mode_cfg section ( Configuration Transaction )

mode_cfg { statements }

            Defines the information to return for remote hosts' ISAKMP mode
            config requests.  Also defines the authentication source for
            remote peers authenticating through Xauth.

            The following are valid statements:

            auth_source (system | radius | pam);
                        Specify the source for authentication of users through
                        Xauth.  system means to use the Unix user database.  This
                        is the default.  radius means to use a RADIUS server.  It
                        works only if racoon(8) was built with libradius support,
                        and the configuration is done in radius.conf(5).  pam
                        means to use PAM.  It works only if racoon(8) was built
                        with libpam support.

            conf_source (local | radius);
                        Specify the source for IP addresses and netmask allocated
                        through ISAKMP mode config.  local means to use the local
                        IP pool defined by the network4 and pool_size keywords.
                        This is the default.  radius means to use a RADIUS
                        server.  It works only if racoon(8) was built with
                        libradius support, and the configuration is done in
                        radius.conf(5).  RADIUS configuration requires RADIUS
                        authentication.

            accounting (none | system | radius | pam);
                        Enable or disable accounting for Xauth logins and
                        logouts.  Default is none, which disables accounting.
                        system enables system accounting through utmp(5).
                        radius enables RADIUS accounting.  It works only if
                        racoon(8) was built with libradius support, and the
                        configuration is done in radius.conf(5).  RADIUS
                        accounting requires RADIUS authentication.  pam enables
                        PAM accounting.  It works only if racoon(8) was built
                        with libpam support.  PAM accounting requires PAM
                        authentication.

            pool_size size
                        Specify the size of the IP address pool, either local or
                        allocated through RADIUS.  conf_source selects the local
                        pool or the RADIUS configuration, but in both configura-
                        tions, you cannot have more than size users connected at
                        the same time.  The default is 255.

            network4 address;
            netmask4 address;
                        The local IP pool base address and network mask from
                        which dynamically allocated IPv4 addresses should be
                        taken.  This is used if conf_source is set to local or if
                        the RADIUS server returned 255.255.255.254.  Default is
                        0.0.0.0/0.0.0.0.

            dns4 addresses;
                        A list of IPv4 addresses for DNS servers, separated by
                        commas, or on multiple dns4 lines.

            nbns4 addresses;
                        A list of IPv4 addresses for WINS servers, separated by
                        commas, or on multiple nbns4 lines.

            split_network (include | local_lan) network/mask, ...
                        The network configuration to send, in CIDR notation
                        (e.g. 192.168.1.0/24).  If include is specified, the
                        tunnel should only be used to encrypt traffic to the
                        indicated destinations; otherwise, if local_lan is
                        used, everything but those destinations will pass
                        through the tunnel.

            default_domain domain;
                        The default DNS domain to send.

            banner path;
                        The path of a file displayed on the client at connection
                        time.  Default is /etc/motd.

            auth_throttle delay;
                        On each failed Xauth authentication attempt, refuse new
                        attempts for a further delay seconds.  This is to slow
                        down dictionary attacks on Xauth passwords.  Default is
                        one second.  Set to zero to disable authentication
                        delay.

            pfs_group group;
                        Sets the PFS group used in the client proposal (Cisco VPN
                        client only).  Default is 0.

            save_passwd (on | off);
                        Allow the client to save the Xauth password (Cisco VPN
                        client only).  Default is off.
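The statements above carry dependency rules (RADIUS configuration and RADIUS accounting require RADIUS authentication, PAM accounting requires PAM authentication) and two settings whose non-default values weaken Xauth (auth_throttle 0 and save_passwd on). The following checker, an added example that is not part of racoon, parses a mode_cfg block and reports violations of those rules; the sample block and its addresses are constructed, and the parser only handles the `keyword value;` statement form shown in this section.

```python
"""Sanity-check a racoon.conf mode_cfg block against the rules documented above.
Added example, not part of racoon; the sample block below is constructed."""
import re

# Constructed sample mode_cfg section (hypothetical addresses and values).
SAMPLE = """
mode_cfg {
    auth_source system;
    conf_source radius;
    accounting radius;
    pool_size 50;
    network4 10.99.0.1;
    netmask4 255.255.255.0;
    dns4 10.99.0.2, 10.99.0.3;
    auth_throttle 0;
    save_passwd on;
}
"""

def parse_mode_cfg(text):
    """Return {keyword: [value, ...]} for the statements inside mode_cfg { ... }."""
    m = re.search(r"mode_cfg\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no mode_cfg section found")
    cfg = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.replace(",", " ").split()   # dns4/nbns4 lists are comma-separated
        if parts:
            cfg.setdefault(parts[0], []).extend(parts[1:])
    return cfg

def check_mode_cfg(cfg):
    """Apply the dependency rules from the man page; return a list of findings."""
    findings = []
    auth = cfg.get("auth_source", ["system"])[0]          # system is the default
    if cfg.get("conf_source", ["local"])[0] == "radius" and auth != "radius":
        findings.append("conf_source radius requires auth_source radius")
    acct = cfg.get("accounting", ["none"])[0]
    if acct in ("radius", "pam") and auth != acct:         # RADIUS/PAM accounting needs matching auth
        findings.append(f"accounting {acct} requires auth_source {acct}")
    if cfg.get("auth_throttle", ["1"])[0] == "0":           # default delay is one second
        findings.append("auth_throttle 0 removes the delay on failed Xauth logins")
    if cfg.get("save_passwd", ["off"])[0] == "on":
        findings.append("save_passwd on lets the client store the Xauth password")
    return findings

if __name__ == "__main__":
    for finding in check_mode_cfg(parse_mode_cfg(SAMPLE)):
        print("WARNING:", finding)
```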