1.1 misho

This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client using a certificate, and the client
authenticates to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
    --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
using authentication against the system password database, and using
a locally configured pool of addresses.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key


Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
    --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
    racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can be stored in the psk.txt file. In that situation,
add this directive to the remote section of racoon.conf:
    xauth_login "username";
where username is your login.

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
    racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.
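The client-side racoon.conf below is an added illustration of the settings the client setup above depends on; it is not the project's own client/racoon.conf. The cipher, hash and DH group choices are assumptions, and the xauth_login line is shown commented out because it is only needed when the password is kept in psk.txt.

```conf
# Added example, not the project's client/racoon.conf.
# Assumes root-ca.crt and the phase1 scripts were installed as described above.
path certificate "/etc/openssl/certs";

# "anonymous" lets racoonctl vc pick the gateway by the address you pass it.
remote anonymous {
    exchange_mode main;

    # With hybrid authentication only the gateway presents a certificate, so
    # the client's trust in the gateway rests entirely on this CA check.
    # verify_cert is on by default; it is spelled out here because turning it
    # off would let any peer with a self-signed certificate collect the
    # login and password sent in the xauth exchange.
    ca_type x509 "root-ca.crt";
    verify_cert on;

    # Matches the configure options listed above: --enable-natt,
    # --enable-frag and --enable-dpd.
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;

    # Accept the internal address, netmask and DNS pushed by the gateway and
    # apply them with the scripts copied to /etc/racoon.
    mode_cfg on;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;

    proposal_check obey;

    # Uncomment only if the password is stored in psk.txt, as described above.
    # xauth_login "username";

    proposal {
        encryption_algorithm aes;        # assumed choice
        hash_algorithm sha1;             # assumed choice
        authentication_method hybrid_rsa_client;
        dh_group 2;                      # assumed choice
    }
}

sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```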