Configuring the Racoon IKE/ISAKMP daemon

As we mentioned in the previous section (Managing the Security Association Database using setkey) managing Security Associations (SAs) manually using setkey soon becomes cumbersome when more than a few machines on a network are to be secured. It also limits the range of possible security options as setkey can only use static keys for the encryption and authentication algorithms.

One of the more elegant solutions to these problems, and others, is to make use of the Internet Key Exchange (IKE) protocol (described in RFC-2409◳). The IKE protocol makes use of the framework for authentication and key exchange described by the Internet Security Association and Key Management Protocol (ISAKMP), as well as the OAKLEY Key Determination Protocol (see RFC-2408◳ and RFC-2412◳ for more details) and the SKEME key exchange techniques, to provide a complete solution offering authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI (described in RFC-2407◳).

In this section we shall describe how the racoon daemon may be used to provide Internet Key Exchange (IKE) services including negotiating security associations for itself (ISAKMP SA, or phase 1 SA) and for kernel IPsec (IPsec SA, or phase 2 SA).

IKE/ISAKMP basics

Before we describe how to configure the racoon daemon we shall briefly describe the basic operation of the Internet Key Exchange (IKE) protocol.

The most important thing to know is that the key exchange takes place in two distinct phases.

Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA).
Phase 2 is where Security Associations (SAs) are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation.

There are three key exchange modes which may be used to accomplish a Phase 1 Key Exchange each with particular strengths and weaknesses.

Main Mode may be used to accomplish a Phase 1 Key Exchange while providing identity protection for both peers. A major limitation of Main Mode is that the network addresses of both peers must be static and known in advance.
Aggressive Mode may be used to accomplish a Phase 1 Key Exchange where identity protection is not required. As identity protection is not required fewer round trips are needed to complete the key exchange and thus Aggressive Mode is usually slightly faster than Main Mode. Another advantage of Aggressive Mode is that it may be used when one of the clients has a dynamic network address.
Base Mode is a new Phase 1 Key Exchange mode which allows support for all authentication methods for both static and dynamic network addresses. It also provides some more advanced protection against Denial of Service (DoS) attacks and enhanced negotiation capabilities when compared with Aggressive Mode. For more information see IKE Base Mode◳.

Once the Phase 1 Key Exchange has been completed the two IKE peers have negotiated an authenticated and encrypted communications channel, but only between each other and only for the purposes of further key exchange and parameter negotiation. This channel may now be used to negotiate parameters and keying material which may be used with IPsec Security Associations. This phase of operation is usually referred to as Phase 2 and has a single mode of operation.

Quick Mode accomplishes Phase 2 key exchanges. As Quick Mode requires a secure channel of communication it is not suitable for performing a Phase 1 key exchange however it is considerably faster than any of the three Phase 1 key exchange modes and offers much greater potential for algorithm and parameter negotiation.

Phase 1 parameters

We mentioned in the previous section that before an IKE peer may be used to negotiate parameters, algorithms and keying material for IPsec they must first establish an authenticated and encrypted channel of communication with another appropriate peer. This is usually referred to as Phase 1 Key Exchange.

The racoon configuration file (usually located at /etc/racoon/racoon.conf) uses the following syntax for specifying a remote Phase 1 peer.

remote name [inherit parent_name] { statements }

As you can see, the first parameter to the remote directive allows a name to be specified for the remote peer. Alternatively, the special name anonymous may be used which will match any peer. Optionally, a named configuration may inherit all the values from a previously declared configuration by specifying the name of the parent configuration after the keyword inherit.

The table below describes some of the more basic configuration statements which may be used inside the remote declaration.

Basic statements for the remote declaration
remote_address address;	The remote_address directive allows the network address of the remote peer to be configured. If the network address is unknown (when a client is assigned a dynamic address for example) then this directive should be omitted. If this directive is omitted and the remote address for the peer cannot be determined from the Security Policy then no outgoing connection attempts will be made and a connection will only be possible when initiated by the remote peer.
remote_address address;	remote_address 62.149.40.78;
my_identifier [qualifier] id_type ...;	This directive allows the identifier sent to the remote peer and the type to be used in the Phase 1 Key Exchange to be specified. Valid types are address (optionally followed by an IP address), fqdn (such as vpn.hacking.co.uk), user_fqdn (such as user@vpn.hacking.co.uk), keyid (followed by the name of a key file), and asn1dn (optionally followed by a string containing the ASN.1 distinguished name).
my_identifier [qualifier] id_type ...;	my_identifier fqdn "vpn.hacking.co.uk";
exchange_mode (main \| aggressive \| base);	The exchange_mode directive controls both the phase 1 exchange mode when racoon is the initiator and also lists the acceptable exchange modes when racoon is the responder. Valid modes are main, aggressive and base.
exchange_mode (main \| aggressive \| base);	exchange_mode main, base, aggressive;
passive (on \| off);	By default the racoon daemon will operate as both a responder and an initiator. If the passive directive is set to on the racoon daemon will only operate as a responder.
passive (on \| off);	passive off;
nat_traversal (on \| off \| force);	This directive controls use of the NAT-Traversal (NAT-T) IPsec extension which allows one or both of the peers to be located behind a NAT device. A value of on enables the use of NAT-T when a NAT gateway device is detected between the peers, a value of off disables the use of NAT-T and a value of force enables NAT-T regardless of the presence of a NAT gateway device.
nat_traversal (on \| off \| force);	nat_traversal on;
dpd_delay delay;	This directive controls the use of Dead Peer Detection (DPD) which is a method of detecting peers whose connection has been lost. Any non-zero value will be interpreted as the maximum time in seconds between two proof of liveliness requests. A value of zero will disable Dead Peer Detection.
dpd_delay delay;	dpd_delay 30;

Once the basic parameters for the Phase 1 Key Exchange have been specified one or more proposal sections are required. Each proposal section details the encryption, authentication and compression algorithms which may be used. The proposal syntax is briefly described below.

proposal { sub-statements }

The table below describes some of the more basic configuration statements which may be used inside the proposal declaration.

Basic sub-statements for the proposal declaration
encryption_algorithm algorithm;	This directive specifies the encryption algorithm used for phase 1 negotiation and must therefore be supplied for every proposal. Valid values include des, 3des, blowfish, cast128, aes and camellia.
encryption_algorithm algorithm;	encryption_algorithm aes;
hash_algorithm algorithm;	This directive specifies the encryption algorithm used for phase 1 negotiation and must therefore be supplied for every proposal. Valid values include md5, sha1, sha256, sha384 and sha512.
hash_algorithm algorithm;	hash_algorithm sha1;
authentication_method type;	The authentication_method declaration allows the type of authentication to be specified. Valid values are pre_shared_key (for PSK authentication), rsasig (for RSA signature authentication) or gssapi_krb (for Kerberos authentication). Other supported authentication methods are hybrid_rsa_server and hybrid_rsa_client, which implement hybrid authentication schemes described in A Hybrid Authentication Mode for IKE◳ as well as xauth_rsa_server, xauth_rsa_client, xauth_psk_server or xauth_psk_client, which implement extended authentication schemes described in Extended Authentication within ISAKMP/Oakley (XAUTH)◳.
authentication_method type;	authentication_method pre_shared_key;
dh_group group;	This declaration specifies the group used for the Diffie-Hellman exponentiations for the phase 1 negotiation. Valid values for group are modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144 and modp8192. Larger values increase security at the expense of greater processing overhead during phase 1 negotiation.
dh_group group;	dh_group modp2048;
lifetime time number time_unit;	This directive specifies the proposed lifetime of the Security Association (SA) being negotiated.
lifetime time number time_unit;	lifetime time 24 hour;

Phase 2 parameters

Once the Phase 1 Key Exchange has been completed IPsec Security Associations (SAs) may be established. The parameters for the Phase 2 Key Exchange are configured using the sainfo directive.

sainfo (local_id | anonymous) (remote_id | clientaddr | anonymous) [from id_type [string]] [group string] { statements }

As you can see, the syntax of the sainfo directive is fairly complex. In its most simple form the single keyword anonymous will cause the subsequent declaration to be valid for any source and destination address.

Basic statements for the sainfo declaration
encryption_algorithm algorithms;	This directive allows the list of acceptable encryption algorithms to be specified. The first entry in this list which is acceptable to both the initiator and the responder will be selected. Acceptable values are any of des, 3des, des_iv64, des_iv32, rc5, rc4, idea, 3idea, cast128, blowfish, twofish, rijndael, aes, camellia or null_enc.
encryption_algorithm algorithms;	encryption_algorithm aes, 3des;
authentication_algorithm algorithms;	This directive allows the list of acceptable authentication algorithms to be specified. The first entry in this list which is acceptable to both the initiator and the responder will be selected. Acceptable values are any of des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, hmac_sha512 or non_auth.
authentication_algorithm algorithms;	authentication_algorithm hmac_sha512, hmac_sha384, hmac_sha256, hmac_sha1;
compression_algorithm algorithms;	This directive allows the list of acceptable compression algorithms to be specified. As the only compression algorithm currently defined for use with IPcomp is the deflate algorithm this is the only practical option.
compression_algorithm algorithms;	compression_algorithm deflate;
pfs_group group;	When Perfect Forward Security (PFS) is required this directive should be used to select the Diffie-Hellman exponentiations for the phase 2 negotiation. Valid values for group are modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144 and modp8192. Larger values increase security at the expense of greater processing overhead during phase 2 negotiation. When Perfect Forward Security (PFS) is not required this directive may be omitted.
pfs_group group;	pfs_group modp1024;
lifetime time number time_unit;	This directive specifies the proposed lifetime of the Security Association (SA) being negotiated.
lifetime time number time_unit;	lifetime time 12 hour;

Additional configuration options

In addition to the options discussed above there are three more configuration directives which deserve a mention at this stage.

log level;

The first of these controls the level of messages which will be sent to the system log. During configuration and testing a level of info or debug may be required to produce output which may be useful when debugging connection issues. During production use a value of notice or warning is more appropriate to avoid excessively large log files.

path pre_shared_key file;

The next significant configuration directive must be used to configure a path to the Pre Shared Key file which will be used when PSK authentication is selected.

complex_bundle (on | off);

Finally the complex_bundle directive controls how the racoon daemon will interpret proposals when using an SA bundle. When this directive is set to off an ESP tunnel within an outer AH transport will be proposed as AH tunnel and ESP tunnel instead of the more accurate AH transport and ESP tunnel which would be proposed with this directive set to on. For interoperability with older IKE implementations this directive may need to be set to off, which is the default.

Example racoon configuration

Below is a basic example configuration for the racoon daemon.

The first three configuration directives set the log level, the path to the PSK file and the presentation of an SA bundle. As you can see, we have set the log level to info so that more detailed output will be produced as well as specifying that an SA bundle should be expressed accurately.

The next configuration block declares an anonymous remote block which will match any incoming connections. Inside that block we offer a single proposal.

Finally we declare an anonymoussainfo block which will be used to negotiate IPsec Security Associations (IPsec SAs).

/etc/racoon/racoon.conf

log info;

path pre_shared_key "/etc/racoon/psk.txt";

complex_bundle on;

remote anonymous
{
    exchange_mode main;
    my_identifier fqdn "vpn.hacking.co.uk";
    passive off;
    nat_traversal on;
    dpd_delay 30;

    proposal
    {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp2048;
        lifetime time 24 hour;
    }
}

sainfo anonymous
{
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha512, hmac_sha384, hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
    lifetime time 12 hour;
}

The above configuration also requires a Pre Shared Key file, an example of which is provided below.

/etc/racoon/psk.txt

vpn.hacking.co.uk   0x5e0d1ba56cb3249e8a9d1ca243f01da16afc8d24c12f7c45

The PSK file will need to be secured so that it is only readable by the root user before racoon will consider it trustworthy. This can be easily accomplished as shown below.

lisa ~ # chmod 0400 /etc/racoon/psk.txt

With the relevant configuration files in place the racoon daemon may be started and added to the default run-level.

lisa ~ # /etc/init.d/racoon start
lisa ~ # rc-update add racoon default

In the following section, we shall introduce some techniques for testing and diagnosing common configuration problems with the racoon daemon and IPsec.