racoon

Racoon is the userspace daemon for IPsec key exchange: it speaks ISAKMP and talks to the kernel from userland to configure some IPsec parameters. Racoon has to run as a daemon to handle the key exchange correctly. It logs to syslog for debugging and is controlled by a few config files. Racoon listens on UDP port 500, so the firewall in front of the VPN box needs to allow traffic to that port.

The reason a userspace daemon is needed is simple: racoon locates the certificates named in its config file, defines and restricts the key exchange modes between IPsec hosts, and sets key policies. Racoon is controlled through a config file. My sample config file follows:

log debug;

path certificate "/etc/racoon/certs/";

listen {
        isakmp 192.168.0.1 [500];
}

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "vpnbox.certificate.pem"  "decrypted.rsa.key";
        verify_cert off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        lifetime time 28800 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

Every detail of this configuration can be found in the racoon man page; still, here are some important hints:
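The settings in this config that deserve a second look (certificate verification switched off, the anonymous remote section, the exchange modes offered, and the cipher and hash choices) are easy to miss in a hand-edited racoon.conf. The following is an added example, not part of racoon or of the original page: a small parser for the racoon.conf block syntax (statements end in `;`, blocks nest in `{ }`, comments run from `#` to end of line) and an audit pass that reports those settings. The sample fragment embedded in it is constructed to carry the same values as the config above; the finding texts and the "legacy" algorithm sets are this example's own wording, not racoon's.

```python
"""Parse racoon.conf syntax and report settings worth a reviewer's attention.
Added example; not code from racoon or from the original page."""
import re

# Constructed sample: the same settings as the config shown on this page.
SAMPLE_CONF = """
log debug;
path certificate "/etc/racoon/certs/";
listen {
        isakmp 192.168.0.1 [500];
}
remote anonymous {
        exchange_mode main,aggressive;   # modes offered to any peer
        generate_policy on;
        verify_cert off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}
sainfo anonymous {
        lifetime time 28800 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
}
"""


def strip_comments(text):
    """Drop '#' comments; in racoon.conf they run to end of line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def tokenize(text):
    """Split into braces, semicolons, quoted strings and bare words."""
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', strip_comments(text))


def parse_block(tokens, i=0):
    """Parse tokens[i:] into (keyword, args, children) entries until the
    matching '}' or end of input. Returns (entries, next_index)."""
    entries = []
    while i < len(tokens):
        if tokens[i] == "}":
            return entries, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in (";", "{", "}"):
            words.append(tokens[i].strip('"'))
            i += 1
        if i >= len(tokens) or not words or tokens[i] == "}":
            raise ValueError("unterminated statement near token %d" % i)
        if tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
        else:  # ';' ends a simple statement
            children, i = [], i + 1
        entries.append((words[0], words[1:], children))
    return entries, i


def parse(text):
    return parse_block(tokenize(text))[0]


def find(entries, keyword):
    """Yield the argument list of every statement named keyword, at any depth."""
    for kw, args, children in entries:
        if kw == keyword:
            yield args
        yield from find(children, keyword)


# Assumption of this example: which algorithms to report as legacy.
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5", "hmac_md5"}


def audit(text):
    """Return a list of human-readable findings for a racoon.conf fragment."""
    entries = parse(text)
    findings = []
    for args in find(entries, "verify_cert"):
        if args[:1] == ["off"]:
            findings.append("verify_cert off: peer certificates are accepted without validation")
    for args in find(entries, "remote"):
        if args[:1] == ["anonymous"]:
            findings.append("remote anonymous: this section applies to any peer address")
    for args in find(entries, "exchange_mode"):
        modes = {m for a in args for m in a.split(",")}
        if "aggressive" in modes:
            findings.append("exchange_mode aggressive: phase 1 identities are sent unencrypted")
    for args in find(entries, "encryption_algorithm"):
        if args[:1] and args[0] in LEGACY_CIPHERS:
            findings.append("encryption_algorithm %s: legacy cipher" % args[0])
    for args in find(entries, "authentication_algorithm"):
        if args[:1] and args[0] in LEGACY_HASHES:
            findings.append("authentication_algorithm %s: legacy hash" % args[0])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against a real /etc/racoon/conf by reading the file into `audit()`; `find()` walks nested blocks, so a setting is reported whether it sits in `remote`, in its inner `proposal`, or in `sainfo`, which is why the sample yields two `3des` findings.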

A script that sets the IPsec policy encrypting outgoing packets (for l2tpd) looks like this (I called it /etc/racoon/setup.sh):

#!/bin/bash
# flush the security policy database (SPD) and the SA database (SAD)
/sbin/setkey -FP
/sbin/setkey -F
# require ESP in transport mode for everything leaving the L2TP port
/sbin/setkey -c << EOF
spdadd 192.168.0.1[1701] 0.0.0.0/0[0] any
   -P out ipsec esp/transport//require;
EOF

Hint: man setkey documents all possible configuration directives.

Run this script at boot time to set the IPsec policy that encrypts all outgoing data from l2tpd. It is also called when pppd hangs up, to reset (flush) the policy database.

Wolfgang Hennerbichler 2004-12-21