diff options
Diffstat (limited to 'ipsec-tools/src/racoon/samples/roadwarrior/README')
-rw-r--r-- | ipsec-tools/src/racoon/samples/roadwarrior/README | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/samples/roadwarrior/README b/ipsec-tools/src/racoon/samples/roadwarrior/README new file mode 100644 index 00000000..aac9d431 --- /dev/null +++ b/ipsec-tools/src/racoon/samples/roadwarrior/README @@ -0,0 +1,67 @@ +This directory contains sample configurations files used for roadwarrior +remote access using hybrid authentication. In this setup, the VPN +gateway authenticates to the client using a certificate, and the client +authenticates to the VPN gateway using a login and a password. + +Moreover, this setup makes use of ISAKMP mode config to autoconfigure +the client. After a successful login, the client will receive an +internal address, netmask and DNS from the VPN gateway. + + +Server setups +============= +The server setups need racoon built with the following options: +configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ + --with-libradius --sysconfdir=/etc/racoon + +The first server setup, in server/racoon.conf, is for a VPN gateway +using authentication against the system password database, and using +a locally configured pool of addresses. + +The second setup, server/racoon.conf-radius, uses a RADIUS server for +authentication, IP allocation and accounting. The address and secret +to be used for the RADIUS server are configured in /etc/radius.conf, +see radius.conf(5). + +Both configurations can be used with the Cisco VPN client if it +is set up to use hybrid authentication (aka mutual group authentication, +available in Cisco VPN client version 4.0.5 and above). The group +password configured in the Cisco VPN client is not used by racoon. + +After you have installed /etc/racoon/racoon.conf, you will also have +to install a server certificate and key in /etc/openssl/certs/server.crt +and /etc/openssl/certs/server.key + + +Client setup +============ +The client setup needs racoon built with the following options: +configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ + --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var + +You need to copy client/racoon.conf, client/phase1-up.sh and +client/phase1-down.sh to /etc/racoon, and you need to copy the +certificate authority that signed the VPN gateway certificate in +/etc/openssl/certs/root-ca.crt + +Once this is done, you can run racoon, and then you can start +the VPN using racoonctl: +racoonctl vc -u username vpn-gateway.example.net + +Where username is your login, and vpn-gateway.example.net is +the DNS or IP address of the VPN gateway. racoonctl will prompt +you for the password. + +The password can be stored in the psk.txt file. In that situation, +add this directive to the remote section of racoon.conf: + xauth_login "username"; +where username is your login. + +Note that for now there is no feedback in racoonctl if the authentication +fails. Peek at the racoon logs to discover what goes wrong. + +In order to disconnect from the VPN, do this: +racoonctl vd vpn-gateway.example.net + +This configuration should be compatible with the Cisco VPN 3000 using +hybrid authentication, though this has not been tested. |