racoon.conf - configuration file for racoon
The PSK file, the private keys, and the hook scripts are accessed through the privileged instance of racoon(8) and do not need to be reachable in the chroot(2)ed tree.
The listen section can also be used to specify the admin socket mode and ownership, if racoon was built with support for the admin port.
Sections with inherit parent statements (where parent is either an address or the keyword anonymous) have all values predefined to those of the given parent. In these sections it is enough to redefine only the changed parameters.
The following are valid statements.
The following variables are only set if mode_cfg was enabled:
Note that because PMTU discovery is broken on many sites, you will have to use MSS clamping if you want TCP to work correctly.
Please note that NAT-T support is a compile-time option. Although it is enabled in the source distribution by default, it may not be available in your particular build. In that case you will get a warning when using any NAT-T related config options.
address address [/ prefix] [[ port ]] ul_proto
or
subnet address [/ prefix] [[ port ]] ul_proto
or
idtype string
It means exactly the content of the ID payload. This is not like a filter rule. For example, if you define 3ffe:501:4819::/48 as source_id, 3ffe:501:4819:1000:/64 will not match.
In the case of the longest prefix (selecting a single host), address instructs racoon to send an ID of type ADDRESS, while subnet instructs it to send an ID of type SUBNET. Otherwise these instructions are identical.
racoon(8) does not have a list of security protocols to be negotiated. The list of security protocols is passed by the SPD in the kernel. Therefore you have to define all of the potential algorithms in the phase 2 proposals, even if there are algorithms which will not be used. These algorithms are defined by using the following three directives, with a single comma as the separator. For algorithms that can take variable-length keys, algorithm names can be followed by a key length, like ``blowfish 448''. racoon(8) will compute the actual phase 2 proposals by computing the permutation of the specified algorithms, and then combining them with the security protocol specified by the SPD. For example, if des, 3des, hmac_md5 and hmac_sha1 are specified as algorithms, we have four combinations for use with ESP, and two for AH. Then, based on the SPD settings, racoon(8) will construct the actual proposals. If the SPD entry asks for ESP only, there will be 4 proposals. If it asks for both AH and ESP, there will be 8 proposals. Note that the kernel may not support the algorithm you have specified.
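The expansion described above, as an added example that is not racoon's own code: it models how the encryption_algorithm and authentication_algorithm lists of a sainfo section are turned into phase 2 proposals for whatever protocols the SPD requests, and reproduces the 4 (ESP only) and 8 (AH and ESP) counts from the text. The function names, the "esp"/"ah" protocol labels and the optional kernel_supported filter are this example's own assumptions, not racoon configuration syntax.

```python
from itertools import product


def parse_alg_list(spec):
    """Split a comma-separated directive value such as
    "3des, blowfish 448, twofish" into (name, key_length_or_None) tuples.
    A bare number after the name is the optional key length."""
    algs = []
    for item in spec.split(","):
        parts = item.split()
        if not parts:
            continue
        name = parts[0]
        keylen = int(parts[1]) if len(parts) > 1 else None
        algs.append((name, keylen))
    return algs


def build_proposals(enc_algs, auth_algs, spd_protocols, kernel_supported=None):
    """Return the list of phase 2 proposals for the protocols the SPD asks for.

    For ESP every encryption algorithm is paired with every authentication
    algorithm; for AH only the authentication algorithms apply.  When the SPD
    asks for more than one protocol, one proposal is produced per element of
    the cross product over the per-protocol combinations, which is why
    AH+ESP yields 2 * 4 = 8 proposals for the example in the text.

    kernel_supported (example-only assumption) is an optional set of algorithm
    names; combinations using an algorithm outside it are dropped, mirroring
    the note that the kernel may not support everything you configured."""
    def ok(*names):
        return kernel_supported is None or all(n in kernel_supported for n in names)

    per_proto = []
    for proto in spd_protocols:
        if proto == "esp":
            combos = [("esp", e, a) for e, a in product(enc_algs, auth_algs)
                      if ok(e[0], a[0])]
        elif proto == "ah":
            combos = [("ah", a) for a in auth_algs if ok(a[0])]
        else:
            raise ValueError(f"unknown security protocol: {proto}")
        per_proto.append(combos)
    return [list(combo) for combo in product(*per_proto)]


if __name__ == "__main__":
    enc = parse_alg_list("des, 3des")
    auth = parse_alg_list("hmac_md5, hmac_sha1")
    for spd in (["esp"], ["ah"], ["ah", "esp"]):
        props = build_proposals(enc, auth, spd)
        print(f"SPD asks for {'+'.join(spd)}: {len(props)} proposals")
        for p in props:
            print("   ", p)
    # Sample sainfo from the page: 4 encryption x 2 authentication = 8 ESP proposals
    sample = build_proposals(parse_alg_list("3des, blowfish 448, twofish, rijndael"),
                             parse_alg_list("hmac_sha1, hmac_md5"), ["esp"])
    print(f"page sample, ESP only: {len(sample)} proposals")
```

Running it shows why long algorithm lists are not free: every extra algorithm multiplies the proposal count, and each proposal is a transform the peer has to parse and evaluate.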
The following are valid statements:
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

remote anonymous
{
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
The following is a sample for the pre-shared key file.
10.160.94.3                             mekmitasdigoat
172.16.1.133                            0x12345678
194.100.55.1                            whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
foo@kame.net                            mekmitasdigoat
foo.kame.net                            hoge
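A reader of the pre-shared key file format shown above, as an added example that is not part of racoon: each line carries an identifier (an address, an FQDN or a user@FQDN) and a key, where a key written as 0x... is binary given in hex and anything else is the literal text. The sample file content is constructed here to match the page's sample; the treatment of '#' lines as comments, the normalisation of address identifiers through the ipaddress module, and the mode_problems permission check are this example's own choices rather than documented racoon behaviour.

```python
import ipaddress
import stat

# Constructed sample in the format of the pre-shared key file on the page.
SAMPLE_PSK_FILE = """\
# identifier                            key
10.160.94.3                             mekmitasdigoat
172.16.1.133                            0x12345678
194.100.55.1                            whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
foo@kame.net                            mekmitasdigoat
foo.kame.net                            hoge
"""


def canonical_id(ident):
    """Normalise address identifiers so that textual variants of the same
    IPv6 address (e.g. with leading zeros) look up the same key; non-address
    identifiers (FQDN, user@FQDN) are kept as written.  Example-only choice."""
    try:
        return str(ipaddress.ip_address(ident))
    except ValueError:
        return ident


def parse_psk_text(text):
    """Return {identifier: key_bytes} from the file content.
    Keys written as 0x<hex> become the decoded bytes; other keys are taken
    literally (as the characters typed, encoded as bytes)."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <key>'")
        ident, key = parts[0], parts[1].strip()
        if key.startswith("0x"):
            keys[canonical_id(ident)] = bytes.fromhex(key[2:])   # raises on bad hex
        else:
            keys[canonical_id(ident)] = key.encode()
    return keys


def lookup_psk(keys, peer_ident):
    """Key for the peer's identifier, or None when no line matches."""
    return keys.get(canonical_id(peer_ident))


def mode_problems(st_mode):
    """Practice check (not racoon's own logic): list the permission bits that
    let anyone other than the owner read or change the key file.  Feed it
    os.stat(path).st_mode; file-type bits are ignored."""
    problems = []
    for bit, label in ((stat.S_IRGRP, "group-readable"),
                       (stat.S_IWGRP, "group-writable"),
                       (stat.S_IROTH, "world-readable"),
                       (stat.S_IWOTH, "world-writable")):
        if st_mode & bit:
            problems.append(label)
    return problems


if __name__ == "__main__":
    keys = parse_psk_text(SAMPLE_PSK_FILE)
    for peer in ("172.16.1.133", "3ffe:501:410:ffff:0200:86ff:fe05:80fa",
                 "foo@kame.net", "nobody@example.invalid"):
        print(f"{peer:40} -> {lookup_psk(keys, peer)!r}")
    print("mode 0644 problems:", mode_problems(0o644))
```

The hex branch matters operationally: "0x12345678" is a four-byte key, whereas the same characters without the prefix would be a ten-byte key made of the ASCII digits, so a peer configured the other way will fail phase 1 authentication even though both sides "have the same line".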
Diffie-Hellman computation can take a very long time, and may cause unwanted timeouts, specifically when a large D-H group is used.