The racoon IPsec daemon on Linux is configured through /etc/config/racoon. This document is in an advanced beta state. The 'racoon' section holds the daemon-wide options:
Name | Type | Required | Default | Description |
---|---|---|---|---|
foreground | boolean | no | 0 | Start racoon in foreground if set to 1 |
debug | boolean | no | 0 | Activate racoon debugging if set to 1 |
listen | list | no | (not set) | List which interfaces racoon should listen on. Uses all interfaces if not set. |
zone | string | no | vpn | Firewall zone. Has to match the defined firewall zone |
dns | string | no | (none) | IP address of DNS server published to road warrior clients |
domain | string | no | (none) | Domain name assigned to virtual network interface of road warrior clients |
The 'tunnel' section contains the tunnel definition.
Name | Type | Required | Default | Description |
---|---|---|---|---|
enabled | boolean | yes | (none) | Configuration is enabled or not |
remote | ipaddr | yes | (none) | IP address or FQDN name of the tunnel remote endpoint. Use anonymous for road warrior setup |
remote_device | string | no | (none) | Setting used to optimise racoon.conf generation when the remote peer is a Cisco ASA |
exchange_mode | string | yes | (none) | Phase 1 negotiation (main, aggressive) |
pre_shared_key | string | yes | (none) | The preshared key for the tunnel (Example 2 below uses certificate instead) |
my_identifier_type | string | no | fqdn | identifier type for phase 1 (fqdn, user_fqdn) |
my_identifier | string | no | (none) | identifier for phase 1 |
certificate | string | no | (none) | Certificate name for phase 1 when using certificate authentication |
p1_proposal | list | yes | (none) | Name of phase 1 proposal (see below) |
sainfo | list | yes | (none) | Name of phase 2 section (see below) |
dpd_delay | integer | no | (none) | Activates DPD (dead peer detection) and sets the time (in seconds) allowed between two proof-of-liveness requests |
The 'p1_proposal' section defines a phase 1 proposal.
Name | Type | Required | Default | Description |
---|---|---|---|---|
lifetime | integer | no | 28800 | Lifetime of phase 1 in seconds |
encryption_algorithm | string | yes | (none) | Phase 1 encryption method (aes 128, aes 192, aes 256, 3des) |
hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1) |
authentication_method | string | yes | (none) | Allowed values pre_shared_key, rsasig, xauth_psk_server or xauth_rsa_server |
dh_group | string | yes | (none) | Diffie-Hellman exponentiation (either a number 2, 5, … or a name modp768, …) |
The 'sainfo' section contains the network definition per tunnel.
Name | Type | Required | Default | Description |
---|---|---|---|---|
local_subnet | subnet | yes | (none) | Local network |
remote_subnet | subnet | yes | (none) | Remote network |
local_nat | subnet | no | (none) | NAT range for tunnels with overlapping IP addresses |
p2_proposal | string | yes | (none) | Name of the phase 2 proposal (see below) |
The 'p2_proposal' section defines a phase 2 proposal.
Name | Type | Required | Default | Description |
---|---|---|---|---|
pfs_group | string | yes | (none) | Comma separated list of Diffie-Hellman exponentiations (can be omitted when the peer is a Cisco ASA) |
lifetime | integer | no | 3600 | Lifetime of phase 2 in seconds |
encryption_algorithm | string | yes | (none) | Comma separated list of encryption algorithms (aes 128, aes 192, aes 256, 3des) |
authentication_algorithm | string | yes | (none) | Comma separated list of authentications (hmac_md5, hmac_sha1) |
The 'certificate' section stores a certificate.
Name | Type | Required | Default | Description |
---|---|---|---|---|
crt | string | yes | (none) | RSA certificate |
key | string | no | (none) | Private key for RSA certificate |
Example 1 taken from the IPSec site to site howto.
```
config 'racoon'
	option 'foreground' '0'
	option 'zone' 'vpn'
	list 'listen' 'wan'

config 'tunnel' 'acme'
	option 'enabled' '1'
	option 'remote' '7.7.7.7'
	option 'pre_shared_key' 'yourpasswordhere'
	option 'exchange_mode' 'aggressive'
	option 'my_identifier' 'bratwurst'
	list 'p1_proposal' 'pre_g2_aes_sha1'
	list 'sainfo' 'acme_dmz'
	list 'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
	option 'encryption_algorithm' 'aes 128'
	option 'hash_algorithm' 'sha1'
	option 'authentication_method' 'pre_shared_key'
	option 'dh_group' '2'

config 'sainfo' 'acme_lan'
	option 'local_subnet' '192.168.2.64/26'
	option 'remote_subnet' '10.1.2.0/24'
	option 'p2_proposal' 'g2_aes_sha1'

config 'sainfo' 'acme_dmz'
	option 'local_subnet' '192.168.2.64/26'
	option 'remote_subnet' '66.77.88.192/26'
	option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
	option 'pfs_group' '2'
	option 'encryption_algorithm' 'aes 128'
	option 'authentication_algorithm' 'hmac_sha1'
```
Example 2 taken from the IPSec with certificates howto.
```
config 'racoon'
	option 'foreground' '0'
	option 'debug' '0'

config 'tunnel' 'acme'
	option 'enabled' '1'
	option 'remote' '7.7.7.7'
	option 'exchange_mode' 'aggressive'
	option 'certificate' 'openwrt'
	list 'p1_proposal' 'rsa_g2_aes_sha1'
	list 'sainfo' 'acme_lan'

config 'sainfo' 'acme_lan'
	option 'local_subnet' '192.168.213.64/26'
	option 'remote_subnet' '192.168.10.0/24'
	option 'p2_proposal' 'g2_aes_sha1'

config 'p1_proposal' 'rsa_g2_aes_sha1'
	option 'lifetime' '28800'
	option 'encryption_algorithm' 'aes 128'
	option 'hash_algorithm' 'sha1'
	option 'authentication_method' 'rsasig'
	option 'dh_group' '2'

config 'p2_proposal' 'g2_aes_sha1'
	option 'pfs_group' '2'
	option 'lifetime' '3600'
	option 'encryption_algorithm' 'aes 128'
	option 'authentication_algorithm' 'hmac_sha1'

config 'certificate' 'acme_root'
	option 'crt' '-----BEGIN CERTIFICATE-----MIIGADCCA+igAwIBAgIJAI6xsXSYVD9NMA0GCSqGSI...'

config 'certificate' 'openwrt'
	option 'key' '-----BEGIN RSA PRIVATE KEY-----MIIJKAIBAAKCAgEAqMFzhBNsUyOGYmXGoHSq...'
	option 'crt' '-----BEGIN CERTIFICATE-----MIIE7DCCAtQCAQEwDQYJKoZIhvcNAQEFBQAwasff...'
```
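An added example, not part of this page or of the racoon package: a small Python linter that parses a UCI-style /etc/config/racoon file and cross-checks it against the tables above (required tunnel options, and that every p1_proposal, sainfo and p2_proposal reference points at a defined section), then warns on the weaker choices the tables still permit (md5, 3des, DH groups below 2048 bits, so it deliberately flags the dh_group 2 used in the examples). The sample configuration is constructed and the check names are the author's own.

```python
import re

# Constructed sample (not the page's file), modelled on Example 1: it omits exchange_mode,
# uses weak phase 1 algorithms and references a p2_proposal that is never defined.
SAMPLE = """\
config 'tunnel' 'acme'
    option 'enabled' '1'
    option 'remote' '7.7.7.7'
    list 'p1_proposal' 'pre_g2_aes_sha1'
    list 'sainfo' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
    option 'encryption_algorithm' '3des'
    option 'hash_algorithm' 'md5'
    option 'dh_group' '2'
config 'sainfo' 'acme_lan'
    option 'p2_proposal' 'g2_aes_sha1'
"""
TOKEN = re.compile(r"'([^']*)'|(\S+)")  # a quoted UCI value or a bare word
ALG_KEYS = ("encryption_algorithm", "hash_algorithm", "authentication_algorithm", "dh_group", "pfs_group")
WEAK = {"md5", "hmac_md5", "3des", "1", "modp768", "2", "modp1024"}  # legacy hash/cipher, DH < 2048 bit

def parse_uci(text):
    """Return {section_type: {name: options}}; 'list' entries collect into Python lists."""
    cfg, cur = {}, None
    for line in text.splitlines():
        w = [q or b for q, b in TOKEN.findall(line)]
        if w and w[0] == "config":
            cur = cfg.setdefault(w[1], {}).setdefault(w[2] if len(w) > 2 else "", {})
        elif w and w[0] == "option":
            cur[w[1]] = w[2]
        elif w and w[0] == "list":
            cur.setdefault(w[1], []).append(w[2])
    return cfg

def check_racoon(text):
    """Return (errors, warnings): missing required options, dangling references, weak algorithms."""
    cfg, errors, warnings = parse_uci(text), [], []
    errors += [f"tunnel '{n}' lacks required option {k}" for n, t in cfg.get("tunnel", {}).items()
               for k in ("enabled", "remote", "exchange_mode", "p1_proposal", "sainfo") if k not in t]
    # every name a tunnel or sainfo points at must exist under the expected section type
    refs = [(k, r) for t in cfg.get("tunnel", {}).values() for k in ("p1_proposal", "sainfo") for r in t.get(k, [])]
    refs += [("p2_proposal", s.get("p2_proposal", "(missing)")) for s in cfg.get("sainfo", {}).values()]
    errors += [f"{k} '{r}' referenced but never defined" for k, r in refs if r not in cfg.get(k, {})]
    for kind in ("p1_proposal", "p2_proposal"):
        for name, p in cfg.get(kind, {}).items():
            for k in ALG_KEYS:
                for alg in (a.strip() for a in p.get(k, "").split(",")):  # comma separated lists
                    if alg in WEAK:
                        warnings.append(f"{kind} '{name}': weak {k} '{alg}'")
    return errors, warnings
```

Running check_racoon on a real file (open("/etc/config/racoon").read()) before reloading racoon catches the dangling-reference mistakes that otherwise only surface as a failed phase 1 or phase 2 negotiation.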
The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7):
Proposal | Encryption | Hash | DH Group |
---|---|---|---|
#1 | aes 256 | sha1 | 20 |
#2 | aes 128 | sha1 | 19 |
#3 | aes 256 | sha1 | modp2048 |
#4 | 3des | sha1 | modp2048 |
#5 | 3des | sha1 | modp1024 |