Racoon IPsec Configuration

The Linux racoon IPsec daemon can be configured through /etc/config/racoon. This document is in an advanced beta state.

Sections

racoon

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| foreground | boolean | no | 0 | Start racoon in the foreground if set to 1 |
| debug | boolean | no | 0 | Activate racoon debugging if set to 1 |
| listen | list | no | (not set) | Interfaces racoon should listen on. Uses all interfaces if not set. |
| zone | string | no | vpn | Firewall zone. Has to match the defined firewall zone |
| dns | string | no | (none) | IP address of the DNS server published to road warrior clients |
| domain | string | no | (none) | Domain name assigned to the virtual network interface of road warrior clients |

tunnel

Contains tunnel definition.

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| enabled | boolean | yes | (none) | Whether this tunnel configuration is enabled |
| remote | ipaddr | yes | (none) | IP address or FQDN of the tunnel's remote endpoint. Use anonymous for a road warrior setup |
| remote_device | string | no | (none) | Set when the remote peer is a Cisco ASA so that racoon.conf generation is adapted for it |
| exchange_mode | string | yes | (none) | Phase 1 negotiation mode (main, aggressive) |
| pre_shared_key | string | yes | (none) | The pre-shared key for the tunnel |
| my_identifier_type | string | no | fqdn | Identifier type for phase 1 (fqdn, user_fqdn) |
| my_identifier | string | no | (none) | Identifier for phase 1 |
| certificate | string | no | (none) | Name of the certificate section used for phase 1 when using certificate authentication |
| p1_proposal | list | yes | (none) | Name of a phase 1 proposal section (see below) |
| sainfo | list | yes | (none) | Name of a phase 2 (sainfo) section (see below) |
| dpd_delay | integer | no | (none) | Activates dead peer detection (DPD) and sets the time in seconds allowed between two proof-of-liveness requests |

p1_proposal

Definition of phase 1 proposals

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| lifetime | integer | no | 28800 | Lifetime of phase 1 in seconds |
| encryption_algorithm | string | yes | (none) | Phase 1 encryption method (aes 128, aes 192, aes 256, 3des) |
| hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1) |
| authentication_method | string | yes | (none) | Allowed values: pre_shared_key, rsasig, xauth_psk_server or xauth_rsa_server |
| dh_group | string | yes | (none) | Diffie-Hellman exponentiation, given either as a number (2, 5, …) or as a name (modp768, …) |

sainfo

Contains the network definition per tunnel.

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| local_subnet | subnet | yes | (none) | Local network |
| remote_subnet | subnet | yes | (none) | Remote network |
| local_nat | subnet | no | (none) | NAT range for tunnels with overlapping IP addresses |
| p2_proposal | string | yes | (none) | Name of the phase 2 proposal section to use |

p2_proposal

Definition of phase 2 proposal

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| pfs_group | string | yes | (none) | Comma separated list of Diffie-Hellman exponentiations (can be omitted when the peer is a Cisco ASA) |
| lifetime | integer | no | 3600 | Lifetime of phase 2 in seconds |
| encryption_algorithm | string | yes | (none) | Comma separated list of encryption algorithms (aes 128, aes 192, aes 256, 3des) |
| authentication_algorithm | string | yes | (none) | Comma separated list of authentication algorithms (hmac_md5, hmac_sha1) |

certificate

Stores a certificate

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| crt | string | yes | (none) | RSA certificate |
| key | string | no | (none) | Private key for the RSA certificate |

Examples

Example 1 taken from the IPSec site to site howto.

config 'racoon'
  option 'foreground' '0'
  option 'zone' 'vpn'
  list   'listen' 'wan'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'my_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'sainfo' 'acme_dmz'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '66.77.88.192/26'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'

Example 2 taken from the IPSec with certificates howto.

config 'racoon'
  option 'foreground' '0'
  option 'debug' '0'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'exchange_mode' 'aggressive'
  option 'certificate' 'openwrt'
  list   'p1_proposal' 'rsa_g2_aes_sha1'
  list   'sainfo' 'acme_lan'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.213.64/26'
  option 'remote_subnet' '192.168.10.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p1_proposal' 'rsa_g2_aes_sha1'
  option 'lifetime' '28800'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'rsasig'
  option 'dh_group' '2'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'lifetime' '3600'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'

config 'certificate' 'acme_root'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIGADCCA+igAwIBAgIJAI6xsXSYVD9NMA0GCSqGSI...'

config 'certificate' 'openwrt'
  option 'key' '-----BEGIN RSA PRIVATE KEY-----MIIJKAIBAAKCAgEAqMFzhBNsUyOGYmXGoHSq...'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIE7DCCAtQCAQEwDQYJKoZIhvcNAQEFBQAwasff...'
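The script below is an added example, not code from this page or from the OpenWrt racoon package. It parses a file in the UCI format used by the two examples above, checks it against the section reference (required options, and that every p1_proposal, sainfo, p2_proposal and certificate name a tunnel or sainfo refers to actually exists), and flags settings a current deployment should avoid. The function names parse_uci, lint and _weak, the ERROR/WARN levels and the choice of which algorithms count as weak are the example's own assumptions. The embedded input is a constructed copy of Example 1, trimmed, with a dangling sainfo reference and a 3des phase 2 cipher added so that the checks have something to report.

```python
"""Offline lint for a UCI /etc/config/racoon file. Added example, not code from the
OpenWrt racoon package; helper names, severity levels and the 'weak' sets are its own."""
import re

# Constructed sample: Example 1 from the page, trimmed, with a dangling sainfo
# reference and a 3des phase 2 cipher added so that the checks fire.
SAMPLE = """
config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_lan'
  list   'sainfo' 'acme_dmz'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'
config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes 128,3des'
  option 'authentication_algorithm' 'hmac_sha1'
"""

# Settings this lint treats as weak: MD5, (3)DES and MODP groups of 1536 bits or less.
WEAK = {"hash": {"md5"}, "enc": {"des", "3des"},
        "dh": {"1", "2", "5", "modp768", "modp1024", "modp1536"}}
# Required options per section type, taken from the reference tables above.
REQUIRED = {"tunnel": ("enabled", "remote", "exchange_mode", "p1_proposal", "sainfo"),
            "p1_proposal": ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group"),
            "sainfo": ("local_subnet", "remote_subnet", "p2_proposal"),
            "p2_proposal": ("encryption_algorithm", "authentication_algorithm"), "certificate": ("crt",)}
# (section type, option) -> section type that the option's value must name.
REFS = {("tunnel", "p1_proposal"): "p1_proposal", ("tunnel", "sainfo"): "sainfo",
        ("tunnel", "certificate"): "certificate", ("sainfo", "p2_proposal"): "p2_proposal"}


def parse_uci(text):
    """Parse UCI text into [(type, name, {option: value or [values]})]."""
    sections, opts = [], None
    for line in text.splitlines():
        toks = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == "config":
            opts = {}
            sections.append((toks[1], toks[2] if len(toks) > 2 else None, opts))
        elif toks[0] == "option" and opts is not None:
            opts[toks[1]] = toks[2]
        elif toks[0] == "list" and opts is not None:  # repeated 'list' keys accumulate
            opts.setdefault(toks[1], []).append(toks[2])
    return sections


_aslist = lambda v: [] if v is None else (v if isinstance(v, list) else [v])


def _weak(tag, key, value, kind, out):
    """Flag weak members of a comma separated algorithm list such as 'aes 128,3des'."""
    for alg in filter(None, (a.strip() for a in value.split(","))):
        if alg.split()[0] in WEAK[kind]:  # 'aes 128' -> 'aes'
            out.append(f"WARN {tag}: weak {key} '{alg}'")


def lint(text):
    """Return sorted "LEVEL type 'name': message" findings for a racoon UCI file."""
    secs = parse_uci(text)
    names = {(t, n) for t, n, _ in secs}
    out = []
    for stype, name, opts in secs:
        tag = f"{stype} '{name}'"
        for key in REQUIRED.get(stype, ()):
            if key not in opts:
                out.append(f"ERROR {tag}: missing required option '{key}'")
        for (s, key), target in REFS.items():  # dangling references
            for v in (_aslist(opts.get(key)) if s == stype else []):
                if (target, v) not in names:
                    out.append(f"ERROR {tag}: {key} '{v}' names no {target} section")
        if stype == "p1_proposal":
            for key, kind in (("encryption_algorithm", "enc"), ("hash_algorithm", "hash"), ("dh_group", "dh")):
                _weak(tag, key, opts.get(key, ""), kind, out)
        elif stype == "p2_proposal":
            _weak(tag, "encryption_algorithm", opts.get("encryption_algorithm", ""), "enc", out)
            if "pfs_group" in opts:
                _weak(tag, "pfs_group", opts["pfs_group"], "dh", out)
            else:
                out.append(f"WARN {tag}: no pfs_group, phase 2 keys are derived without PFS")
        elif stype == "tunnel":
            # authentication methods of the phase 1 proposals this tunnel references
            auths = {o.get("authentication_method") for t, n, o in secs
                     if t == "p1_proposal" and n in _aslist(opts.get("p1_proposal"))}
            if auths & {"pre_shared_key", "xauth_psk_server"}:
                if "pre_shared_key" not in opts:
                    out.append(f"ERROR {tag}: PSK authentication but no pre_shared_key")
                if opts.get("exchange_mode") == "aggressive":
                    out.append(f"WARN {tag}: aggressive mode with a PSK exposes the key to offline guessing")
            if auths & {"rsasig", "xauth_rsa_server"} and "certificate" not in opts:
                out.append(f"ERROR {tag}: certificate authentication but no certificate")
    return sorted(out)
```

Run it against a real file with `print("\n".join(lint(open("/etc/config/racoon").read())))`. An ERROR finding means the generated racoon.conf cannot bring the tunnel up (a missing section or key); a WARN finding is a setting the reference still allows but that should be replaced where the peer permits it, for example main mode instead of aggressive mode with a PSK, and a 2048-bit or larger MODP group for dh_group and pfs_group.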

Windows Native VPN Client Proposals

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).

| Proposal | Encryption | Hash | DH Group |
| --- | --- | --- | --- |
| #1 | aes 256 | sha1 | 20 |
| #2 | aes 128 | sha1 | 19 |
| #3 | aes 256 | sha1 | modp2048 |
| #4 | 3des | sha1 | modp2048 |
| #5 | 3des | sha1 | modp1024 |


doc/uci/racoon.txt · Last modified: 2013/04/10 20:05 by xenophonf