Making a connection

In order to make a connection, first the VPN gateway should be set up. The firewall rules are set by running a shell script that was stored as fw.sh. After that, racoon is started with the following command.

# ./fw.sh
# racoon -F -f /etc/racoon/racoon.conf

VPN gateway is now ready and is waiting for the clients to initiate connection.

Racoon is then started on roadwarrior client with the following command.

# racoon -f /etc/racoon.conf

After racoon is active, it can be controlled using racoonctl tool. The connection is initiated by running the following command.

# racoonctl vc -u username 192.168.111.129

Username is a name of the one of the existing users on the VPN gateway. Racoonctl will ask for his password, and if the requested information are correct, client is presented with the information about assigned internal IP address, and a welcome message.

# racoonctl vc -u mac 192.168.111.129
Password:
Bound to address 192.168.112.5
Welcome
#

Ping can now be run on the client side, trying to ping computer 192.168.112.131 that is inside the local network.

# ping 192.168.112.131
connect: Resource temporarily unavailable
# ping 192.168.112.131
PING 192.168.112.131 (192.168.112.131) 56(84) bytes of data.
64 bytes from 192.168.112.131: icmp_seq=1 ttl=63 time=164 ms
64 bytes from 192.168.112.131: icmp_seq=2 ttl=63 time=8.75 ms
64 bytes from 192.168.112.131: icmp_seq=3 ttl=63 time=5.86 ms
64 bytes from 192.168.112.131: icmp_seq=4 ttl=63 time=37.7 ms
64 bytes from 192.168.112.131: icmp_seq=5 ttl=63 time=16.5 ms
64 bytes from 192.168.112.131: icmp_seq=6 ttl=63 time=6.10 ms
--- 192.168.112.131 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5011ms
rtt min/avg/max/mdev = 5.860/39.901/164.394/56.744 ms
#

The connect: Resource temporarily unavailable message is normal. It is a message from the ping command trying to connect to the VPN gateway, which results in VPN gateway getting the information about needed SPs. When this information is available to VPN gateway, it sets needed SPs. If ping is repeated, as in example above, the computer is available and the connection is set up.

For checking of proper connection setup, traffic can be recorded by any available tool (Ethereal, tcpdump) while preforming the pinging. Traffic can be recorded on the route from roadwarrior client toward VPN gateway, as well as the traffic on the local network. On the outside network, ESP packets will be seen between the public IP addresses of the roadwarrior client and the VPN gateway. Inside these ESP packets are encapsulated ICMP Echo Request and ICMP Echo Reply packets between the assigned internal IP address of the roadwarrior client and the computer that is being pinged, which can be seen by recording packets on the local network. Also, if the roadwarrior client tries to ping some other computer on the Internet (192.168.111.3), traffic recording will show that the client sends ESP packets toward VPN gateway, and then VPN gateway sends ICMP Echo Request packet toward the pinged computer. When VPN gateway recieves the ICMP Echo Reply as an answer to his packet, VPN gateway encapsulates it into ESP and sends it back to the roadwarrior client. This shows that all the traffic towards Internet from the roadwarrior client passes through the VPN gateway, which is also used as a firewall protecting the local network. This shows that the roadwarrior client is considered as a part of the local network, all the time while the secure connection is running.

To disconnect from the VPN gateway, the following command is used on the roadwarrior client.

# racoonctl vd 192.168.111.129
VPN connexion terminated
#