Racoon Roadwarrior Configuration
A roadwarrior is a client that connects to a VPN gateway (here also the firewall) from an unknown, dynamically assigned IP address. This situation is shown in picture 1.1 and is one of the most interesting and, today, most needed scenarios in a business environment. Some of the reasons are:
The client can be any computer, with any IP address assigned, that has Internet access and can initiate a connection to the VPN gateway.
When connecting to the VPN, the client is assigned an internal IP address on the network it is connecting to, which makes it appear to be attached directly to that network rather than tunneling through the Internet.
Assigning an internal IP address makes network administration easier.
Traffic is protected on the route from the client to the VPN gateway.
While connected, the client has no direct access to the Internet, because all of its traffic is routed through the VPN network and the firewall (VPN gateway).
Combined with racoon, the roadwarrior scenario presents a few problems:
The client's IP address is unknown, so it cannot be listed in the racoon.conf configuration file or in the PSK key file. Another way of authenticating the client is therefore needed.
It is not possible to predefine the SPs (security policies) that racoon on the gateway will follow, because the client's address is unknown. Racoon has to create the needed SPs and SAs itself when the connection is initiated.
The picture shows a roadwarrior scenario simulated by the local network 192.168.112.0/24, which contains the computer 192.168.112.131 and is connected to the Internet through a VPN gateway (also a firewall) with public IP address 192.168.111.129 (its address toward the local network is 192.168.112.202). The Internet is simulated by the 192.168.111.0/24 network, which besides the VPN gateway contains two computers: the roadwarrior client (IP address 192.168.111.203) and another computer connected to the Internet that does not take part in this roadwarrior scenario (192.168.111.3). To set up the roadwarrior scenario, the computers this connection depends on must be configured.
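The two racoon problems listed above (no known client address for racoon.conf or the PSK file, no way to predefine SPs) are what the anonymous remote block and generate_policy in racoon.conf are for. The following gateway-side configuration is an added example, not part of the original page; it assumes X.509 certificate (rsasig) authentication with certificate files under /etc/racoon/certs, and uses the gateway address 192.168.111.129 from the picture.

```conf
# Added example: gateway racoon.conf for the roadwarrior scenario.
# Paths and certificate file names are assumptions, not from the original page.
path certificate "/etc/racoon/certs";

listen {
    isakmp 192.168.111.129 [500];   # public address of the VPN gateway
}

# Phase 1: accept IKE from any peer address, because the roadwarrior's IP is unknown.
remote anonymous {
    exchange_mode main;
    passive on;                     # the gateway only answers, it never initiates
    generate_policy on;             # racoon creates the SPs/SAs for this peer at connection time
    # Authenticate the client by certificate instead of a per-address PSK entry.
    certificate_type x509 "gateway.crt" "gateway.key";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_cert on;                 # client certificate must chain to a trusted CA
    verify_identifier on;           # client ID must match its certificate subject
    proposal_check obey;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# Phase 2: SA parameters for any peer, again independent of the client's address.
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

On the gateway, the policies that generate_policy created for a connected client can be checked with setkey -DP, and the negotiated SAs with setkey -D.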