| This directory contains sample configurations files used for roadwarrior |
| remote access using hybrid authentication. In this setup, the VPN |
| gateway authenticates to the client using a certificate, and the client |
| authenticates to the VPN gateway using a login and a password. |
| |
| Moreover, this setup makes use of ISAKMP mode config to autoconfigure |
| the client. After a successful login, the client will receive an |
| internal address, netmask and DNS from the VPN gateway. |
| |
| |
| Server setups |
| ============= |
| The server setups need racoon built with the following options: |
| configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ |
| --with-libradius --sysconfdir=/etc/racoon |
| |
| The first server setup, in server/racoon.conf, is for a VPN gateway |
| using authentication against the system password database, and using |
| a locally configured pool of addresses. |
| |
| The second setup, server/racoon.conf-radius, uses a RADIUS server for |
| authentication, IP allocation and accounting. The address and secret |
| to be used for the RADIUS server are configured in /etc/radius.conf, |
| see radius.conf(5). |
| |
| Both configurations can be used with the Cisco VPN client if it |
| is set up to use hybrid authentication (aka mutual group authentication, |
| available in Cisco VPN client version 4.0.5 and above). The group |
| password configured in the Cisco VPN client is not used by racoon. |
| |
| After you have installed /etc/racoon/racoon.conf, you will also have |
| to install a server certificate and key in /etc/openssl/certs/server.crt |
| and /etc/openssl/certs/server.key |
| |
| |
| Client setup |
| ============ |
| The client setup needs racoon built with the following options: |
| configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \ |
| --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var |
| |
| You need to copy client/racoon.conf, client/phase1-up.sh and |
| client/phase1-down.sh to /etc/racoon, and you need to copy the |
| certificate authority that signed the VPN gateway certificate in |
| /etc/openssl/certs/root-ca.crt |
| |
| Once this is done, you can run racoon, and then you can start |
| the VPN using racoonctl: |
| racoonctl vc -u username vpn-gateway.example.net |
| |
| Where username is your login, and vpn-gateway.example.net is |
| the DNS or IP address of the VPN gateway. racoonctl will prompt |
| you for the password. |
| |
| The password can be stored in the psk.txt file. In that situation, |
| add this directive to the remote section of racoon.conf: |
| xauth_login "username"; |
| where username is your login. |
| |
| Note that for now there is no feedback in racoonctl if the authentication |
| fails. Peek at the racoon logs to discover what goes wrong. |
| |
| In order to disconnect from the VPN, do this: |
| racoonctl vd vpn-gateway.example.net |
| |
| This configuration should be compatible with the Cisco VPN 3000 using |
| hybrid authentication, though this has not been tested. |