summaryrefslogtreecommitdiffstats
path: root/ipsec-tools/src/racoon/samples/roadwarrior/README
diff options
context:
space:
mode:
Diffstat (limited to 'ipsec-tools/src/racoon/samples/roadwarrior/README')
-rw-r--r--ipsec-tools/src/racoon/samples/roadwarrior/README67
1 files changed, 67 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/samples/roadwarrior/README b/ipsec-tools/src/racoon/samples/roadwarrior/README
new file mode 100644
index 00000000..aac9d431
--- /dev/null
+++ b/ipsec-tools/src/racoon/samples/roadwarrior/README
@@ -0,0 +1,67 @@
+This directory contains sample configurations files used for roadwarrior
+remote access using hybrid authentication. In this setup, the VPN
+gateway authenticates to the client using a certificate, and the client
+authenticates to the VPN gateway using a login and a password.
+
+Moreover, this setup makes use of ISAKMP mode config to autoconfigure
+the client. After a successful login, the client will receive an
+internal address, netmask and DNS from the VPN gateway.
+
+
+Server setups
+=============
+The server setups need racoon built with the following options:
+configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
+ --with-libradius --sysconfdir=/etc/racoon
+
+The first server setup, in server/racoon.conf, is for a VPN gateway
+using authentication against the system password database, and using
+a locally configured pool of addresses.
+
+The second setup, server/racoon.conf-radius, uses a RADIUS server for
+authentication, IP allocation and accounting. The address and secret
+to be used for the RADIUS server are configured in /etc/radius.conf,
+see radius.conf(5).
+
+Both configurations can be used with the Cisco VPN client if it
+is set up to use hybrid authentication (aka mutual group authentication,
+available in Cisco VPN client version 4.0.5 and above). The group
+password configured in the Cisco VPN client is not used by racoon.
+
+After you have installed /etc/racoon/racoon.conf, you will also have
+to install a server certificate and key in /etc/openssl/certs/server.crt
+and /etc/openssl/certs/server.key
+
+
+Client setup
+============
+The client setup needs racoon built with the following options:
+configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
+ --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var
+
+You need to copy client/racoon.conf, client/phase1-up.sh and
+client/phase1-down.sh to /etc/racoon, and you need to copy the
+certificate authority that signed the VPN gateway certificate in
+/etc/openssl/certs/root-ca.crt
+
+Once this is done, you can run racoon, and then you can start
+the VPN using racoonctl:
+racoonctl vc -u username vpn-gateway.example.net
+
+Where username is your login, and vpn-gateway.example.net is
+the DNS or IP address of the VPN gateway. racoonctl will prompt
+you for the password.
+
+The password can be stored in the psk.txt file. In that situation,
+add this directive to the remote section of racoon.conf:
+ xauth_login "username";
+where username is your login.
+
+Note that for now there is no feedback in racoonctl if the authentication
+fails. Peek at the racoon logs to discover what goes wrong.
+
+In order to disconnect from the VPN, do this:
+racoonctl vd vpn-gateway.example.net
+
+This configuration should be compatible with the Cisco VPN 3000 using
+hybrid authentication, though this has not been tested.
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-03 21:24:29 +0000