racoon düzgün çalışabilmek için bir yapılandırma dosyasına ihtiyaç duyar. Bu dosyada daha önce setkey kullanılarak atanmış olan güvenlik politikası ile ilgili ayarlar bulunur.
Dosya: /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
isakmp 2001:db8:1:1::1;
}
remote 2001:db8:2:2::2
{
exchange_mode main;
lifetime time 24 hour;
proposal
{
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# gateway-to-gateway
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
{
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
{
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
Önceden paylaşılan sır da ayarlanmalıdır:
Dosya: /etc/racoon/psk.txt
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
2001:db8:2:2::2 verysecret
En azından artalan süreci çalıştırılmış olmalıdır. İlk çalıştırmada hata ayıklama ve ön planda çalışma kiplerini kullanın. Aşağıdaki örnek IKE safha 1 (ISAKMP-SA) ve 2'nin (IPsec-SA) başarılı bir şekilde çalıştırılmasını göstermektedir:
# racoon -F -v -f /etc/racoon/racoon.conf
Foreground mode.
2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2005-01-01 20:30:15: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7)
2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2 queued due to no phase1 found.
2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation: 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500]
2005-01-01 20:31:06: INFO: begin Identity Protection mode.
2005-01-01 20:31:09: INFO: ISAKMP-SA established 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] spi:da3d3693289c9698:ac039a402b2db401
2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation: 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0]
2005-01-01 20:31:10: INFO: IPsec-SA established: ESP/Tunnel 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab)
2005-01-01 20:31:10: INFO: IPsec-SA established: ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)
Her yön IPsec standartlarında belirtildiği gibi kendi IPsec-SA'sına sahiptir. İlgili arabirimde tcpdump ile IPv6 ping sonucunu görürsünüz:
20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3)
20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3)
Beklendiği gibi burada SPI'lar kullanılmışlardır.
setkey kullanılarak etkin parametreler görüntülenir:
# # setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
E: 3des-cbc bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
A: hmac-md5 60c2c505 517dd8b7 c9609128 a5efc2db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
diff: 577(s) hard: 3600(s) soft: 2880(s)
last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
current: 540(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=22358 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
E: 3des-cbc c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
A: hmac-md5 3f957db9 9adddc8c 44e5739d 3f53ca0e
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
diff: 577(s) hard: 3600(s) soft: 2880(s)
last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
current: 312(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=0 pid=22358 refcnt=0