Racoon setup with X.509 Certificates
The information in this document mainly comes from a document written by Leonardo Ciociano.
Racoon supports X.509 certificates for the authentication process. These certificates may be validated against a certification authority (CA). The configuration is similar to the one using PSK; it differs only in the authentication section.
path certificate "/etc/racoon/certs";

remote 192.168.2.100 {
        exchange_mode main;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method rsasig;
                dh_group modp4096;
        }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp4096;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
The certificate and the private key are stored in /etc/racoon/certs. The certificates and the certificate revocation list (CRL) are stored in PEM format, as generated by openssl. If the certificate is to be validated against a CA (verify_cert on, which is the default), the CA certificate must also be stored in this directory. So that openssl can find the CA certificate, it must be reachable through a symbolic link named after its subject hash:
ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0
If the certificate should also be checked against the CRL, the CRL must be stored in the same directory with a similar link. The hash in the link name is that of the issuing CA's certificate, and the suffix is .r0 instead of .0:
ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0
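The two ln -s commands above, generalized into a small POSIX shell helper that also handles colliding hashes and checks that OpenSSL really finds the CA through the directory. This is an added example, not part of the original document or of racoon; the function names and arguments are my own, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original document): create the hash-named symlinks
# that OpenSSL, and so racoon with "verify_cert on", uses to find a CA certificate
# (<hash>.N) and its CRL (<hash>.rN) inside the certificate directory.
# Assumes OpenSSL is installed and that FILE already lives inside DIR, so the link
# can be relative, like the ln -s commands above.

# Subject hash of a certificate: the name OpenSSL looks up for a CA.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Issuer hash of a CRL: equals the subject hash of the issuing CA, which is why
# the CRL link carries the CA's hash with an "r" in its suffix.
crl_hash() {
    openssl crl -noout -hash -in "$1"
}

# link_by_hash DIR FILE KIND   (KIND is "cert" or "crl")
# Creates DIR/<hash>.N or DIR/<hash>.rN, choosing the first free N so that CAs
# with colliding hashes can coexist. Prints the link name; if FILE is already
# linked, prints that existing link instead of creating a duplicate.
link_by_hash() {
    dir=$1; file=$2; kind=$3
    case $kind in
        cert) h=$(cert_hash "$file") || return 1; prefix= ;;
        crl)  h=$(crl_hash "$file")  || return 1; prefix=r ;;
        *)    echo "link_by_hash: unknown kind '$kind'" >&2; return 1 ;;
    esac
    n=0
    while [ -e "$dir/$h.$prefix$n" ] || [ -L "$dir/$h.$prefix$n" ]; do
        if [ "$(readlink "$dir/$h.$prefix$n")" = "$(basename "$file")" ]; then
            echo "$dir/$h.$prefix$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$(basename "$file")" "$dir/$h.$prefix$n" && echo "$dir/$h.$prefix$n"
}

# Check that OpenSSL really finds the CA through the hash directory; this is the
# same lookup racoon relies on when verify_cert is on.
verify_with_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run it as `link_by_hash /etc/racoon/certs /etc/racoon/certs/CAfile.pem cert` and then `link_by_hash /etc/racoon/certs /etc/racoon/certs/CRLfile.pem crl`; a non-zero exit from verify_with_dir means the link is missing or points at the wrong file.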
When working with certificates and private keys, it is important to know that racoon cannot decrypt a passphrase-protected private key, so the private key must be stored unencrypted (in plain text). Because it sits on disk in the clear, restrict it with filesystem permissions so that only root can read it.