
Racoon setup with X.509 Certificates

Racoon supports X.509 certificates for the authentication process. These certificates may be validated by a certification authority (CA). The configuration is similar to the one using PSK; it differs only in the authentication section.


path certificate "/etc/racoon/certs";

remote 192.168.2.100 {
        exchange_mode main;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method rsasig;
                dh_group modp4096;
        }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp4096;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}


The certificate and private key are stored in /etc/racoon/certs. Certificates and the certificate revocation list (CRL) are stored in PEM format, as generated by openssl. To create a certificate, see the section “How to generate a certificate”. If the certificate is to be validated by a CA (verify_cert on, which is the default), the CA certificate must also be stored in this directory. For openssl to find it, it must be linked under its subject hash:

ln -s CAfile.pem `openssl x509 -noout -hash < CAfile.pem`.0

If the certificate is also to be checked against the CRL, the CRL must be stored in the same directory with a similar link, this time using the hash of the issuing CA certificate and the suffix .r0:

ln -s CRLfile.pem `openssl x509 -noout -hash < CAfile.pem`.r0

When working with certificates and private keys, it is important to know that racoon cannot decrypt a passphrase-protected private key, so the private key must be available unencrypted. The following command decrypts a private key and writes it back to the file (openssl prompts for the passphrase):

openssl rsa -in my_private_key.pem -out my_private_key.pem
read RSA key
Enter PEM pass phrase: password
writing RSA key
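To turn the CA, CRL and private-key requirements above into something that can be checked before racoon starts, here is an added shell example (not part of the wiki page or of racoon itself): it creates the hash links, verifies a peer certificate against the directory the same way OpenSSL's lookup does, and rejects a key racoon could not load. The directory, file names and the 0600 key mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: prepare a racoon certificate
# directory the way the text describes and check it before starting racoon.
# Paths, file names and the 0600 key mode are assumptions.
set -eu

# Link a CA certificate (a file inside $dir) as <subject-hash>.0 so that
# the OpenSSL lookup racoon uses for verify_cert can find it.
install_ca() {
    dir="$1"; ca="$2"
    hash=$(openssl x509 -noout -hash -in "$dir/$ca")
    ln -sf "$ca" "$dir/$hash.0"
    echo "$hash.0"
}

# A CRL is looked up under the hash of its *issuer*, suffix .r0, which is
# why the page hashes the CA certificate, not the CRL, for the link.
install_crl() {
    dir="$1"; crl="$2"; ca="$3"
    hash=$(openssl x509 -noout -hash -in "$dir/$ca")
    ln -sf "$crl" "$dir/$hash.r0"
    echo "$hash.r0"
}

# racoon cannot decrypt a passphrase-protected key, and an unencrypted key
# should not be readable by anyone but root: fail on either condition.
check_key() {
    key="$1"
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is passphrase-protected; racoon cannot load it" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    if [ "$mode" != "600" ]; then
        echo "$key has mode $mode, expected 600" >&2
        return 1
    fi
}

# Verify a peer certificate against the directory via the hash links; pass
# "crl" as third argument to also require a CRL (fails if none is linked).
verify_peer() {
    cert="$1"; dir="$2"
    if [ "${3:-}" = "crl" ]; then
        openssl verify -CApath "$dir" -crl_check "$cert" >/dev/null 2>&1
    else
        openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
    fi
}
```

Run `check_key /etc/racoon/certs/my_private_key.pem` after the decryption step above to confirm racoon will be able to read the key and nobody else can.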

docs/ipsec/racoon_x509.1380299751.txt.gz · Last modified: 2013/09/27 18:35 by root
