$Id: config-usage.ja.txt,v 1.74 2006/10/04 08:16:42 fukumoto Exp $

+ ե (racoon.conf)

	racoon2եʸˡ˴ؤƵҤ롣

o : racoon1 Ȥΰ㤤
	ơȥȤνλ ";" ˤʤä { } νλ ";" ǽ餻

o ¤

	եϰʲ9ĤΥǥ쥯ƥ֤ʬव롣

	setval
		եΤǰդʸ롣
		եΤɤ߹Ȥɾ롣

	default
		ǥեȤͤ
		줾Υǥ쥯ƥ֤ˤ񤭤롣

	interface
		ƥץȥΥ󥿡ե롣

	resolver
		resolverꤹ롣

	remote
		򴹤롣
		1İʾpolicyremote_indexǻȤ롣
		1Ĥselectorselector_indexǻȤ뤳Ȥ롣

	selector
		쥯롣
		selector_indexեΤǰդ
		10x7fffffffޤǤο͡
		1Ĥpolicypolicy_indexǻȤ롣
		: selector_index ϥͥǤȤΤǿͤˤ

	policy
		쥯˥ޥåѥåȤεư롣
		IPsecˤSAΥɥ쥹٥롣
		1İʾipsecipsec_indexǻȤ롣
		1İʾselectorpolicy_indexǻȤ롣
		1Ĥ remoteremote_indexǻȤ롣

	ipsec
		SAХɥ롣
		1İʾsasa_indexǻȤ롣
		1Ĥpolicyipsec_indexǻȤ롣

	sa
		1ĤSA롣
		1Ĥipsecsa_indexǻȤ롣

	ƥǥ쥯ƥ֤δطϰʲ̤Ǥ롣

	    setval    default    interface    resolver

     +---(selector_index)--- remote
     |                         ^
     |                         |
     |                   (remote_index)                       +-(sa_index)-> sa
     v                         |                              |
selector -+                    |     +-(ipsec_index)-> ipsec -+-(sa_index)-> sa
          |                    |     |  
selector -+-(policy_index)-> policy -+-(ipsec_index)-> ipsec ---(sa_index)-> sa
          |                          |
selector -+                          +-(ipsec_index)-> ipsec ...
          :                          :

o ǥ쥯ƥ
	ǥ쥯ƥ֤ϣĤstring1ʾvalueǹ롣

	ǥ쥯ƥ֤ͤꤹˤ
		directive value ;

	ĤΥǥ쥯ƥ֤ʣͤꤹˤ
		directive {
			value ;
			value ;
			:
		};

	valueϡ˥ǥ쥯ƥ֤ˤʤ礬롣

	ʲΥǥ쥯ƥ֤ˤ
		remote
		selector
		policy
		ipsec
		sa
	եΤǰդʣĤ indexʤФʤʤ
	indexϤ줾
		remote_index
		selector_index
		policy_index
		ipsec_index
		sa_index
	Υǥ쥯ƥ֤ǻȤ롣

o ѤǤʸ

	" (0x22)ǳʸȤư롣
	ͽ󤵤Ƥʤʸ " (0x22) ǳʤФʤʤ
	index [0-9a-zA-Z_] Τ߻ѤǤä˳ɬפϤʤ
	IPɥ쥹ݡȤɬפϤʤ

	" (0x22) ǳ餺˻Ȥͽ󤵤줿ʸϰʲʸǹ롣
		0x30-0x39 0-9
		0x41-0x5a A-Z
		0x61-0x7a a-z
		0x25      %
		0x2a      *
		0x2d      -
		0x2e      .
		0x2f      /
		0x3a      :
		0x3f      ?
		0x40      @
		0x5f      _

o IPɥ쥹ɽˡ
	IPv4ɥ쥹 0-9 .
		203.178.141.194

	IPv6ɥ쥹 0-9a-fA-F : %
		2001:200:0:8002:203:47ff:fea5:3085

	FQDNŸ롣
		www.kame.net

	ݡֹ port (port) IPɥ쥹θ롣
		MY_IP port 80
		203.178.141.194 port any
	ʸ any ƤΥݡֹ˥ޥå롣
	10ʿɽ
		: 0 ΰϥƥˤäưۤʤ롣(⤷ʤ)
	portˤ /etc/servicesʸȤ롣

	ץե / (number) ɽ롣
		::1/0

	ɥ쥹ϰϤ - Ƕڤ롣
		XXX ̤
		10.0.0.0-10.1.255.255

	ʣ¾Υǥ쥯ƥ֤Ʊͤ롣
		src {
			10.2.0.1;
			10.2.0.2;
		};

	ѤǤޥϰʲ̤
		MY_IP
		MY_IPV6
		MY_IPV6_GLOBAL
		MY_IPV6_LINKLOCAL
		MY_IPV4

		ʾ '%'򶴤ǥ󥿡ե̾Ǥ
			. MY_IP%(interface name)
	
		MY_COA: ̤
		IP_ANY: ::  0.0.0.0 

o Хȿɽˡ
	˥Хȿǥ쥯ƥ
		nonce_size
		max_pad_len
		max_retry_to_send
		kmp_sa_lifetime_byte
		ipsec_sa_lifetime_byte
	Ȥñ
		B,byte,bytes
		KB
		MB
		GB

o ֤ɽˡ
	˻֤ǥ쥯ƥ
		interval_to_send
		times_per_send
		kmp_sa_lifetime_time
		kmp_sa_nego_time_limit
		ipsec_sa_nego_time_limit
		ipsec_sa_lifetime_time
	Ȥñ
		infinite
		sec,secs,second,seconds
		min,mins,minute,minutes
		hour,hours
		day,days
	 0  infinitẹ롣

o 르ꥺɽˡ
	kmp_enc_alg
	esp_enc_alg
	esp_auth_alg
	ah_auth_alg
	ϰʲΤ褦˸ĹȸǤ롣

		(algorithm̾)[,(Ĺ)[,()]]

	16ɽϢ³16ʿ 0xƬˤĤ롣
	Ĺϥ르ꥺˤƤ롣

	algorithm̾ȸϰʲΤ褦ˤ롣
	
		(algorithm̾),,()

	ʣꤹˤ ';' Ƕڤ󤹤롣
		kmp_enc_alg { aes192_cbc,,0x1234; aes192_cbc; 3des_cbc; };

	kmp_enc_alg, esp_enc_alg
		des_cbc_iv64
		des_cbc
		3des_cbc
		rc5_cbc
		idea_cbc
		cast128_cbc
		blowfish_cbc
		3idea_cbc
		des_cbc_iv32
		rc4_cbc
		null_enc
		rijndael_cbc
		aes128_cbc
		aes192_cbc
		aes256_cbc
		twofish_cbc

	kmp_hash_alg
		md5
		sha1
		tiger
		sha2_256
		sha2_384
		sha2_512

	For IKEv2, the kmp_hash_alg directive specifies the integrity-check
	(MAC) algorithm for IKE_SA communication; the following algorithm
	names are accepted.

		hmac_md5
		hmac_sha1
		aes_xcbc
		aes_cmac


	kmp_prf_alg
		hmac_md5
		hmac_sha1
		hmac_sha2_256
		hmac_sha2_384
		hmac_sha2_512
		aes_xcbc
		aes_cmac
		des_mac
		kpdk_md5

	kmp_dh_group˻Ǥ륰롼ֹޤ̾Τɤ餫ǻꤹ롣
		1	modp768
		2	modp1024
		3	ec2n155
		4	ec2n185
		5	modp1536
		14	modp2048
		15	modp3072
		16	modp4096
		17	modp6144
		18	modp8192

	kmp_auth_method˻Ȥ륢르ꥺ̾
		psk
		dss
		rsasig
		rsaenc
		rsarev
		gssapi_krb

	esp_auth_alg, ah_auth_alg
		hmac_md5
		hmac_sha1
		aes_xcbc
		hmac_sha2_256
		hmac_sha2_384
		hmac_sha2_512
		kpdk_md5
		non_auth

	ipcomp_alg
		oui
		deflate
		lzs

o եɾ
	եΤɤ߹Ȥ1ɾ롣
	ʸȤɾս˻Ȥ롣
	ʣϥ顼ˤʤեɾλ롣

	Ķѿ
		եǤ $[string] ǻȤ롣

	setval ǥ쥯ƥ֤Ǥ
		եǤ ${string} ǻȤ롣
			string value ;
		η롣
		setval뱦(value)ˤϴĶѿΤߤɾ롣

		stringȤƻȤΤϰʲʸǤ롣
			ǽʸ A-Z˸¤롣
			0x30-0x39 0-9
			0x41-0x5a A-Z
			0x5f      _

o 
	# (0x23) ʹߤϥȤȤư̵뤵롣

o include
	include (file) ;

	¾եɤ߹

	(file)˵Ҥ줿ʸΤsetvalޥŸʤ
	ĶѿŸ롣

o setval
	setval { (directives) } ;

	եΤǰդ롣

	(string) (value) ;
		string valueꤹ롣

o default
	default { (directives) } ;

	ǥեȤͤ
	ǥ쥯ƥ֤Ǥ(ͽ)
	줾Υǥ쥯ƥ֤ˤ񤭤롣

o interface
	interface { (directives) } ;

	ƥץȥΥ󥿡ե롣
	directives ϰʲ̤ꡣ

	ike (address) [port (port)] ;
		IKEǡ󤬻ȤݡȤ롣(ʣ)

	kink (address) [port (port)] ;
		KINKǡ󤬻ȤݡȤ롣(ʣ)

	spmd (address) [port (port)] ;
		򴹥ǡspmd̿ѤݡȤ롣(ʣ)
		ǥХåѡ(--enable-debug 줿ȤΤ߻Ѳ)

	spmd unix (file);
		򴹥ǡspmdΥ󥿡ե
		UNIX-domainåȤξˡ

o spmd
	spmd { (directives) } ;

	spmdꤹ롣
	directives ϰʲ̤ꡣ

	resolver (on|off) ;
		spmdresolverȤƤεư
		ǥե off

	nameserver (address) [port (port)] ;
		̤DNSХɥ쥹ꤹ롣(ʣ)
		portΥǥեȤ 53

	dns_query (address) [port (port)] ;
		queryդ륢ɥ쥹ꤹ롣(ʣ)
		portΥǥեȤ 53

o password (file) ;
	spmdȤ³ѥɤǼե̾

o remote
	remote (remote_index) { (directives) } ;

	򴹤롣
	directivesϰʲ̤ꡣ

	ikev1 { (directives) } ;
	ikev2 { (directives) } ;
	kink  { (directives) } ;
		Ƹ򴹥ץȥꤹ롣

	acceptable_kmp (ikev1|ikev2|kink) ;
		responder˼Ĥ븰򴹥ץȥꤹ롣(ʣ)
		ǽץȥinitiator˻Ȥ
		default ikev2

	selector_index (selector_index) ;
		Ȥselectorselector_index롣
		RW to HOST/SGW ResponderλˤΤ߻Ȥ롣

	ʲƸ򴹥ץȥꤹǥ쥯ƥ

		logmode (normal|debug) ;
			default normal

		logfile (file) ;
			̤Υեꤹ롣
			˻ꤷƤΤΥϽϤ롣

		passive (on|off) ;
			responderȤƤʤ

		peers_ipaddr (address) [port (port)];
			IPɥ쥹ꤹ롣IKEv2IKEv1main⡼ɤ
			responderλremoteκǽθˤʤ롣ά
			IP_RWȽ񤯾ˤdefaultǥ쥯ƥ֤ɬסʣġ

		verify_id (on|off) ;
		verify_pubkey (on|off) ;
		send_cert (on|off) ;
		send_cert_req (on|off) ;
		nonce_size (number) ;
		initial_contact (on|off) ;

		support_proxy (on|off) ;
			transport modeξˤΤͭ
			phase2ID payloadID TS(IKEv1)
			SAΥɥɥ쥹Ȥư

		my_id (ipaddr|email|fqdn|keyid|x509_subject) (value) ;
		peers_id (ipaddr|email|fqdn|keyid|x509_subject) (value) ;
			ipaddr (ip address)
				IPv4 or IPv6ɥ쥹
			fqdn (FQDN)
				FQDN
			email (e-mail address)
				 E-Mailɥ쥹
			keyid (filename)
				KEY-ID
			x509_subject (filename)
				Subject
			ʣ

		selector_check (obey|exact) ;
			responder¦IDTSӽ롣
			obey
				initiatorΥݥꥷSPD˥󥹥ȡ뤹
			exact
				initiatorΥݥꥷSPDˤʤХ顼ˤ롣
			³Τ˥ǥեȤ obey
			racoon1 generate_policy on롣

		proposal_check (obey|strict|claim|exact) ;
			responder¦Υݥꥷӽ롣
			obey
				initiatorΥݥꥷSPD˥󥹥ȡ뤹
			strict
				initiatorͤʤлȤ
				ǤʤХ顼
				ȤlifetimeϾPFSϻȤȤ
			claim
				IKEv1Τͭ
				strictλ˥顼ˤresponderͤȤ
				RESPONDER_LIFETIME֤
			exact
				initiatorͤפƤʤлȤ
				ǤʤХ顼

		random_pad_content (on|off) ;
		padlen_random (on|off) ;
		max_padlen (number) ;
			ѥǥ󥰤˴ؤꤹ

		max_retry_to_send (number) ;
		interval_to_send (number) ;
		times_per_send (number) ;
			˴ؤꤹ롣

		kmp_sa_lifetime_time (number) ;
		kmp_sa_lifetime_byte (number) ;
		kmp_sa_nego_time_limit (number) ;
		ipsec_sa_nego_time_limit (number) ;
			򴹤֤˴ؤ

		kmp_enc_alg (algorithm) ;
			Ź楢르ꥺ
			ʣǽ
		kmp_hash_alg (algorithm) ;
			ϥå奢르ꥺ
			ʣǽ
		kmp_prf_alg (algorithm) ;
			ǧڥ르ꥺ
			ʣǽ
		kmp_dh_group (algorithm) ;
			DH롼
			ʣǽ
		kmp_auth_method (algorithm) ;
			ǧˡ
			ʣǽ

		exchange_mode (main|aggressive|base|all) ;
			ikev1ǤΤͭʥǥ쥯ƥ
			exchange modeꤹ롣
			responder˼Ĥmodeꤹ롣(ʣ)
			ǽmodeinitiator˻Ȥ

		my_gssapi_id (string) ;
			ikev1Ǥͭʥǥ쥯ƥ
			GSSAPI ID롣
			XXX my_principal ΤȤʡ

		cookie_required (on|off);
			ikev2ǤΤͭʥǥ쥯ƥ
			respondercookie׵᤹뤫ɤΥե饰
			ǥե off

		need_pfs (on|off) ;
			ikev1,ikev2ǤΤͭʥǥ쥯ƥ
			PFSͭˤ뤫ɤ롣
			IKEv1Ǥphase2KE롣
			ǥե off

		my_public_key (x509pem|pkcs12|ascii) (pubkey) (privkey)
		peers_public_key (x509pem|pkcs12|ascii) (pubkey)
			XXX TBD
			ikev1,ikev2ǤΤͭʥǥ쥯ƥ
			񤬳Ǽ줿եؤΥѥ(ʣ)
			x509pem
				X.509 PEM
			pkcs12
				PKCS12
			ascii
				PGP ASCII ARMORED

		pre_shared_key (file)
			ikev1,ikev2ǤΤͭʥǥ쥯ƥ
			ͭǼ줿եؤΥѥ
			ХʥȤư롣

		my_principal (principal-id)
		peers_principal (principal-id)
			kinkǤΤͭʥǥ쥯ƥ
			ץ󥷥ѥID롣
			principal-id "principal@realm"

o selector
	selector (selector_index) { (directives) } ;

	쥯롣
	1Ĥpolicypolicy_indexǻȤ롣
	directivesϰʲ̤ꡣ

	order (number) ;
		ͥɾɾֹ롣
		դɬפϤʤ

	direction (inbound|outbound);
		ѥåȤ

	src (address) [port (port)];
	dst (address) [port (port)];
		쥯롣
		XXX ꥹȤϽ񤱤ʤ

	upper_layer_protocol (protocol) [(options)];
		ޥåإåκǸΥإå
		ץȥֹ롣
		/etc/protocols줿ʸ any Ȥ롣

	next_header_including (protocol)[:(option)];
		XXX ̤
		ޥåإå˴ޤޤץȥֹ롣
		/etc/protocols줿ʸȤ롣
		ʣ

		(option)protocol˰¸ͤ롣

		Ǥoptionϰʲ̤

		ipv6-icmp (type) (code)

	policy_index (policy_index) ;
		Ȥpolicypolicy_index롣

o policy
	policy (policy_index) { (directives) } ;

	IPsecΥץݡ롣
	1İʾipsecipsec_indexǻȤ롣
	Ȥipsecϸ򴹥ץȥǤORɾ롣
	1İʾselectorpolicy_indexǻȤ롣
	1Ĥ remoteremote_indexǻȤ롣
	directivesϰʲ̤ꡣ

	action (auto_ipsec|static_ipsec|discard|none) ;

	remote_index
		Ȥremoteremote_index롣

	ipsec_index
		Ȥipsecipsec_index롣
		ʣǽ

	my_sa_ipaddr (address) ;
	peers_sa_ipaddr (address) ;
		SAνüIPɥ쥹롣IPɥ쥹,FQDN,ޥ񤱤롣
		action static_ipsecξ硢ޤ tunnel⡼ɤȤ
		롣peers_sa_ipaddrIP_RWȽ񤯤ȡgenerate policy롣

	ipsec_level (unique|require|use) ;
		use
			XXX ̤
			SA̵곫Ϥ뤬ѥåȤФ롣
		require
			SA̵곫ϤSAǤޤǥѥåȤ˴롣
			¾policyȤǽ롣
		unique
			XXX Ȥꤢͥˤꤵ뤬
			XXX 򴹥ǡ̤ǧ
			require˲ä¾policy¾Ū˻Ȥ

	ipsec_mode (transport|tunnel) ;
		IPsec⡼ɤ롣

o ipsec
	ipsec (ipsec_index) { (directives) } ;

	SAХɥ롣
	1İʾsasa_indexǻȤ롣
	Ȥsaϸ򴹥ץȥǤANDɾ롣
	1Ĥpolicyipsec_indexǻȤ롣
	directivesϰʲ̤ꡣ

	ipsec_sa_lifetime_time (number) ;
	ipsec_sa_lifetime_byte (number) ;
		SAͭ¤롣

	ext_sequence (on|off) ;
		ĥ󥹤̵ͭ

	sa_index (sa_index) ;
		3Ĥޤǻǽ
		SAڥɤǤANDɾSAХɥɽ롣

		ʣꤹsasa_protocolν
		AH
		ESP
		IPCOMP
		AH_ESP
		AH_IPCOMP
		ESP_IPCOMP
		AH_ESP_IPCOMP

o sa
	sa (sa_index) { (directives) } ;

	1ĤSA롣
	1Ĥipsecsa_indexǻȤ롣
	directivesϰʲ̤ꡣ

	sa_protocol (ah|esp|ipcomp) ;
		SAΥץȥ롣

	esp_enc_alg (algorithm) ;
	esp_auth_alg (algorithm) ;
		ʣǽ
		򴹥ץȥǤORɾ롣
		sa_protocol espξˤΤͭ

	ah_auth_alg (algorithm) ;
		ʣǽ
		򴹥ץȥǤORɾ롣
		sa_protocol ahξˤΤͭ

	ipcomp_alg (algorithm) ;
		ʣǽ
		򴹥ץȥǤORɾ롣
		sa_protocol ipcompξˤΤͭ

	spi (spi) ;
		(ѻߡ)
		ŪSASPI롣
