Racoon Roadwarrior Configuration - Page 3

Submitted by matija.zeman (Contact Author) (Forums) on Fri, 2006-11-10 17:58. ::

Roadwarrior client configuration

Roadwarrior clients also need the racoon configuration file /etc/racoon/racoon.conf; its directives are explained by the comments in the file listed below.

#path to the certificate
path certificate "/etc/racoon";
#control of racoon by the racoonctl tool is enabled
listen {
	adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}
#remote section – known address of VPN gateway
remote 192.168.111.129 {
	#work mode in IKE first phase
	exchange_mode aggressive;
	#certificate type and file name (relative to the certificate path above)
	ca_type x509 "root-ca.pem";
	#obeying the options requested by other peer
	proposal_check obey;
	#nat-t set to off
	nat_traversal off;
	#IKE fragmentation enabled
	ike_frag on;
	#accepting information about the network being connected to
	mode_cfg on;
	#verifying certificates set to off (the gateway certificate is not checked against root-ca.pem)
	verify_cert off;
	#IKE first phase starting script
	script "/etc/racoon/phase1-up.sh" phase1_up;
	#IKE first phase ending script
	script "/etc/racoon/phase1-down.sh" phase1_down;
	#agreement proposal in IKE first phase
	proposal {
		#cryptography and hash algorithm
		encryption_algorithm aes;
		hash_algorithm md5;
		#authentication method
		authentication_method hybrid_rsa_client;
		#Diffie-Hellman exponential group
		dh_group 2;
	}
}
#SA information for IKE second phase
sainfo anonymous {
	#Diffie-Hellman exponential group
	pfs_group 2;
	#second phase information lifetime
	lifetime time 1 hour;
	#cryptography, authentication and compression algorithm
	encryption_algorithm aes;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

The important directives in the client's remote section are mode_cfg, which instructs racoon to accept network information from the VPN gateway, including the assigned internal IP address, and the hybrid_rsa_client authentication method. In this example the remote section points to the VPN gateway IP address, while the sainfo section is anonymous. Because racoonctl will be used to connect to the VPN gateway, it does not matter whether either of these sections points to the VPN gateway address or is anonymous. Also, as shown in the racoon configuration file, racoon invokes two shell scripts that contain the commands to set up the environment (routes, internal IP address, SPs) needed for the roadwarrior connection to work. The phase1-up.sh script is run while the connection to the VPN gateway is being established. The necessary commands are listed below.

#!/bin/sh
#listing known IP addresses and setting PATH environment variable
echo "internal address: ${INTERNAL_ADDR4}" #internal address in local network
echo "local address: ${LOCAL_ADDR}" #current global IP address
echo "remote address: ${REMOTE_ADDR}" #VPN gateway IP address
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#defining variable to hold the name of virtual network interface
vif=dummy0
#adding internal IP address to virtual network interface
ip address add dev ${vif} ${INTERNAL_ADDR4}
#deleting default route
ip route del default
#adding route to VPN gateway
ip route add ${REMOTE_ADDR} via 192.168.111.129
#adding default route with new source address
ip route add default via 192.168.111.129 src ${INTERNAL_ADDR4}
#deleting existing route towards local network
ip route delete 192.168.112.0/24 via 192.168.111.129 dev eth0
#deleting existing route towards Internet
ip route delete 192.168.111.0/24 dev eth0
#setting SPs from the local network address towards all other IP addresses through the
#tunnel from roadwarrior client to VPN gateway, and vice versa, and also deleting the
#forwarding SP
echo "
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
  -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
  -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c
echo "
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
  -P fwd ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

This shell script defines a virtual network interface and assigns it the internal IP address given by the VPN gateway, deletes the existing routes and sets the new routes towards the local network, the VPN gateway and the default route. It also adds the SPs needed on the client side.

The phase1-down.sh script is run while disconnecting from the VPN gateway; its commands are listed below.

#!/bin/sh
#listing known IP addresses and setting PATH environment variable
echo "----------------"
echo "internal address: ${INTERNAL_ADDR4}"
echo "local address: ${LOCAL_ADDR}"
echo "remote address: ${REMOTE_ADDR}"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#defining variable to hold the name of virtual network interface
vif=dummy0
#deleting internal IP address from virtual network interface
ip address delete ${INTERNAL_ADDR4} dev ${vif}
#deleting route towards VPN gateway
ip route delete ${REMOTE_ADDR} via 192.168.111.129
#adding default route through network interface eth0
ip route add default dev eth0
#adding routes towards local network and Internet
ip route add 192.168.112.0/24 via 192.168.111.129 dev eth0
ip route add 192.168.111.0/24 dev eth0 src ${LOCAL_ADDR}
#flushing the SAD (all security associations)
setkey -F
#flushing the SPD (all security policies)
setkey -FP

This shell script returns the client to the state it was in before the connection by removing the assigned internal IP address and the routes that are no longer needed, and restoring the previously deleted routes. The script also flushes the SAD and SPD, but it is important to mention that in more complex cases (for example, a client connected to two VPN gateways at the same time) these database entries should be deleted selectively, removing only the entries that define the connection being closed rather than all of them.
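As an added example (not part of the article and not racoon's own code), this is one way to do that selective teardown for the policies and SAs phase1-up.sh installs; it assumes the INTERNAL_ADDR4, LOCAL_ADDR and REMOTE_ADDR variables racoon exports to the phase1 scripts, and introduces a SETKEY_CMD variable of its own for dry runs:

```shell
#!/bin/sh
# Added example, not from the article or from racoon: a phase1-down helper
# that removes only the SPD/SAD entries of the tunnel being closed, instead
# of "setkey -F" / "setkey -FP", which would also drop the entries of any
# other VPN gateway the client is connected to at the same time.
# INTERNAL_ADDR4, LOCAL_ADDR and REMOTE_ADDR are the variables racoon exports
# to phase1 scripts (as used in the article's scripts). SETKEY_CMD is an
# assumed knob so the generated statements can be inspected with "cat".

SETKEY_CMD="${SETKEY_CMD:-setkey -c}"

# Print the setkey statements that delete exactly the two policies
# (out and in) that phase1-up.sh leaves installed for this client address.
spd_teardown_script() {
    internal="$1"
    printf 'spddelete %s/32[any] 0.0.0.0/0[any] any -P out;\n' "$internal"
    printf 'spddelete 0.0.0.0/0[any] %s/32[any] any -P in;\n' "$internal"
}

# Print the setkey statements that remove the ESP SAs negotiated with this
# gateway, in both directions, and nothing else.
sad_teardown_script() {
    local_addr="$1"; remote="$2"
    printf 'deleteall %s %s esp;\n' "$local_addr" "$remote"
    printf 'deleteall %s %s esp;\n' "$remote" "$local_addr"
}

# Feed both scripts to setkey, but only when racoon supplied all three
# addresses; an empty variable would otherwise produce malformed statements.
teardown_tunnel() {
    [ -n "$INTERNAL_ADDR4" ] && [ -n "$LOCAL_ADDR" ] && [ -n "$REMOTE_ADDR" ] || return 1
    {
        spd_teardown_script "$INTERNAL_ADDR4"
        sad_teardown_script "$LOCAL_ADDR" "$REMOTE_ADDR"
    } | $SETKEY_CMD
}

# When run by racoon the variables are set and the teardown happens;
# when sourced without them, only the functions are defined.
if [ -n "${INTERNAL_ADDR4:-}" ]; then
    teardown_tunnel
fi
```

Running it with SETKEY_CMD=cat prints the four statements instead of applying them, which is a convenient way to check them before replacing the flush commands in phase1-down.sh.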

Besides the files already mentioned, the roadwarrior client must have the root certificate stored as /etc/racoon/root-ca.pem, as defined in the racoon configuration file. As already pointed out, the creation of the needed certificates is described in the last chapter.

