File: [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / default / racoon / roadwarrior / README
Revision 1.1.1.1 (vendor branch)
Tue Jul 5 23:43:00 2011 UTC (13 years, 2 months ago) by misho
Branches: misho, MAIN
CVS tags: start, elwix2_3, elwix2_2, elwix2_1, elwix2_0, elwix1_9_mips, elwix1_9, elwix1_8, elwix1_7, elwix1_6, elwix1_5, elwix1_4, Patch1, HEAD, ELWIX2_2p0, ELWIX2_1, ELWIX2_0, ELWIX1_9, ELWIX1_8, ELWIX1_7, ELWIX1_6, ELWIX1_5
ELWIX project
This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client using a certificate, and the client
authenticates to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
--with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
using authentication against the system password database, and using
a locally configured pool of addresses.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key.


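As an added illustration of the first server setup described above (this is not the project's server/racoon.conf, which is not shown on this page), the following gateway-side racoon.conf uses the directives from racoon.conf(5): the gateway authenticates with server.crt and server.key, clients authenticate with a system login and password through hybrid_rsa_server, and ISAKMP mode config hands out an address, netmask and DNS from a local pool. The listen address 192.0.2.1, the 10.8.0.0/24 pool and the resolver address are assumed placeholders; the comments also show which mode_cfg settings the RADIUS variant would change.

```conf
# Added example, not the project's server/racoon.conf: gateway side of the
# hybrid-authentication roadwarrior setup. Addresses are assumed placeholders.
path certificate "/etc/openssl/certs";

listen {
        # Assumed public address of the VPN gateway; NAT-T also needs UDP 4500.
        isakmp 192.0.2.1 [500];
        isakmp_natt 192.0.2.1 [4500];
}

remote anonymous {
        # Roadwarriors connect from unknown addresses, so match any peer and
        # only answer negotiations instead of initiating them.
        exchange_mode main, aggressive;
        passive on;
        generate_policy on;
        proposal_check obey;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;

        # The gateway proves its identity with the installed certificate and key.
        certificate_type x509 "server.crt" "server.key";
        my_identifier asn1dn;

        # Push an internal address, netmask and DNS to the client after login.
        mode_cfg on;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                # Hybrid: RSA signature from the gateway, login/password from the client.
                authentication_method hybrid_rsa_server;
                dh_group modp1024;
        }
}

mode_cfg {
        # First setup: logins are checked against the system password database
        # and addresses come from a local pool.
        auth_source system;
        conf_source local;
        # The second setup (server/racoon.conf-radius) would instead use
        #   auth_source radius; conf_source radius; accounting radius;
        # with the RADIUS server address and secret taken from /etc/radius.conf.
        network4 10.8.0.1;              # assumed: first address of the pool
        netmask4 255.255.255.0;
        pool_size 64;
        dns4 10.8.0.1;                  # assumed: internal resolver
        # Delay the reply to a failed login, which slows down password guessing.
        auth_throttle 1;
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The pool handed out under mode_cfg is only useful if the gateway also routes or NATs 10.8.0.0/24 towards the internal network; that part is outside racoon and is not covered here.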
Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
--enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt.

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can be stored in the psk.txt file. In that situation,
add this directive to the remote section of racoon.conf:
xauth_login "username";
where username is your login.

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.
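As an added illustration of the client setup (this is not the project's client/racoon.conf, which is not shown on this page), the following roadwarrior-side racoon.conf uses the directives from racoon.conf(5): the gateway's certificate is verified against root-ca.crt, the client authenticates with hybrid_rsa_client, the address pushed by ISAKMP mode config is accepted, and the phase1-up.sh and phase1-down.sh scripts are hooked to the ISAKMP SA lifecycle. The gateway address 192.0.2.1 (standing in for vpn-gateway.example.net) and the login "username" are assumed placeholders; the admin socket path follows from --localstatedir=/var.

```conf
# Added example, not the project's client/racoon.conf: roadwarrior side of the
# hybrid-authentication setup. Gateway address and login are assumed placeholders.
path certificate "/etc/openssl/certs";
path pre_shared_key "/etc/racoon/psk.txt";   # holds the XAuth password when xauth_login is set
path script "/etc/racoon";                   # where phase1-up.sh / phase1-down.sh live

listen {
        # Admin socket used by racoonctl (racoon built with --enable-adminport);
        # owner, group and mode decide who on the host may bring the VPN up or down.
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

# Assumed address of vpn-gateway.example.net.
remote 192.0.2.1 {
        exchange_mode main;
        generate_policy on;
        nat_traversal on;
        ike_frag on;
        dpd_delay 20;

        # Only talk to a gateway whose certificate chains to the CA installed as
        # root-ca.crt. Without this check the login and password would be sent
        # to whatever answers on the gateway's address.
        ca_type x509 "root-ca.crt";
        verify_cert on;

        # Accept the internal address, netmask and DNS pushed by the gateway.
        mode_cfg on;

        # Optional: with the password stored in psk.txt, give the login here
        # instead of with "racoonctl vc -u username".
        xauth_login "username";

        # Run when the ISAKMP SA is established or torn down.
        script "phase1-up.sh" phase1_up;
        script "phase1-down.sh" phase1_down;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                # Hybrid: verify the gateway's RSA signature, then log in via XAuth.
                authentication_method hybrid_rsa_client;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With this file in /etc/racoon, "racoonctl vc -u username 192.0.2.1" starts the tunnel and "racoonctl vd 192.0.2.1" tears it down, as described above; since racoonctl gives no feedback on a failed login, raising the top-level "log" level in racoon.conf is the quickest way to see the XAuth exchange in the racoon logs.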