1: This directory contains sample configurations files used for roadwarrior
2: remote access using hybrid authentication. In this setup, the VPN
3: gateway authenticates to the client using a certificate, and the client
4: authenticates to the VPN gateway using a login and a password.
5:
6: Moreover, this setup makes use of ISAKMP mode config to autoconfigure
7: the client. After a successful login, the client will receive an
8: internal address, netmask and DNS from the VPN gateway.
9:
10:
11: Server setups
12: =============
13: The server setups need racoon built with the following options:
14: configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
15: --with-libradius --sysconfdir=/etc/racoon
16:
17: The first server setup, in server/racoon.conf, is for a VPN gateway
18: using authentication against the system password database, and using
19: a locally configured pool of addresses.
20:
21: The second setup, server/racoon.conf-radius, uses a RADIUS server for
22: authentication, IP allocation and accounting. The address and secret
23: to be used for the RADIUS server are configured in /etc/radius.conf,
24: see radius.conf(5).
25:
26: Both configurations can be used with the Cisco VPN client if it
27: is set up to use hybrid authentication (aka mutual group authentication,
28: available in Cisco VPN client version 4.0.5 and above). The group
29: password configured in the Cisco VPN client is not used by racoon.
30:
31: After you have installed /etc/racoon/racoon.conf, you will also have
32: to install a server certificate and key in /etc/openssl/certs/server.crt
33: and /etc/openssl/certs/server.key
34:
35:
36: Client setup
37: ============
38: The client setup needs racoon built with the following options:
39: configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
40: --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var
41:
42: You need to copy client/racoon.conf, client/phase1-up.sh and
43: client/phase1-down.sh to /etc/racoon, and you need to copy the
44: certificate authority that signed the VPN gateway certificate in
45: /etc/openssl/certs/root-ca.crt
46:
47: Once this is done, you can run racoon, and then you can start
48: the VPN using racoonctl:
49: racoonctl vc -u username vpn-gateway.example.net
50:
51: Where username is your login, and vpn-gateway.example.net is
52: the DNS or IP address of the VPN gateway. racoonctl will prompt
53: you for the password.
54:
55: The password can be stored in the psk.txt file. In that situation,
56: add this directive to the remote section of racoon.conf:
57: xauth_login "username";
58: where username is your login.
59:
60: Note that for now there is no feedback in racoonctl if the authentication
61: fails. Peek at the racoon logs to discover what goes wrong.
62:
63: In order to disconnect from the VPN, do this:
64: racoonctl vd vpn-gateway.example.net
65:
66: This configuration should be compatible with the Cisco VPN 3000 using
67: hybrid authentication, though this has not been tested.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>