Configuring IPsec Tools

An IPsec Client uses the IKE protocol to establish communications with a VPN Gateway. There are several open source products that can be used with a Gateway that implement the IKE protocol. We will be using the IPsec Tools daemon ( "racoon" ) which provides advanced functionality for VPN Client connectivity. For racoon to be useful, you will need to build a detailed configuration that contains your desired operating parameters.

Configuration Directory

The racoon configuration files are typically stored in a subdirectory named racoon under the etc system configuration directory. The location of your etc system subdirectory will be operating system dependent. If you use Linux or NetBSD, the path would typically be /etc/racoon. If you are using FreeBSD, the path would typically be /usr/local/etc/racoon as the /etc system configuration directory is reserved for the base operating system and pre-installed software.

When racoon is started, it will attempt to load the main configuration file named racoon.conf from the /etc/racoon subdirectory. You can optionally specify an alternate path to the configuration file by using the -f command line option when starting racoon as shown below:

racoon -f <alternate path>/racoon.conf

If racoon encounters a problem while loading the configuration file, it will report the error as command line output.

Main Configuration File

For our test environment, we will use the configuration file shown below. This document will describe the example configuration file parameters and how they are used to facilitate VPN Client connectivity. You can this this example as a starting point when writing a configuration file for your VPN Gateway. For a complete reference of the racoon.conf file format, please see the racoon.conf manual page which is distributed with the IPsec Tools package.


# Path Specifications


path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/cert";


# Listen Section




    isakmp [500];

    isakmp_natt [4500];



# Timer Section




    natt_keepalive 15 seconds;



# Remote Section


remote anonymous


    exchange_mode aggressive;

    verify_identifier on;

    my_identifier fqdn "";

    peers_identifier fqdn "";

    generate_policy unique;

    ike_frag on;

    nat_traversal on;

    dpd_delay 30;

    proposal_check claim;

    lifetime time 24 hours;



        encryption_algorithm aes 256;

        hash_algorithm sha1;

        authentication_method xauth_psk_server;

        dh_group 5;




# Mode Config Section





    pool_size 253;


    split_network include;

    split_dns "";

    auth_source system;

    auth_groups "vpn-user";

    group_source system;

    conf_source local;



    default_domain "";

    banner "/usr/local/etc/racoon/motd";



# SA Info Section


sainfo anonymous


    lifetime time 3600 seconds;

    encryption_algorithm aes 256;

    authentication_algorithm hmac_md5,hmac_sha1;

    compression_algorithm none;


Example raoon.conf configuration file.

Preshared Key Configuration File

If a PSK authentication method is used, you will need to create a preshared key text file and add the path to the listen section  of your main configuration file. The preshared key file lists the remote peer identifier followed by a preshared secret value.


# PSK text file

#        mysharedsecret

Example psk.txt configuration file.

see also :

Configuring IPsec Tools : Preshared Key File Path

Copyright 2010, Shrew Soft Inc