README

This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client using a certificate, and the client
authenticates to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
using authentication against the system password database, and using
a locally configured pool of addresses.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key.


Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can be stored in the psk.txt file. In that situation,
add this directive to the remote section of racoon.conf:
	 xauth_login "username";
where username is your login.

Note that for now there is no feedback in racoonctl if the authentication
fails. Check the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
racoonctl vd vpn-gateway.example.net

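The client-side procedure above (copy the files, add the xauth_login directive to the remote section, keep the password in psk.txt, trust the CA that signed the gateway certificate) as an added shell example; this script is not part of ipsec-tools. It stages the files in a temporary directory instead of /etc/racoon, the racoon.conf fragment, the login "alice" and the password are constructed, and the openssl helper assumes the file names the README uses for the gateway certificate and root-ca.crt.

```shell
#!/bin/sh
# Added example, not part of ipsec-tools: prepare and sanity-check the
# client-side files the README asks for before racoon is started.
# All paths below are constructed for the demonstration; on a real host
# they would be /etc/racoon and /etc/openssl/certs.

# Insert 'xauth_login "user";' into the first remote { ... } section of a
# racoon.conf. Reads the config given as $1, writes the result to stdout.
add_xauth_login() {
    awk -v u="$2" '
        /^[[:space:]]*remote[^{]*\{/ && !done {
            print
            printf "\txauth_login \"%s\";\n", u
            done = 1
            next
        }
        { print }
    ' "$1"
}

# Append a psk.txt entry. racoon's psk.txt format is
# "<identifier><whitespace><secret>"; with xauth_login the identifier is the
# login name. The file is created owner-readable only, because the
# password is stored in clear text.
write_psk_entry() {
    psk="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s\t%s\n' "$user" "$pass" >> "$psk" )
}

# Return 0 when the file is readable by its owner only (mode 0600 or 0400).
# Tries GNU stat first, then BSD stat.
private_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Return 0 when the gateway certificate ($2) chains to the CA certificate
# copied to root-ca.crt ($1). Run this on a real host before racoonctl vc;
# it is not exercised on the constructed input below.
gateway_cert_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- demonstration on constructed input (staging dir is left in place) ---
STAGE=$(mktemp -d)
cat > "$STAGE/racoon.conf" <<'EOF'
path certificate "/etc/openssl/certs";

remote anonymous {
	exchange_mode aggressive;
	ca_type x509 "root-ca.crt";
	proposal_check obey;
}
EOF
add_xauth_login "$STAGE/racoon.conf" "alice" > "$STAGE/racoon.conf.new"
write_psk_entry "$STAGE/psk.txt" "alice" "constructed-password"
grep -q 'xauth_login "alice";' "$STAGE/racoon.conf.new" && echo "xauth_login directive added"
private_perms "$STAGE/psk.txt" && echo "psk.txt is owner-readable only"
```

The directive is inserted right after the opening line of the remote section so it lands inside the block regardless of what else the section contains; psk.txt is written under umask 077 so the clear-text password is never world-readable, even briefly.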
This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.