Racoon IPsec Configuration

The racoon IPsec daemon (the IKEv1 key manager from ipsec-tools) is configured on OpenWrt through /etc/config/racoon; the init script generates racoon.conf from it. This document is in an advanced beta state.

Sections

racoon

Name | Type | Required | Default | Description
foreground | boolean | no | 0 | Start racoon in the foreground if set to 1
debug | boolean | no | 0 | Activate racoon debugging if set to 1
listen | list | no | (not set) | Interfaces racoon should listen on. If not set, racoon listens on all interfaces, so set it to the interface(s) that actually carry IKE (typically wan) to keep UDP 500/4500 off internal networks
zone | string | no | vpn | Firewall zone; must match a zone defined in /etc/config/firewall
dns | string | no | (none) | IP address of the DNS server published to road-warrior clients
domain | string | no | (none) | Domain name assigned to the virtual network interface of road-warrior clients

tunnel

Contains tunnel definition.

Name | Type | Required | Default | Description
enabled | boolean | yes | (none) | Whether this tunnel configuration is active (1) or not (0)
remote | ipaddr | yes | (none) | IP address or FQDN of the remote tunnel endpoint. Use anonymous for a road-warrior setup
remote_device | string | no | (none) | Set when the remote peer is a Cisco ASA; adjusts the generated racoon.conf for that device
exchange_mode | string | yes | (none) | Phase 1 negotiation mode (main, aggressive). Main mode with a pre-shared key selects the key by the peer's IP address, so road-warrior peers with changing addresses usually need aggressive mode. Aggressive mode sends the identity unencrypted and lets a passive observer capture material for offline guessing of the PSK, so pair it with a long random key or with certificates
pre_shared_key | string | yes, for pre_shared_key and xauth_psk_server authentication | (none) | The pre-shared key for the tunnel. Not used with certificate authentication (see Example 2)
my_identifier_type | string | no | fqdn | Identifier type for phase 1 (fqdn, user_fqdn)
my_identifier | string | no | (none) | Identifier for phase 1
certificate | string | yes, for rsasig and xauth_rsa_server authentication | (none) | Name of the certificate section used for phase 1 certificate authentication
p1_proposal | list | yes | (none) | Name(s) of phase 1 proposal sections (see below)
sainfo | list | yes | (none) | Name(s) of phase 2 (sainfo) sections (see below)
dpd_delay | integer | no | (none) | Enables dead peer detection (DPD) and sets the interval in seconds between two liveness checks

p1_proposal

Definition of phase 1 proposals

Name | Type | Required | Default | Description
lifetime | integer | no | 28800 | Lifetime of phase 1 in seconds
encryption_algorithm | string | yes | (none) | Phase 1 encryption algorithm (aes 128, aes 192, aes 256, 3des). 3des is a legacy cipher; use AES unless the peer offers nothing else
hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1). The option name is hash_algorithm, as in the examples below. Prefer sha1 over md5; both are legacy choices
authentication_method | string | yes | (none) | Allowed values: pre_shared_key, rsasig, xauth_psk_server, xauth_rsa_server
dh_group | string | yes | (none) | Diffie-Hellman group, as a number (2, 5, 14, …) or a name (modp768, modp1024, modp2048, …). Groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP and are considered too weak today; use modp2048 (group 14) or larger where the peer supports it

sainfo

Contains the network definition for a tunnel (one sainfo section per pair of networks).

Name | Type | Required | Default | Description
local_subnet | subnet | yes | (none) | Local network, e.g. 192.168.2.64/26
remote_subnet | subnet | yes | (none) | Remote network
local_nat | subnet | no | (none) | NAT range used when the local and remote networks overlap
p2_proposal | string | yes | (none) | Name of the phase 2 proposal section (see below)

p2_proposal

Definition of phase 2 proposal

Name | Type | Required | Default | Description
pfs_group | string | yes (may be omitted when the peer is a Cisco ASA) | (none) | Comma-separated list of Diffie-Hellman groups for perfect forward secrecy. Without PFS the phase 2 keys are derived from the phase 1 keying material alone, so a compromise of phase 1 exposes them
lifetime | integer | no | 3600 | Lifetime of phase 2 in seconds
encryption_algorithm | string | yes | (none) | Comma-separated list of encryption algorithms (aes 128, aes 192, aes 256, 3des)
authentication_algorithm | string | yes | (none) | Comma-separated list of authentication (integrity) algorithms (hmac_md5, hmac_sha1)

certificate

Stores a certificate. Each certificate section is referenced by name from a tunnel's certificate option.

Name | Type | Required | Default | Description
crt | string | yes | (none) | RSA certificate in PEM form (Example 2 shows the PEM text with its line breaks collapsed)
key | string | no | (none) | Private key for the certificate, needed for the certificate this device presents (see 'openwrt' in Example 2). The key is stored in clear text in /etc/config/racoon, so keep that file readable by root only

Examples

Example 1, taken from the IPsec site-to-site howto: one tunnel with a pre-shared key and two sainfo sections sharing one phase 2 proposal.

config 'racoon'
  option 'foreground' '0'
  option 'zone' 'vpn'
  list   'listen' 'wan'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'my_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'sainfo' 'acme_dmz'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '66.77.88.192/26'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'

Example 2, taken from the IPsec with certificates howto: the tunnel carries no pre_shared_key and instead references the 'openwrt' certificate section, whose key and certificate are used for rsasig authentication.

config 'racoon'
  option 'foreground' '0'
  option 'debug' '0'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'exchange_mode' 'aggressive'
  option 'certificate' 'openwrt'
  list   'p1_proposal' 'rsa_g2_aes_sha1'
  list   'sainfo' 'acme_lan'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.213.64/26'
  option 'remote_subnet' '192.168.10.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p1_proposal' 'rsa_g2_aes_sha1'
  option 'lifetime' '28800'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'rsasig'
  option 'dh_group' '2'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'lifetime' '3600'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'

config 'certificate' 'acme_root'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIGADCCA+igAwIBAgIJAI6xsXSYVD9NMA0GCSqGSI...'

config 'certificate' 'openwrt'
  option 'key' '-----BEGIN RSA PRIVATE KEY-----MIIJKAIBAAKCAgEAqMFzhBNsUyOGYmXGoHSq...'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIE7DCCAtQCAQEwDQYJKoZIhvcNAQEFBQAwasff...'
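As an added example (not part of the OpenWrt racoon package or of racoon itself), a small Python linter that parses a UCI racoon file with the section schema from the tables above, checks required options and the cross-references between tunnel, p1_proposal, sainfo and p2_proposal, and flags the weak choices discussed above: 3des, md5, MODP groups of 1536 bits or less, and aggressive mode combined with a pre-shared key. The embedded config is constructed for the example (it mirrors the shape of Example 1 with deliberately poor settings), and the 20-character minimum PSK length is a threshold chosen here, not a racoon rule.

```python
# Added example, not OpenWrt's or racoon's own code: lint a UCI racoon config for schema and weak IKEv1 choices.
import shlex

# Options each section type must carry, taken from the tables above.
REQUIRED = {
    "tunnel": ("enabled", "remote", "exchange_mode", "p1_proposal", "sainfo"),
    "p1_proposal": ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group"),
    "sainfo": ("local_subnet", "remote_subnet", "p2_proposal"),
    "p2_proposal": ("pfs_group", "encryption_algorithm", "authentication_algorithm"),
    "certificate": ("crt",),
}
PSK_AUTH = {"pre_shared_key", "xauth_psk_server"}  # methods that need a pre_shared_key on the tunnel
WEAK_DH = {"1", "2", "5", "modp768", "modp1024", "modp1536"}  # MODP groups of 1536 bits or less
WEAK = {  # deprecated values per option; p2_proposal options may be comma-separated lists
    "encryption_algorithm": {"des", "3des"}, "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"}, "dh_group": WEAK_DH, "pfs_group": WEAK_DH,
}
MIN_PSK_LEN = 20  # threshold chosen for this example, not a racoon rule

def parse_uci(text):
    """Parse UCI syntax into [{'type', 'name', 'options'}]; 'list' values become Python lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # shlex understands UCI's single-quoted tokens
        if tok[0] == "config" and len(tok) in (2, 3):
            cur = {"type": tok[1], "name": tok[2] if len(tok) == 3 else None, "options": {}}
            sections.append(cur)
        elif tok[0] == "option" and cur is not None and len(tok) == 3:
            cur["options"][tok[1]] = tok[2]
        elif tok[0] == "list" and cur is not None and len(tok) == 3:
            cur["options"].setdefault(tok[1], []).append(tok[2])
        else:
            raise ValueError(f"unrecognised UCI line: {raw!r}")
    return sections

def as_list(value):  # UCI accepts 'option' or 'list' for multi-valued keys
    return value if isinstance(value, list) else [value]

def weak_algorithms(label, opts):
    """Flag deprecated values; 'aes 128' is keyed on 'aes', '3des' on '3des'."""
    return [f"{label}: weak {key} '{item.strip()}'"
            for key, bad in WEAK.items()
            for item in opts.get(key, "").split(",")
            if item.strip().split(" ")[0] in bad]

def lint(text):
    """Return findings: missing options, dangling references, PSK/exchange-mode problems, weak algorithms."""
    by_type, out = {}, []
    for s in parse_uci(text):
        by_type.setdefault(s["type"], {})[s["name"]] = s
        label = f"{s['type']} '{s['name']}'" if s["name"] else s["type"]
        out += [f"{label}: missing required option '{k}'"
                for k in REQUIRED.get(s["type"], ()) if k not in s["options"]]
    for t in by_type.get("tunnel", {}).values():
        o, label = t["options"], f"tunnel '{t['name']}'"
        for p1name in as_list(o.get("p1_proposal", [])):
            p1 = by_type.get("p1_proposal", {}).get(p1name)
            if p1 is None:
                out.append(f"{label}: p1_proposal '{p1name}' is not defined")
                continue
            if p1["options"].get("authentication_method") in PSK_AUTH:
                if len(o.get("pre_shared_key", "")) < MIN_PSK_LEN:
                    out.append(f"{label}: pre_shared_key missing or shorter than {MIN_PSK_LEN} characters")
                if o.get("exchange_mode") == "aggressive":  # identity sent in clear, PSK hash observable
                    out.append(f"{label}: aggressive mode with a PSK exposes the identity and PSK hash")
            out += weak_algorithms(f"p1_proposal '{p1name}'", p1["options"])
        for sname in as_list(o.get("sainfo", [])):
            sa = by_type.get("sainfo", {}).get(sname)
            if sa is None:
                out.append(f"{label}: sainfo '{sname}' is not defined")
                continue
            p2name = sa["options"].get("p2_proposal")
            p2 = by_type.get("p2_proposal", {}).get(p2name)
            if p2 is None:
                out.append(f"sainfo '{sname}': p2_proposal '{p2name}' is not defined")
            else:
                out += weak_algorithms(f"p2_proposal '{p2name}'", p2["options"])
    return out

# Constructed input: a deliberately weak tunnel, missing 'enabled', with a dangling sainfo reference.
SAMPLE = """config 'tunnel' 'legacy'
  option 'remote' '7.7.7.7'
  option 'exchange_mode' 'aggressive'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_3des_md5'
  list   'sainfo' 'legacy_lan'

config 'p1_proposal' 'pre_g2_3des_md5'
  option 'encryption_algorithm' '3des'
  option 'hash_algorithm' 'md5'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run as a script it prints seven findings for the constructed config (the missing enabled option, the short PSK, aggressive mode with a PSK, the three weak phase 1 algorithms, and the undefined sainfo). To check a real device, call lint() on the contents of /etc/config/racoon; an empty list means the file satisfies the schema and avoids the legacy choices, not that the peer will accept the proposal.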

Windows Native VPN Client Proposals

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7), in the order the client sends them.

Proposal | Encryption | Hash | DH group
#1 | aes 256 | sha1 | 20 (384-bit ECP)
#2 | aes 128 | sha1 | 19 (256-bit ECP)
#3 | aes 256 | sha1 | modp2048 (group 14)
#4 | 3des | sha1 | modp2048 (group 14)
#5 | 3des | sha1 | modp1024 (group 2)

To interoperate, define a p1_proposal whose encryption_algorithm, hash_algorithm and dh_group match one of these rows exactly; a proposal with 'aes 256', 'sha1' and dh_group '14' matches #3. Avoid #5, which combines 3des with a 1024-bit group, the weakest choices on offer.
doc/uci/racoon.txt · Last modified: 2014/12/13 13:08 by rpjday