doc:uci:racoon [2012/12/21 16:12] miceliux
doc:uci:racoon [2014/12/13 13:08] (current) rpjday: Fix typo.

====== Racoon IPsec Configuration ======

The racoon IPsec daemon can be configured through /etc/config/racoon. This document is in an advanced beta state.

===== Sections =====

==== racoon ====

^Name^Type^Required^Default^Description^
|foreground|boolean|no|0|Start racoon in the foreground if set to 1|
|debug|boolean|no|0|Enable racoon debug output if set to 1|
|listen|list|no|(not set)|Interfaces racoon should listen on. All interfaces are used if not set.|
|zone|string|no|vpn|Firewall zone. Has to match the defined [[doc:howto:vpn.ipsec.firewall.racoon#zones|firewall zone]]|
|dns|string|no|(none)|IP address of the DNS server published to [[doc:howto:vpn.ipsec.roadwarrior.racoon#naming.services|road warrior]] clients|
|domain|string|no|(none)|Domain name assigned to the virtual network interface of [[doc:howto:vpn.ipsec.roadwarrior.racoon#naming.services|road warrior]] clients|

==== tunnel ====

Contains the tunnel definition.

^Name^Type^Required^Default^Description^
|enabled|boolean|yes|(none)|Whether this tunnel configuration is enabled|
|remote|ipaddr|yes|(none)|IP address or FQDN of the remote tunnel endpoint. Use **anonymous** for a [[doc:howto:vpn.ipsec.roadwarrior.racoon|road warrior]] setup|
|remote_device|string|no|(none)|Set this when the remote peer is a Cisco ASA so that the generated racoon.conf is optimised for it|
|exchange_mode|string|yes|(none)|Phase 1 negotiation mode (main, aggressive)|
|pre_shared_key|string|yes|(none)|The pre-shared key for the tunnel|
|my_identifier_type|string|no|fqdn|Identifier type for phase 1 (fqdn, user_fqdn)|
|my_identifier|string|no|(none)|Identifier for phase 1|
|certificate|string|no|(none)|Certificate name for phase 1 when using certificate authentication|
|p1_proposal|list|yes|(none)|Name of the phase 1 proposal (see below)|
|sainfo|list|yes|(none)|Name of the phase 2 section (see below)|
|dpd_delay|integer|no|(none)|Activates DPD (dead peer detection) and sets the time in seconds allowed between two liveness proofs|

==== p1_proposal ====

Definition of phase 1 proposals.

^Name^Type^Required^Default^Description^
|lifetime|integer|no|28800|Lifetime of phase 1 in seconds|
|encryption_algorithm|string|yes|(none)|Phase 1 encryption algorithm (aes 128, aes 192, aes 256, 3des)|
|hash_algorithm|string|yes|(none)|Phase 1 hash algorithm (md5, sha1)|
|authentication_method|string|yes|(none)|Allowed values: [[doc:howto:vpn.ipsec.site2site.racoon|pre_shared_key]], [[doc:howto:vpn.ipsec.certificates.racoon|rsasig]], [[doc:howto:vpn.ipsec.roadwarrior.racoon|xauth_psk_server]] or [[doc:howto:vpn.ipsec.roadwarriorcertificates.racoon|xauth_rsa_server]]|
|dh_group|string|yes|(none)|Diffie-Hellman exponentiation group, given either as a number (2, 5, ...) or as a name (modp768, ...)|

==== sainfo ====

Contains the network definition per tunnel.

^Name^Type^Required^Default^Description^
|local_subnet|subnet|yes|(none)|Local network|
|remote_subnet|subnet|yes|(none)|Remote network|
|local_nat|subnet|no|(none)|NAT range for tunnels with [[doc:howto:vpn.ipsec.overlappingsubnets.racoon|overlapping IP addresses]]|
|p2_proposal|string|yes|(none)|Link to the phase 2 proposal|

==== p2_proposal ====

Definition of phase 2 proposals.

^Name^Type^Required^Default^Description^
|pfs_group|string|yes|(none)|Comma-separated list of Diffie-Hellman exponentiation groups (can be omitted when the peer is a Cisco ASA)|
|lifetime|integer|no|3600|Lifetime of phase 2 in seconds|
|encryption_algorithm|string|yes|(none)|Comma-separated list of encryption algorithms (aes 128, aes 192, aes 256, 3des)|
|authentication_algorithm|string|yes|(none)|Comma-separated list of authentication algorithms (hmac_md5, hmac_sha1)|

==== certificate ====

Stores a certificate.

^Name^Type^Required^Default^Description^
|crt|string|yes|(none)|RSA certificate|
|key|string|no|(none)|Private key for the RSA certificate|

===== Examples =====

Example 1 is taken from the [[doc:howto:vpn.ipsec.site2site.racoon|IPsec site-to-site howto]].

<code>
config 'racoon'
  option 'foreground' '0'
  option 'zone' 'vpn'
  list   'listen' 'wan'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'my_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'sainfo' 'acme_dmz'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '66.77.88.192/26'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'
</code>

Example 2 is taken from the [[doc:howto:vpn.ipsec.certificates.racoon|IPsec with certificates howto]].

<code>
config 'racoon'
  option 'foreground' '0'
  option 'debug' '0'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'exchange_mode' 'aggressive'
  option 'certificate' 'openwrt'
  list   'p1_proposal' 'rsa_g2_aes_sha1'
  list   'sainfo' 'acme_lan'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.213.64/26'
  option 'remote_subnet' '192.168.10.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p1_proposal' 'rsa_g2_aes_sha1'
  option 'lifetime' '28800'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'rsasig'
  option 'dh_group' '2'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'lifetime' '3600'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'

config 'certificate' 'acme_root'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIGADCCA+igAwIBAgIJAI6xsXSYVD9NMA0GCSqGSI...'

config 'certificate' 'openwrt'
  option 'key' '-----BEGIN RSA PRIVATE KEY-----MIIJKAIBAAKCAgEAqMFzhBNsUyOGYmXGoHSq...'
  option 'crt' '-----BEGIN CERTIFICATE-----MIIE7DCCAtQCAQEwDQYJKoZIhvcNAQEFBQAwasff...'
</code>
 +
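The following Python script is an added example, not code from the wiki page or from OpenWrt: it parses a config file written in the quoted UCI style of Examples 1 and 2, reports options the tables above mark as required but that are missing, and flags the legacy algorithm values (md5, hmac_md5, 3des, modp768 and DH group 1) that the tables still accept. The SAMPLE text is constructed from Example 1 with deliberately weakened settings.

```python
# Added example (not OpenWrt code): audit a UCI racoon config for missing required options and weak algorithms.
import re

REQUIRED = {  # required options per section type, from the tables above
    "tunnel": {"enabled", "remote", "exchange_mode", "p1_proposal", "sainfo"},
    "p1_proposal": {"encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group"},
    "sainfo": {"local_subnet", "remote_subnet", "p2_proposal"},
    "p2_proposal": {"pfs_group", "encryption_algorithm", "authentication_algorithm"},
}
ALG_KEYS = {"encryption_algorithm", "hash_algorithm", "authentication_algorithm", "dh_group", "pfs_group"}
WEAK = {"md5", "hmac_md5", "3des", "modp768", "1"}  # still accepted; "1" is DH group 1 (modp768)
LINE = re.compile(r"^\s*(config|option|list)\s+'([^']*)'(?:\s+'([^']*)')?", re.M)

def parse_uci(text):
    """Return {(section_type, name): {key: value or [values]}}."""
    sections, cur = {}, None
    for kind, key, val in LINE.findall(text):
        if kind == "config":
            cur = sections.setdefault((key, val), {})  # val is '' if unnamed
        elif kind == "option":
            cur[key] = val
        else:  # 'list' keys may repeat, so they accumulate
            cur.setdefault(key, []).append(val)
    return sections

def audit(text):
    """Return findings (empty list means the config passed)."""
    out = []
    for (stype, name), opts in parse_uci(text).items():
        for key in sorted(REQUIRED.get(stype, set()) - set(opts)):
            out.append(f"{stype} '{name}': missing required option {key}")
        for key in sorted(ALG_KEYS & set(opts)):
            vals = opts[key] if isinstance(opts[key], list) else [opts[key]]
            for tok in re.split(r"[\s,]+", " ".join(vals).lower()):
                if tok in WEAK:
                    out.append(f"{stype} '{name}': weak {key} value {tok}")
    return out

# Constructed sample: Example 1's tunnel without exchange_mode, phase 1 on md5/group 1.
SAMPLE = """config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  list   'p1_proposal' 'pre_g1_aes_md5'
  list   'sainfo' 'acme_lan'
config 'p1_proposal' 'pre_g1_aes_md5'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'md5'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '1'
"""
```

Running `audit(open("/etc/config/racoon").read())` on a router reports one line per problem; the script only understands the single-quoted option style shown on this page.
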
===== Windows Native VPN Client Proposals =====

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).

^Proposal^Encryption^Hash^DH Group^
|#1|aes 256|sha1|20|
|#2|aes 128|sha1|19|
|#3|aes 256|sha1|modp2048|
|#4|3des|sha1|modp2048|
|#5|3des|sha1|modp1024|