This directory contains sample configuration files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client using a certificate, and the client
authenticates to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client will receive an
internal address, netmask and DNS server from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
    --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
that authenticates users against the system password database and
hands out addresses from a locally configured pool.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon.

After you have installed /etc/racoon/racoon.conf, you will also have
to install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key. Keep the key readable by root only:
anyone holding it can impersonate the gateway and collect the clients'
logins and passwords.


Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
    --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate authority that signed the VPN gateway certificate to
/etc/openssl/certs/root-ca.crt. This file is the client's trust anchor
for the gateway, so use the dedicated CA rather than a general-purpose
CA bundle.

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
racoonctl vc -u username vpn-gateway.example.net

where username is your login and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can instead be stored in the psk.txt file. In that case,
add this directive to the remote section of racoon.conf:
    xauth_login "username";
where username is your login. The password sits in psk.txt in clear
text, so keep that file readable by root only.

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at the racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.
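The client procedure above, from copying the files to the racoonctl calls, as an added example script. It is not part of the ipsec-tools samples: the paths and the racoonctl commands are the README's, while the RACOON_DIR/CERT_DIR overrides, the prerequisite rules (files present, phase1 scripts executable, psk.txt mode 0600 paired with an xauth_login line), the two-second pause and the ISAKMP SA listing after connecting are this script's own choices.

```shell
#!/bin/sh
# Added example, not part of the ipsec-tools samples: pre-flight checks for
# the roadwarrior client setup described in the README, followed by the
# racoonctl calls the README gives. Paths are the README's defaults; the
# RACOON_DIR/CERT_DIR overrides and the check rules are assumptions.
set -u

RACOON_DIR=${RACOON_DIR:-/etc/racoon}
CERT_DIR=${CERT_DIR:-/etc/openssl/certs}

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the file exists and only its owner can read it (mode 0600 or 0400).
# psk.txt stores the XAuth password in clear text, so anything looser hands
# it to every local user.
secret_file_ok() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Verify what the README says the client needs before racoon is started.
# Prints one line per problem and returns the number of problems (0 = ok).
check_client_prereqs() {
    dir=$1 certs=$2 problems=0
    for f in racoon.conf phase1-up.sh phase1-down.sh; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f"; problems=$((problems + 1))
        fi
    done
    # racoon execs the phase1 scripts directly, so they need the x bit.
    for f in phase1-up.sh phase1-down.sh; do
        if [ -f "$dir/$f" ] && [ ! -x "$dir/$f" ]; then
            echo "$dir/$f is not executable"; problems=$((problems + 1))
        fi
    done
    # root-ca.crt is the trust anchor: without it nothing stops a rogue
    # gateway from collecting the login and password.
    if [ ! -f "$certs/root-ca.crt" ]; then
        echo "missing $certs/root-ca.crt"; problems=$((problems + 1))
    fi
    # psk.txt is optional (racoonctl prompts otherwise); if present it must be
    # private and racoon.conf must name the login via xauth_login.
    if [ -f "$dir/psk.txt" ]; then
        if ! secret_file_ok "$dir/psk.txt"; then
            echo "$dir/psk.txt must be mode 0600"; problems=$((problems + 1))
        fi
        if ! grep -q '^[[:space:]]*xauth_login' "$dir/racoon.conf" 2>/dev/null; then
            echo "psk.txt present but no xauth_login in $dir/racoon.conf"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

# racoonctl vc / vd as in the README. racoonctl gives no feedback when the
# XAuth login fails, so after connecting list the ISAKMP SAs: the gateway's
# address should appear there once phase 1 is up (the pause is a guess).
vpn_connect() {
    check_client_prereqs "$RACOON_DIR" "$CERT_DIR" || return 1
    racoonctl vc -u "$1" "$2" || return 1
    sleep 2
    racoonctl show-sa isakmp
}

vpn_disconnect() {
    racoonctl vd "$1"
}

# usage: roadwarrior.sh connect USERNAME GATEWAY | disconnect GATEWAY
case ${1:-} in
    connect)    vpn_connect "$2" "$3" ;;
    disconnect) vpn_disconnect "$2" ;;
esac
```

The checks run before racoonctl is ever called, so a world-readable psk.txt or a missing root-ca.crt is caught on the client rather than showing up, without feedback, as a failed login in the racoon logs.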