Subject: [HEADS-UP] switched from KAME racoon to ipsec-tools racoon
To: None <>
From: Emmanuel Dreyfus <>
List: current-users
Date: 02/19/2005 19:51:25

We switched from KAME racoon to ipsec-tools racoon. We now also build
setkey and libipsec from ipsec-tools sources.

ipsec-tools is a KAME racoon fork initially performed by Linux people
that needed Linux support in racoon. It has also absorbed many
features that did not make their way into KAME racoon. Today ipsec-tools
builds on Linux, NetBSD and FreeBSD. It has the following new features
over our previous IKE daemon:

- IPsec NAT-Traversal as described in RFC 3947 and RFC 3948. This
requires a -current kernel built with the IPSEC_NAT_T option. There is an
IPR disclosure made by Microsoft on NAT-T at the IETF. We are convinced
that we did not implement what is covered by the patent (the Original
Address stuff), but be aware that there might be a problem with using
NAT-T in some countries.

- Dead Peer Detection (DPD), as described in RFC 3706. This is used to
kill a security association when the peer does not answer, without
having to wait for the phase 2 lifetime to end.

- Interoperability with the Cisco VPN client. racoon can replace the
Cisco VPN 3000 operating in Xauth with hybrid auth mode.

Xauth is a login/password authentication that occurs between phase 1 and
phase 2. It is secured by phase 1, and is insecure if you use the
infamous group password authentication in phase 1. racoon can validate
logins against the system database, or over PAM. It's also able to
directly use RADIUS without PAM, but this requires libradius that has not
yet been imported (this will come soon). Accounting for Xauth logins is
also supported through PAM (and soon directly through RADIUS).

hybrid auth is just about breaking phase 1 symmetry: the VPN gateway
authenticates to the client using a certificate, and the client does not
authenticate in phase 1. It will be authenticated by the Xauth exchange
before being allowed to start a phase 2. In the Cisco VPN client, this is
known as the "mutual group authentication".

- IKE mode config: this is used with Xauth to autoconfigure a VPN
client: the VPN gateway will send the internal IP, netmask and DNS.

- GSSAPI fixes for interoperability with Microsoft Windows IKE

- Privilege separation: you can run most of racoon as an unprivileged
user. It will fork and have a privileged instance for the few
operations that require root privileges (opening the PFKEY socket,
reading keys, validating Xauth logins...)

- IKE fragmentation: this is an extension introduced by Cisco to
fragment IKE packets so that they are able to get through broken DSL
routers that drop big UDP packets. Most DSL routers are broken, so this
is extremely useful.

- ESP fragmentation: this fixes the same problem as above with ESP
packets in tunnel mode. Instead of sending fragments of ESP packets
carrying unfragmented IP packets on the network, we fragment before ESP
encapsulation and send unfragmented ESP packets containing fragmented IP
packets. The devices between the IPsec endpoints never see a fragmented
packet and you are able to get through broken devices that would have
filtered your fragments.

- Certificate authority path used to validate certificate can now be

- hook scripts: it's now possible to run shell script hooks on phase 1
creation and deletion. This is useful to configure special routes or
tweak packet filtering rules.

Sample config files can be found in /usr/share/examples/racoon. The
roadwarrior directory contains the config files for using racoon as a
server for the Cisco VPN client, and the config file for racoon to
connect to racoon in the server config. It seems it does not work for
connecting to Cisco VPN 3000 yet, but this will come later.

Of course the man pages have been updated to document all the new

I am not aware of any feature regression from KAME racoon, but should
you find any, please notify me.

Emmanuel Dreyfus
Subliminal advertising: buy this book!
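
An added example, not part of the original message and not one of the samples shipped in /usr/share/examples/racoon: a gateway-side racoon.conf fragment that turns on several of the features listed above (privilege separation, NAT-T, DPD, IKE and ESP fragmentation, hybrid auth with Xauth, mode config). Directive names follow racoon.conf(5) from ipsec-tools and should be checked against the installed man page; the paths, account names and addresses are constructed placeholders.

```conf
# Constructed sample: paths, account names and addresses are placeholders.
path certificate "/etc/racoon/certs";

privsep {
	user "racoon";          # unprivileged account for most of racoon
	group "racoon";
}

remote anonymous {
	exchange_mode aggressive;
	certificate_type x509 "gateway.crt" "gateway.key";
	my_identifier asn1dn;
	proposal_check strict;
	generate_policy on;     # install policies for roadwarrior clients
	passive on;             # the gateway answers, it never initiates
	nat_traversal on;       # needs a kernel built with IPSEC_NAT_T
	dpd_delay 20;           # seconds between DPD probes
	ike_frag on;
	esp_frag 552;           # fragment before ESP encapsulation
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		# Hybrid auth: certificate for the gateway in phase 1,
		# Xauth login for the client, no group password.
		authentication_method hybrid_rsa_server;
		dh_group 2;
	}
}

mode_cfg {
	auth_source pam;        # validate Xauth logins over PAM
	network4 10.99.99.1;    # first address handed out to clients
	pool_size 253;
	netmask4 255.255.255.0;
	dns4 10.99.99.254;
}

sainfo anonymous {
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
```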