Simple Configuration Sample of IPsec/Racoon

Shoichi Sakane, KAME Project
$Id: index.html,v 1.2 2001/09/12 13:39:15 sakane Exp $

Abstract

This document describes how to configure to establish IPsec-SA automatically on KAME stack.
To understand configuration for several environment requires the reader to be familiar with IPsec architecture. Because many items must be specified in order to establish IPsec-SA automatically. This document gives priority to run racoon, by giving simple example of the environment, and by putting configuration items to a minimum.
The reader may required to know about IPsec architecture, but may not familiar with it.

Note that this document refers to racoon included in kame-20001113-*-snap or later. The kits before 20001113 are not suitable to them.

Introduction

If you want IPsec to communicate with somebody, It is required to establish the Security Association(IPsec-SA) between you and the peer before that. There are two way to establish it. One is by using manual configuration. Another way is automated configuration. In our implementation, we have a daemon named "racoon" for latter case.

Several parameters(Key) must be exchanged between you and peer in order to establish the IPsec-SA. Racoon exchange them by using IKE. IKE establish own SA by myself while exchanging Key, don't use IPsec-SA. There are two phase in IKE. One is the phase to establish SA for own communication (IKE-SA). Another is the phase to establish IPsec-SA. I say Phase 1 and Phase 2 respectively. The initiator to begin IKE proposes multiple parameters to the responder, and the responder choices one of them or rejects them in each phases. Also racoon has some parameter for the management of exchanging. So that there are many items to configure racoon.
It is not easy for public users to understand all of them. This document explains how to configure racoon briefly. The complex configuration is not described. Also to use certificate is out of scope in this document.


Basic mechanism

Kernel maintains two database to use IPsec. One is the Security Policy Database(SPD). Kernel refers to SPD in order to decide whether to apply IPsec to a packet or not. Also SPD entries specify which/how IPsec-SA is applied. Another one is the Security Association Database(SAD). SAD entries contain Key of each IPsec-SA.

The following figure specifies a flow until kernel applies IPsec-SA to a packet.

	 setkey                racoon  <-------(IKE)-------> somebody
	   |                    ^  |      (5)
	   |                    |  |(6)
	   |(1)           +-----+  +---+
	   |           (4)|            |
	   v              |            v
	+-----+  (2)      |    (3)  +-----+
	| SPD |<----- kernel ------>| SAD |
	+-----+         |           +-----+
                        |(7)
                        v

(1)The administrator sets a policy to SPD by using setkey.
(2)Kernel refers to SPD in order to make a decision of applying IPsec to a packet.
(3)If IPsec is required, then kernel get the Key for IPsec-SA from SAD.
(4)If it is failed, then kernel send a request to get the Key to racoon.
(5)racoon exchange the Key by using IKE with the other to be established IPsec-SA.
(6)racoon put the Key into SAD.
(7)Kernel can send a packet applied IPsec.

So that the administrator must configure SPD entries by using setkey command, and must configure racoon. Also it must be required to run racoon or else on the other side.


Starting racoon

It is required root privilege to start racoon. Because racoon use a port 500 of UDP, also open /var/log/racoon.log as log file.
Racoon has a few options. This section explains only typical options.
-f configfile
Specify alternate configuration file.
/usr/local/v6/etc/racoon.conf as default.
-l logfile
Specify alternate log file.
/var/log/racoon.log as default.
-d dlevel
Set debugging level of hexadecimal.
As below, racoon outputs many information onto standard output and log file.
	# racoon -d 0xffffffff

Simple Configuration Sample of Racoon

The following description is the one of most simple configuration. This section explains this sample step by step.
	# cat case1.conf
	path pre_shared_key "/usr/local/v6/etc/psk.txt" ;

	remote anonymous
	{
		exchange_mode aggressive ;
		my_identifier user_fqdn "sakane@kame.net" ;
		lifetime time 24 hour ;
		proposal {
			encryption_algorithm 3des;
			hash_algorithm sha1;
			authentication_method pre_shared_key ;
			dh_group 2 ;
		}
	}

	sainfo anonymous
	{
		pfs_group 2;
		lifetime time 12 hour ;
		lifetime byte 50 MB ;
		encryption_algorithm 3des, blowfish, des, rijndael ;
		authentication_algorithm hmac_sha1, hmac_md5 ;
		compression_algorithm deflate ;
	}

remote directive

sainfo directive

NOTE: Racoon does not have the list of security protocols to be negotiated. The list of security protocols are passed by the kernel. Beforehand you have to define all of the potential algorithms into the sainfo even if you do not need any compression algorithms.

The above sample can accept to exchange both Phase 1 and Phase 2, only if you specify appropriate Pre-shared Key before exchange. Racoon can restrict to exchange with the peer each phases. But this document does not describe the way.


Sample Configuration of SPD

Case 1

Security protocol is ESP. Encapsulation mode is Transport.
	   Host-A                        Host-B
	  fec0::1 ---------------------- fec0::2

Configuration at Host-A:
	# setkey -c <<EOF
	spdadd fec0::1 fec0::2 any -P out ipsec
		esp/transport//require ;
	spdadd fec0::2 fec0::1 any -P in ipsec
		esp/transport//require ;
	EOF
Note that IP address and direction. First IP address means source of IP header. Next IP address means destination of IP header. out means a packet goes out. in means a packet comes in.

At Host-B:

	# setkey -c <<EOF
	spdadd fec0::2 fec0::1 any -P out ipsec
		esp/transport//require ;
	spdadd fec0::1 fec0::2 any -P in ipsec
		esp/transport//require ;
	EOF

Case 2

ESP Transport mode applied first and AH Transport mode next.
It means that kernel makes a packet to be [IP|AH|ESP|ULP].
	   Host-A                        Host-B
	  fec0::1 ---------------------- fec0::2
Configuration at Host-A:
	# setkey -c <<EOF
	spdadd fec0::1 fec0::2 any -P out ipsec
		esp/transport//require
		ah/transport//require ;
	spdadd fec0::2 fec0::1 any -P in ipsec
		esp/transport//require
		ah/transport//require ;
	EOF
Note that the ordering of security protocol. In outgoing case defined out, it specifies the sequence of security protocol which kernel apply to the packet. In incoming case defined in, it specifies the sequence of security protocol to be applied to the packet. The above case means that ESP transport mode is first, and the next is AH transport mode.

At Host-B:

	# setkey -c <<EOF
	spdadd fec0::2 fec0::1 any -P out ipsec
		esp/transport//require
		ah/transport//require ;
	spdadd fec0::1 fec0::2 any -P in ipsec
		esp/transport//require
		ah/transport//require ;
	EOF
Note IP addresses as case 1.

Case 3

ESP Tunnel for VPN.
			       ======= ESP =======
			       |                 |
	   Network-A       Gateway-A         Gateway-B        Network-B
	  10.0.1.0/24 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24

Configuration at Gateway-A:
	# setkey -c <<EOF
	spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
		esp/tunnel/172.16.0.1-172.16.0.2/require ;
	spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
		esp/tunnel/172.16.0.2-172.16.0.1/require ;
Tunnel end points must be defined.

and at Gateway-B:

	# setkey -c <<EOF
	spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
		esp/tunnel/172.16.0.2-172.16.0.1/require ;
	spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
		esp/tunnel/172.16.0.1-172.16.0.2/require ;

Conclusion

This document explains basic mechanism to establish IPsec-SA automatically, and describes how to configure to establish IPsec-SA automatically in each typical IPsec environment with simple configuration sample of racoon. It is necessary to know many parameters if you want complex configuration of racoon. You may refer racoon.conf(5) for that reason, and the other document will explain about detail configuration.
KAME top page
Copyright (c) 1998, 1999, 2000, 2001, 2002, and 2003 by the author (indicated separately). All rights reserved. Freely redistributable. Absolutely no warranty.