Annotation of elwix/config/etc/default/racoon/roadwarrior/README, revision 1.1
This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication (certificate-based IKE
authentication of the gateway combined with XAUTH for the user). In this
setup, the VPN gateway authenticates to the client using a certificate,
and the client authenticates to the VPN gateway using a login and a
password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS server from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
  configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
            --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
using authentication against the system password database, and using
a locally configured pool of addresses.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key. The private key should be readable
only by root.


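The following racoon.conf is an added example that illustrates the first
server setup (system password database, local address pool); it is not
the server/racoon.conf shipped in this directory. The listen addresses,
pool network, DNS server and cipher suite are assumptions chosen for
illustration, and the commented lines show the directives that change
for the RADIUS variant.

```conf
# Added example: racoon gateway for hybrid (certificate + XAUTH) roadwarriors.
# Addresses and algorithms are illustrative, not values from this directory.

path certificate "/etc/openssl/certs";

listen {
        # Assumed public address of the gateway; port 4500 serves NAT-T peers.
        isakmp 192.0.2.1 [500];
        isakmp_natt 192.0.2.1 [4500];
}

remote anonymous {
        exchange_mode main, aggressive;
        # Gateway identity presented to clients; README expects these files
        # under /etc/openssl/certs.
        certificate_type x509 "server.crt" "server.key";
        my_identifier asn1dn;
        passive on;               # responder only: never initiate to clients
        generate_policy on;       # install SPD entries from the client's proposal,
                                  # since roadwarrior addresses are unknown in advance
        nat_traversal on;
        dpd_delay 20;             # dead peer detection keepalive interval (seconds)
        ike_frag on;              # IKE fragmentation for large certificate payloads
        proposal_check obey;      # accept the client's lifetime proposal
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

mode_cfg {
        auth_source system;       # XAUTH logins checked against the system password DB
        conf_source local;        # addresses handed out from the pool below
        accounting none;
        # RADIUS variant (server/racoon.conf-radius style) would use instead:
        #   auth_source radius;
        #   conf_source radius;
        #   accounting radius;
        pool_size 253;            # assumed pool: 10.0.1.1 .. 10.0.1.253
        network4 10.0.1.1;
        netmask4 255.255.255.0;
        dns4 10.0.0.1;            # assumed internal DNS server pushed to clients
        banner "/etc/racoon/motd";
}
```

With `proposal_check obey` the gateway accepts whatever SA lifetimes the
client proposes; switch to `strict` or `claim` if the gateway, not the
roadwarrior, must dictate them.
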
Client setup
============
The client setup needs racoon built with the following options:
  configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
            --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
  racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can be stored in the psk.txt file instead. In that
situation, add this directive to the remote section of racoon.conf:
  xauth_login "username";
where username is your login. Keep psk.txt readable only by root,
since it then holds your VPN password in clear text.

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
  racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.
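As an added example, not the client/racoon.conf shipped in this
directory, the following client configuration covers both the
interactive login (password prompted by racoonctl) and the stored
password variant using xauth_login and psk.txt described above. The
script paths, the cipher suite and the placeholder login "username" are
assumptions.

```conf
# Added example: racoon roadwarrior client for a hybrid-auth gateway.
# Paths and algorithms are illustrative; adjust to the real deployment.

path certificate "/etc/openssl/certs";
# Only consulted when the XAUTH password is stored (see xauth_login below).
# psk.txt line format, one entry per line, file mode 0600:
#   username<TAB>password
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode main;
        # CA that signed the gateway certificate; README expects root-ca.crt
        # under /etc/openssl/certs.
        ca_type x509 "root-ca.crt";
        verify_cert on;           # refuse a gateway whose cert does not chain to root-ca.crt
        mode_cfg on;              # request address, netmask and DNS via ISAKMP mode config
        nat_traversal on;
        dpd_delay 20;
        ike_frag on;
        # Hooks that apply the mode-config results (address, routes, DNS)
        # when phase 1 comes up and undo them when it goes down.
        script "/etc/racoon/phase1-up.sh" phase1_up;
        script "/etc/racoon/phase1-down.sh" phase1_down;
        # Stored-password variant: uncomment to take the login from here and
        # the password from psk.txt instead of "racoonctl vc -u username ...".
        # xauth_login "username";
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_client;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The gateway is only authenticated by the certificate chain, so
`ca_type` and `verify_cert on` are the security-relevant lines: with
verification disabled, any host answering at vpn-gateway.example.net
could collect the XAUTH login and password.
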