Please consult the racoon.conf(5) man-page first to better understand what is written about here.
Comments are delimited on the left by ‘#’, and can be on a line by themselves, or at the end of a line.
The possible sections are global, connection, and peer. The possible templates are spdadd, spdinit, sadinit, sadadd, remote, sainfo, and racooninit.
Sections start with the section type followed by ‘:’ and then continue with their properties (a name terminated by ‘:’, then the value). Templates ALWAYS have every line started with ‘template:’. Sections and templates can be named, with the name given in parentheses between the last character of their type and the final colon.
Apart from racoon-command and racoon_pid_file, the settings map across to the similarly named directives in racoon.conf(5).
The listen directive is a bit different from the man-page: it takes multiple {ip-address} [[port]] statements, each distinguished by attaching an index ‘0-9’ or ‘a-z’ in square brackets immediately before the colon.
Directives and values are basically one for one with the relevant entries in racoon.conf(5).
The ‘%default’ VPN connection fills in entries in other specified connections, unless they are otherwise defined within the specific connection. The ‘%anonymous’ connection is there for a passive VPN server.
Directives and values are basically one for one with the relevant entries in racoon.conf(5). Different proposals are signified by adding an index ‘0-9’ or ‘a-z’ to the encryption_algorithm, hash_algorithm, dh_group, and authentication_method entries, within square brackets immediately before the colon.
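The layout described above (section headers, ‘key[index]: value’ properties, ‘#’ comments, per-line ‘template(name):’ prefixes, and ‘%default’ filling in missing entries) is concrete enough to parse. The following Python is an added example written for this page, not code from racoon-tool itself. It assumes two things the text does not spell out: that ‘%default’ fills in at the granularity of a single entry (one key plus its index, so a connection or peer can override encryption_algorithm[0] alone), and that the text after a template line's ‘template(name):’ prefix is kept as the template body. The sample configuration inside the block is constructed for the example, and the template body is made-up filler.

```python
"""Parser for the racoon-tool.conf layout: 'type(name):' section headers,
'key[index]: value' properties, '#' comments, and template lines that each
start with 'template(name):'.  Added example, not racoon-tool's own code."""
import re

# Section header: type, optional (name), terminating colon.
HEADER_RE = re.compile(r"^(global|connection|peer)(?:\(([^)]*)\))?:$")
# Template line: every line carries its own 'template(name):' prefix.
TEMPLATE_RE = re.compile(r"^template(?:\(([^)]*)\))?:\s*(.*)$")
# Property: name, optional single-character index in [], colon, value.
PROP_RE = re.compile(r"^([A-Za-z_]+)(?:\[([0-9a-z])\])?:\s*(.*)$")

# Constructed sample configuration (not one of the page's examples).
SAMPLE = """\
# constructed sample for the parser below
global:
    log: notify
    listen[0]: 172.31.1.1 500
    listen[1]: 172.31.1.1 4500
peer(%default):
    lifetime: time 60 min
    verify_cert: on
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: 3des
    authentication_method[0]: rsasig
connection(%default):
    src_ip: 172.31.1.1
    lifetime: time 20 min
    encryption_algorithm: 3des
peer(10.0.0.1):
    peers_identifier: fqdn blue.sky.com
    hash_algorithm[1]: sha1   # second proposal, added beside the default one
    encryption_algorithm[1]: aes
    authentication_method[1]: rsasig
connection(work):
    src_range: 192.168.203.1/32
    dst_range: 172.16.0.0/24
    dst_ip: 10.0.0.1
    encryption_algorithm: aes
    admin_status: enabled
template(remote): remote anonymous {
template(remote): exchange_mode main;
template(remote): }
"""


def strip_comment(line):
    """Drop a '#' comment, whether it is the whole line or a trailing part."""
    return line.split("#", 1)[0].strip()


def parse(text):
    """Return (sections, templates).

    sections maps (type, name) -> {(key, index): value}; an unindexed key has
    index None.  templates maps template name -> list of body lines."""
    sections, templates, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if m := TEMPLATE_RE.match(line):
            templates.setdefault(m.group(1) or "", []).append(m.group(2))
        elif m := HEADER_RE.match(line):
            current = (m.group(1), m.group(2) or "")
            sections.setdefault(current, {})
        elif (m := PROP_RE.match(line)) and current is not None:
            key, idx, value = m.groups()
            sections[current][(key, idx)] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections, templates


def resolve(sections, kind, name):
    """Fill the named section from '%default' of the same kind: each (key,
    index) entry the section does not set itself comes from the default.
    Assumption: '%default' applies per entry, not per whole proposal."""
    merged = dict(sections.get((kind, "%default"), {}))
    merged.update(sections[(kind, name)])
    return merged


def indexed(section, key):
    """Values of an indexed entry (listen[0], encryption_algorithm[1], ...)
    in index order, '0'-'9' before 'a'-'z'."""
    hits = [(i, v) for (k, i), v in section.items() if k == key and i is not None]
    return [v for _, v in sorted(hits)]


def connections(sections):
    """Every real connection, resolved against connection(%default)."""
    return {name: resolve(sections, "connection", name)
            for kind, name in sections
            if kind == "connection" and name not in ("%default", "%anonymous")}


if __name__ == "__main__":
    secs, tmpls = parse(SAMPLE)
    for name, conn in connections(secs).items():
        print(name, conn[("src_ip", None)], "->", conn[("dst_ip", None)])
    print("listen:", indexed(secs[("global", "")], "listen"))
    print("peer 10.0.0.1 proposals:",
          indexed(resolve(secs, "peer", "10.0.0.1"), "encryption_algorithm"))
```

Running the block prints the resolved ‘work’ connection (src_ip inherited from connection(%default)), the two indexed listen statements in order, and the peer's proposal list, which ends up as 3des from the default followed by the peer's own aes. A line that is neither a header, a template line, nor a ‘key: value’ property is rejected rather than silently skipped, which is the behaviour you want from a tool that ends up writing racoon's actual configuration.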
#
# Configuration file for racoon-tool
#
# See racoon-tool.conf(5) for details
#

#
# Simple PSK - authentication defaults to pre_shared_key
#
connection(backdoor-doormat):
        src_range: 192.168.223.1/32
        dst_range: 192.168.200.0/24
        src_ip: 172.31.1.1
        dst_ip: 10.0.0.1
        admin_status: enabled
        compression: no
        lifetime: time 20 min
        authentication_algorithm: hmac_sha1
        encryption_algorithm: 3des

peer(10.0.0.1):
        verify_cert: on
        passive: off
        verify_identifier: off
        lifetime: time 60 min
        hash_algorithm[0]: sha1
        encryption_algorithm[0]: 3des
Example of a complex configuration with multiple networks between the same endpoints, as well as use of ‘%default’ for common settings.
#
# Configuration file for racoon-tool
#
global:
        log: notify

# default settings to save typing
peer(%default):
        certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
        my_identifier: fqdn blurke.bar.com
        lifetime: time 60 min
        verify_identifier: on
        verify_cert: on
        hash_algorithm[0]: sha1
        encryption_algorithm[0]: 3des
        authentication_method[0]: rsasig

connection(%default):
        authentication_algorithm: hmac_sha1
        encryption_algorithm: 3des
        src_ip: 172.31.1.1
        lifetime: time 20 min

# Connection to work
peer(10.0.0.1):
        peers_identifier: fqdn blue.sky.com

connection(blurke-blue-sky-work):
        src_range: 192.168.203.1/32
        dst_range: 172.16.0.0/24
        dst_ip: 10.0.0.1
        admin_status: enabled

# Connection to telehoused servers
connection(blurke-mail):
        src_range: 192.168.203.0/24
        dst_range: 172.20.1.1
        dst_ip: 10.100.0.1
        encryption_algorithm: blowfish
        compression: on
        admin_status: yes

peer(10.100.0.1):
        peers_identifier: fqdn mail.bar.com

connection(blurke-web1):
        src_range: 192.168.203.0/24
        dst_range: 172.20.1.23
        dst_ip: 10.100.0.1
        encryption_algorithm: blowfish
        admin_status: yes

connection(blurke-web2):
        src_range: 192.168.203.0/24
        dst_range: 172.20.1.24
        dst_ip: 10.100.0.1
        encryption_algorithm: blowfish
        admin_status: yes

# Test connection to Free S/WAN
connection(blurke-freeswan):
        src_range: 192.168.203.0/24
        dst_range: 172.17.100.0/24
        dst_ip: 172.30.1.1
        admin_status: yes

peer(172.30.1.1):
        peers_identifier: fqdn banshee