_group 2; | | 1492 | pfs_group 2; |
1493 | lifetime time 12 hour ; | | 1493 | lifetime time 12 hour ; |
1494 | encryption_algorithm 3des, blowfish 448, twofish, rijndael ; | | 1494 | encryption_algorithm 3des, blowfish 448, twofish, rijndael ; |
1495 | authentication_algorithm hmac_sha1, hmac_md5 ; | | 1495 | authentication_algorithm hmac_sha1, hmac_md5 ; |
1496 | compression_algorithm deflate ; | | 1496 | compression_algorithm deflate ; |
1497 | } | | 1497 | } |
1498 | .Ed | | 1498 | .Ed |
1499 | .Pp | | 1499 | .Pp |
1500 | If you are configuring plain RSA authentication, the remote directive | | 1500 | If you are configuring plain RSA authentication, the remote directive |
1501 | should look like the following: | | 1501 | should look like the following: |
1502 | .Bd -literal -offset | | 1502 | .Bd -literal -offset |
1503 | path certificate "/usr/local/v6/etc" ; | | 1503 | path certificate "/usr/local/v6/etc" ; |
1504 | remote anonymous | | 1504 | remote anonymous |
1505 | { | | 1505 | { |
1506 | exchange_mode main,base ; | | 1506 | exchange_mode main,base ; |
1507 | lifetime time 12 hour ; | | 1507 | lifetime time 12 hour ; |
1508 | certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv"; | | 1508 | certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv"; |
1509 | peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub"; | | 1509 | peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub"; |
1510 | proposal { | | 1510 | proposal { |
1511 | encryption_algorithm aes ; | | 1511 | encryption_algorithm aes ; |
1512 | hash_algorithm sha1 ; | | 1512 | hash_algorithm sha1 ; |
1513 | authentication_method rsasig ; | | 1513 | authentication_method rsasig ; |
1514 | dh_group 2 ; | | 1514 | dh_group 2 ; |
1515 | } | | 1515 | } |
1516 | } | | 1516 | } |
1517 | .Ed | | 1517 | .Ed |
1518 | .Pp | | 1518 | .Pp |
1519 | The following is a sample for the pre-shared key file. | | 1519 | The following is a sample for the pre-shared key file. |
1520 | .Bd -literal -offset | | 1520 | .Bd -literal -offset |
1521 | 10.160.94.3 mekmitasdigoat | | 1521 | 10.160.94.3 mekmitasdigoat |
1522 | 172.16.1.133 0x12345678 | | 1522 | 172.16.1.133 0x12345678 |
1523 | 194.100.55.1 whatcertificatereally | | 1523 | 194.100.55.1 whatcertificatereally |
1524 | 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat | | 1524 | 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat |
1525 | 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat | | 1525 | 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat |
1526 | foo@kame.net mekmitasdigoat | | 1526 | foo@kame.net mekmitasdigoat |
1527 | foo.kame.net hoge | | 1527 | foo.kame.net hoge |
1528 | .Ed | | 1528 | .Ed |
1529 | .\" | | 1529 | .\" |
1530 | .Sh SEE ALSO | | 1530 | .Sh SEE ALSO |
1531 | .Xr racoon 8 , | | 1531 | .Xr racoon 8 , |
1532 | .Xr racoonctl 8 , | | 1532 | .Xr racoonctl 8 , |
1533 | .Xr setkey 8 | | 1533 | .Xr setkey 8 |
1534 | .\" | | 1534 | .\" |
1535 | .Sh HISTORY | | 1535 | .Sh HISTORY |
1536 | The | | 1536 | The |
1537 | .Nm | | 1537 | .Nm |
1538 | configuration file first appeared in the | | 1538 | configuration file first appeared in the |
1539 | .Dq YIPS | | 1539 | .Dq YIPS |
1540 | Yokogawa IPsec implementation. | | 1540 | Yokogawa IPsec implementation. |
1541 | .\" | | 1541 | .\" |
1542 | .Sh BUGS | | 1542 | .Sh BUGS |
1543 | Some statements may not be handled by | | 1543 | Some statements may not be handled by |
1544 | .Xr racoon 8 | | 1544 | .Xr racoon 8 |
1545 | yet. | | 1545 | yet. |
1546 | .Pp | | 1546 | .Pp |
1547 | Diffie-Hellman computation can take a very long time, and may cause | | 1547 | Diffie-Hellman computation can take a very long time, and may cause |
1548 | unwanted timeouts, specifically when a large D-H group is used. | | 1548 | unwanted timeouts, specifically when a large D-H group is used. |
1549 | .\" | | 1549 | .\" |
1550 | .Sh SECURITY CONSIDERATIONS | | 1550 | .Sh SECURITY CONSIDERATIONS |
1551 | The use of IKE phase 1 aggressive mode is not recommended, | | 1551 | The use of IKE phase 1 aggressive mode is not recommended, |
1552 | as described in | | 1552 | as described in |
1553 | .Li http://www.kb.cert.org/vuls/id/886601 . | | 1553 | .Li http://www.kb.cert.org/vuls/id/886601 . |
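Review bot: the first EXAMPLES block still shows `exchange_mode aggressive,main,base;` under `remote anonymous`, while the SECURITY CONSIDERATIONS section at the end of this same page says phase 1 aggressive mode is not recommended; since the page is being touched anyway, drop `aggressive` from that sample so it reads `exchange_mode main,base;` like the plain-RSA example that follows, or put a one-line cross-reference to SECURITY CONSIDERATIONS next to it. Two smaller things in the same hunk: in the `wins4` entry the lines `.It nbns4` and `.It wins4 .` sit inside the description text, so mdoc opens two new list items instead of marking keywords; they should be `.Ic nbns4` and `.Ic wins4 .` like the other keyword references in that list. And two typos: "which disable accounting" should be "which disables accounting", and "was build with libpam support" should be "was built with libpam support". One documentation gap worth a sentence: `bind_pw` in `ldapcfg` and the `sharedsecret` arguments of `auth` and `acct` in `radiuscfg` place long-lived secrets in racoon.conf itself, but the only ownership and permission guidance on the page is the one attached to the pre-shared key file ("must be owned by the user ID running racoon ... and must not be accessible by others"); the same requirement should be stated for racoon.conf when those statements are used, or the `ldapcfg`/`radiuscfg` descriptions should point at that paragraph. Minor style point: the three `.Bd -literal -offset` lines give `-offset` no width argument; either supply one (for example `-offset indent`) or drop the flag.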