]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/racoon.conf.5
ipsec-258.1.3.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / racoon.conf.5
CommitLineData
d1e348cf
A
1.\" $NetBSD: racoon.conf.5,v 1.34.4.2 2007/07/18 22:53:03 mgrooms Exp $
2.\"
3.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
52b7d2ce
A
4.\"
5.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 3. Neither the name of the project nor the names of its contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
d1e348cf 32.Dd September 19, 2006
52b7d2ce
A
33.Dt RACOON.CONF 5
34.Os
35.\"
36.Sh NAME
37.Nm racoon.conf
38.Nd configuration file for racoon
39.\"
40.\" .Sh SYNOPSIS
41.\"
42.Sh DESCRIPTION
43.Nm
44is the configuration file for the
45.Xr racoon 8
46ISAKMP daemon.
47.Xr racoon 8
48negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
49and for kernel IPsec (IPsec SA, or phase 2 SA).
50The file consists of a sequence of directives and statements.
51Each directive is composed by a tag and statements, enclosed by
52.Ql {
53and
54.Ql } .
55Lines beginning with
56.Ql #
57are comments.
58.\"
59.Ss Meta Syntax
60Keywords and special characters that the parser expects exactly are
61displayed using
62.Ic this
63font.
64Parameters are specified with
65.Ar this
66font.
67Square brackets
68.Po
69.Ql \&[
70and
71.Ql \&]
72.Pc
73are used to show optional keywords and parameters.
74Note that
75you have to pay attention when this manual is describing
76.Ar port
77numbers.
78The
79.Ar port
80number is always enclosed by
81.Ql \&[
82and
83.Ql \&] .
84In this case, the port number is not an optional keyword.
85If it is possible to omit the
86.Ar port
87number,
88the expression becomes
89.Bq Bq Ar port .
90The vertical bar
91.Pq Ql \&|
92is used to indicate
93a choice between optional parameters.
94Parentheses
95.Po
96.Ql \&(
97and
98.Ql \&)
99.Pc
100are used to group keywords and parameters when necessary.
101Major parameters are listed below.
102.Pp
103.Bl -tag -width addressx -compact
104.It Ar number
105means a hexadecimal or a decimal number.
106The former must be prefixed with
107.Ql Li 0x .
108.It Ar string
109.It Ar path
110.It Ar file
111means any string enclosed in
112.Ql \&"
113.Pq double quotes .
114.It Ar address
115means IPv6 and/or IPv4 address.
116.It Ar port
117means a TCP/UDP port number.
118The port number is always enclosed by
119.Ql \&[
120and
121.Ql \&] .
122.It Ar timeunit
123is one of following:
124.Ic sec , secs , second , seconds ,
125.Ic min , mins , minute , minutes ,
126.Ic hour , hours .
127.El
128.\"
52b7d2ce 129.Ss Path Specification
d1e348cf 130This section specifies various paths used by racoon.
52b7d2ce
A
131When running in privilege separation mode,
132.Ic certificate
133and
134.Ic script
d1e348cf
A
135paths are mandatory. A
136.Xr racoon 8
137restart is required if you want path changes to be taken into account.
52b7d2ce
A
138.Bl -tag -width Ds -compact
139.It Ic path include Ar path ;
d1e348cf 140Specifies a path to include a file.
52b7d2ce
A
141See
142.Sx File Inclusion .
143.It Ic path pre_shared_key Ar file ;
d1e348cf 144Specifies a file containing pre-shared key(s) for various ID(s).
52b7d2ce
A
145See
146.Sx Pre-shared key File .
52b7d2ce 147.It Ic path pidfile Ar file ;
d1e348cf 148Specifies file where to store PID of process.
52b7d2ce
A
149If path starts with
150.Pa /
d1e348cf
A
151it is treated as an absolute path. Otherwise, it is treated as a relative
152path to the VARRUN directory specified at compilation time.
52b7d2ce
A
153Default is
154.Pa racoon.pid .
e8d9021d
A
155.It Ic path logfile Ar file ;
156Specifies a file to which logs generated by
157.Xr racoon 8
158are stored.
159When the file's size exceeds 200KB,
160.Xr racoon 8
161will trim the logfile by dropping the oldest events.
162If path starts with
163.Pa /
164it is treated as an absolute path. Otherwise, it is treated as a relative
165path to the VARRUN directory specified at compilation time.
52b7d2ce
A
166.El
167.\"
168.Ss File Inclusion
169.Bl -tag -width Ds -compact
170.It Ic include Ar file
d1e348cf 171Specifies other configuration files to be included.
52b7d2ce
A
172.El
173.\"
174.Ss Identifier Specification
175is obsolete.
176It must be defined at each
177.Ic remote
178directive.
179.\"
180.Ss Timer Specification
181.Bl -tag -width Ds -compact
182.It Ic timer { Ar statements Ic }
d1e348cf 183This section specifies various timer values used by racoon.
52b7d2ce
A
184.Pp
185.Bl -tag -width Ds -compact
186.It Ic counter Ar number ;
d1e348cf 187The maximum number of retries to send.
52b7d2ce
A
188The default is 5.
189.It Ic interval Ar number Ar timeunit ;
d1e348cf 190The interval to resend, in seconds.
52b7d2ce
A
191The default time is 10 seconds.
192.It Ic persend Ar number ;
d1e348cf 193The number of packets per send.
52b7d2ce
A
194The default is 1.
195.It Ic phase1 Ar number Ar timeunit ;
d1e348cf 196The maximum time it should take to complete phase 1.
52b7d2ce
A
197The default time is 15 seconds.
198.It Ic phase2 Ar number Ar timeunit ;
d1e348cf 199The maximum time it should take to complete phase 2.
52b7d2ce
A
200The default time is 10 seconds.
201.It Ic natt_keepalive Ar number Ar timeunit ;
d1e348cf 202The interval between sending NAT-Traversal keep-alive packets.
52b7d2ce
A
203The default time is 20 seconds.
204Set to 0s to disable keep-alive packets.
205.El
206.El
207.\"
208.Ss Listening Port Specification
209.Bl -tag -width Ds -compact
210.It Ic listen { Ar statements Ic }
211If no
212.Ar listen
213directive is specified,
214.Xr racoon 8
215will listen on all available interface addresses.
216The following is the list of valid statements:
217.Pp
218.Bl -tag -width Ds -compact
219.\" How do I express bold brackets; `[' and `]' .
220.\" Answer: For bold brackets, do "Ic \&[ foo \&]".
221.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
222.It Ic isakmp Ar address Bq Bq Ar port ;
223If this is specified,
224.Xr racoon 8
d1e348cf 225will only listen on the defined
52b7d2ce
A
226.Ar address .
227The default port is 500, which is specified by IANA.
228You can provide more than one address definition.
229.It Ic isakmp_natt Ar address Bq Ar port ;
230Same as
231.Ic isakmp
232but also sets the socket options to accept UDP-encapsulated ESP traffic for
233NAT-Traversal.
234If you plan to use NAT-T, you should provide at least one address
235with port 4500, which is specified by IANA.
236There is no default.
237.It Ic strict_address ;
d1e348cf
A
238Requires that all addresses for ISAKMP be bound.
239This statement will be ignored if you do not specify address definitions.
52b7d2ce 240.El
52b7d2ce 241.El
65c25746 242./"
52b7d2ce
A
243.Ss Remote Nodes Specifications
244.Bl -tag -width Ds -compact
245.It Xo
246.Ic remote ( Ar address | Ic anonymous )
247.Bq Bq Ar port
248.Bq Ic inherit Ar parent
249.Ic { Ar statements Ic }
250.Xc
d1e348cf 251Specifies the IKE phase 1 parameters for each remote node.
52b7d2ce
A
252The default port is 500.
253If
254.Ic anonymous
d1e348cf
A
255is specified, the statements will apply to any peer that does not match a
256more specific
52b7d2ce
A
257.Ic remote
258directive.
259.Pp
260Sections with
261.Ic inherit Ar parent
262statements (where
263.Ar parent
264is either
265.Ar address
266or a keyword
267.Ic anonymous )
d1e348cf 268that have all values predefined to those of a given
52b7d2ce
A
269.Ar parent .
270In these sections it is enough to redefine only the changed parameters.
271.Pp
272The following are valid statements.
273.Pp
274.Bl -tag -width Ds -compact
275.\"
276.It Ic exchange_mode ( main | aggressive | base ) ;
d1e348cf
A
277Defines the exchange mode for phase 1 when racoon is the initiator.
278It also means the acceptable exchange mode when racoon is the responder.
52b7d2ce
A
279More than one mode can be specified by separating them with a comma.
280All of the modes are acceptable.
281The first exchange mode is what racoon uses when it is the initiator.
282.\"
283.It Ic doi Ic ipsec_doi ;
d1e348cf 284Means to use IPsec DOI as specified in RFC 2407.
52b7d2ce
A
285You can omit this statement.
286.\"
287.It Ic situation Ic identity_only ;
d1e348cf 288Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
52b7d2ce
A
289You can omit this statement.
290.\"
291.It Ic identifier Ar idtype ;
d1e348cf 292This statment is obsolete. Instead, use
52b7d2ce
A
293.Ic my_identifier .
294.\"
d1e348cf
A
295.It Xo
296.Ic my_identifier Bq Ar qualifier
297.Ar idtype ... ;
298.Xc
299Specifies the identifier sent to the remote host
52b7d2ce
A
300and the type to use in the phase 1 negotiation.
301.Ic address, fqdn , user_fqdn , keyid ,
302and
303.Ic asn1dn
304can be used as an
305.Ar idtype .
d1e348cf
A
306The
307.Ar qualifier
308is currently only used for
309.Ic keyid ,
310and can be either
311.Ic file
312or
313.Ic tag .
314The possible values are :
52b7d2ce
A
315.Bl -tag -width Ds -compact
316.It Ic my_identifier Ic address Bq Ar address ;
d1e348cf 317The type is the IP address.
52b7d2ce
A
318This is the default type if you do not specify an identifier to use.
319.It Ic my_identifier Ic user_fqdn Ar string ;
d1e348cf 320The type is a USER_FQDN (user fully-qualified domain name).
52b7d2ce 321.It Ic my_identifier Ic fqdn Ar string ;
d1e348cf
A
322The type is a FQDN (fully-qualified domain name).
323.It Xo
324.Ic my_identifier Ic keyid Bq Ic file
325.Ar file ;
326.Xc
327The type is a KEY_ID, read from the file.
328.It Ic my_identifier Ic keyid Ic tag Ar string ;
329The type is a KEY_ID, specified in the quoted string.
52b7d2ce 330.It Ic my_identifier Ic asn1dn Bq Ar string ;
d1e348cf 331The type is an ASN.1 distinguished name.
52b7d2ce
A
332If
333.Ar string
334is omitted,
335.Xr racoon 8
336will get the DN from the Subject field in the certificate.
337.El
338.\"
339.It Ic xauth_login Bq Ar string ;
d1e348cf 340Specifies the login to use in client-side Hybrid authentication.
52b7d2ce
A
341It is available only if
342.Xr racoon 8
343has been built with this option.
344The associated password is looked up in the pre-shared key files,
345using the login
346.Ic string
347as the key id.
348.\"
349.It Ic peers_identifier Ar idtype ... ;
d1e348cf 350Specifies the peer's identifier to be received.
52b7d2ce
A
351If it is not defined then
352.Xr racoon 8
353will not verify the peer's identifier in ID payload transmitted from the peer.
354If it is defined, the behavior of the verification depends on the flag of
355.Ic verify_identifier .
356The usage of
357.Ar idtype
358is the same as
359.Ic my_identifier
360except that the individual component values of an
361.Ic asn1dn
362identifier may specified as
363.Ic *
364to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
365Alternative acceptable peer identifiers may be specified by repeating the
366.Ic peers_identifier
367statement.
368.\"
d1e348cf 369.It Ic verify_identifier (on | off) ;
52b7d2ce
A
370If you want to verify the peer's identifier,
371set this to on.
372In this case, if the value defined by
373.Ic peers_identifier
374is not the same as the peer's identifier in the ID payload,
d1e348cf 375the negotiation will fail.
52b7d2ce
A
376The default is off.
377.\"
378.It Ic certificate_type Ar certspec ;
d1e348cf 379Specifies a certificate specification.
52b7d2ce 380.Ar certspec
65c25746 381must be as follows:
52b7d2ce 382.Bl -tag -width Ds -compact
65c25746
A
383.It Ic x509 Ar in_keychain Ar keychain_identifier ;
384.Ar in_keychain
385means the certificate is in the system keychain.
386.Ar keychain_identifier
387is the keychain ID for the certificate in base64 format.
52b7d2ce 388.El
65c25746
A
389.It Ic certificate_verification Ar verification_spec ;
390Specifies how the certificate is verified. This is required.
391.Ar verification_spec
392must be as follows:
d1e348cf 393.Bl -tag -width Ds -compact
65c25746
A
394.It Ic sec_framework Ar use_peers_identifier ;
395.Ar sec_framework
396means the certificate is verified by the security framework.
397.Ar use_peers_identifier
398means the certificate must contain the peers ID.
52b7d2ce 399.El
d1e348cf 400.It Ic mode_cfg (on | off) ;
52b7d2ce
A
401Gather network information through ISAKMP mode configuration.
402Default is off.
403.\"
d1e348cf
A
404.It Ic weak_phase1_check (on | off) ;
405Tells racoon to act on unencrypted deletion messages during phase 1.
406This is a small security risk, so the default is off, meaning that
407racoon will keep on trying to establish a connection even if the
408user credentials are wrong, for instance.
409.\"
d1e348cf
A
410.It Ic send_cert (on | off) ;
411If you do not want to send a certificate, set this to off.
52b7d2ce
A
412The default is on.
413.\"
d1e348cf
A
414.It Ic send_cr (on | off) ;
415If you do not want to send a certificate request, set this to off.
52b7d2ce
A
416The default is on.
417.\"
d1e348cf
A
418.It Ic verify_cert (on | off) ;
419By default, the identifier sent by the remote host (as specified in its
420.Ic my_identifier
421statement) is compared with the credentials in the certificate
422used to authenticate the remote host as follows:
423.Bl -tag -width Ds -compact
424.It Type Ic asn1dn:
425The entire certificate subject name is compared with the identifier,
426e.g. "C=XX, O=YY, ...".
427.It Type Ic address, fqdn, or user_fqdn:
428The certificate's subjectAltName is compared with the identifier.
429.El
430If the two do not match the negotiation will fail.
431If you do not want to verify the identifier using the peer's certificate,
52b7d2ce 432set this to off.
52b7d2ce
A
433.\"
434.It Ic lifetime time Ar number Ar timeunit ;
435Define a lifetime of a certain time
436which will be proposed in the phase 1 negotiations.
d1e348cf 437Any proposal will be accepted, and the attribute(s) will not be proposed to
52b7d2ce
A
438the peer if you do not specify it (them).
439They can be individually specified in each proposal.
440.\"
d1e348cf
A
441.It Ic ike_frag (on | off | force) ;
442Enable receiver-side IKE fragmentation if
52b7d2ce
A
443.Xr racoon 8
444has been built with this feature.
d1e348cf
A
445If set to on, racoon will advertise
446itself as being capable of receiving packets split by IKE fragmentation.
447This extension is there to work around broken firewalls that do not
448work with fragmented UDP packets.
449IKE fragmentation is always enabled on the sender-side, and it is
450used if the peer advertises itself as IKE fragmentation capable.
451By selecting force, IKE Fragmentation will
452be used when racoon is acting as the initiator even before the remote
453peer has advertised itself as IKE fragmentation capable.
52b7d2ce
A
454.\"
455.It Ic esp_frag Ar fraglen ;
456This option is only relevant if you use NAT traversal in tunnel mode.
457Its purpose is to work around broken DSL routers that reject UDP
458fragments, by fragmenting the IP packets before ESP encapsulation.
459The result is ESP over UDP of fragmented packets instead of fragmented
460ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of
461frag(IP:UDP:ESP:IP)).
462.Ar fraglen
463is the maximum size of the fragments.
464552 should work anywhere,
465but the higher
466.Ar fraglen
d1e348cf 467is, the better the performance.
52b7d2ce
A
468.Pp
469Note that because PMTU discovery is broken on many sites, you will
470have to use MSS clamping if you want TCP to work correctly.
471.\"
d1e348cf
A
472.It Ic initial_contact (on | off) ;
473Enable this to send an INITIAL-CONTACT message.
52b7d2ce
A
474The default value is
475.Ic on .
d1e348cf
A
476This message is useful only when the responder implementation chooses an
477old SA when there are multiple SAs with different established time and the
478initiator reboots.
52b7d2ce
A
479If racoon did not send the message,
480the responder would use an old SA even when a new SA was established.
d1e348cf
A
481For systems that use a KAME derived IPSEC stack, the
482.Xr sysctl 8
483variable net.key.preferred_oldsa can be used to control this preference.
484When the value is zero, the stack always uses a new SA.
52b7d2ce 485.\"
d1e348cf 486.It Ic passive (on | off) ;
52b7d2ce
A
487If you do not want to initiate the negotiation, set this to on.
488The default value is
489.Ic off .
490It is useful for a server.
491.\"
492.It Ic proposal_check Ar level ;
d1e348cf 493Specifies the action of lifetime length, key length and PFS of the phase 2
52b7d2ce
A
494selection on the responder side, and the action of lifetime check in
495phase 1.
496The default level is
497.Ic strict .
498If the
499.Ar level
500is:
501.Bl -tag -width Ds -compact
502.It Ic obey
d1e348cf 503The responder will obey the initiator anytime.
52b7d2ce 504.It Ic strict
d1e348cf
A
505If the responder's lifetime length is longer than the initiator's or
506the responder's key length is shorter than the initiator's,
507the responder will use the initiator's value.
508Otherwise, the proposal will be rejected.
52b7d2ce 509If PFS is not required by the responder, the responder will obey the proposal.
d1e348cf
A
510If PFS is required by both sides and the responder's group is not equal to
511the initiator's, then the responder will reject the proposal.
52b7d2ce 512.It Ic claim
d1e348cf
A
513If the responder's lifetime length is longer than the initiator's or
514the responder's key length is shorter than the initiator's,
515the responder will use the initiator's value.
516If the responder's lifetime length is shorter than the initiator's,
517the responder uses its own length AND sends a RESPONDER-LIFETIME notify
518message to an initiator in the case of lifetime (phase 2 only).
52b7d2ce
A
519For PFS, this directive behaves the same as
520.Ic strict .
521.It Ic exact
d1e348cf
A
522If the initiator's lifetime or key length is not equal to the responder's,
523the responder will reject the proposal.
524If PFS is required by both sides and the responder's group is not equal to
525the initiator's, then the responder will reject the proposal.
52b7d2ce
A
526.El
527.\"
d1e348cf 528.It Ic support_proxy (on | off) ;
52b7d2ce
A
529If this value is set to on, then both values of ID payloads in the
530phase 2 exchange are always used as the addresses of end-point of
531IPsec-SAs.
532The default is off.
533.\"
d1e348cf 534.It Ic generate_policy (on | off | require | unique) ;
52b7d2ce
A
535This directive is for the responder.
536Therefore you should set
537.Ic passive
538to on in order that
539.Xr racoon 8
540only becomes a responder.
541If the responder does not have any policy in SPD during phase 2
542negotiation, and the directive is set to on, then
543.Xr racoon 8
544will choose the first proposal in the
545SA payload from the initiator, and generate policy entries from the proposal.
546It is useful to negotiate with clients whose IP address is allocated
547dynamically.
548Note that an inappropriate policy might be installed into the responder's SPD
549by the initiator,
550so other communications might fail if such policies are installed
551due to a policy mismatch between the initiator and the responder.
d1e348cf
A
552.Ic on
553and
554.Ic require
555values mean the same thing (generate a require policy).
556.Ic unique
557tells racoon to set up unique policies, with a monotoning increasing
558reqid number (between 1 and IPSEC_MANUAL_REQID_MAX).
52b7d2ce
A
559This directive is ignored in the initiator case.
560The default value is
561.Ic off .
562.\"
563.\"
d1e348cf 564.It Ic nat_traversal (on | off | force) ;
52b7d2ce
A
565This directive enables use of the NAT-Traversal IPsec extension
566(NAT-T).
567NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
568doing address- or port-translation).
d1e348cf
A
569If a NAT gateway is detected during the phase 1 handshake, racoon will
570attempt to negotiate the use of NAT-T with the remote peer.
571If the negotiation succeeds, all ESP and AH packets for the given connection
572will be encapsulated into UDP datagrams (port 4500, by default).
52b7d2ce
A
573Possible values are:
574.Bl -tag -width Ds -compact
575.It Ic on
576NAT-T is used when a NAT gateway is detected between the peers.
577.It Ic off
578NAT-T is not proposed/accepted.
579This is the default.
580.It Ic force
d1e348cf
A
581NAT-T is used regardless of whether a NAT gateway is detected between the
582peers or not.
52b7d2ce
A
583.El
584Please note that NAT-T support is a compile-time option.
585Although it is enabled in the source distribution by default, it
586may not be available in your particular build.
587In that case you will get a
588warning when using any NAT-T related config options.
589.\"
590.It Ic dpd_delay Ar delay ;
591This option activates the DPD and sets the time (in seconds) allowed
d1e348cf 592between 2 proof of liveliness requests.
52b7d2ce
A
593The default value is
594.Ic 0 ,
595which disables DPD monitoring, but still negotiates DPD support.
596.\"
597.It Ic dpd_retry Ar delay ;
598If
599.Ic dpd_delay
600is set, this sets the delay (in seconds) to wait for a proof of
d1e348cf 601liveliness before considering it as failed and send another request.
52b7d2ce
A
602The default value is
603.Ic 5 .
604.\"
605.It Ic dpd_maxfail Ar number ;
606If
607.Ic dpd_delay
d1e348cf 608is set, this sets the maximum number of liveliness proofs to request
52b7d2ce
A
609(without reply) before considering the peer is dead.
610The default value is
611.Ic 5 .
612.\"
613.It Ic nonce_size Ar number ;
614define the byte size of nonce value.
615Racoon can send any value although
616RFC2409 specifies that the value MUST be between 8 and 256 bytes.
617The default size is 16 bytes.
618.\"
d1e348cf
A
619.It Ic ph1id Ar number ;
620An optionnal number to identify the remote proposal and to link it
621only with sainfos who have the same number.
622Defaults to 0.
623.\"
52b7d2ce
A
624.It Xo
625.Ic proposal { Ar sub-substatements Ic }
626.Xc
627.Bl -tag -width Ds -compact
628.\"
629.It Ic encryption_algorithm Ar algorithm ;
d1e348cf 630Specifies the encryption algorithm used for the phase 1 negotiation.
52b7d2ce
A
631This directive must be defined.
632.Ar algorithm
633is one of following:
85f41bec 634.Ic des, 3des, aes
52b7d2ce
A
635for Oakley.
636For other transforms, this statement should not be used.
637.\"
638.It Ic hash_algorithm Ar algorithm ;
d1e348cf 639Defines the hash algorithm used for the phase 1 negotiation.
52b7d2ce
A
640This directive must be defined.
641.Ar algorithm
642is one of following:
643.Ic md5, sha1, sha256, sha384, sha512
644for Oakley.
645.\"
646.It Ic authentication_method Ar type ;
d1e348cf 647Defines the authentication method used for the phase 1 negotiation.
52b7d2ce
A
648This directive must be defined.
649.Ar type
650is one of:
85f41bec
A
651.Ic pre_shared_key,
652.Ic hybrid_rsa_server ,
d1e348cf 653.Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
52b7d2ce 654or
65c25746 655.Ic xauth_psk_client , eap_psk_client , eap_rsa_client .
52b7d2ce
A
656.\"
657.It Ic dh_group Ar group ;
d1e348cf 658Defines the group used for the Diffie-Hellman exponentiations.
52b7d2ce
A
659This directive must be defined.
660.Ar group
661is one of following:
65c25746
A
662.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 .
663Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number.
52b7d2ce
A
664When you want to use aggressive mode,
665you must define the same DH group in each proposal.
666.It Ic lifetime time Ar number Ar timeunit ;
d1e348cf 667Defines the lifetime of the phase 1 SA proposal.
52b7d2ce
A
668Refer to the description of the
669.Ic lifetime
670directive defined in the
671.Ic remote
672directive.
52b7d2ce
A
673.El
674.El
65c25746 675.El
52b7d2ce
A
676.\"
677.Ss Policy Specifications
678The policy directive is obsolete, policies are now in the SPD.
679.Xr racoon 8
680will obey the policy configured into the kernel by
681.Xr setkey 8 ,
682and will construct phase 2 proposals by combining
683.Ic sainfo
684specifications in
685.Nm ,
686and policies in the kernel.
687.\"
688.Ss Sainfo Specifications
689.Bl -tag -width Ds -compact
690.It Xo
d1e348cf 691.Ic sainfo ( Ar source_id destination_id | Ar source_id Ic anonymous | Ic anonymous Ar destination_id | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
52b7d2ce
A
692.Ic { Ar statements Ic }
693.Xc
694defines the parameters of the IKE phase 2 (IPsec-SA establishment).
695.Ar source_id
696and
697.Ar destination_id
698are constructed like:
699.Pp
700.Ic address Ar address
701.Bq Ic / Ar prefix
702.Bq Ic [ Ar port ]
703.Ar ul_proto
704.Pp
705or
706.Pp
707.Ic subnet Ar address
708.Bq Ic / Ar prefix
709.Bq Ic [ Ar port ]
710.Ar ul_proto
711.Pp
712or
713.Pp
714.Ar idtype Ar string
715.Pp
d1e348cf
A
716An id string should be expressed to match the exact value of an ID payload
717(source is the local end, destination is the remote end).
52b7d2ce
A
718This is not like a filter rule.
719For example, if you define 3ffe:501:4819::/48 as
720.Ar source_id .
7213ffe:501:4819:1000:/64 will not match.
722.Pp
d1e348cf 723In the case of a longest prefix (selecting a single host),
52b7d2ce 724.Ar address
d1e348cf 725instructs to send ID type of ADDRESS while
52b7d2ce
A
726.Ar subnet
727instructs to send ID type of SUBNET.
d1e348cf
A
728Otherwise, these instructions are identical.
729.Pp
730The group keyword allows an XAuth group membership check to be performed
731for this sainfo section.
732When the mode_cfg auth source is set to
733.Ic system
734or
735.Ic ldap ,
736the XAuth user is verified to be a member of the specified group
737before allowing a matching SA to be negotiated.
52b7d2ce
A
738.Pp
739.Bl -tag -width Ds -compact
740.\"
741.It Ic pfs_group Ar group ;
742define the group of Diffie-Hellman exponentiations.
743If you do not require PFS then you can omit this directive.
744Any proposal will be accepted if you do not specify one.
745.Ar group
746is one of following:
65c25746
A
747.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 .
748Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number.
52b7d2ce
A
749.\"
750.It Ic lifetime time Ar number Ar timeunit ;
751define how long an IPsec-SA will be used, in timeunits.
752Any proposal will be accepted, and no attribute(s) will be proposed to
753the peer if you do not specify it(them).
754See the
755.Ic proposal_check
756directive.
757.\"
d1e348cf
A
758.It Ic remoteid Ar number ;
759Sainfos will only be used if their remoteid matches the ph1id of the
760remote section used for phase 1.
761Defaults to 0, which is also the default for ph1id.
762.\"
52b7d2ce
A
763.It Ic my_identifier Ar idtype ... ;
764is obsolete.
765It does not make sense to specify an identifier in the phase 2.
766.El
767.\"
768.Pp
769.Xr racoon 8
770does not have a list of security protocols to be negotiated.
771The list of security protocols are passed by SPD in the kernel.
772Therefore you have to define all of the potential algorithms
773in the phase 2 proposals even if there are algorithms which will not be used.
774These algorithms are define by using the following three directives,
775with a single comma as the separator.
776For algorithms that can take variable-length keys, algorithm names
777can be followed by a key length, like
778.Dq Li blowfish 448 .
779.Xr racoon 8
780will compute the actual phase 2 proposals by computing
781the permutation of the specified algorithms,
782and then combining them with the security protocol specified by the SPD.
783For example, if
784.Ic des , 3des , hmac_md5 ,
785and
786.Ic hmac_sha1
787are specified as algorithms, we have four combinations for use with ESP,
788and two for AH.
789Then, based on the SPD settings,
790.Xr racoon 8
791will construct the actual proposals.
792If the SPD entry asks for ESP only, there will be 4 proposals.
793If it asks for both AH and ESP, there will be 8 proposals.
794Note that the kernel may not support the algorithm you have specified.
795.\"
796.Bl -tag -width Ds -compact
797.It Ic encryption_algorithm Ar algorithms ;
798.Ic des , 3des , des_iv64 , des_iv32 ,
85f41bec 799.Ic null_enc ,rijndael , aes
52b7d2ce
A
800.Pq used with ESP
801.\"
802.It Ic authentication_algorithm Ar algorithms ;
803.Ic des , 3des , des_iv64 , des_iv32 ,
804.Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
805.Pq used with ESP authentication and AH
806.\"
807.It Ic compression_algorithm Ar algorithms ;
808.Ic deflate
809.Pq used with IPComp
810.El
811.El
812.\"
813.Ss Logging level
814.Bl -tag -width Ds -compact
815.It Ic log Ar level ;
d1e348cf 816Defines the logging level.
52b7d2ce
A
817.Ar level
818is one of following:
d1e348cf 819.Ic error , warning , notify , info , debug
52b7d2ce
A
820and
821.Ic debug2 .
822The default is
d1e348cf 823.Ic info .
52b7d2ce
A
824If you set the logging level too high on slower machines,
825IKE negotiation can fail due to timing constraint changes.
826.El
827.\"
d1e348cf 828.Ss Specifies the way to pad
52b7d2ce
A
829.Bl -tag -width Ds -compact
830.It Ic padding { Ar statements Ic }
d1e348cf 831specifies the padding format.
52b7d2ce
A
832The following are valid statements:
833.Bl -tag -width Ds -compact
d1e348cf
A
834.It Ic randomize (on | off) ;
835Enables the use of a randomized value for padding.
52b7d2ce 836The default is on.
d1e348cf
A
837.It Ic randomize_length (on | off) ;
838The pad length will be random.
52b7d2ce
A
839The default is off.
840.It Ic maximum_length Ar number ;
d1e348cf 841Defines a maximum padding length.
52b7d2ce
A
842If
843.Ic randomize_length
844is off, this is ignored.
845The default is 20 bytes.
d1e348cf
A
846.It Ic exclusive_tail (on | off) ;
847Means to put the number of pad bytes minus one into the last part
52b7d2ce
A
848of the padding.
849The default is on.
d1e348cf
A
850.It Ic strict_check (on | off) ;
851Means to constrain the peer to set the number of pad bytes.
52b7d2ce
A
852The default is off.
853.El
854.El
52b7d2ce
A
855.Ss Special directives
856.Bl -tag -width Ds -compact
d1e348cf 857.It Ic complex_bundle (on | off) ;
52b7d2ce
A
858defines the interpretation of proposal in the case of SA bundle.
859Normally
860.Dq IP AH ESP IP payload
861is proposed as
862.Dq AH tunnel and ESP tunnel .
863The interpretation is more common to other IKE implementations, however,
864it allows very limited set of combinations for proposals.
865With the option enabled, it will be proposed as
866.Dq AH transport and ESP tunnel .
867The default value is
868.Ic off .
869.El
870.\"
871.Ss Pre-shared key File
872The pre-shared key file defines pairs of identifiers and corresponding
873shared secret keys which are used in the pre-shared key authentication
874method in phase 1.
875The pair in each line is separated by some number of blanks and/or tab
876characters like in the
877.Xr hosts 5
878file.
879Key can include blanks because everything after the first blanks
880is interpreted as the secret key.
881Lines starting with
882.Ql #
883are ignored.
884Keys which start with
885.Ql 0x
886are interpreted as hexadecimal strings.
887Note that the file must be owned by the user ID running
888.Xr racoon 8
889.Pq usually the privileged user ,
890and must not be accessible by others.
891.\"
892.Sh EXAMPLES
893The following shows how the remote directive should be configured.
894.Bd -literal -offset
895path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
896remote anonymous
897{
898 exchange_mode aggressive,main,base;
899 lifetime time 24 hour;
900 proposal {
901 encryption_algorithm 3des;
902 hash_algorithm sha1;
903 authentication_method pre_shared_key;
904 dh_group 2;
905 }
906}
907
908sainfo anonymous
909{
910 pfs_group 2;
911 lifetime time 12 hour ;
65c25746 912 encryption_algorithm 3des, aes ;
52b7d2ce
A
913 authentication_algorithm hmac_sha1, hmac_md5 ;
914 compression_algorithm deflate ;
915}
916.Ed
917.Pp
918The following is a sample for the pre-shared key file.
919.Bd -literal -offset
92010.160.94.3 mekmitasdigoat
921172.16.1.133 0x12345678
922194.100.55.1 whatcertificatereally
9233ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
9243ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
925foo@kame.net mekmitasdigoat
926foo.kame.net hoge
927.Ed
928.\"
929.Sh SEE ALSO
930.Xr racoon 8 ,
931.Xr racoonctl 8 ,
932.Xr setkey 8
933.\"
934.Sh HISTORY
935The
936.Nm
937configuration file first appeared in the
938.Dq YIPS
939Yokogawa IPsec implementation.
940.\"
941.Sh BUGS
942Some statements may not be handled by
943.Xr racoon 8
944yet.
945.Pp
946Diffie-Hellman computation can take a very long time, and may cause
947unwanted timeouts, specifically when a large D-H group is used.
948.\"
949.Sh SECURITY CONSIDERATIONS
950The use of IKE phase 1 aggressive mode is not recommended,
951as described in
952.Li http://www.kb.cert.org/vuls/id/886601 .