| RACOON.CONF(5) | File Formats Manual | RACOON.CONF(5) | 
racoon.conf —
racoon.conf is the configuration file for the
  racoon(8) ISAKMP daemon.
  racoon(8) negotiates security
  associations for itself (ISAKMP SA, or phase 1 SA) and for kernel IPsec (IPsec
  SA, or phase 2 SA). The file consists of a sequence of directives and
  statements. Each directive is composed by a tag and statements, enclosed by
  ‘{’ and
  ‘}’. Lines beginning with
  ‘#’ are comments.
this font. Parameters are specified with
  this font. Square brackets
  (‘[’ and
  ‘]’) are used to show optional keywords
  and parameters. Note that you have to pay attention when this manual is
  describing port numbers. The port
  number is always enclosed by ‘[’ and
  ‘]’. In this case, the port number is
  not an optional keyword. If it is possible to omit the
  port number, the expression becomes
  [[port]]. The vertical bar
  (‘|’) is used to indicate a choice
  between optional parameters. Parentheses
  (‘(’ and
  ‘)’) are used to group keywords and
  parameters when necessary. Major parameters are listed below.
0x"’ (double quotes).[’ and
      ‘]’.sec,
      secs, second,
      seconds, min,
      mins, minute,
      minutes, hour,
      hours.privsep
    { statements }user
        user;group
        group;chroot
        path;The PSK file, the private keys, and the hook scripts are accessed through the privileged instance of racoon(8) and do not need to be reachable in the chroot(2)'ed tree.
certificate and
  script paths are mandatory. A
  racoon(8) restart is required if
  you want path changes to be taken into account.
path
    include path;path
    pre_shared_key file;path
    certificate path;path
    backupsa file;-B flag. The file is growing because
      racoon(8) simply adds SAs to
      it. You should maintain the file manually.path
    script path;path
    pidfile file;include
    filetimer
    { statements }counter
        number;interval
        number timeunit;persend
        number;phase1
        number timeunit;phase2
        number timeunit;natt_keepalive
        number timeunit;listen
    { statements }isakmp
        address [[port]];isakmp_natt
        address [port];isakmp but also sets the socket
          options to accept UDP-encapsulated ESP traffic for NAT-Traversal. If
          you plan to use NAT-T, you should provide at least one address with
          port 4500, which is specified by IANA. There is no default.strict_address;The listen section can also be used to specify the admin socket mode and ownership if racoon was built with support for admin port.
adminsock
        path
        [owner group mode];adminsock
        disabled;gss_id_enc
    enctype;gss_id_enc parameter allows
      racoon(8) to be configured
      to use the old encoding for compatibility with existing
      racoon(8) installations. The
      following are valid values for enctype:
    
    
  pfkey_buffer
    kBytesThe default value of 0 leaves everything at the OS-specific default value. If the default buffer size is greater than what is specified here racoon will not decrease it.
This problem is known to be fixed in Linux 2.6.25 and later.
remote
    name [inherit
    parent_name] {
    statements }remote
    name inherit
    parent_name;If connection is initiated using racoonctl, a unique match using the remote IP must be found or the remote block name has to be given. For received acquires (kernel notices traffic requiring a new SA) the remote IP and remoteid from matching sainfo block are used to decide the remoteblock. If no uniquely matching remoteblock is found using these criteria, no connection attempt is done.
When acting as responder, racoon picks the first proposal that has one or more acceptable remote configurations. When determining if a remote specification is matching the following information is checked:
remote_address.exchange_mode.proposal
          block.peers_identifier if
          verify_identifier is on.certificate_type x509 certificate. If
          certificate request without issuer name was sent, the
          match_empty_cr parameter specifies whether or
          not remote block matches.Similarly, NAT-T is enabled if any of the initial remote configuration candidates allow NAT-T.
Sections with inherit
        parent statements (where
        parent is either address or
        a keyword anonymous) that have all values
        predefined to those of a given parent. In these
        sections it is enough to redefine only the changed parameters.
The following are valid statements.
remote_address
        address;exchange_mode
        (main |
        aggressive
        |
        base);doi
        ipsec_doi;situation
        identity_only;my_identifier
        [qualifier] idtype ...;address, fqdn,
          user_fqdn, keyid, and
          asn1dn can be used as an
          idtype. The qualifier is
          currently only used for keyid, and can be
          either file or tag.
          The possible values are :
        my_identifier
            address
            [address];my_identifier
            user_fqdn string;my_identifier
            fqdn string;my_identifier
            keyid [file]
            file;my_identifier
            keyid tag
            string;my_identifier
            asn1dn [string];xauth_login
        [string];string
          as the key id.peers_identifier
        idtype ...;verify_identifier. The usage of
          idtype is the same as
          my_identifier except that the individual
          component values of an asn1dn identifier may
          specified as * to match any value (e.g.
          "C=XX, O=MyOrg, OU=*, CN=Mine"). The format of the
          specification should correspond to RFC 2253; in particular, commas and
          certain other characters - ,=+<>#; - may
          be included in a name by preceeding them with a backslash
          "\", and arbitrary characters may be inserted in a name with
          the "\nn" escape, where nn is the hex representation of the
          ascii value of the desired character. Alternative acceptable peer
          identifiers may be specified by repeating the
          peers_identifier statement.verify_identifier
        (on |
        off);peers_identifier
          is not the same as the peer's identifier in the ID payload, the
          negotiation will fail. The default is off.certificate_type
        certspec;x509
            certfile
            privkeyfile;plain_rsa
            privkeyfile;ca_type
        cacertspec;x509
            cacertfile;mode_cfg
        (on |
        off);weak_phase1_check
        (on |
        off);peers_certfile
        (dnssec | certfile |
        plain_rsa
        pubkeyfile);dnssec is defined,
          racoon(8) will ignore
          the CERT payload from the peer, and try to get the peer's certificate
          from DNS instead. If certfile is defined,
          racoon(8) will ignore
          the CERT payload from the peer, and will use this certificate as the
          peer's certificate. If plain_rsa is defined,
          racoon(8) will expect
          pubkeyfile to be the peer's public key that was
          generated by
          plainrsa-gen(8).script
        script phase1_upscript
        script phase1_downscript
        script phase1_deadphase1_up ,
          phase1_down or
          phase1_dead as first argument, and the
          following variables are set in their environment:
        LOCAL_ADDRLOCAL_PORTREMOTE_ADDRREMOTE_PORTREMOTE_IDmode_cfg
          was enabled:
        send_cert
        (on |
        off);send_cr
        (on |
        off);match_empty_cr
        (on |
        off);verify_cert
        (on |
        off);my_identifier statement) is compared with
          the credentials in the certificate used to authenticate the remote
          host as follows:
        asn1dn:address, fqdn, or user_fqdn:lifetime
        time number
        timeunit;ike_frag
        (on |
        off
        |
        force);esp_frag
        fraglen;Note that because PMTU discovery is broken on many sites, you will have to use MSS clamping if you want TCP to work correctly.
initial_contact
        (on |
        off);on. This message is useful only when the
          responder implementation chooses an old SA when there are multiple SAs
          with different established time and the initiator reboots. If racoon
          did not send the message, the responder would use an old SA even when
          a new SA was established. For systems that use a KAME derived IPSEC
          stack, the sysctl(8)
          variable net.key.preferred_oldsa can be used to control this
          preference. When the value is zero, the stack always uses a new
        SA.passive
        (on |
        off);off. It is useful for a
          server.proposal_check
        level;strict.
          If the level is:
        obeystrictclaimstrict.exactsupport_proxy
        (on |
        off);generate_policy
        (on |
        off
        |
        require
        |
        unique);passive to on in order that
          racoon(8) only becomes a
          responder. If the responder does not have any policy in SPD during
          phase 2 negotiation, and the directive is set to on, then
          racoon(8) will choose
          the first proposal in the SA payload from the initiator, and generate
          policy entries from the proposal. It is useful to negotiate with
          clients whose IP address is allocated dynamically. Note that an
          inappropriate policy might be installed into the responder's SPD by
          the initiator, so other communications might fail if such policies are
          installed due to a policy mismatch between the initiator and the
          responder. on and
          require values mean the same thing (generate a
          require policy). unique tells racoon to set up
          unique policies, with a monotoning increasing reqid number (between 1
          and IPSEC_MANUAL_REQID_MAX). This directive is ignored in the
          initiator case. The default value is off.nat_traversal
        (on |
        off
        |
        force);dpd_delay
        delay;0, which disables DPD monitoring, but still
          negotiates DPD support.dpd_retry
        delay;dpd_delay is set, this sets the delay (in
          seconds) to wait for a proof of liveliness before considering it as
          failed and send another request. The default value is
          5.dpd_maxfail
        number;dpd_delay is set, this sets the maximum
          number of liveliness proofs to request (without reply) before
          considering the peer is dead. The default value is
          5.rekey
        (on |
        off
        |
        force);nonce_size
        number;ph1id
        number;proposal
        { sub-substatements
        }encryption_algorithm
            algorithm;des, 3des, blowfish, cast128, aes,
              camellia for Oakley. For other transforms, this statement
              should not be used.hash_algorithm
            algorithm;md5, sha1, sha256, sha384,
              sha512 for Oakley.authentication_method
            type;pre_shared_key,
              rsasig (for plain RSA authentication),
              gssapi_krb,
              hybrid_rsa_server,
              hybrid_rsa_client,
              xauth_rsa_server,
              xauth_rsa_client,
              xauth_psk_server or
              xauth_psk_client.dh_group
            group;modp768,
              modp1024,
              modp1536,
              modp2048,
              modp3072,
              modp4096,
              modp6144,
              modp8192. Or you can define 1, 2, 5, 14,
              15, 16, 17, or 18 as the DH group number. When you want to use
              aggressive mode, you must define the same DH group in each
              proposal.lifetime
            time number
            timeunit;lifetime directive
              defined in the remote directive.gss_id
            string;gssapi_krb
              authentication method is used. If this is not defined, the default
              value of ‘host/hostname’ is
              used, where hostname is the value returned by the
              hostname(1)
              command.remote
    (address | anonymous)
    [[port]] [inherit
    parent] {
    statements }This is equivalent to:
remote "address" [inherit "parent-address"] {
	remote_address address;
}
    
    sainfo
    (local_id | anonymous)
    (remote_id | clientaddr |
    anonymous) [from
    idtype [string]]
    [group string]
    { statements
    }The local_id and remote_id strings are constructed like:
address address
        [/ prefix]
        [[port]] ul_proto
or
subnet address
        [/ prefix]
        [[port]] ul_proto
An id string should be expressed to match the exact value of an ID payload. This is not like a filter rule. For example, if you define 3ffe:501:4819::/48 as local_id. 3ffe:501:4819:1000:/64 will not match. In the case of a longest prefix (selecting a single host), address instructs to send ID type of ADDRESS while subnet instructs to send ID type of SUBNET. Otherwise, these instructions are identical.
The anonymous keyword can be used to
        match any id. The clientaddr keyword can be used
        to match a remote id that is equal to either the peer ip address or the
        mode_cfg ip address (if assigned). This can be useful to restrict policy
        generation when racoon is acting as a client gateway for peers with
        dynamic ip addresses.
The from keyword allows an sainfo to
        only match for peers that use a specific phase1 id value during
        authentication. The group keyword allows an
        XAuth group membership check to be performed for this sainfo section.
        When the mode_cfg auth source is set to system
        or ldap, the XAuth user is verified to be a
        member of the specified group before allowing a matching SA to be
        negotiated.
pfs_group
        group;modp768,
          modp1024, modp1536,
          modp2048, modp3072,
          modp4096, modp6144,
          modp8192. Or you can define 1, 2, 5, 14, 15,
          16, 17, or 18 as the DH group number.lifetime
        time number
        timeunit;proposal_check directive.remoteid
        number;racoon(8) does
        not have a list of security protocols to be negotiated. The list of
        security protocols are passed by SPD in the kernel. Therefore you have
        to define all of the potential algorithms in the phase 2 proposals even
        if there are algorithms which will not be used. These algorithms are
        define by using the following three directives, with a single comma as
        the separator. For algorithms that can take variable-length keys,
        algorithm names can be followed by a key length, like
        “blowfish 448”.
        racoon(8) will compute the
        actual phase 2 proposals by computing the permutation of the specified
        algorithms, and then combining them with the security protocol specified
        by the SPD. For example, if des,
        3des, hmac_md5, and
        hmac_sha1 are specified as algorithms, we have
        four combinations for use with ESP, and two for AH. Then, based on the
        SPD settings, racoon(8)
        will construct the actual proposals. If the SPD entry asks for ESP only,
        there will be 4 proposals. If it asks for both AH and ESP, there will be
        8 proposals. Note that the kernel may not support the algorithm you have
        specified.
encryption_algorithm
        algorithms;des,
          3des, des_iv64,
          des_iv32, rc5,
          rc4, idea,
          3idea, cast128,
          blowfish, null_enc,
          twofish, rijndael,
          aes, camellia,
          aes_gcm_16 (used with ESP)authentication_algorithm
        algorithms;hmac_md5,
          hmac_sha1, hmac_sha256,
          hmac_sha384, hmac_sha512, non_auth (used with ESP
          authentication and AH)compression_algorithm
        algorithms;deflate
          (used with IPComp)log
    level;error, warning,
      notify, info,
      debug or debug2. The
      default is info. If you set the logging level too
      high on slower machines, IKE negotiation can fail due to timing constraint
      changes.padding
    { statements }randomize
        (on |
        off);randomize_length
        (on |
        off);maximum_length
        number;randomize_length is off, this is ignored. The
          default is 20 bytes.exclusive_tail
        (on |
        off);strict_check
        (on |
        off);mode_cfg
    { statements }The following are valid statements:
auth_source
        (system |
        radius
        |
        pam
        |
        ldap);radiuscfg section.
          pam means to use PAM. It works only if
          racoon(8) was built with
          libpam support. ldap means to use LDAP. It works
          only if racoon(8) was
          built with libldap support. LDAP configuration is handled by
          statements in the ldapcfg section.auth_groups
        group1, ...;group_source
        (system |
        ldap);ldapcfg section.conf_source
        (local |
        radius
        |
        ldap);network4 and
          pool_size statements. This is the default.
          radius means to use a RADIUS server. It works
          only if racoon(8) was
          built with libradius support and requires RADIUS authentication.
          RADIUS configuration is handled by statements in the
          radiuscfg section. ldap
          means to use an LDAP server. It works only if
          racoon(8) was built with
          libldap support and requires LDAP authentication. LDAP configuration
          is handled by statements in the ldapcfg
          section.accounting
        (none |
        system
        |
        radius
        |
        pam);radiuscfg section. Specifying
          pam enables PAM accounting. It works only if
          racoon(8) was build with
          libpam support and requires PAM authentication.pool_size
        sizeconf_source selects the local
          pool or the RADIUS configuration, but in both configurations, you
          cannot have more than size users connected at
          the same time. The default is 255.network4
        address;netmask4
        address;conf_source is set to
          local or if the RADIUS server returned
          255.255.255.254. Default is
          0.0.0.0/0.0.0.0.dns4
        addresses;dns4 lines.wins4
        addresses;split_network
        (include |
        local_lan)
        network/mask, ...include is specified, the
          tunnel should be only used to encrypt the indicated destinations ;
          otherwise, if local_lan is used, everything
          will pass through the tunnel but those destinations.default_domain
        domain;split_dns
        domain, ...banner
        path;auth_throttle
        delay;pfs_group
        group;save_passwd
        (on |
        off);ldapcfg
    { statements }xauth authentication.
    The following are valid statements:
version
        (2 |
        3);3.host
        (hostname | address);localhost.port
        number;389.tls
        (on |
        off);off.base
        distinguished name;subtree
        (on |
        off);off.bind_dn
        distinguished name;bind_pw
        string;bind_dn.attr_user
        attribute name;cn.attr_addr
        attribute name;attr_mask
        attribute name;racoon-address and
          racoon-netmask.attr_group
        attribute name;cn.attr_member
        attribute name;member.radiuscfg
    { statements }xauth authentication. If radius is
      selected as the xauth authentication or accounting source and no servers
      are defined in this section, settings from the system
      radius.conf(5)
      configuration file will be used instead.
    The following are valid statements:
auth
        (hostname | address) [port]
        sharedsecret;acct
        (hostname | address) [port]
        sharedsecret;timeout
        seconds;3.retries
        count;3.complex_bundle
    (on |
    off);off.#’ are
  ignored. Keys which start with ‘0x’ are
  interpreted as hexadecimal strings. Note that the file must be owned by the
  user ID running racoon(8)
  (usually the privileged user), and must not be accessible by others.
If configured with ENABLE_WILDCARD_MATCH,
    this implementation allows a wildcard key “*”. This is allowed
    for the special case of a single user connecting to a gateway using an
    iPhone. On an iPhone, L2TP over IPSEC only supports main mode with
    pre-shared keys (no certificates). Unfortunately racoon only supports
    pre-shared-key lookup by address when identity protection is used, and since
    the iPhone does not have a specific IP address, we don't know what key to
    put in the pre-shared key file.
Sharing the connection with more than one user is strongly discouraged because any user can pretend to be the server since they know the pre-shared key. This means that any user can steal the traffic of any other user, by spoofing DNS which is not trivial but easy. Even worse, the malicious user will be able to then steal any other authentication data (CHAP/XAUTH etc.) that another user will supply to the compromised server, because it assumes that phase 1 is secured by the pre-shared key.
In summary, never use wildcard keys if your gateway is hosting more than one user.
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
remote anonymous
{
	exchange_mode aggressive,main,base;
	lifetime time 24 hour;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
If you are configuring plain RSA authentication, the remote directive should look like the following:
path certificate "/usr/local/v6/etc" ;
remote anonymous
{
        exchange_mode main,base ;
        lifetime time 12 hour ;
        certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
        peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
        proposal {
                        encryption_algorithm aes ;
                        hash_algorithm sha1 ;
                        authentication_method rsasig ;
                        dh_group 2 ;
        }
}
The following is a sample for the pre-shared key file.
10.160.94.3 mekmitasdigoat 172.16.1.133 0x12345678 194.100.55.1 whatcertificatereally 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat foo@kame.net mekmitasdigoat foo.kame.net hoge
racoon.conf configuration file first appeared in the
  “YIPS” Yokogawa IPsec implementation.
Diffie-Hellman computation can take a very long time, and may cause unwanted timeouts, specifically when a large D-H group is used.
http://www.kb.cert.org/vuls/id/886601.
| October 13, 2018 | NetBSD 9.4 |