Racoon Roadwarrior Configuration - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by matija.zeman (Contact Author) (Forums) on Fri, 2006-11-10 17:56. ::

VPN gateway configuration

VPN gateway needs to have a configuration file for racoon, stored in /etc/racoon/racoon.conf. Configuration options are commented below.

#path to the certificate
path certificate "/etc/racoon";
#option of controlling racoon by racoonctl tool is disabled
listen {
	adminsock disabled;
}
#remote section – anonymous address of roadwarrior client
remote anonymous {
#work mode in IKE first phase
	exchange_mode aggressive,main;
#certificate type, certificate and secret key file name
	certificate_type x509 "cert.pem" "key.pem";
	#claiming the options requested by other peer
proposal_check claim;
#automatic generation of SPs from the initial connection request
	generate_policy on;
#verifying certificates set to off
	verify_cert off;
#nat-t set to off
	nat_traversal off;
#DPD activation and 20 sec. delay allowed between 2 proof of liveness requests
	dpd_delay 20;
#IKE fragmentation enabled
	ike_frag on;
#agreement proposal in IKE first phase
	proposal {
#cryptography and hash algorithm
		encryption_algorithm aes;
		hash_algorithm md5;
#authentication method
		authentication_method hybrid_rsa_server;
#Diffie-Hellman exponential group
		dh_group 2;
	}
}
#local network information
mode_cfg {
#starting address of the IP address pool
	network4 192.168.112.5;
#maximum number of clients
	pool_size 20;
#network mask
	netmask4 255.255.255.0; 
#authentication source – user database on the system
	auth_source system;
#configuration source – from data given in this section
	conf_source local;
#DNS and WINS servers IP addresses
	dns4 192.168.112.202;
	wins4 192.168.112.202;
#banner file – welcome message
	banner "/etc/racoon/motd";
}	       
#SA information for IKE second phase
sainfo anonymous {
#Diffie-Hellman exponential group
	pfs_group 2;
#second phase information lifetime
	lifetime time 1 hour;
#cryptography, authentication and compression algorithm
	encryption_algorithm aes;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}   

Very important parts of this configuration file are mode_cfg section and generate_policy directive inside remote section. Generate_policy directive instructs racoon to automatically generate the needed SPs from data given inside initial connection request. The mod_cfg section defines IP address pool used for roadwarrior clients, authentication method and the welcome message. Remote and sainfo sections are defined for anonymous IP address so that they would accept connections from any IP address, while the client will be authenticated by hybrid RSA authentication method from systems user database which implies hybrid_rsa_server authentication method in the remote section of gateway configuration file. On the other hand, gateway is authenticated to a client through his certificate.

Besides the racoon configuration file, traffic needs to be limited by firewall rules. The simplest security policy is defined in the following shell script and saved as fw.sh. The rules are commented inside the script listing.

#flushing NAT tables
iptables -F -t nat
#flushing INPUT chain inside filter table
iptables -F INPUT
#flushing FORWARD chain inside filter table
iptables -F FORWARD
#flushing OUTPUT chain inside filter table
iptables -F OUTPUT
#setting default policy for INPUT chain
iptables -P INPUT DROP 
#setting default policy for FORWARD chain
iptables -P FORWARD DROP
#setting default policy for OUTPUT chain
iptables -P OUTPUT ACCEPT
#accepting AH (50) protocol coming to interface eth0
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
#accepting ESP (51) protocol coming to interface eth0
iptables -A INPUT -i eth0 -p 51 -j ACCEPT
#accepting UDP protocol on source port 500 - ISAKMP
iptables -A INPUT -i eth0 -p udp --source-port 500 -j ACCEPT
#accepting UDP protocol on source port 4500 - NAT-T
iptables -A INPUT -i eth0 -p udp --source-port 4500 -j ACCEPT
#masquerading packets coming from local network or roadwarrior clients and going to #Internet
iptables -t nat -A POSTROUTING -o eth0  -d ! 192.168.112.0/24 -j MASQUERADE
#forwarding packets from roadwarrior client back to Internet if destination is not #inside the local network
iptables -A FORWARD -i eth0 -d ! 192.168.112.0/24 -o eth0 -j ACCEPT
#forwarding packets from local network towards Internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#forwarding packets from roadwarriors towards Internet
iptables -A FORWARD -i eth0 -s 192.168.112.0/27 -o eth0 -j ACCEPT
#forwarding packets from Internet to local network if connections are already #established
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#forwarding packets from Internet to roadwarriors if connections are already #established
iptables -A FORWARD -i eth0 -o eth0 -d 192.168.112.0/27 -m state –state / ESTABLISHED,RELATED -j ACCEPT
#accepting packets from Internet if connections are already established
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#marking packets that came by ESP protocol
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
#accepting packets of all protocols if they are marked
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
#forwarding packets of all protocols if they are marked
iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT

In order to make the purpose of above mentioned rules, the computers in local network need a route to roadwarrior address pool, set by the following command.

# ip route add 192.168.112.0/27 via 192.168.112.202 dev eth1

Also, VPN gateway needs to know where the roadwarriors are, so the following route should be added on the gateway.

# ip route add 192.168.112.0/27 dev eth0 src 192.168.111.129

Besides the mentioned files, VPN gateway must have a server certificate and a server key in files /etc/racoon/cert.pem and /etc/racoon/key.pem respectively, as stated in racoon configuration file. Creating of the certificates is described in the last chapter.

Optionally, the console welcome message for users who connect to VPN gateway can be defined in /etc/racoon/motd file as stated in racoon configuration file.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.