Configuring IPsec with racoon: IKE

IPsec keys can be implemented as manual keys, as shared keys, or with certificates. Manual keys are explicitly exchanged and are prone to security problems. Both shared keys and certificates are managed using the IPsec Key Exchange protocol, which will automatically exchange keys, changing them randomly to avoid detection.

One of the advantages of using IKE is that it will automatically generate any needed security associations if none are provided. This means that to configure secure connections with IKE, you would need to specify only a security policy, not the security associations.

The racoon tool is the key exchange daemon for the IPsec IKE protocol. In the case of shared keys, hosts are authenticated dynamically by racoon using preshared secret keys. With the certificate method, hosts are authenticated using certificate files. The racoon configuration file is located at /etc/racoon/racoon.conf. Here you can set general parameters. You can use the default racoon.conf file for most connections.

The racoon configuration consists of stanzas containing parameters for possible connections. A very simple configuration is shown in the following example, which uses a simple shared secret key. The location is specified by the path pre_shared_key option, in this case /etc/racoon/psk.txt. Certificate keys, a more secure method using public and private keys, are discussed later.

path pre_shared_key "/etc/racoon/psk.txt";     remote anonymous {       exchange_mode aggressive,main;       doi ipsec_doi;       situation identity_only;           my_identifier address;           lifetime time 2 min;   # sec,min,hour       initial_contact on;       proposal_check obey; # obey, strict or claim           proposal {             encryption_algorithm 3des;             hash_algorithm sha1;             authentication_method pre_shared_key;             dh_group 2 ;       } } sainfo anonymous {       pfs_group 1;       lifetime time 2 min;       encryption_algorithm 3des, blowfish, des, cast128, rijndael ;       authentication_algorithm hmac_sha1, hmac_md5;             compression_algorithm deflate ; }

This configuration defines stanzas for default (anonymous) connections. The remote anonymous stanza defines parameters for connecting to remote systems, and the sainfo anonymous section provides information for security association instructions, such as the encryption and authentication methods to use.

Certificates

To use certificates instead of shared keys, you first have to create certificates using OpenSSL. Then instruct racoon to use them. Specify the path for the certificates.

path certificate "/usr/local/etc/racoon/certs";

You can now configure racoon to use the public and private keys generated by the certificates. In the appropriate stanza in the /etc/racoon/racoon.conf file, the certificate_ type directive specifies the public and private keys for this system. The peers_certfile directive specifies the location of the remote system's public key. The authentication_ method directive is now set to rsasig, the RSA public/private keys. Make sure each system has its corresponding public and private keys.

certificate_type x509 "192.168.0.2.public" "192.168.0.2.private"; peers_certfile "192.168.0.5.public"; authentication_method rsasig;

Connection Configuration with racoon

With racoon, you will only need to specify the security policy for the connection configuration, as shown here for the sender. The receiver will have corresponding policies:

spdadd 192.168.0.5 192.168.0.2 any -P out ipsec            esp/transport//require            ah/transport//require; spdadd 192.168.0.2 192.168.0.5 any -P in ipsec            esp/transport//require            ah/transport//require;