1 .\" $NetBSD: racoon.conf.5,v 1.34.4.2 2007/07/18 22:53:03 mgrooms Exp $
3 .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
5 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 .\" All rights reserved.
8 .\" Redistribution and use in source and binary forms, with or without
9 .\" modification, are permitted provided that the following conditions
11 .\" 1. Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
13 .\" 2. Redistributions in binary form must reproduce the above copyright
14 .\" notice, this list of conditions and the following disclaimer in the
15 .\" documentation and/or other materials provided with the distribution.
16 .\" 3. Neither the name of the project nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
20 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Dd September 19, 2006
38 .Nd configuration file for racoon
44 is the configuration file for the
48 negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
49 and for kernel IPsec (IPsec SA, or phase 2 SA).
50 The file consists of a sequence of directives and statements.
51 Each directive is composed by a tag and statements, enclosed by
60 Keywords and special characters that the parser expects exactly are
64 Parameters are specified with
73 are used to show optional keywords and parameters.
75 you have to pay attention when this manual is describing
80 number is always enclosed by
84 In this case, the port number is not an optional keyword.
85 If it is possible to omit the
88 the expression becomes
93 a choice between optional parameters.
100 are used to group keywords and parameters when necessary.
101 Major parameters are listed below.
103 .Bl -tag -width addressx -compact
105 means a hexadecimal or a decimal number.
106 The former must be prefixed with
111 means any string enclosed in
115 means IPv6 and/or IPv4 address.
117 means a TCP/UDP port number.
118 The port number is always enclosed by
124 .Ic sec , secs , second , seconds ,
125 .Ic min , mins , minute , minutes ,
129 .Ss Privilege separation
130 .Bl -tag -width Ds -compact
131 .It Ic privsep { Ar statements Ic }
132 Specifies privilege separation parameters.
133 When enabled, these enable
135 to operate with an unprivileged instance doing most of the work, while
136 a privileged instance takes care of performing the following operations
137 as root: reading PSK and private keys, launching hook scripts, and
138 validating passwords against system databases or against PAM.
139 Please note that using privilege separation makes changes to the
143 sections ignored upon configuration reloads.
146 restart is required if you want such changes to be taken into account.
148 .Bl -tag -width Ds -compact
149 .It Ic user Ar user ;
150 The user to which the unprivileged instance of
153 This can be a quoted user name or a numeric UID.
154 .It Ic group Ar group ;
155 The group the unprivilegied instance of
158 This can be a quoted group name or a numeric GID.
159 .It Ic chroot Ar path ;
160 A directory to which the unprivileged instance of
164 This directory should hold a tree where the following files must be
166 .Bl -tag -width Ds -compact
170 .It The file containing the Xauth banner
173 The PSK file, the private keys, and the hook scripts are accessed through the
174 privileged instance of
176 and do not need to be reachable in the
181 .Ss Path Specification
182 This section specifies various paths used by racoon.
183 When running in privilege separation mode,
187 paths are mandatory. A
189 restart is required if you want path changes to be taken into account.
190 .Bl -tag -width Ds -compact
191 .It Ic path include Ar path ;
192 Specifies a path to include a file.
195 .It Ic path pre_shared_key Ar file ;
196 Specifies a file containing pre-shared key(s) for various ID(s).
198 .Sx Pre-shared key File .
199 .It Ic path certificate Ar path ;
201 will search this directory if a certificate or certificate request is received.
202 If you run with privilege separation,
204 will refuse to use a certificate stored outside of this directory.
205 .It Ic path backupsa Ar file ;
206 Specifies a file to which SA information negotiated by
207 racoon should be stored.
209 will install SA(s) from the file when started with the
212 The file is growing because
214 simply adds SAs to it.
215 You should maintain the file manually.
216 .It Ic path script Ar path ;
218 will search this directory for scripts hooks.
219 If you run with privilege separation,
221 will refuse to execute a script stored outside of this directory.
222 .It Ic path pidfile Ar file ;
223 Specifies file where to store PID of process.
226 it is treated as an absolute path. Otherwise, it is treated as a relative
227 path to the VARRUN directory specified at compilation time.
230 .It Ic path logfile Ar file ;
231 Specifies a file to which logs generated by
234 When the file's size exceeds 200KB,
236 will trim the logfile by dropping the oldest events.
239 it is treated as an absolute path. Otherwise, it is treated as a relative
240 path to the VARRUN directory specified at compilation time.
244 .Bl -tag -width Ds -compact
245 .It Ic include Ar file
246 Specifies other configuration files to be included.
249 .Ss Identifier Specification
251 It must be defined at each
255 .Ss Timer Specification
256 .Bl -tag -width Ds -compact
257 .It Ic timer { Ar statements Ic }
258 This section specifies various timer values used by racoon.
260 .Bl -tag -width Ds -compact
261 .It Ic counter Ar number ;
262 The maximum number of retries to send.
264 .It Ic interval Ar number Ar timeunit ;
265 The interval to resend, in seconds.
266 The default time is 10 seconds.
267 .It Ic persend Ar number ;
268 The number of packets per send.
270 .It Ic phase1 Ar number Ar timeunit ;
271 The maximum time it should take to complete phase 1.
272 The default time is 15 seconds.
273 .It Ic phase2 Ar number Ar timeunit ;
274 The maximum time it should take to complete phase 2.
275 The default time is 10 seconds.
276 .It Ic natt_keepalive Ar number Ar timeunit ;
277 The interval between sending NAT-Traversal keep-alive packets.
278 The default time is 20 seconds.
279 Set to 0s to disable keep-alive packets.
283 .Ss Listening Port Specification
284 .Bl -tag -width Ds -compact
285 .It Ic listen { Ar statements Ic }
288 directive is specified,
290 will listen on all available interface addresses.
291 The following is the list of valid statements:
293 .Bl -tag -width Ds -compact
294 .\" How do I express bold brackets; `[' and `]' .
295 .\" Answer: For bold brackets, do "Ic \&[ foo \&]".
296 .\" Is the "Bq Ic [ Ar port ] ;" buggy ?
297 .It Ic isakmp Ar address Bq Bq Ar port ;
298 If this is specified,
300 will only listen on the defined
302 The default port is 500, which is specified by IANA.
303 You can provide more than one address definition.
304 .It Ic isakmp_natt Ar address Bq Ar port ;
307 but also sets the socket options to accept UDP-encapsulated ESP traffic for
309 If you plan to use NAT-T, you should provide at least one address
310 with port 4500, which is specified by IANA.
312 .It Ic strict_address ;
313 Requires that all addresses for ISAKMP be bound.
314 This statement will be ignored if you do not specify address definitions.
316 When running in privilege separation mode, you need to restart
318 to have changes to the
320 section taken into account.
324 section can also be used to specify the admin socket mode and ownership
325 if racoon was built with support for admin port.
326 .Bl -tag -width Ds -compact
327 .It Ic adminsock Ar path Op Ar owner\ group\ mode ;
333 values specify the socket path, owner, and group. They must be quoted.
335 .Pa /var/racoon/racoon.sock ,
338 is the access mode in octal. The default is 0600.
339 .It Ic adminsock disabled ;
340 This directive tells racoon to not listen on the admin socket.
344 .Ss Miscellaneous Global Parameters
345 .Bl -tag -width Ds -compact
346 .It Ic gss_id_enc Ar enctype ;
349 used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
350 For interoperability with Microsoft Windows' GSS-API authentication
351 scheme, the default encoding has been changed to UTF-16LE.
356 to be configured to use the old encoding for compatibility with existing
359 The following are valid values for
362 .Bl -tag -width Ds -compact
364 Use UTF-16LE to encode the GSS-API identifier attribute.
365 This is the default encoding.
366 This encoding is compatible with Microsoft Windows.
368 Use ISO-Latin-1 to encode the GSS-API identifier attribute.
369 This is the encoding used by older versions of
374 .Ss Remote Nodes Specifications
375 .Bl -tag -width Ds -compact
377 .Ic remote ( Ar address | Ic anonymous )
379 .Bq Ic inherit Ar parent
380 .Ic { Ar statements Ic }
382 Specifies the IKE phase 1 parameters for each remote node.
383 The default port is 500.
386 is specified, the statements will apply to any peer that does not match a
392 .Ic inherit Ar parent
399 that have all values predefined to those of a given
401 In these sections it is enough to redefine only the changed parameters.
403 The following are valid statements.
405 .Bl -tag -width Ds -compact
407 .It Ic exchange_mode ( main | aggressive | base ) ;
408 Defines the exchange mode for phase 1 when racoon is the initiator.
409 It also means the acceptable exchange mode when racoon is the responder.
410 More than one mode can be specified by separating them with a comma.
411 All of the modes are acceptable.
412 The first exchange mode is what racoon uses when it is the initiator.
414 .It Ic doi Ic ipsec_doi ;
415 Means to use IPsec DOI as specified in RFC 2407.
416 You can omit this statement.
418 .It Ic situation Ic identity_only ;
419 Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
420 You can omit this statement.
422 .It Ic identifier Ar idtype ;
423 This statment is obsolete. Instead, use
427 .Ic my_identifier Bq Ar qualifier
430 Specifies the identifier sent to the remote host
431 and the type to use in the phase 1 negotiation.
432 .Ic address, fqdn , user_fqdn , keyid ,
439 is currently only used for
445 The possible values are :
446 .Bl -tag -width Ds -compact
447 .It Ic my_identifier Ic address Bq Ar address ;
448 The type is the IP address.
449 This is the default type if you do not specify an identifier to use.
450 .It Ic my_identifier Ic user_fqdn Ar string ;
451 The type is a USER_FQDN (user fully-qualified domain name).
452 .It Ic my_identifier Ic fqdn Ar string ;
453 The type is a FQDN (fully-qualified domain name).
455 .Ic my_identifier Ic keyid Bq Ic file
458 The type is a KEY_ID, read from the file.
459 .It Ic my_identifier Ic keyid Ic tag Ar string ;
460 The type is a KEY_ID, specified in the quoted string.
461 .It Ic my_identifier Ic asn1dn Bq Ar string ;
462 The type is an ASN.1 distinguished name.
467 will get the DN from the Subject field in the certificate.
470 .It Ic xauth_login Bq Ar string ;
471 Specifies the login to use in client-side Hybrid authentication.
472 It is available only if
474 has been built with this option.
475 The associated password is looked up in the pre-shared key files,
480 .It Ic peers_identifier Ar idtype ... ;
481 Specifies the peer's identifier to be received.
482 If it is not defined then
484 will not verify the peer's identifier in ID payload transmitted from the peer.
485 If it is defined, the behavior of the verification depends on the flag of
486 .Ic verify_identifier .
491 except that the individual component values of an
493 identifier may specified as
495 to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
496 Alternative acceptable peer identifiers may be specified by repeating the
500 .It Ic verify_identifier (on | off) ;
501 If you want to verify the peer's identifier,
503 In this case, if the value defined by
505 is not the same as the peer's identifier in the ID payload,
506 the negotiation will fail.
509 .It Ic certificate_type Ar certspec ;
510 Specifies a certificate specification.
512 is one of followings:
513 .Bl -tag -width Ds -compact
514 .It Ic x509 Ar certfile Ar privkeyfile ;
516 means a file name of a certificate.
518 means a file name of a secret key.
520 .Bl -tag -width Ds -compact
521 .It Ic plain_rsa Ar privkeyfile ;
523 means a file name of a private key generated by plainrsa-gen(8). Required
524 for RSA authentication.
526 .It Ic ca_type Ar cacertspec ;
527 Specifies a root certificate authority specification.
529 is one of followings:
530 .Bl -tag -width Ds -compact
531 .It Ic x509 Ar cacertfile ;
533 means a file name of the root certificate authority.
535 .Pa /etc/openssl/cert.pem
538 .It Ic mode_cfg (on | off) ;
539 Gather network information through ISAKMP mode configuration.
542 .It Ic weak_phase1_check (on | off) ;
543 Tells racoon to act on unencrypted deletion messages during phase 1.
544 This is a small security risk, so the default is off, meaning that
545 racoon will keep on trying to establish a connection even if the
546 user credentials are wrong, for instance.
548 .It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
553 will ignore the CERT payload from the peer,
554 and try to get the peer's certificate from DNS instead.
559 will ignore the CERT payload from the peer,
560 and will use this certificate as the peer's certificate.
567 to be the peer's public key that was generated
570 .It Ic script Ar script Ic phase1_up
571 .It Ic script Ar script Ic phase1_down
572 Shell scripts that get executed when a phase 1 SA goes up or down.
573 Both scripts get either
577 as first argument, and the following
578 variables are set in their environment:
579 .Bl -tag -width Ds -compact
581 The local address of the phase 1 SA.
583 The local port used for IKE for the phase 1 SA.
585 The remote address of the phase 1 SA.
587 The remote port used for IKE for the phase 1 SA.
589 The following variables are only set if
592 .Bl -tag -width Ds -compact
594 An IPv4 internal address obtained by ISAKMP mode config.
595 .It INTERNAL_NETMASK4
596 An IPv4 internal netmask obtained by ISAKMP mode config.
598 An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation.
600 The first internal DNS server IPv4 address obtained by ISAKMP mode config.
601 .It INTERNAL_DNS4_LIST
602 A list of internal DNS servers IPv4 address obtained by ISAKMP mode config,
605 The first internal WINS server IPv4 address obtained by ISAKMP mode config.
606 .It INTERNAL_WINS4_LIST
607 A list of internal WINS servers IPv4 address obtained by ISAKMP mode config,
610 The space separated list of IPv4 addresses and masks (address slash mask)
611 that define the networks to be encrypted (as opposed to the default where
612 all the traffic should be encrypted) ; obtained by ISAKMP mode config ;
613 SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive.
615 The space separated list of IPv4 addresses and masks (address slash mask)
616 that define the networks to be considered local, and thus excluded from the
617 tunnels ; obtained by ISAKMP mode config.
619 The DNS default domain name obtained by ISAKMP mode config.
623 .It Ic send_cert (on | off) ;
624 If you do not want to send a certificate, set this to off.
627 .It Ic send_cr (on | off) ;
628 If you do not want to send a certificate request, set this to off.
631 .It Ic verify_cert (on | off) ;
632 By default, the identifier sent by the remote host (as specified in its
634 statement) is compared with the credentials in the certificate
635 used to authenticate the remote host as follows:
636 .Bl -tag -width Ds -compact
638 The entire certificate subject name is compared with the identifier,
639 e.g. "C=XX, O=YY, ...".
640 .It Type Ic address, fqdn, or user_fqdn:
641 The certificate's subjectAltName is compared with the identifier.
643 If the two do not match the negotiation will fail.
644 If you do not want to verify the identifier using the peer's certificate,
647 .It Ic lifetime time Ar number Ar timeunit ;
648 Define a lifetime of a certain time
649 which will be proposed in the phase 1 negotiations.
650 Any proposal will be accepted, and the attribute(s) will not be proposed to
651 the peer if you do not specify it (them).
652 They can be individually specified in each proposal.
654 .It Ic ike_frag (on | off | force) ;
655 Enable receiver-side IKE fragmentation if
657 has been built with this feature.
658 If set to on, racoon will advertise
659 itself as being capable of receiving packets split by IKE fragmentation.
660 This extension is there to work around broken firewalls that do not
661 work with fragmented UDP packets.
662 IKE fragmentation is always enabled on the sender-side, and it is
663 used if the peer advertises itself as IKE fragmentation capable.
664 By selecting force, IKE Fragmentation will
665 be used when racoon is acting as the initiator even before the remote
666 peer has advertised itself as IKE fragmentation capable.
668 .It Ic esp_frag Ar fraglen ;
669 This option is only relevant if you use NAT traversal in tunnel mode.
670 Its purpose is to work around broken DSL routers that reject UDP
671 fragments, by fragmenting the IP packets before ESP encapsulation.
672 The result is ESP over UDP of fragmented packets instead of fragmented
673 ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of
674 frag(IP:UDP:ESP:IP)).
676 is the maximum size of the fragments.
677 552 should work anywhere,
680 is, the better the performance.
682 Note that because PMTU discovery is broken on many sites, you will
683 have to use MSS clamping if you want TCP to work correctly.
685 .It Ic initial_contact (on | off) ;
686 Enable this to send an INITIAL-CONTACT message.
689 This message is useful only when the responder implementation chooses an
690 old SA when there are multiple SAs with different established time and the
692 If racoon did not send the message,
693 the responder would use an old SA even when a new SA was established.
694 For systems that use a KAME derived IPSEC stack, the
696 variable net.key.preferred_oldsa can be used to control this preference.
697 When the value is zero, the stack always uses a new SA.
699 .It Ic passive (on | off) ;
700 If you do not want to initiate the negotiation, set this to on.
703 It is useful for a server.
705 .It Ic proposal_check Ar level ;
706 Specifies the action of lifetime length, key length and PFS of the phase 2
707 selection on the responder side, and the action of lifetime check in
714 .Bl -tag -width Ds -compact
716 The responder will obey the initiator anytime.
718 If the responder's lifetime length is longer than the initiator's or
719 the responder's key length is shorter than the initiator's,
720 the responder will use the initiator's value.
721 Otherwise, the proposal will be rejected.
722 If PFS is not required by the responder, the responder will obey the proposal.
723 If PFS is required by both sides and the responder's group is not equal to
724 the initiator's, then the responder will reject the proposal.
726 If the responder's lifetime length is longer than the initiator's or
727 the responder's key length is shorter than the initiator's,
728 the responder will use the initiator's value.
729 If the responder's lifetime length is shorter than the initiator's,
730 the responder uses its own length AND sends a RESPONDER-LIFETIME notify
731 message to an initiator in the case of lifetime (phase 2 only).
732 For PFS, this directive behaves the same as
735 If the initiator's lifetime or key length is not equal to the responder's,
736 the responder will reject the proposal.
737 If PFS is required by both sides and the responder's group is not equal to
738 the initiator's, then the responder will reject the proposal.
741 .It Ic support_proxy (on | off) ;
742 If this value is set to on, then both values of ID payloads in the
743 phase 2 exchange are always used as the addresses of end-point of
747 .It Ic generate_policy (on | off | require | unique) ;
748 This directive is for the responder.
749 Therefore you should set
753 only becomes a responder.
754 If the responder does not have any policy in SPD during phase 2
755 negotiation, and the directive is set to on, then
757 will choose the first proposal in the
758 SA payload from the initiator, and generate policy entries from the proposal.
759 It is useful to negotiate with clients whose IP address is allocated
761 Note that an inappropriate policy might be installed into the responder's SPD
763 so other communications might fail if such policies are installed
764 due to a policy mismatch between the initiator and the responder.
768 values mean the same thing (generate a require policy).
770 tells racoon to set up unique policies, with a monotoning increasing
771 reqid number (between 1 and IPSEC_MANUAL_REQID_MAX).
772 This directive is ignored in the initiator case.
777 .It Ic nat_traversal (on | off | force) ;
778 This directive enables use of the NAT-Traversal IPsec extension
780 NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
781 doing address- or port-translation).
782 If a NAT gateway is detected during the phase 1 handshake, racoon will
783 attempt to negotiate the use of NAT-T with the remote peer.
784 If the negotiation succeeds, all ESP and AH packets for the given connection
785 will be encapsulated into UDP datagrams (port 4500, by default).
787 .Bl -tag -width Ds -compact
789 NAT-T is used when a NAT gateway is detected between the peers.
791 NAT-T is not proposed/accepted.
794 NAT-T is used regardless of whether a NAT gateway is detected between the
797 Please note that NAT-T support is a compile-time option.
798 Although it is enabled in the source distribution by default, it
799 may not be available in your particular build.
800 In that case you will get a
801 warning when using any NAT-T related config options.
803 .It Ic dpd_delay Ar delay ;
804 This option activates the DPD and sets the time (in seconds) allowed
805 between 2 proof of liveliness requests.
808 which disables DPD monitoring, but still negotiates DPD support.
810 .It Ic dpd_retry Ar delay ;
813 is set, this sets the delay (in seconds) to wait for a proof of
814 liveliness before considering it as failed and send another request.
818 .It Ic dpd_maxfail Ar number ;
821 is set, this sets the maximum number of liveliness proofs to request
822 (without reply) before considering the peer is dead.
826 .It Ic nonce_size Ar number ;
827 define the byte size of nonce value.
828 Racoon can send any value although
829 RFC2409 specifies that the value MUST be between 8 and 256 bytes.
830 The default size is 16 bytes.
832 .It Ic ph1id Ar number ;
833 An optionnal number to identify the remote proposal and to link it
834 only with sainfos who have the same number.
838 .Ic proposal { Ar sub-substatements Ic }
840 .Bl -tag -width Ds -compact
842 .It Ic encryption_algorithm Ar algorithm ;
843 Specifies the encryption algorithm used for the phase 1 negotiation.
844 This directive must be defined.
847 .Ic des, 3des, blowfish, cast128, aes, camellia
850 For other transforms, this statement should not be used.
852 .It Ic hash_algorithm Ar algorithm ;
853 Defines the hash algorithm used for the phase 1 negotiation.
854 This directive must be defined.
857 .Ic md5, sha1, sha256, sha384, sha512
860 .It Ic authentication_method Ar type ;
861 Defines the authentication method used for the phase 1 negotiation.
862 This directive must be defined.
865 .Ic pre_shared_key , rsasig
866 (for plain RSA authentication),
867 .Ic gssapi_krb , hybrid_rsa_server ,
868 .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
870 .Ic xauth_psk_client .
872 .It Ic dh_group Ar group ;
873 Defines the group used for the Diffie-Hellman exponentiations.
874 This directive must be defined.
877 .Ic modp768 , modp1024 , modp1536 ,
878 .Ic modp2048 , modp3072 , modp4096 ,
879 .Ic modp6144 , modp8192 .
880 Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
881 When you want to use aggressive mode,
882 you must define the same DH group in each proposal.
883 .It Ic lifetime time Ar number Ar timeunit ;
884 Defines the lifetime of the phase 1 SA proposal.
885 Refer to the description of the
887 directive defined in the
890 .It Ic gss_id Ar string ;
891 Defines the GSS-API endpoint name, to be included as an attribute in the SA,
894 authentication method is used.
895 If this is not defined, the default value of
897 is used, where hostname is the value returned by the
904 .Ss Policy Specifications
905 The policy directive is obsolete, policies are now in the SPD.
907 will obey the policy configured into the kernel by
909 and will construct phase 2 proposals by combining
913 and policies in the kernel.
915 .Ss Sainfo Specifications
916 .Bl -tag -width Ds -compact
918 .Ic sainfo ( Ar source_id destination_id | Ar source_id Ic anonymous | Ic anonymous Ar destination_id | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
919 .Ic { Ar statements Ic }
921 defines the parameters of the IKE phase 2 (IPsec-SA establishment).
925 are constructed like:
927 .Ic address Ar address
934 .Ic subnet Ar address
943 An id string should be expressed to match the exact value of an ID payload
944 (source is the local end, destination is the remote end).
945 This is not like a filter rule.
946 For example, if you define 3ffe:501:4819::/48 as
948 3ffe:501:4819:1000:/64 will not match.
950 In the case of a longest prefix (selecting a single host),
952 instructs to send ID type of ADDRESS while
954 instructs to send ID type of SUBNET.
955 Otherwise, these instructions are identical.
957 The group keyword allows an XAuth group membership check to be performed
958 for this sainfo section.
959 When the mode_cfg auth source is set to
963 the XAuth user is verified to be a member of the specified group
964 before allowing a matching SA to be negotiated.
966 .Bl -tag -width Ds -compact
968 .It Ic pfs_group Ar group ;
969 define the group of Diffie-Hellman exponentiations.
970 If you do not require PFS then you can omit this directive.
971 Any proposal will be accepted if you do not specify one.
974 .Ic modp768 , modp1024 , modp1536 ,
975 .Ic modp2048 , modp3072 , modp4096 ,
976 .Ic modp6144 , modp8192 .
977 Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
979 .It Ic lifetime time Ar number Ar timeunit ;
980 define how long an IPsec-SA will be used, in timeunits.
981 Any proposal will be accepted, and no attribute(s) will be proposed to
982 the peer if you do not specify it(them).
987 .It Ic remoteid Ar number ;
988 Sainfos will only be used if their remoteid matches the ph1id of the
989 remote section used for phase 1.
990 Defaults to 0, which is also the default for ph1id.
992 .It Ic my_identifier Ar idtype ... ;
994 It does not make sense to specify an identifier in the phase 2.
999 does not have a list of security protocols to be negotiated.
1000 The list of security protocols are passed by SPD in the kernel.
1001 Therefore you have to define all of the potential algorithms
1002 in the phase 2 proposals even if there are algorithms which will not be used.
1003 These algorithms are define by using the following three directives,
1004 with a single comma as the separator.
1005 For algorithms that can take variable-length keys, algorithm names
1006 can be followed by a key length, like
1007 .Dq Li blowfish 448 .
1009 will compute the actual phase 2 proposals by computing
1010 the permutation of the specified algorithms,
1011 and then combining them with the security protocol specified by the SPD.
1013 .Ic des , 3des , hmac_md5 ,
1016 are specified as algorithms, we have four combinations for use with ESP,
1018 Then, based on the SPD settings,
1020 will construct the actual proposals.
1021 If the SPD entry asks for ESP only, there will be 4 proposals.
1022 If it asks for both AH and ESP, there will be 8 proposals.
1023 Note that the kernel may not support the algorithm you have specified.
1025 .Bl -tag -width Ds -compact
1026 .It Ic encryption_algorithm Ar algorithms ;
1027 .Ic des , 3des , des_iv64 , des_iv32 ,
1028 .Ic rc5 , rc4 , idea , 3idea ,
1029 .Ic cast128 , blowfish , null_enc ,
1030 .Ic twofish , rijndael , aes , camellia
1033 .It Ic authentication_algorithm Ar algorithms ;
1034 .Ic des , 3des , des_iv64 , des_iv32 ,
1035 .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
1036 .Pq used with ESP authentication and AH
1038 .It Ic compression_algorithm Ar algorithms ;
1040 .Pq used with IPComp
1045 .Bl -tag -width Ds -compact
1046 .It Ic log Ar level ;
1047 Defines the logging level.
1049 is one of following:
1050 .Ic error , warning , notify , info , debug
1055 If you set the logging level too high on slower machines,
1056 IKE negotiation can fail due to timing constraint changes.
1059 .Ss Specifies the way to pad
1060 .Bl -tag -width Ds -compact
1061 .It Ic padding { Ar statements Ic }
1062 specifies the padding format.
1063 The following are valid statements:
1064 .Bl -tag -width Ds -compact
1065 .It Ic randomize (on | off) ;
1066 Enables the use of a randomized value for padding.
1068 .It Ic randomize_length (on | off) ;
1069 The pad length will be random.
1071 .It Ic maximum_length Ar number ;
1072 Defines a maximum padding length.
1074 .Ic randomize_length
1075 is off, this is ignored.
1076 The default is 20 bytes.
1077 .It Ic exclusive_tail (on | off) ;
1078 Means to put the number of pad bytes minus one into the last part
1081 .It Ic strict_check (on | off) ;
1082 Means to constrain the peer to set the number of pad bytes.
1086 .Ss ISAKMP mode configuration settings
1087 .Bl -tag -width Ds -compact
1088 .It Ic mode_cfg { Ar statements Ic }
1089 Defines the information to return for remote hosts' ISAKMP mode config
1091 Also defines the authentication source for remote peers
1092 authenticating through Xauth.
1094 The following are valid statements:
1095 .Bl -tag -width Ds -compact
1096 .It Ic auth_source (system | radius | pam | ldap) ;
1097 Specifies the source for authentication of users through Xauth.
1099 means to use the Unix user database.
1100 This is the default.
1102 means to use a RADIUS server.
1105 was built with libradius support. Radius configuration is hanlded by
1111 was built with libpam support.
1116 was built with libldap support. LDAP configuration is handled by
1120 .It Ic auth_groups Ar "group1", ... ;
1121 Specifies the group memberships for Xauth in quoted group name strings.
1122 When defined, the authenticating user must be a member of at least one
1123 group for Xauth to succeed.
1124 .It Ic group_source (system | ldap) ;
1125 Specifies the source for group validataion of users through Xauth.
1127 means to use the Unix user database.
1128 This is the default.
1133 was built with libldap support and requires LDAP authentication.
1134 LDAP configuration is handled by statements in the
1137 .It Ic conf_source (local | radius | ldap) ;
1138 Specifies the source for IP addresses and netmask allocated through ISAKMP
1141 means to use the local IP pool defined by the
1146 This is the default.
1148 means to use a RADIUS server.
1151 was built with libradius support and requires RADIUS authentiation.
1152 RADIUS configuration is handled by
1155 means to use an LDAP server.
1158 was built with libldap support and requires LDAP authentication.
1159 LDAP configuration is handled by
1163 .It Ic accounting (none | system | radius | pam) ;
1164 Enables or disables accounting for Xauth logins and logouts.
1167 which disable accounting.
1170 enables system accounting through
1174 enables RADIUS accounting.
1177 was built with libradius support and requires RADIUS authentication.
1178 RADIUS configuration is handled by
1182 enables PAM accounting.
1185 was build with libpam support and requires PAM authentication.
1186 .It Ic pool_size Ar size
1187 Specify the size of the IP address pool, either local or allocated
1190 selects the local pool or the RADIUS configuration, but in both
1191 configurations, you cannot have more than
1193 users connected at the same time.
1195 .It Ic network4 Ar address ;
1196 .It Ic netmask4 Ar address ;
1197 The local IP pool base address and network mask from which dynamically
1198 allocated IPv4 addresses should be taken.
1203 or if the RADIUS server returned
1204 .Ar 255.255.255.254 .
1206 .Ar 0.0.0.0/0.0.0.0 .
1207 .It Ic dns4 Ar addresses ;
1208 A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
1211 .It Ic nbns4 Ar addresses ;
1212 A list of IPv4 address for WINS servers.
1213 .It Ic split_network (include | local_lan) Ar network/mask, ...
1214 The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
1217 is specified, the tunnel should be only used to encrypt the indicated
1218 destinations ; otherwise, if
1220 is used, everything will pass through the tunnel but those destinations.
1221 .It Ic default_domain Ar domain ;
1222 The default DNS domain to send.
1223 .It Ic split_dns Ar "domain", ...
1224 The split dns configuration to send, in quoted domain name strings.
1225 This list can be used to describe a list of domain names for which
1226 a peer should query a modecfg assigned dns server.
1227 DNS queries for all other domains would be handled locally.
1228 (Cisco VPN client only).
1229 .It Ic banner Ar path ;
1230 The path of a file displayed on the client at connection time.
1233 .It Ic auth_throttle Ar delay ;
1234 On each failed Xauth authentication attempt, refuse new attempts for a set
1237 This is to avoid dictionary attacks on Xauth passwords.
1238 Default is one second.
1239 Set to zero to disable authentication delay.
1240 .It Ic pfs_group Ar group ;
1241 Sets the PFS group used in the client proposal (Cisco VPN client only).
1243 .It Ic save_passwd (on | off) ;
1244 Allow the client to save the Xauth password (Cisco VPN client only).
1248 .Ss Ldap configuration settings
1249 .Bl -tag -width Ds -compact
1250 .It Ic ldapcfg { Ar statements Ic }
1251 Defines the parameters that will be used to communicate with an ldap
1256 The following are valid statements:
1257 .Bl -tag -width Ds -compact
1258 .It Ic version (2 | 3) ;
1259 The ldap protocol version used to communicate with the server.
1262 .It Ic host Ar (hostname | address) ;
1263 The host name or ip address of the ldap server.
1266 .It Ic port Ar number;
1267 The port that the ldap server is configured to listen on.
1270 .It Ic base Ar distinguished name;
1271 The ldap search base.
1272 This option has no default value.
1273 .It Ic subtree (on | off) ;
1274 Use the subtree ldap search scope.
1275 Otherwise, use the one level search scope.
1278 .It Ic bind_dn Ar distinguised name;
1279 The user dn used to optionaly bind as before performing ldap search operations.
1280 If this option is not specified, anonymous binds are used.
1281 .It Ic bind_pw Ar string;
1282 The password used when binding as
1284 .It Ic attr_user Ar attribute name;
1285 The attribute used to specify a users name in an ldap directory.
1287 if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
1288 The default value is
1290 .It Ic attr_addr Ar attribute name;
1291 .It Ic attr_mask Ar attribute name;
1292 The attributes used to specify a users network address and subnet mask in an
1294 These values are forwarded during mode_cfg negotiation when
1295 the conf_source is set to ldap.
1296 The default values are
1299 .Ic racoon-netmask .
1300 .It Ic attr_group Ar attribute name;
1301 The attribute used to specify a group name in an ldap directory.
1303 if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
1304 The default value is
1306 .It Ic attr_member Ar attribute name;
1307 The attribute used to specify group membership in an ldap directory.
1308 The default value is
1312 .Ss Special directives
1313 .Bl -tag -width Ds -compact
1314 .It Ic complex_bundle (on | off) ;
1315 defines the interpretation of proposal in the case of SA bundle.
1317 .Dq IP AH ESP IP payload
1319 .Dq AH tunnel and ESP tunnel .
1320 The interpretation is more common to other IKE implementations, however,
1321 it allows very limited set of combinations for proposals.
1322 With the option enabled, it will be proposed as
1323 .Dq AH transport and ESP tunnel .
1324 The default value is
1328 .Ss Pre-shared key File
1329 The pre-shared key file defines pairs of identifiers and corresponding
1330 shared secret keys which are used in the pre-shared key authentication
1332 The pair in each line is separated by some number of blanks and/or tab
1333 characters like in the
1336 Key can include blanks because everything after the first blanks
1337 is interpreted as the secret key.
1341 Keys which start with
1343 are interpreted as hexadecimal strings.
1344 Note that the file must be owned by the user ID running
1346 .Pq usually the privileged user ,
1347 and must not be accessible by others.
1350 The following shows how the remote directive should be configured.
1351 .Bd -literal -offset
1352 path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
1355 exchange_mode aggressive,main,base;
1356 lifetime time 24 hour;
1358 encryption_algorithm 3des;
1359 hash_algorithm sha1;
1360 authentication_method pre_shared_key;
1368 lifetime time 12 hour ;
1369 encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
1370 authentication_algorithm hmac_sha1, hmac_md5 ;
1371 compression_algorithm deflate ;
1375 If you are configuring plain RSA authentication, the remote directive
1376 should look like the following:
1377 .Bd -literal -offset
1378 path certificate "/usr/local/v6/etc" ;
1381 exchange_mode main,base ;
1382 lifetime time 12 hour ;
1383 certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
1384 peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
1386 encryption_algorithm aes ;
1387 hash_algorithm sha1 ;
1388 authentication_method rsasig ;
1394 The following is a sample for the pre-shared key file.
1395 .Bd -literal -offset
1396 10.160.94.3 mekmitasdigoat
1397 172.16.1.133 0x12345678
1398 194.100.55.1 whatcertificatereally
1399 3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
1400 3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
1401 foo@kame.net mekmitasdigoat
1413 configuration file first appeared in the
1415 Yokogawa IPsec implementation.
1418 Some statements may not be handled by
1422 Diffie-Hellman computation can take a very long time, and may cause
1423 unwanted timeouts, specifically when a large D-H group is used.
1425 .Sh SECURITY CONSIDERATIONS
1426 The use of IKE phase 1 aggressive mode is not recommended,
1428 .Li http://www.kb.cert.org/vuls/id/886601 .