1.\"	$NetBSD: racoon.conf.5,v 1.34.4.3 2007/09/03 18:07:29 mgrooms Exp $
2.\"
3.\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
4.\"
5.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\" 3. Neither the name of the project nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.Dd September 19, 2006
33.Dt RACOON.CONF 5
34.Os
35.\"
36.Sh NAME
37.Nm racoon.conf
38.Nd configuration file for racoon
39.\"
40.\" .Sh SYNOPSIS
41.\"
42.Sh DESCRIPTION
43.Nm
44is the configuration file for the
45.Xr racoon 8
46ISAKMP daemon.
47.Xr racoon 8
48negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
49and for kernel IPsec (IPsec SA, or phase 2 SA).
50The file consists of a sequence of directives and statements.
51Each directive is composed by a tag and statements, enclosed by
52.Ql {
53and
54.Ql } .
55Lines beginning with
56.Ql #
57are comments.
58.\"
59.Ss Meta Syntax
60Keywords and special characters that the parser expects exactly are
61displayed using
62.Ic this
63font.
64Parameters are specified with
65.Ar this
66font.
67Square brackets
68.Po
69.Ql \&[
70and
71.Ql \&]
72.Pc
73are used to show optional keywords and parameters.
74Note that
75you have to pay attention when this manual is describing
76.Ar port
77numbers.
78The
79.Ar port
80number is always enclosed by
81.Ql \&[
82and
83.Ql \&] .
84In this case, the port number is not an optional keyword.
85If it is possible to omit the
86.Ar port
87number,
88the expression becomes
89.Bq Bq Ar port .
90The vertical bar
91.Pq Ql \&|
92is used to indicate
93a choice between optional parameters.
94Parentheses
95.Po
96.Ql \&(
97and
98.Ql \&)
99.Pc
100are used to group keywords and parameters when necessary.
101Major parameters are listed below.
102.Pp
103.Bl -tag -width addressx -compact
104.It Ar number
105means a hexadecimal or a decimal number.
106The former must be prefixed with
107.Ql Li 0x .
108.It Ar string
109.It Ar path
110.It Ar file
111means any string enclosed in
112.Ql \&"
113.Pq double quotes .
114.It Ar address
115means IPv6 and/or IPv4 address.
116.It Ar port
117means a TCP/UDP port number.
118The port number is always enclosed by
119.Ql \&[
120and
121.Ql \&] .
122.It Ar timeunit
123is one of following:
124.Ic sec , secs , second , seconds ,
125.Ic min , mins , minute , minutes ,
126.Ic hour , hours .
127.El
128.\"
129.Ss Privilege separation
130.Bl -tag -width Ds -compact
131.It Ic privsep { Ar statements Ic }
132Specifies privilege separation parameters.
133When enabled, these enable
134.Xr racoon 8
135to operate with an unprivileged instance doing most of the work, while
136a privileged instance takes care of performing the following operations
137as root: reading PSK and private keys, launching hook scripts, and
138validating passwords against system databases or against PAM.
139Please note that using privilege separation makes changes to the
140.Ar listen
141and
142.Ar paths
143sections ignored upon configuration reloads.
144A
145.Xr racoon 8
146restart is required if you want such changes to be taken into account.
147.Pp
148.Bl -tag -width Ds -compact
149.It Ic user Ar user ;
150The user to which the unprivileged instance of
151.Xr racoon 8 ,
152should switch.
153This can be a quoted user name or a numeric UID.
154.It Ic group Ar group ;
155The group the unprivilegied instance of
156.Xr racoon 8 ,
157should switch.
158This can be a quoted group name or a numeric GID.
159.It Ic chroot Ar path ;
160A directory to which the unprivileged instance of
161.Xr racoon 8
162should
163.Xr chroot 2 .
164This directory should hold a tree where the following files must be
165reachable:
166.Bl -tag -width Ds -compact
167.It Pa /dev/random
168.It Pa /dev/urandom
169.It The certificates
170.It The file containing the Xauth banner
171.El
172.Pp
173The PSK file, the private keys, and the hook scripts are accessed through the
174privileged instance of
175.Xr racoon 8
176and do not need to be reachable in the
177.Xr chroot 2 Ap ed
178tree.
179.El
180.El
181.Ss Path Specification
182This section specifies various paths used by racoon.
183When running in privilege separation mode,
184.Ic certificate
185and
186.Ic script
187paths are mandatory. A
188.Xr racoon 8
189restart is required if you want path changes to be taken into account.
190.Bl -tag -width Ds -compact
191.It Ic path include Ar path ;
192Specifies a path to include a file.
193See
194.Sx File Inclusion .
195.It Ic path pre_shared_key Ar file ;
196Specifies a file containing pre-shared key(s) for various ID(s).
197See
198.Sx Pre-shared key File .
199.It Ic path certificate Ar path ;
200.Xr racoon 8
201will search this directory if a certificate or certificate request is received.
202If you run with privilege separation,
203.Xr racoon 8
204will refuse to use a certificate stored outside of this directory.
205.It Ic path backupsa Ar file ;
206Specifies a file to which SA information negotiated by
207racoon should be stored.
208.Xr racoon 8
209will install SA(s) from the file when started with the
210.Fl B
211flag.
212The file is growing because
213.Xr racoon 8
214simply adds SAs to it.
215You should maintain the file manually.
216.It Ic path script Ar path ;
217.Xr racoon 8
218will search this directory for scripts hooks.
219If you run with privilege separation,
220.Xr racoon 8
221will refuse to execute a script stored outside of this directory.
222.It Ic path pidfile Ar file ;
223Specifies file where to store PID of process.
224If path starts with
225.Pa /
226it is treated as an absolute path. Otherwise, it is treated as a relative
227path to the VARRUN directory specified at compilation time.
228Default is
229.Pa racoon.pid .
230.El
231.\"
232.Ss File Inclusion
233.Bl -tag -width Ds -compact
234.It Ic include Ar file
235Specifies other configuration files to be included.
236.El
237.\"
238.Ss Identifier Specification
239is obsolete.
240It must be defined at each
241.Ic remote
242directive.
243.\"
244.Ss Timer Specification
245.Bl -tag -width Ds -compact
246.It Ic timer { Ar statements Ic }
247This section specifies various timer values used by racoon.
248.Pp
249.Bl -tag -width Ds -compact
250.It Ic counter Ar number ;
251The maximum number of retries to send.
252The default is 5.
253.It Ic interval Ar number Ar timeunit ;
254The interval to resend, in seconds.
255The default time is 10 seconds.
256.It Ic persend Ar number ;
257The number of packets per send.
258The default is 1.
259.It Ic phase1 Ar number Ar timeunit ;
260The maximum time it should take to complete phase 1.
261The default time is 15 seconds.
262.It Ic phase2 Ar number Ar timeunit ;
263The maximum time it should take to complete phase 2.
264The default time is 10 seconds.
265.It Ic natt_keepalive Ar number Ar timeunit ;
266The interval between sending NAT-Traversal keep-alive packets.
267The default time is 20 seconds.
268Set to 0s to disable keep-alive packets.
269.El
270.El
271.\"
272.Ss Listening Port Specification
273.Bl -tag -width Ds -compact
274.It Ic listen { Ar statements Ic }
275If no
276.Ar listen
277directive is specified,
278.Xr racoon 8
279will listen on all available interface addresses.
280The following is the list of valid statements:
281.Pp
282.Bl -tag -width Ds -compact
283.\" How do I express bold brackets; `[' and `]' .
284.\" Answer: For bold brackets, do "Ic \&[ foo \&]".
285.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
286.It Ic isakmp Ar address Bq Bq Ar port ;
287If this is specified,
288.Xr racoon 8
289will only listen on the defined
290.Ar address .
291The default port is 500, which is specified by IANA.
292You can provide more than one address definition.
293.It Ic isakmp_natt Ar address Bq Ar port ;
294Same as
295.Ic isakmp
296but also sets the socket options to accept UDP-encapsulated ESP traffic for
297NAT-Traversal.
298If you plan to use NAT-T, you should provide at least one address
299with port 4500, which is specified by IANA.
300There is no default.
301.It Ic strict_address ;
302Requires that all addresses for ISAKMP be bound.
303This statement will be ignored if you do not specify address definitions.
304.El
305When running in privilege separation mode, you need to restart
306.Xr racoon 8
307to have changes to the
308.Ar listen
309section taken into account.
310.Pp
311The
312.Ar listen
313section can also be used to specify the admin socket mode and ownership
314if racoon was built with support for admin port.
315.Bl -tag -width Ds -compact
316.It Ic adminsock Ar path Op Ar owner\ group\ mode ;
317The
318.Ar path ,
319.Ar owner ,
320and
321.Ar group
322values specify the socket path, owner, and group. They must be quoted.
323The defaults are
324.Pa /var/racoon/racoon.sock ,
325UID 0, and GID 0.
326.Ar mode
327is the access mode in octal. The default is 0600.
328.It Ic adminsock disabled ;
329This directive tells racoon to not listen on the admin socket.
330.El
331.El
332.\"
333.Ss Miscellaneous Global Parameters
334.Bl -tag -width Ds -compact
335.It Ic gss_id_enc Ar enctype ;
336Older versions of
337.Xr racoon 8
338used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
339For interoperability with Microsoft Windows' GSS-API authentication
340scheme, the default encoding has been changed to UTF-16LE.
341The
342.Ic gss_id_enc
343parameter allows
344.Xr racoon 8
345to be configured to use the old encoding for compatibility with existing
346.Xr racoon 8
347installations.
348The following are valid values for
349.Ar enctype :
350.Pp
351.Bl -tag -width Ds -compact
352.It Ic utf-16le
353Use UTF-16LE to encode the GSS-API identifier attribute.
354This is the default encoding.
355This encoding is compatible with Microsoft Windows.
356.It Ic latin1
357Use ISO-Latin-1 to encode the GSS-API identifier attribute.
358This is the encoding used by older versions of
359.Xr racoon 8 .
360.El
361.El
362.\"
363.Ss Remote Nodes Specifications
364.Bl -tag -width Ds -compact
365.It Xo
366.Ic remote ( Ar address | Ic anonymous )
367.Bq Bq Ar port
368.Bq Ic inherit Ar parent
369.Ic { Ar statements Ic }
370.Xc
371Specifies the IKE phase 1 parameters for each remote node.
372The default port is 500.
373If
374.Ic anonymous
375is specified, the statements will apply to any peer that does not match a
376more specific
377.Ic remote
378directive.
379.Pp
380Sections with
381.Ic inherit Ar parent
382statements (where
383.Ar parent
384is either
385.Ar address
386or a keyword
387.Ic anonymous )
388that have all values predefined to those of a given
389.Ar parent .
390In these sections it is enough to redefine only the changed parameters.
391.Pp
392The following are valid statements.
393.Pp
394.Bl -tag -width Ds -compact
395.\"
396.It Ic exchange_mode ( main | aggressive | base ) ;
397Defines the exchange mode for phase 1 when racoon is the initiator.
398It also means the acceptable exchange mode when racoon is the responder.
399More than one mode can be specified by separating them with a comma.
400All of the modes are acceptable.
401The first exchange mode is what racoon uses when it is the initiator.
402.\"
403.It Ic doi Ic ipsec_doi ;
404Means to use IPsec DOI as specified in RFC 2407.
405You can omit this statement.
406.\"
407.It Ic situation Ic identity_only ;
408Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
409You can omit this statement.
410.\"
411.It Ic identifier Ar idtype ;
412This statment is obsolete. Instead, use
413.Ic my_identifier .
414.\"
415.It Xo
416.Ic my_identifier Bq Ar qualifier
417.Ar idtype ... ;
418.Xc
419Specifies the identifier sent to the remote host
420and the type to use in the phase 1 negotiation.
421.Ic address, fqdn , user_fqdn , keyid ,
422and
423.Ic asn1dn
424can be used as an
425.Ar idtype .
426The
427.Ar qualifier
428is currently only used for
429.Ic keyid ,
430and can be either
431.Ic file
432or
433.Ic tag .
434The possible values are :
435.Bl -tag -width Ds -compact
436.It Ic my_identifier Ic address Bq Ar address ;
437The type is the IP address.
438This is the default type if you do not specify an identifier to use.
439.It Ic my_identifier Ic user_fqdn Ar string ;
440The type is a USER_FQDN (user fully-qualified domain name).
441.It Ic my_identifier Ic fqdn Ar string ;
442The type is a FQDN (fully-qualified domain name).
443.It Xo
444.Ic my_identifier Ic keyid Bq Ic file
445.Ar file ;
446.Xc
447The type is a KEY_ID, read from the file.
448.It Ic my_identifier Ic keyid Ic tag Ar string ;
449The type is a KEY_ID, specified in the quoted string.
450.It Ic my_identifier Ic asn1dn Bq Ar string ;
451The type is an ASN.1 distinguished name.
452If
453.Ar string
454is omitted,
455.Xr racoon 8
456will get the DN from the Subject field in the certificate.
457.El
458.\"
459.It Ic xauth_login Bq Ar string ;
460Specifies the login to use in client-side Hybrid authentication.
461It is available only if
462.Xr racoon 8
463has been built with this option.
464The associated password is looked up in the pre-shared key files,
465using the login
466.Ic string
467as the key id.
468.\"
469.It Ic peers_identifier Ar idtype ... ;
470Specifies the peer's identifier to be received.
471If it is not defined then
472.Xr racoon 8
473will not verify the peer's identifier in ID payload transmitted from the peer.
474If it is defined, the behavior of the verification depends on the flag of
475.Ic verify_identifier .
476The usage of
477.Ar idtype
478is the same as
479.Ic my_identifier
480except that the individual component values of an
481.Ic asn1dn
482identifier may specified as
483.Ic *
484to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
485Alternative acceptable peer identifiers may be specified by repeating the
486.Ic peers_identifier
487statement.
488.\"
489.It Ic verify_identifier (on | off) ;
490If you want to verify the peer's identifier,
491set this to on.
492In this case, if the value defined by
493.Ic peers_identifier
494is not the same as the peer's identifier in the ID payload,
495the negotiation will fail.
496The default is off.
497.\"
498.It Ic certificate_type Ar certspec ;
499Specifies a certificate specification.
500.Ar certspec
501is one of followings:
502.Bl -tag -width Ds -compact
503.It Ic x509 Ar certfile Ar privkeyfile ;
504.Ar certfile
505means a file name of a certificate.
506.Ar privkeyfile
507means a file name of a secret key.
508.El
509.Bl -tag -width Ds -compact
510.It Ic plain_rsa Ar privkeyfile ;
511.Ar privkeyfile
512means a file name of a private key generated by plainrsa-gen(8).  Required
513for RSA authentication.
514.El
515.It Ic ca_type Ar cacertspec ;
516Specifies a root certificate authority specification.
517.Ar cacertspec
518is one of followings:
519.Bl -tag -width Ds -compact
520.It Ic x509 Ar cacertfile ;
521.Ar cacertfile
522means a file name of the root certificate authority.
523Default is
524.Pa /etc/openssl/cert.pem
525.El
526.\"
527.It Ic mode_cfg (on | off) ;
528Gather network information through ISAKMP mode configuration.
529Default is off.
530.\"
531.It Ic weak_phase1_check (on | off) ;
532Tells racoon to act on unencrypted deletion messages during phase 1.
533This is a small security risk, so the default is off, meaning that
534racoon will keep on trying to establish a connection even if the
535user credentials are wrong, for instance.
536.\"
537.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
538If
539.Ic dnssec
540is defined,
541.Xr racoon 8
542will ignore the CERT payload from the peer,
543and try to get the peer's certificate from DNS instead.
544If
545.Ar certfile
546is defined,
547.Xr racoon 8
548will ignore the CERT payload from the peer,
549and will use this certificate as the peer's certificate.
550If
551.Ic plain_rsa
552is defined,
553.Xr racoon 8
554will expect
555.Ar pubkeyfile
556to be the peer's public key that was generated
557by plainrsa-gen(8).
558.\"
559.It Ic script Ar script Ic phase1_up
560.It Ic script Ar script Ic phase1_down
561Shell scripts that get executed when a phase 1 SA goes up or down.
562Both scripts get either
563.Ic phase1_up
564or
565.Ic phase1_down
566as first argument, and the following
567variables are set in their environment:
568.Bl -tag -width Ds -compact
569.It Ev LOCAL_ADDR
570The local address of the phase 1 SA.
571.It Ev LOCAL_PORT
572The local port used for IKE for the phase 1 SA.
573.It Ev REMOTE_ADDR
574The remote address of the phase 1 SA.
575.It Ev REMOTE_PORT
576The remote port used for IKE for the phase 1 SA.
577.El
578The following variables are only set if
579.Ic mode_cfg
580was enabled:
581.Bl -tag -width Ds -compact
582.It INTERNAL_ADDR4
583An IPv4 internal address obtained by ISAKMP mode config.
584.It INTERNAL_NETMASK4
585An IPv4 internal netmask obtained by ISAKMP mode config.
586.It INTERNAL_CIDR4
587An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation.
588.It INTERNAL_DNS4
589The first internal DNS server IPv4 address obtained by ISAKMP mode config.
590.It INTERNAL_DNS4_LIST
591A list of internal DNS servers IPv4 address obtained by ISAKMP mode config,
592separated by spaces.
593.It INTERNAL_WINS4
594The first internal WINS server IPv4 address obtained by ISAKMP mode config.
595.It INTERNAL_WINS4_LIST
596A list of internal WINS servers IPv4 address obtained by ISAKMP mode config,
597separated by spaces.
598.It SPLIT_INCLUDE
599The space separated list of IPv4 addresses and masks (address slash mask)
600that define the networks to be encrypted (as opposed to the default where
601all the traffic should be encrypted) ; obtained by ISAKMP mode config ;
602SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive.
603.It SPLIT_LOCAL
604The space separated list of IPv4 addresses and masks (address slash mask)
605that define the networks to be considered local, and thus excluded from the
606tunnels ; obtained by ISAKMP mode config.
607.It DEFAULT_DOMAIN
608The DNS default domain name obtained by ISAKMP mode config.
609.El
610.\"
611.\"
612.It Ic send_cert (on | off) ;
613If you do not want to send a certificate, set this to off.
614The default is on.
615.\"
616.It Ic send_cr (on | off) ;
617If you do not want to send a certificate request, set this to off.
618The default is on.
619.\"
620.It Ic verify_cert (on | off) ;
621By default, the identifier sent by the remote host (as specified in its
622.Ic my_identifier
623statement) is compared with the credentials in the certificate
624used to authenticate the remote host as follows:
625.Bl -tag -width Ds -compact
626.It Type Ic asn1dn:
627The entire certificate subject name is compared with the identifier,
628e.g. "C=XX, O=YY, ...".
629.It Type Ic address, fqdn, or user_fqdn:
630The certificate's subjectAltName is compared with the identifier.
631.El
632If the two do not match the negotiation will fail.
633If you do not want to verify the identifier using the peer's certificate,
634set this to off.
635.\"
636.It Ic lifetime time Ar number Ar timeunit ;
637Define a lifetime of a certain time
638which will be proposed in the phase 1 negotiations.
639Any proposal will be accepted, and the attribute(s) will not be proposed to
640the peer if you do not specify it (them).
641They can be individually specified in each proposal.
642.\"
643.It Ic ike_frag (on | off | force) ;
644Enable receiver-side IKE fragmentation if
645.Xr racoon 8
646has been built with this feature.
647If set to on, racoon will advertise
648itself as being capable of receiving packets split by IKE fragmentation.
649This extension is there to work around broken firewalls that do not
650work with fragmented UDP packets.
651IKE fragmentation is always enabled on the sender-side, and it is
652used if the peer advertises itself as IKE fragmentation capable.
653By selecting force, IKE Fragmentation will
654be used when racoon is acting as the initiator even before the remote
655peer has advertised itself as IKE fragmentation capable.
656.\"
657.It Ic esp_frag Ar fraglen ;
658This option is only relevant if you use NAT traversal in tunnel mode.
659Its purpose is to work around broken DSL routers that reject UDP
660fragments, by fragmenting the IP packets before ESP encapsulation.
661The result is ESP over UDP of fragmented packets instead of fragmented
662ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of
663frag(IP:UDP:ESP:IP)).
664.Ar fraglen
665is the maximum size of the fragments.
666552 should work anywhere,
667but the higher
668.Ar fraglen
669is, the better the performance.
670.Pp
671Note that because PMTU discovery is broken on many sites, you will
672have to use MSS clamping if you want TCP to work correctly.
673.\"
674.It Ic initial_contact (on | off) ;
675Enable this to send an INITIAL-CONTACT message.
676The default value is
677.Ic on .
678This message is useful only when the responder implementation chooses an
679old SA when there are multiple SAs with different established time and the
680initiator reboots.
681If racoon did not send the message,
682the responder would use an old SA even when a new SA was established.
683For systems that use a KAME derived IPSEC stack, the
684.Xr sysctl 8
685variable net.key.preferred_oldsa can be used to control this preference.
686When the value is zero, the stack always uses a new SA.
687.\"
688.It Ic passive (on | off) ;
689If you do not want to initiate the negotiation, set this to on.
690The default value is
691.Ic off .
692It is useful for a server.
693.\"
694.It Ic proposal_check Ar level ;
695Specifies the action of lifetime length, key length and PFS of the phase 2
696selection on the responder side, and the action of lifetime check in
697phase 1.
698The default level is
699.Ic strict .
700If the
701.Ar level
702is:
703.Bl -tag -width Ds -compact
704.It Ic obey
705The responder will obey the initiator anytime.
706.It Ic strict
707If the responder's lifetime length is longer than the initiator's or
708the responder's key length is shorter than the initiator's,
709the responder will use the initiator's value.
710Otherwise, the proposal will be rejected.
711If PFS is not required by the responder, the responder will obey the proposal.
712If PFS is required by both sides and the responder's group is not equal to
713the initiator's, then the responder will reject the proposal.
714.It Ic claim
715If the responder's lifetime length is longer than the initiator's or
716the responder's key length is shorter than the initiator's,
717the responder will use the initiator's value.
718If the responder's lifetime length is shorter than the initiator's,
719the responder uses its own length AND sends a RESPONDER-LIFETIME notify
720message to an initiator in the case of lifetime (phase 2 only).
721For PFS, this directive behaves the same as
722.Ic strict .
723.It Ic exact
724If the initiator's lifetime or key length is not equal to the responder's,
725the responder will reject the proposal.
726If PFS is required by both sides and the responder's group is not equal to
727the initiator's, then the responder will reject the proposal.
728.El
729.\"
730.It Ic support_proxy (on | off) ;
731If this value is set to on, then both values of ID payloads in the
732phase 2 exchange are always used as the addresses of end-point of
733IPsec-SAs.
734The default is off.
735.\"
736.It Ic generate_policy (on | off | require | unique) ;
737This directive is for the responder.
738Therefore you should set
739.Ic passive
740to on in order that
741.Xr racoon 8
742only becomes a responder.
743If the responder does not have any policy in SPD during phase 2
744negotiation, and the directive is set to on, then
745.Xr racoon 8
746will choose the first proposal in the
747SA payload from the initiator, and generate policy entries from the proposal.
748It is useful to negotiate with clients whose IP address is allocated
749dynamically.
750Note that an inappropriate policy might be installed into the responder's SPD
751by the initiator,
752so other communications might fail if such policies are installed
753due to a policy mismatch between the initiator and the responder.
754.Ic on
755and
756.Ic require
757values mean the same thing (generate a require policy).
758.Ic unique
759tells racoon to set up unique policies, with a monotoning increasing
760reqid number (between 1 and IPSEC_MANUAL_REQID_MAX).
761This directive is ignored in the initiator case.
762The default value is
763.Ic off .
764.\"
765.\"
766.It Ic nat_traversal (on | off | force) ;
767This directive enables use of the NAT-Traversal IPsec extension
768(NAT-T).
769NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
770doing address- or port-translation).
771If a NAT gateway is detected during the phase 1 handshake, racoon will
772attempt to negotiate the use of NAT-T with the remote peer.
773If the negotiation succeeds, all ESP and AH packets for the given connection
774will be encapsulated into UDP datagrams (port 4500, by default).
775Possible values are:
776.Bl -tag -width Ds -compact
777.It Ic on
778NAT-T is used when a NAT gateway is detected between the peers.
779.It Ic off
780NAT-T is not proposed/accepted.
781This is the default.
782.It Ic force
783NAT-T is used regardless of whether a NAT gateway is detected between the
784peers or not.
785.El
786Please note that NAT-T support is a compile-time option.
787Although it is enabled in the source distribution by default, it
788may not be available in your particular build.
789In that case you will get a
790warning when using any NAT-T related config options.
791.\"
792.It Ic dpd_delay Ar delay ;
793This option activates the DPD and sets the time (in seconds) allowed
794between 2 proof of liveliness requests.
795The default value is
796.Ic 0 ,
797which disables DPD monitoring, but still negotiates DPD support.
798.\"
799.It Ic dpd_retry Ar delay ;
800If
801.Ic dpd_delay
802is set, this sets the delay (in seconds) to wait for a proof of
803liveliness before considering it as failed and send another request.
804The default value is
805.Ic 5 .
806.\"
807.It Ic dpd_maxfail Ar number ;
808If
809.Ic dpd_delay
810is set, this sets the maximum number of liveliness proofs to request
811(without reply) before considering the peer is dead.
812The default value is
813.Ic 5 .
814.\"
815.It Ic nonce_size Ar number ;
816define the byte size of nonce value.
817Racoon can send any value although
818RFC2409 specifies that the value MUST be between 8 and 256 bytes.
819The default size is 16 bytes.
820.\"
821.It Ic ph1id Ar number ;
822An optionnal number to identify the remote proposal and to link it
823only with sainfos who have the same number.
824Defaults to 0.
825.\"
826.It Xo
827.Ic proposal { Ar sub-substatements Ic }
828.Xc
829.Bl -tag -width Ds -compact
830.\"
831.It Ic encryption_algorithm Ar algorithm ;
832Specifies the encryption algorithm used for the phase 1 negotiation.
833This directive must be defined.
834.Ar algorithm
835is one of following:
836.Ic des, 3des, blowfish, cast128, aes, camellia
837.\".Ic rc5 , idea
838for Oakley.
839For other transforms, this statement should not be used.
840.\"
841.It Ic hash_algorithm Ar algorithm ;
842Defines the hash algorithm used for the phase 1 negotiation.
843This directive must be defined.
844.Ar algorithm
845is one of following:
846.Ic md5, sha1, sha256, sha384, sha512
847for Oakley.
848.\"
849.It Ic authentication_method Ar type ;
850Defines the authentication method used for the phase 1 negotiation.
851This directive must be defined.
852.Ar type
853is one of:
854.Ic pre_shared_key , rsasig
855(for plain RSA authentication),
856.Ic gssapi_krb , hybrid_rsa_server ,
857.Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
858or
859.Ic xauth_psk_client .
860.\"
861.It Ic dh_group Ar group ;
862Defines the group used for the Diffie-Hellman exponentiations.
863This directive must be defined.
864.Ar group
865is one of following:
866.Ic modp768 , modp1024 , modp1536 ,
867.Ic modp2048 , modp3072 , modp4096 ,
868.Ic modp6144 , modp8192 .
869Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
870When you want to use aggressive mode,
871you must define the same DH group in each proposal.
872.It Ic lifetime time Ar number Ar timeunit ;
873Defines the lifetime of the phase 1 SA proposal.
874Refer to the description of the
875.Ic lifetime
876directive defined in the
877.Ic remote
878directive.
879.It Ic gss_id Ar string ;
880Defines the GSS-API endpoint name, to be included as an attribute in the SA,
881if the
882.Ic gssapi_krb
883authentication method is used.
884If this is not defined, the default value of
885.Ql host/hostname
886is used, where hostname is the value returned by the
887.Xr hostname 1
888command.
889.El
890.El
891.El
892.\"
893.Ss Policy Specifications
894The policy directive is obsolete, policies are now in the SPD.
895.Xr racoon 8
896will obey the policy configured into the kernel by
897.Xr setkey 8 ,
898and will construct phase 2 proposals by combining
899.Ic sainfo
900specifications in
901.Nm ,
902and policies in the kernel.
903.\"
904.Ss Sainfo Specifications
905.Bl -tag -width Ds -compact
906.It Xo
907.Ic sainfo ( Ar source_id destination_id | Ar source_id Ic anonymous | Ic anonymous Ar destination_id | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
908.Ic { Ar statements Ic }
909.Xc
910defines the parameters of the IKE phase 2 (IPsec-SA establishment).
911.Ar source_id
912and
913.Ar destination_id
914are constructed like:
915.Pp
916.Ic address Ar address
917.Bq Ic / Ar prefix
918.Bq Ic [ Ar port ]
919.Ar ul_proto
920.Pp
921or
922.Pp
923.Ic subnet Ar address
924.Bq Ic / Ar prefix
925.Bq Ic [ Ar port ]
926.Ar ul_proto
927.Pp
928or
929.Pp
930.Ar idtype Ar string
931.Pp
932An id string should be expressed to match the exact value of an ID payload
933(source is the local end, destination is the remote end).
934This is not like a filter rule.
935For example, if you define 3ffe:501:4819::/48 as
936.Ar source_id .
9373ffe:501:4819:1000:/64 will not match.
938.Pp
939In the case of a longest prefix (selecting a single host),
940.Ar address
941instructs to send ID type of ADDRESS while
942.Ar subnet
943instructs to send ID type of SUBNET.
944Otherwise, these instructions are identical.
945.Pp
946The group keyword allows an XAuth group membership check to be performed
947for this sainfo section.
948When the mode_cfg auth source is set to
949.Ic system
950or
951.Ic ldap ,
952the XAuth user is verified to be a member of the specified group
953before allowing a matching SA to be negotiated.
954.Pp
955.Bl -tag -width Ds -compact
956.\"
957.It Ic pfs_group Ar group ;
958define the group of Diffie-Hellman exponentiations.
959If you do not require PFS then you can omit this directive.
960Any proposal will be accepted if you do not specify one.
961.Ar group
962is one of following:
963.Ic modp768 , modp1024 , modp1536 ,
964.Ic modp2048 , modp3072 , modp4096 ,
965.Ic modp6144 , modp8192 .
966Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
967.\"
968.It Ic lifetime time Ar number Ar timeunit ;
969define how long an IPsec-SA will be used, in timeunits.
970Any proposal will be accepted, and no attribute(s) will be proposed to
971the peer if you do not specify it(them).
972See the
973.Ic proposal_check
974directive.
975.\"
976.It Ic remoteid Ar number ;
977Sainfos will only be used if their remoteid matches the ph1id of the
978remote section used for phase 1.
979Defaults to 0, which is also the default for ph1id.
980.\"
981.It Ic my_identifier Ar idtype ... ;
982is obsolete.
983It does not make sense to specify an identifier in the phase 2.
984.El
985.\"
986.Pp
987.Xr racoon 8
988does not have a list of security protocols to be negotiated.
989The list of security protocols are passed by SPD in the kernel.
990Therefore you have to define all of the potential algorithms
991in the phase 2 proposals even if there are algorithms which will not be used.
992These algorithms are define by using the following three directives,
993with a single comma as the separator.
994For algorithms that can take variable-length keys, algorithm names
995can be followed by a key length, like
996.Dq Li blowfish 448 .
997.Xr racoon 8
998will compute the actual phase 2 proposals by computing
999the permutation of the specified algorithms,
1000and then combining them with the security protocol specified by the SPD.
1001For example, if
1002.Ic des , 3des , hmac_md5 ,
1003and
1004.Ic hmac_sha1
1005are specified as algorithms, we have four combinations for use with ESP,
1006and two for AH.
1007Then, based on the SPD settings,
1008.Xr racoon 8
1009will construct the actual proposals.
1010If the SPD entry asks for ESP only, there will be 4 proposals.
1011If it asks for both AH and ESP, there will be 8 proposals.
1012Note that the kernel may not support the algorithm you have specified.
1013.\"
1014.Bl -tag -width Ds -compact
1015.It Ic encryption_algorithm Ar algorithms ;
1016.Ic des , 3des , des_iv64 , des_iv32 ,
1017.Ic rc5 , rc4 , idea , 3idea ,
1018.Ic cast128 , blowfish , null_enc ,
1019.Ic twofish , rijndael , aes , camellia
1020.Pq used with ESP
1021.\"
1022.It Ic authentication_algorithm Ar algorithms ;
1023.Ic des , 3des , des_iv64 , des_iv32 ,
1024.Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
1025.Pq used with ESP authentication and AH
1026.\"
1027.It Ic compression_algorithm Ar algorithms ;
1028.Ic deflate
1029.Pq used with IPComp
1030.El
1031.El
1032.\"
1033.Ss Logging level
1034.Bl -tag -width Ds -compact
1035.It Ic log Ar level ;
1036Defines the logging level.
1037.Ar level
1038is one of following:
1039.Ic error , warning , notify , info , debug
1040and
1041.Ic debug2 .
1042The default is
1043.Ic info .
1044If you set the logging level too high on slower machines,
1045IKE negotiation can fail due to timing constraint changes.
1046.El
1047.\"
1048.Ss Specifies the way to pad
1049.Bl -tag -width Ds -compact
1050.It Ic padding { Ar statements Ic }
1051specifies the padding format.
1052The following are valid statements:
1053.Bl -tag -width Ds -compact
1054.It Ic randomize (on | off) ;
1055Enables the use of a randomized value for padding.
1056The default is on.
1057.It Ic randomize_length (on | off) ;
1058The pad length will be random.
1059The default is off.
1060.It Ic maximum_length Ar number ;
1061Defines a maximum padding length.
1062If
1063.Ic randomize_length
1064is off, this is ignored.
1065The default is 20 bytes.
1066.It Ic exclusive_tail (on | off) ;
1067Means to put the number of pad bytes minus one into the last part
1068of the padding.
1069The default is on.
1070.It Ic strict_check (on | off) ;
1071Means to constrain the peer to set the number of pad bytes.
1072The default is off.
1073.El
1074.El
1075.Ss ISAKMP mode configuration settings
1076.Bl -tag -width Ds -compact
1077.It Ic mode_cfg { Ar statements Ic }
1078Defines the information to return for remote hosts' ISAKMP mode config
1079requests.
1080Also defines the authentication source for remote peers
1081authenticating through Xauth.
1082.Pp
1083The following are valid statements:
1084.Bl -tag -width Ds -compact
1085.It Ic auth_source (system | radius | pam | ldap) ;
1086Specifies the source for authentication of users through Xauth.
1087.Ar system
1088means to use the Unix user database.
1089This is the default.
1090.Ar radius
1091means to use a RADIUS server.
1092It works only if
1093.Xr racoon 8
1094was built with libradius support. Radius configuration is hanlded by
1095.Xr radius.conf 5 .
1096.Ar pam
1097means to use PAM.
1098It works only if
1099.Xr racoon 8
1100was built with libpam support.
1101.Ar ldap
1102means to use LDAP.
1103It works only if
1104.Xr racoon 8
1105was built with libldap support. LDAP configuration is handled by
1106statements in the
1107.Ic ldapcfg
1108section.
1109.It Ic auth_groups Ar "group1", ... ;
1110Specifies the group memberships for Xauth in quoted group name strings.
1111When defined, the authenticating user must be a member of at least one
1112group for Xauth to succeed.
1113.It Ic group_source (system | ldap) ;
1114Specifies the source for group validataion of users through Xauth.
1115.Ar system
1116means to use the Unix user database.
1117This is the default.
1118.Ar ldap
1119means to use LDAP.
1120It works only if
1121.Xr racoon 8
1122was built with libldap support and requires LDAP authentication.
1123LDAP configuration is handled by statements in the
1124.Ic ldapcfg
1125section.
1126.It Ic conf_source (local | radius | ldap) ;
1127Specifies the source for IP addresses and netmask allocated through ISAKMP
1128mode config.
1129.Ar local
1130means to use the local IP pool defined by the
1131.Ic network4
1132and
1133.Ic pool_size
1134statements.
1135This is the default.
1136.Ar radius
1137means to use a RADIUS server.
1138It works only if
1139.Xr racoon 8
1140was built with libradius support and requires RADIUS authentiation.
1141RADIUS configuration is handled by
1142.Xr radius.conf 5 .
1143.Ar ldap
1144means to use an LDAP server.
1145It works only if
1146.Xr racoon 8
1147was built with libldap support and requires LDAP authentication.
1148LDAP configuration is handled by
1149statements in the
1150.Ic ldapcfg
1151section.
1152.It Ic accounting (none | system | radius | pam) ;
1153Enables or disables accounting for Xauth logins and logouts.
1154The default is
1155.Ar none
1156which disable accounting.
1157Specifying
1158.Ar system
1159enables system accounting through
1160.Xr utmp 5 .
1161Specifying
1162.Ar radius
1163enables RADIUS accounting.
1164It works only if
1165.Xr racoon 8
1166was built with libradius support and requires RADIUS authentication.
1167RADIUS configuration is handled by
1168.Xr radius.conf 5 .
1169Specifying
1170.Ar pam
1171enables PAM accounting.
1172It works only if
1173.Xr racoon 8
1174was build with libpam support and requires PAM authentication.
1175.It Ic pool_size Ar size
1176Specify the size of the IP address pool, either local or allocated
1177through RADIUS.
1178.Ic conf_source
1179selects the local pool or the RADIUS configuration, but in both
1180configurations, you cannot have more than
1181.Ar size
1182users connected at the same time.
1183The default is 255.
1184.It Ic network4 Ar address ;
1185.It Ic netmask4 Ar address ;
1186The local IP pool base address and network mask from which dynamically
1187allocated IPv4 addresses should be taken.
1188This is used if
1189.Ic conf_source
1190is set to
1191.Ar local
1192or if the RADIUS server returned
1193.Ar 255.255.255.254 .
1194Default is
1195.Ar 0.0.0.0/0.0.0.0 .
1196.It Ic dns4 Ar addresses ;
1197A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
1198.Ic dns4
1199lines.
1200.It Ic wins4 Ar addresses ;
1201A list of IPv4 address for WINS servers. The keyword
1202.It nbns4
1203can also be used as an alias for
1204.It wins4 .
1205.It Ic split_network (include | local_lan) Ar network/mask, ...
1206The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
1207If
1208.Ic include
1209is specified, the tunnel should be only used to encrypt the indicated
1210destinations ; otherwise, if
1211.Ic local_lan
1212is used, everything will pass through the tunnel but those destinations.
1213.It Ic default_domain Ar domain ;
1214The default DNS domain to send.
1215.It Ic split_dns Ar "domain", ...
1216The split dns configuration to send, in quoted domain name strings.
1217This list can be used to describe a list of domain names for which
1218a peer should query a modecfg assigned dns server.
1219DNS queries for all other domains would be handled locally.
1220(Cisco VPN client only).
1221.It Ic banner Ar path ;
1222The path of a file displayed on the client at connection time.
1223Default is
1224.Ar /etc/motd .
1225.It Ic auth_throttle Ar delay ;
1226On each failed Xauth authentication attempt, refuse new attempts for a set
1227.Ar delay
1228of seconds.
1229This is to avoid dictionary attacks on Xauth passwords.
1230Default is one second.
1231Set to zero to disable authentication delay.
1232.It Ic pfs_group Ar group ;
1233Sets the PFS group used in the client proposal (Cisco VPN client only).
1234Default is 0.
1235.It Ic save_passwd (on | off) ;
1236Allow the client to save the Xauth password (Cisco VPN client only).
1237Default is off.
1238.El
1239.El
1240.Ss Ldap configuration settings
1241.Bl -tag -width Ds -compact
1242.It Ic ldapcfg { Ar statements Ic }
1243Defines the parameters that will be used to communicate with an ldap
1244server for
1245.Ic xauth
1246authentication.
1247.Pp
1248The following are valid statements:
1249.Bl -tag -width Ds -compact
1250.It Ic version (2 | 3) ;
1251The ldap protocol version used to communicate with the server.
1252The default is
1253.Ic 3 .
1254.It Ic host Ar (hostname | address) ;
1255The host name or ip address of the ldap server.
1256The default is
1257.Ic localhost .
1258.It Ic port Ar number;
1259The port that the ldap server is configured to listen on.
1260The default is
1261.Ic 389 .
1262.It Ic base Ar distinguished name;
1263The ldap search base.
1264This option has no default value.
1265.It Ic subtree (on | off) ;
1266Use the subtree ldap search scope.
1267Otherwise, use the one level search scope.
1268The default is
1269.Ic off .
1270.It Ic bind_dn Ar distinguised name;
1271The user dn used to optionaly bind as before performing ldap search operations.
1272If this option is not specified, anonymous binds are used.
1273.It Ic bind_pw Ar string;
1274The password used when binding as
1275.Ic bind_dn .
1276.It Ic attr_user Ar attribute name;
1277The attribute used to specify a users name in an ldap directory.
1278For example,
1279if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
1280The default value is
1281.Ic cn .
1282.It Ic attr_addr Ar attribute name;
1283.It Ic attr_mask Ar attribute name;
1284The attributes used to specify a users network address and subnet mask in an
1285ldap directory.
1286These values are forwarded during mode_cfg negotiation when
1287the conf_source is set to ldap.
1288The default values are
1289.Ic racoon-address
1290and
1291.Ic racoon-netmask .
1292.It Ic attr_group Ar attribute name;
1293The attribute used to specify a group name in an ldap directory.
1294For example,
1295if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
1296The default value is
1297.Ic cn .
1298.It Ic attr_member Ar attribute name;
1299The attribute used to specify group membership in an ldap directory.
1300The default value is
1301.Ic member .
1302.El
1303.El
1304.Ss Special directives
1305.Bl -tag -width Ds -compact
1306.It Ic complex_bundle (on | off) ;
1307defines the interpretation of proposal in the case of SA bundle.
1308Normally
1309.Dq IP AH ESP IP payload
1310is proposed as
1311.Dq AH tunnel and ESP tunnel .
1312The interpretation is more common to other IKE implementations, however,
1313it allows very limited set of combinations for proposals.
1314With the option enabled, it will be proposed as
1315.Dq AH transport and ESP tunnel .
1316The default value is
1317.Ic off .
1318.El
1319.\"
1320.Ss Pre-shared key File
1321The pre-shared key file defines pairs of identifiers and corresponding
1322shared secret keys which are used in the pre-shared key authentication
1323method in phase 1.
1324The pair in each line is separated by some number of blanks and/or tab
1325characters like in the
1326.Xr hosts 5
1327file.
1328Key can include blanks because everything after the first blanks
1329is interpreted as the secret key.
1330Lines starting with
1331.Ql #
1332are ignored.
1333Keys which start with
1334.Ql 0x
1335are interpreted as hexadecimal strings.
1336Note that the file must be owned by the user ID running
1337.Xr racoon 8
1338.Pq usually the privileged user ,
1339and must not be accessible by others.
1340.\"
1341.Sh EXAMPLES
1342The following shows how the remote directive should be configured.
1343.Bd -literal -offset
1344path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
1345remote anonymous
1346{
1347	exchange_mode aggressive,main,base;
1348	lifetime time 24 hour;
1349	proposal {
1350		encryption_algorithm 3des;
1351		hash_algorithm sha1;
1352		authentication_method pre_shared_key;
1353		dh_group 2;
1354	}
1355}
1356
1357sainfo anonymous
1358{
1359	pfs_group 2;
1360	lifetime time 12 hour ;
1361	encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
1362	authentication_algorithm hmac_sha1, hmac_md5 ;
1363	compression_algorithm deflate ;
1364}
1365.Ed
1366.Pp
1367If you are configuring plain RSA authentication, the remote directive
1368should look like the following:
1369.Bd -literal -offset
1370path certificate "/usr/local/v6/etc" ;
1371remote anonymous
1372{
1373        exchange_mode main,base ;
1374        lifetime time 12 hour ;
1375        certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
1376        peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
1377        proposal {
1378                        encryption_algorithm aes ;
1379                        hash_algorithm sha1 ;
1380                        authentication_method rsasig ;
1381                        dh_group 2 ;
1382        }
1383}
1384.Ed
1385.Pp
1386The following is a sample for the pre-shared key file.
1387.Bd -literal -offset
138810.160.94.3     mekmitasdigoat
1389172.16.1.133    0x12345678
1390194.100.55.1    whatcertificatereally
13913ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
13923ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
1393foo@kame.net    mekmitasdigoat
1394foo.kame.net    hoge
1395.Ed
1396.\"
1397.Sh SEE ALSO
1398.Xr racoon 8 ,
1399.Xr racoonctl 8 ,
1400.Xr setkey 8
1401.\"
1402.Sh HISTORY
1403The
1404.Nm
1405configuration file first appeared in the
1406.Dq YIPS
1407Yokogawa IPsec implementation.
1408.\"
1409.Sh BUGS
1410Some statements may not be handled by
1411.Xr racoon 8
1412yet.
1413.Pp
1414Diffie-Hellman computation can take a very long time, and may cause
1415unwanted timeouts, specifically when a large D-H group is used.
1416.\"
1417.Sh SECURITY CONSIDERATIONS
1418The use of IKE phase 1 aggressive mode is not recommended,
1419as described in
1420.Li http://www.kb.cert.org/vuls/id/886601 .
1421