This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client using a certificate, and the client
authenticates to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS server from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
    configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
        --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
using authentication against the system password database, and using
a locally configured pool of addresses.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key.


Client setup
============
The client setup needs racoon built with the following options:
    configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
        --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt.

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
    racoonctl vc -u username vpn-gateway.example.net

where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can instead be stored in the psk.txt file. In that case,
add this directive to the remote section of racoon.conf:
    xauth_login "username";
where username is your login.
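The server key installed in /etc/openssl/certs/server.key and a psk.txt that holds the XAuth password are both long-lived secrets, so each should be readable by root only; and the gateway certificate the client will check against root-ca.crt must really pair with server.key and chain to that CA, or the client will refuse the gateway before authentication even starts. The POSIX shell helpers below are an added example and are not part of the ipsec-tools samples: the function names are made up for this README, the paths are the ones named above, and the two certificate checks assume an openssl binary on the host.

```shell
#!/bin/sh
# Added example, not part of the ipsec-tools samples. Pre-flight checks for
# the roadwarrior setup: secret files must be owner-only readable, and the
# gateway certificate must pair with its key and chain to root-ca.crt.
# Helper names are made up for this example; the paths are the README's.

# check_private_perms FILE
# Succeeds only if FILE exists and has no group/other permission bits,
# i.e. mode 0600 or stricter (server.key on the gateway, psk.txt on the client).
check_private_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # ls -ld prints e.g. "-rw-------"; characters 5 to 10 are the group/other bits.
    case $(ls -ld "$f") in
        ????------*) return 0 ;;
        *) echo "too permissive: $f (want 0600, run: chmod 600 $f)" >&2
           return 1 ;;
    esac
}

# check_cert_key_match CERT KEY
# Succeeds if the public key inside CERT equals the public half of KEY.
# Needs openssl; comparing the PEM public keys works for RSA and EC alike.
check_cert_key_match() {
    crt=$1; key=$2
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_chain CA CERT
# Succeeds if CERT verifies against CA, which is what the client does with
# root-ca.crt when the gateway presents server.crt in phase 1.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Typical use on the gateway (uncomment to run there):
# check_private_perms /etc/openssl/certs/server.key &&
# check_cert_key_match /etc/openssl/certs/server.crt /etc/openssl/certs/server.key &&
# check_chain /etc/openssl/certs/root-ca.crt /etc/openssl/certs/server.crt &&
# echo "gateway PKI looks sane"
#
# On the client, the same permission check applies to /etc/racoon/psk.txt
# whenever xauth_login is used.
```

Source the file and call the helpers before starting racoon; a non-zero exit from any of them names the file at fault on stderr, which is easier to act on than the silent authentication failure racoonctl reports.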

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
    racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.