.Ic hour , hours .
.El
.\"
-.Ss Privilege separation
-.Bl -tag -width Ds -compact
-.It Ic privsep { Ar statements Ic }
-Specifies privilege separation parameters.
-When enabled, these enable
-.Xr racoon 8
-to operate with an unprivileged instance doing most of the work, while
-a privileged instance takes care of performing the following operations
-as root: reading PSK and private keys, launching hook scripts, and
-validating passwords against system databases or against PAM.
-Please note that using privilege separation makes changes to the
-.Ar listen
-and
-.Ar paths
-sections ignored upon configuration reloads.
-A
-.Xr racoon 8
-restart is required if you want such changes to be taken into account.
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic user Ar user ;
-The user to which the unprivileged instance of
-.Xr racoon 8 ,
-should switch.
-This can be a quoted user name or a numeric UID.
-.It Ic group Ar group ;
-The group the unprivilegied instance of
-.Xr racoon 8 ,
-should switch.
-This can be a quoted group name or a numeric GID.
-.It Ic chroot Ar path ;
-A directory to which the unprivileged instance of
-.Xr racoon 8
-should
-.Xr chroot 2 .
-This directory should hold a tree where the following files must be
-reachable:
-.Bl -tag -width Ds -compact
-.It Pa /dev/random
-.It Pa /dev/urandom
-.It The certificates
-.It The file containing the Xauth banner
-.El
-.Pp
-The PSK file, the private keys, and the hook scripts are accessed through the
-privileged instance of
-.Xr racoon 8
-and do not need to be reachable in the
-.Xr chroot 2 Ap ed
-tree.
-.El
-.El
.Ss Path Specification
This section specifies various paths used by racoon.
When running in privilege separation mode,
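Review bot: deleting the whole `Privilege separation` subsection leaves the unchanged context line `When running in privilege separation mode,` at the top of `Path Specification` referring to a feature that is no longer documented anywhere on the page; either remove that sentence in the same change or keep a one-line statement that `privsep` is not supported in this build. The removed text is also the only place that explains that `listen` and `paths` changes need a restart under privilege separation, so if the daemon still accepts `privsep { }` this should be updated rather than dropped.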
Specifies a file containing pre-shared key(s) for various ID(s).
See
.Sx Pre-shared key File .
-.It Ic path certificate Ar path ;
-.Xr racoon 8
-will search this directory if a certificate or certificate request is received.
-If you run with privilege separation,
-.Xr racoon 8
-will refuse to use a certificate stored outside of this directory.
-.It Ic path backupsa Ar file ;
-Specifies a file to which SA information negotiated by
-racoon should be stored.
-.Xr racoon 8
-will install SA(s) from the file when started with the
-.Fl B
-flag.
-The file is growing because
-.Xr racoon 8
-simply adds SAs to it.
-You should maintain the file manually.
-.It Ic path script Ar path ;
-.Xr racoon 8
-will search this directory for scripts hooks.
-If you run with privilege separation,
-.Xr racoon 8
-will refuse to execute a script stored outside of this directory.
.It Ic path pidfile Ar file ;
Specifies file where to store PID of process.
If path starts with
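Review bot: removing `path certificate`, `path backupsa` and `path script` also removes the only mention of the `-B` flag (`will install SA(s) from the file when started with the .Fl B flag`); if racoon(8) still accepts `-B` or still parses these `path` statements, racoon(8) and this page should change together, and a sentence saying the statements are accepted but ignored is preferable to silence. The loss of the `path certificate` restriction (`will refuse to use a certificate stored outside of this directory`) is consistent with certificates now coming from the keychain, but say so next to `certificate_type` so the reader knows the directory no longer matters.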
Requires that all addresses for ISAKMP be bound.
This statement will be ignored if you do not specify address definitions.
.El
-When running in privilege separation mode, you need to restart
-.Xr racoon 8
-to have changes to the
-.Ar listen
-section taken into account.
-.Pp
-The
-.Ar listen
-section can also be used to specify the admin socket mode and ownership
-if racoon was built with support for admin port.
-.Bl -tag -width Ds -compact
-.It Ic adminsock Ar path Op Ar owner\ group\ mode ;
-The
-.Ar path ,
-.Ar owner ,
-and
-.Ar group
-values specify the socket path, owner, and group. They must be quoted.
-The defaults are
-.Pa /var/racoon/racoon.sock ,
-UID 0, and GID 0.
-.Ar mode
-is the access mode in octal. The default is 0600.
-.It Ic adminsock disabled ;
-This directive tells racoon to not listen on the admin socket.
-.El
.El
-.\"
+./"
.Ss Remote Nodes Specifications
.Bl -tag -width Ds -compact
.It Xo
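Review bot: the replacement line `+./"` for `-.\"` is a typo: `.\"` is the roff comment request, while `./"` is an unknown request that mandoc reports and can render as stray text, so restore `.\"` (or drop the `-`/`+` pair entirely, since the line did not need to change). The same hunk removes the `adminsock` documentation, including the default `/var/racoon/racoon.sock`, UID 0, GID 0 and mode `0600` and the `adminsock disabled` form; if the admin socket is still compiled in, the ownership and mode defaults are exactly what an operator hardening the host needs to find here.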
.It Ic certificate_type Ar certspec ;
Specifies a certificate specification.
.Ar certspec
-is one of followings:
+must be as follows:
.Bl -tag -width Ds -compact
-.It Ic x509 Ar certfile Ar privkeyfile ;
-.Ar certfile
-means a file name of a certificate.
-.Ar privkeyfile
-means a file name of a secret key.
+.It Ic x509 Ar in_keychain Ar keychain_identifier ;
+.Ar in_keychain
+means the certificate is in the system keychain.
+.Ar keychain_identifier
+is the keychain ID for the certificate in base64 format.
.El
+.It Ic certificate_verification Ar verification_spec ;
+Specifies how the certificate is verified. This is required.
+.Ar verification_spec
+must be as follows:
.Bl -tag -width Ds -compact
-.It Ic plain_rsa Ar privkeyfile ;
-.Ar privkeyfile
-means a file name of a private key generated by plainrsa-gen(8). Required
-for RSA authentication.
-.El
-.It Ic ca_type Ar cacertspec ;
-Specifies a root certificate authority specification.
-.Ar cacertspec
-is one of followings:
-.Bl -tag -width Ds -compact
-.It Ic x509 Ar cacertfile ;
-.Ar cacertfile
-means a file name of the root certificate authority.
-Default is
-.Pa /etc/openssl/cert.pem
+.It Ic sec_framework Ar use_peers_identifier ;
+.Ar sec_framework
+means the certificate is verified by the security framework.
+.Ar use_peers_identifier
+means the certificate must contain the peers ID.
.El
-.\"
.It Ic mode_cfg (on | off) ;
Gather network information through ISAKMP mode configuration.
Default is off.
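Review bot: `in_keychain`, `sec_framework` and `use_peers_identifier` are literal keywords the user types, not values they substitute, so they should be marked `.Ic` rather than `.Ar` (compare the removed `.It Ic x509 Ar certfile Ar privkeyfile`, where only the file names are `.Ar`); if `use_peers_identifier` is optional, write `.Op Ic use_peers_identifier`. `Specifies how the certificate is verified. This is required.` is ambiguous about whether the `certificate_verification` statement or the `sec_framework` keyword is mandatory; say which and what happens when it is omitted. Minor: `the peers ID` should read `the peer's ID`.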
racoon will keep on trying to establish a connection even if the
user credentials are wrong, for instance.
.\"
-.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
-If
-.Ic dnssec
-is defined,
-.Xr racoon 8
-will ignore the CERT payload from the peer,
-and try to get the peer's certificate from DNS instead.
-If
-.Ar certfile
-is defined,
-.Xr racoon 8
-will ignore the CERT payload from the peer,
-and will use this certificate as the peer's certificate.
-If
-.Ic plain_rsa
-is defined,
-.Xr racoon 8
-will expect
-.Ar pubkeyfile
-to be the peer's public key that was generated
-by plainrsa-gen(8).
-.\"
-.It Ic script Ar script Ic phase1_up
-.It Ic script Ar script Ic phase1_down
-Shell scripts that get executed when a phase 1 SA goes up or down.
-Both scripts get either
-.Ic phase1_up
-or
-.Ic phase1_down
-as first argument, and the following
-variables are set in their environment:
-.Bl -tag -width Ds -compact
-.It Ev LOCAL_ADDR
-The local address of the phase 1 SA.
-.It Ev LOCAL_PORT
-The local port used for IKE for the phase 1 SA.
-.It Ev REMOTE_ADDR
-The remote address of the phase 1 SA.
-.It Ev REMOTE_PORT
-The remote port used for IKE for the phase 1 SA.
-.El
-The following variables are only set if
-.Ic mode_cfg
-was enabled:
-.Bl -tag -width Ds -compact
-.It INTERNAL_ADDR4
-An IPv4 internal address obtained by ISAKMP mode config.
-.It INTERNAL_NETMASK4
-An IPv4 internal netmask obtained by ISAKMP mode config.
-.It INTERNAL_CIDR4
-An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation.
-.It INTERNAL_DNS4
-The first internal DNS server IPv4 address obtained by ISAKMP mode config.
-.It INTERNAL_DNS4_LIST
-A list of internal DNS servers IPv4 address obtained by ISAKMP mode config,
-separated by spaces.
-.It INTERNAL_WINS4
-The first internal WINS server IPv4 address obtained by ISAKMP mode config.
-.It INTERNAL_WINS4_LIST
-A list of internal WINS servers IPv4 address obtained by ISAKMP mode config,
-separated by spaces.
-.It SPLIT_INCLUDE
-The space separated list of IPv4 addresses and masks (address slash mask)
-that define the networks to be encrypted (as opposed to the default where
-all the traffic should be encrypted) ; obtained by ISAKMP mode config ;
-SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive.
-.It SPLIT_LOCAL
-The space separated list of IPv4 addresses and masks (address slash mask)
-that define the networks to be considered local, and thus excluded from the
-tunnels ; obtained by ISAKMP mode config.
-.It DEFAULT_DOMAIN
-The DNS default domain name obtained by ISAKMP mode config.
-.El
-.\"
-.\"
.It Ic send_cert (on | off) ;
If you do not want to send a certificate, set this to off.
The default is on.
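Review bot: with `peers_certfile` removed, nothing left on the page says whether the CERT payload from the peer is still used or what trust anchors `verified by the security framework` refers to; one sentence under `certificate_verification` covering that would replace the information lost in this hunk. Dropping `script ... phase1_up`/`phase1_down` and the environment variable list is consistent with removing `launching hook scripts` from the privilege separation text earlier in the patch, so no further change is needed there.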
.Ic hybrid_rsa_server ,
.Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
or
-.Ic xauth_psk_client .
+.Ic xauth_psk_client , eap_psk_client , eap_rsa_client .
.\"
.It Ic dh_group Ar group ;
Defines the group used for the Diffie-Hellman exponentiations.
This directive must be defined.
.Ar group
is one of following:
-.Ic modp1024 , modp1536 .
-Or you can define 2 or 5 as the DH group number.
+.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 .
+Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number.
When you want to use aggressive mode,
you must define the same DH group in each proposal.
.It Ic lifetime time Ar number Ar timeunit ;
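Review bot: the `or` in the `authentication_method` list is now misplaced: `xauth_psk_server or xauth_psk_client , eap_psk_client , eap_rsa_client .` should end `... xauth_psk_client , eap_psk_client or eap_rsa_client .` The added DH groups and numbers agree with each other (14 through 18 correspond to modp2048 through modp8192), but `Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18` is plain text, not macro arguments, so the spaces before the commas will appear in the rendered output; write `2, 5, 14, 15, 16, 17 or 18`.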
directive.
.El
.El
+.El
.\"
.Ss Policy Specifications
The policy directive is obsolete, policies are now in the SPD.
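Review bot: the added bare `.El` closes a list whose `.Bl` is not visible in this hunk, and the `certificate_type`/`certificate_verification` hunk earlier in the patch removes one `.Bl` and one `.El` while adding a new `.It` between two lists, so it is easy to end up with an unmatched `.El` here; run `mandoc -T lint` on the result, because an unmatched `.El` is reported as an error and shifts the indentation of everything that follows.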
Any proposal will be accepted if you do not specify one.
.Ar group
is one of following:
-.Ic modp1024 , modp1536 .
-Or you can define 2 or 5 as the DH group number.
+.Ic modp1024 , modp1536 , modp2048 , modp3072 , modp4096 , modp6144 or modp8192 .
+Or you can define 2 , 5 , 14 , 15 , 16 , 17 or 18 as the DH group number.
.\"
.It Ic lifetime time Ar number Ar timeunit ;
define how long an IPsec-SA will be used, in timeunits.
The default is off.
.El
.El
-.Ss ISAKMP mode configuration settings
-.Bl -tag -width Ds -compact
-.It Ic mode_cfg { Ar statements Ic }
-Defines the information to return for remote hosts' ISAKMP mode config
-requests.
-Also defines the authentication source for remote peers
-authenticating through Xauth.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic auth_source (system | radius | pam | ldap) ;
-Specifies the source for authentication of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support. Radius configuration is hanlded by
-.Xr radius.conf 5 .
-.Ar pam
-means to use PAM.
-It works only if
-.Xr racoon 8
-was built with libpam support.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support. LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic auth_groups Ar "group1", ... ;
-Specifies the group memberships for Xauth in quoted group name strings.
-When defined, the authenticating user must be a member of at least one
-group for Xauth to succeed.
-.It Ic group_source (system | ldap) ;
-Specifies the source for group validataion of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by statements in the
-.Ic ldapcfg
-section.
-.It Ic conf_source (local | radius | ldap) ;
-Specifies the source for IP addresses and netmask allocated through ISAKMP
-mode config.
-.Ar local
-means to use the local IP pool defined by the
-.Ic network4
-and
-.Ic pool_size
-statements.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentiation.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-.Ar ldap
-means to use an LDAP server.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic accounting (none | system | radius | pam) ;
-Enables or disables accounting for Xauth logins and logouts.
-The default is
-.Ar none
-which disable accounting.
-Specifying
-.Ar system
-enables system accounting through
-.Xr utmp 5 .
-Specifying
-.Ar radius
-enables RADIUS accounting.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-Specifying
-.Ar pam
-enables PAM accounting.
-It works only if
-.Xr racoon 8
-was build with libpam support and requires PAM authentication.
-.It Ic pool_size Ar size
-Specify the size of the IP address pool, either local or allocated
-through RADIUS.
-.Ic conf_source
-selects the local pool or the RADIUS configuration, but in both
-configurations, you cannot have more than
-.Ar size
-users connected at the same time.
-The default is 255.
-.It Ic network4 Ar address ;
-.It Ic netmask4 Ar address ;
-The local IP pool base address and network mask from which dynamically
-allocated IPv4 addresses should be taken.
-This is used if
-.Ic conf_source
-is set to
-.Ar local
-or if the RADIUS server returned
-.Ar 255.255.255.254 .
-Default is
-.Ar 0.0.0.0/0.0.0.0 .
-.It Ic dns4 Ar addresses ;
-A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
-.Ic dns4
-lines.
-.It Ic nbns4 Ar addresses ;
-A list of IPv4 address for WINS servers.
-.It Ic split_network (include | local_lan) Ar network/mask, ...
-The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
-If
-.Ic include
-is specified, the tunnel should be only used to encrypt the indicated
-destinations ; otherwise, if
-.Ic local_lan
-is used, everything will pass through the tunnel but those destinations.
-.It Ic default_domain Ar domain ;
-The default DNS domain to send.
-.It Ic split_dns Ar "domain", ...
-The split dns configuration to send, in quoted domain name strings.
-This list can be used to describe a list of domain names for which
-a peer should query a modecfg assigned dns server.
-DNS queries for all other domains would be handled locally.
-(Cisco VPN client only).
-.It Ic banner Ar path ;
-The path of a file displayed on the client at connection time.
-Default is
-.Ar /etc/motd .
-.It Ic auth_throttle Ar delay ;
-On each failed Xauth authentication attempt, refuse new attempts for a set
-.Ar delay
-of seconds.
-This is to avoid dictionary attacks on Xauth passwords.
-Default is one second.
-Set to zero to disable authentication delay.
-.It Ic pfs_group Ar group ;
-Sets the PFS group used in the client proposal (Cisco VPN client only).
-Default is 0.
-.It Ic save_passwd (on | off) ;
-Allow the client to save the Xauth password (Cisco VPN client only).
-Default is off.
-.El
-.El
-.Ss Ldap configuration settings
-.Bl -tag -width Ds -compact
-.It Ic ldapcfg { Ar statements Ic }
-Defines the parameters that will be used to communicate with an ldap
-server for
-.Ic xauth
-authentication.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic version (2 | 3) ;
-The ldap protocol version used to communicate with the server.
-The default is
-.Ic 3 .
-.It Ic host Ar (hostname | address) ;
-The host name or ip address of the ldap server.
-The default is
-.Ic localhost .
-.It Ic port Ar number;
-The port that the ldap server is configured to listen on.
-The default is
-.Ic 389 .
-.It Ic base Ar distinguished name;
-The ldap search base.
-This option has no default value.
-.It Ic subtree (on | off) ;
-Use the subtree ldap search scope.
-Otherwise, use the one level search scope.
-The default is
-.Ic off .
-.It Ic bind_dn Ar distinguised name;
-The user dn used to optionaly bind as before performing ldap search operations.
-If this option is not specified, anonymous binds are used.
-.It Ic bind_pw Ar string;
-The password used when binding as
-.Ic bind_dn .
-.It Ic attr_user Ar attribute name;
-The attribute used to specify a users name in an ldap directory.
-For example,
-if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_addr Ar attribute name;
-.It Ic attr_mask Ar attribute name;
-The attributes used to specify a users network address and subnet mask in an
-ldap directory.
-These values are forwarded during mode_cfg negotiation when
-the conf_source is set to ldap.
-The default values are
-.Ic racoon-address
-and
-.Ic racoon-netmask .
-.It Ic attr_group Ar attribute name;
-The attribute used to specify a group name in an ldap directory.
-For example,
-if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_member Ar attribute name;
-The attribute used to specify group membership in an ldap directory.
-The default value is
-.Ic member .
-.El
-.El
.Ss Special directives
.Bl -tag -width Ds -compact
.It Ic complex_bundle (on | off) ;
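Review bot: removing the `ISAKMP mode configuration settings` and `Ldap configuration settings` subsections wholesale also removes `auth_throttle`, the only place this page described the per-failure delay that limits dictionary attacks on Xauth passwords, along with its one-second default; if this build still accepts the server-side `mode_cfg { }` block, that statement should stay documented. If the block is really gone, the surviving `mode_cfg (on | off)` entry in the remote section should say that only the client side is supported, so readers do not go looking for the server block.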
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
+ encryption_algorithm 3des, aes ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
.Ed
.Pp
-If you are configuring plain RSA authentication, the remote directive
-should look like the following:
-.Bd -literal -offset
-path certificate "/usr/local/v6/etc" ;
-remote anonymous
-{
- exchange_mode main,base ;
- lifetime time 12 hour ;
- certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
- peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
- proposal {
- encryption_algorithm aes ;
- hash_algorithm sha1 ;
- authentication_method rsasig ;
- dh_group 2 ;
- }
-}
-.Ed
-.Pp
The following is a sample for the pre-shared key file.
.Bd -literal -offset
10.160.94.3 mekmitasdigoat
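Review bot: the sample proposal is updated from `3des, blowfish 448, twofish, rijndael` to `3des, aes`, but the unchanged neighbouring line still proposes `hmac_sha1, hmac_md5` and `3des` remains first in the list; since readers copy samples verbatim, list `aes` before `3des` and drop `hmac_md5` so the example reflects the stronger choices this edit is reaching for. Removing the plain RSA sample is consistent with dropping the `plain_rsa` and `peers_certfile` documentation; the `.Bd -literal -offset` introducing the pre-shared key sample has no width argument after `-offset`, which is pre-existing but cheap to fix while touching this block.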