| 1 | This directory contains sample configurations files used for roadwarrior |
|---|
| 2 | remote access using hybrid authentication. In this setup, the VPN |
|---|
| 3 | gateway authenticates to the client using a certificate, and the client |
|---|
| 4 | authenticates to the VPN gateway using a login and a password. |
|---|
| 5 | |
|---|
| 6 | Moreover, this setup makes use of ISAKMP mode config to autoconfigure |
|---|
| 7 | the client. After a successful login, the client will receive an |
|---|
| 8 | internal address, netmask and DNS from the VPN gateway. |
|---|
| 9 | |
|---|
| 10 | |
|---|
| 11 | Server setups |
|---|
| 12 | ============= |
|---|
| 13 | The server setups need racoon built with the following options: |
|---|
| 14 | configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ |
|---|
| 15 | --with-libradius --sysconfdir=/etc/racoon |
|---|
| 16 | |
|---|
| 17 | The first server setup, in server/racoon.conf, is for a VPN gateway |
|---|
| 18 | using authentication against the system password database, and using |
|---|
| 19 | a locally configured pool of addresses. |
|---|
| 20 | |
|---|
| 21 | The second setup, server/racoon.conf-radius, uses a RADIUS server for |
|---|
| 22 | authentication, IP allocation and accounting. The address and secret |
|---|
| 23 | to be used for the RADIUS server are configured in /etc/radius.conf, |
|---|
| 24 | see radius.conf(5). |
|---|
| 25 | |
|---|
| 26 | Both configurations can be used with the Cisco VPN client if it |
|---|
| 27 | is set up to use hybrid authentication (aka mutual group authentication, |
|---|
| 28 | available in Cisco VPN client version 4.0.5 and above). The group |
|---|
| 29 | password configured in the Cisco VPN client is not used by racoon. |
|---|
| 30 | |
|---|
| 31 | After you have installed /etc/racoon/racoon.conf, you will also have |
|---|
| 32 | to install a server certificate and key in /etc/openssl/certs/server.crt |
|---|
| 33 | and /etc/openssl/certs/server.key |
|---|
| 34 | |
|---|
| 35 | |
|---|
| 36 | Client setup |
|---|
| 37 | ============ |
|---|
| 38 | The client setup needs racoon built with the following options: |
|---|
| 39 | configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ |
|---|
| 40 | --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var |
|---|
| 41 | |
|---|
| 42 | You need to copy client/racoon.conf, client/phase1-up.sh and |
|---|
| 43 | client/phase1-down.sh to /etc/racoon, and you need to copy the |
|---|
| 44 | certificate authority that signed the VPN gateway certificate in |
|---|
| 45 | /etc/openssl/certs/root-ca.crt |
|---|
| 46 | |
|---|
| 47 | Once this is done, you can run racoon, and then you can start |
|---|
| 48 | the VPN using racoonctl: |
|---|
| 49 | racoonctl vc -u username vpn-gateway.example.net |
|---|
| 50 | |
|---|
| 51 | Where username is your login, and vpn-gateway.example.net is |
|---|
| 52 | the DNS or IP address of the VPN gateway. racoonctl will prompt |
|---|
| 53 | you for the password. |
|---|
| 54 | |
|---|
| 55 | The password can be stored in the psk.txt file. In that situation, |
|---|
| 56 | add this directive to the remote section of racoon.conf: |
|---|
| 57 | xauth_login "username"; |
|---|
| 58 | where username is your login. |
|---|
| 59 | |
|---|
| 60 | Note that for now there is no feedback in racoonctl if the authentication |
|---|
| 61 | fails. Peek at the racoon logs to discover what goes wrong. |
|---|
| 62 | |
|---|
| 63 | In order to disconnect from the VPN, do this: |
|---|
| 64 | racoonctl vd vpn-gateway.example.net |
|---|
| 65 | |
|---|
| 66 | This configuration should be compatible with the Cisco VPN 3000 using |
|---|
| 67 | hybrid authentication, though this has not been tested. |
|---|
![[RTEMS Logo]](/images/logo.png){kind=logo}
