-.Ss ISAKMP mode configuration settings
-.Bl -tag -width Ds -compact
-.It Ic mode_cfg { Ar statements Ic }
-Defines the information to return for remote hosts' ISAKMP mode config
-requests.
-Also defines the authentication source for remote peers
-authenticating through Xauth.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic auth_source (system | radius | pam | ldap) ;
-Specifies the source for authentication of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support. Radius configuration is hanlded by
-.Xr radius.conf 5 .
-.Ar pam
-means to use PAM.
-It works only if
-.Xr racoon 8
-was built with libpam support.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support. LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic auth_groups Ar "group1", ... ;
-Specifies the group memberships for Xauth in quoted group name strings.
-When defined, the authenticating user must be a member of at least one
-group for Xauth to succeed.
-.It Ic group_source (system | ldap) ;
-Specifies the source for group validataion of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by statements in the
-.Ic ldapcfg
-section.
-.It Ic conf_source (local | radius | ldap) ;
-Specifies the source for IP addresses and netmask allocated through ISAKMP
-mode config.
-.Ar local
-means to use the local IP pool defined by the
-.Ic network4
-and
-.Ic pool_size
-statements.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentiation.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-.Ar ldap
-means to use an LDAP server.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic accounting (none | system | radius | pam) ;
-Enables or disables accounting for Xauth logins and logouts.
-The default is
-.Ar none
-which disable accounting.
-Specifying
-.Ar system
-enables system accounting through
-.Xr utmp 5 .
-Specifying
-.Ar radius
-enables RADIUS accounting.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-Specifying
-.Ar pam
-enables PAM accounting.
-It works only if
-.Xr racoon 8
-was build with libpam support and requires PAM authentication.
-.It Ic pool_size Ar size
-Specify the size of the IP address pool, either local or allocated
-through RADIUS.
-.Ic conf_source
-selects the local pool or the RADIUS configuration, but in both
-configurations, you cannot have more than
-.Ar size
-users connected at the same time.
-The default is 255.
-.It Ic network4 Ar address ;
-.It Ic netmask4 Ar address ;
-The local IP pool base address and network mask from which dynamically
-allocated IPv4 addresses should be taken.
-This is used if
-.Ic conf_source
-is set to
-.Ar local
-or if the RADIUS server returned
-.Ar 255.255.255.254 .
-Default is
-.Ar 0.0.0.0/0.0.0.0 .
-.It Ic dns4 Ar addresses ;
-A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
-.Ic dns4
-lines.
-.It Ic nbns4 Ar addresses ;
-A list of IPv4 address for WINS servers.
-.It Ic split_network (include | local_lan) Ar network/mask, ...
-The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
-If
-.Ic include
-is specified, the tunnel should be only used to encrypt the indicated
-destinations ; otherwise, if
-.Ic local_lan
-is used, everything will pass through the tunnel but those destinations.
-.It Ic default_domain Ar domain ;
-The default DNS domain to send.
-.It Ic split_dns Ar "domain", ...
-The split dns configuration to send, in quoted domain name strings.
-This list can be used to describe a list of domain names for which
-a peer should query a modecfg assigned dns server.
-DNS queries for all other domains would be handled locally.
-(Cisco VPN client only).
-.It Ic banner Ar path ;
-The path of a file displayed on the client at connection time.
-Default is
-.Ar /etc/motd .
-.It Ic auth_throttle Ar delay ;
-On each failed Xauth authentication attempt, refuse new attempts for a set
-.Ar delay
-of seconds.
-This is to avoid dictionary attacks on Xauth passwords.
-Default is one second.
-Set to zero to disable authentication delay.
-.It Ic pfs_group Ar group ;
-Sets the PFS group used in the client proposal (Cisco VPN client only).
-Default is 0.
-.It Ic save_passwd (on | off) ;
-Allow the client to save the Xauth password (Cisco VPN client only).
-Default is off.
-.El
-.El
-.Ss Ldap configuration settings
-.Bl -tag -width Ds -compact
-.It Ic ldapcfg { Ar statements Ic }
-Defines the parameters that will be used to communicate with an ldap
-server for
-.Ic xauth
-authentication.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic version (2 | 3) ;
-The ldap protocol version used to communicate with the server.
-The default is
-.Ic 3 .
-.It Ic host Ar (hostname | address) ;
-The host name or ip address of the ldap server.
-The default is
-.Ic localhost .
-.It Ic port Ar number;
-The port that the ldap server is configured to listen on.
-The default is
-.Ic 389 .
-.It Ic base Ar distinguished name;
-The ldap search base.
-This option has no default value.
-.It Ic subtree (on | off) ;
-Use the subtree ldap search scope.
-Otherwise, use the one level search scope.
-The default is
-.Ic off .
-.It Ic bind_dn Ar distinguised name;
-The user dn used to optionaly bind as before performing ldap search operations.
-If this option is not specified, anonymous binds are used.
-.It Ic bind_pw Ar string;
-The password used when binding as
-.Ic bind_dn .
-.It Ic attr_user Ar attribute name;
-The attribute used to specify a users name in an ldap directory.
-For example,
-if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_addr Ar attribute name;
-.It Ic attr_mask Ar attribute name;
-The attributes used to specify a users network address and subnet mask in an
-ldap directory.
-These values are forwarded during mode_cfg negotiation when
-the conf_source is set to ldap.
-The default values are
-.Ic racoon-address
-and
-.Ic racoon-netmask .
-.It Ic attr_group Ar attribute name;
-The attribute used to specify a group name in an ldap directory.
-For example,
-if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_member Ar attribute name;
-The attribute used to specify group membership in an ldap directory.
-The default value is
-.Ic member .
-.El
-.El
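Review bot: this hunk removes the entire mode_cfg and ldapcfg documentation, but nothing in the visible diff shows the corresponding options being removed from the parser or relocated elsewhere in the manual; if racoon still accepts them, the deletion leaves security-relevant knobs undocumented, in particular auth_throttle (the per-failure delay the removed text describes as the mitigation for dictionary attacks on Xauth passwords), bind_pw (a cleartext LDAP credential stored in racoon.conf) and save_passwd (client-side caching of the Xauth password). Either the commit should state where this text now lives, or these lines should be kept. If the text is being moved rather than dropped, carry the needed fixes over to the new copy: the typos "hanlded", "validataion", "authentiation", "was build", "optionaly" and "distinguised", and the mdoc argument lists such as `.It Ic port Ar number;` and `.It Ic base Ar distinguished name;`, where the trailing semicolon is glued to the argument instead of being a separate token as in `.It Ic auth_source (system | radius | pam | ldap) ;`.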