Racoon Roadwarrior Configuration - Page 2
VPN gateway configuration
The VPN gateway needs a configuration file for racoon, stored in /etc/racoon/racoon.conf. The configuration options are commented in the listing below.

# directory in which certificates and keys are looked up
path certificate "/etc/racoon";

# control of racoon through the racoonctl tool is disabled
listen {
    adminsock disabled;
}

# remote section - anonymous, so the roadwarrior client may come from any address
remote anonymous {
    # exchange modes accepted in the IKE first phase
    exchange_mode aggressive,main;
    # certificate type, certificate and secret key file names (relative to "path certificate")
    certificate_type x509 "cert.pem" "key.pem";
    # accept the proposal requested by the other peer, claiming our own lifetime if shorter
    proposal_check claim;
    # automatic generation of SPs from the initial connection request
    generate_policy on;
    # verification of the peer certificate is off (hybrid clients present none)
    verify_cert off;
    # NAT-T is off
    nat_traversal off;
    # DPD activation: 20 s between two proof-of-liveness requests
    dpd_delay 20;
    # IKE fragmentation enabled
    ike_frag on;
    # agreement proposal in the IKE first phase
    proposal {
        # encryption and hash algorithm
        encryption_algorithm aes;
        hash_algorithm md5;
        # authentication method
        authentication_method hybrid_rsa_server;
        # Diffie-Hellman group
        dh_group 2;
    }
}

# local network information handed out to the clients
mode_cfg {
    # starting address of the IP address pool
    network4 192.168.112.5;
    # maximum number of clients
    pool_size 20;
    # network mask
    netmask4 255.255.255.0;
    # authentication source - the user database of the system
    auth_source system;
    # configuration source - the data given in this section
    conf_source local;
    # DNS and WINS server IP addresses
    dns4 192.168.112.202;
    wins4 192.168.112.202;
    # banner file - welcome message
    banner "/etc/racoon/motd";
}

# SA information for the IKE second phase
sainfo anonymous {
    # Diffie-Hellman group for perfect forward secrecy
    pfs_group 2;
    # second phase SA lifetime
    lifetime time 1 hour;
    # encryption, authentication and compression algorithms
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
The most important parts of this configuration file are the mode_cfg section and the generate_policy directive inside the remote section. generate_policy instructs racoon to generate the needed SPs automatically from the data in the initial connection request, so no static SPs have to be written for clients whose addresses are not known in advance. The mode_cfg section defines the IP address pool used for roadwarrior clients, the authentication source and the welcome message. The remote and sainfo sections are defined for the anonymous address so that they accept connections from any IP address; the client is then authenticated by hybrid RSA authentication against the system user database, which is why the remote section of the gateway uses the hybrid_rsa_server authentication method. The gateway, on the other hand, is authenticated to the client by its certificate. Note that hash_algorithm md5, authentication_algorithm hmac_md5 and DH group 2 are kept here as in the original listing; on a current deployment prefer sha256 and hmac_sha256 and a larger group such as dh_group 14.
Besides the racoon configuration file, traffic needs to be limited by firewall rules. The simplest security policy is defined in the following shell script, saved as fw.sh. The rules are commented inside the script listing.
#!/bin/sh
# flush the nat table
iptables -F -t nat
# flush the mangle table (the MARK rule below is appended, so re-running the script would duplicate it)
iptables -F -t mangle
# flush the INPUT, FORWARD and OUTPUT chains of the filter table
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# accept ESP (IP protocol 50) arriving on interface eth0
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
# accept AH (IP protocol 51) arriving on interface eth0
iptables -A INPUT -i eth0 -p 51 -j ACCEPT
# accept ISAKMP (UDP port 500); match the destination port, not the source port,
# otherwise any datagram sent from source port 500 would reach every UDP service on the gateway
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
# accept NAT-T (UDP port 4500), same reasoning
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
# masquerade packets coming from the local network or from roadwarrior clients and going to the Internet
iptables -t nat -A POSTROUTING -o eth0 ! -d 192.168.112.0/24 -j MASQUERADE
# forward packets from a roadwarrior client back to the Internet if the destination
# is not inside the local network
iptables -A FORWARD -i eth0 ! -d 192.168.112.0/27 -o eth0 -j ACCEPT
# forward packets from the local network towards the Internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# forward packets from roadwarriors towards the Internet
iptables -A FORWARD -i eth0 -s 192.168.112.0/27 -o eth0 -j ACCEPT
# forward packets from the Internet to the local network only if the connection is already established
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward packets from the Internet to roadwarriors only if the connection is already established
iptables -A FORWARD -i eth0 -o eth0 -d 192.168.112.0/27 -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept packets from the Internet that belong to already established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# mark packets that arrived inside ESP; the mark survives decapsulation, so the
# decrypted inner packets can be recognised by the two rules below
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
# accept marked (decrypted) packets of any protocol
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
# forward marked (decrypted) packets of any protocol
iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT
For the above rules to serve their purpose, the computers in the local network need a route to the roadwarrior address pool, set by the following command (192.168.112.202 is the gateway's address on the local network). The route is needed because the pool lies inside the local 192.168.112.0/24 network: without a more specific route the local hosts would try to reach pool addresses directly on the LAN instead of sending the packets to the gateway.
# ip route add 192.168.112.0/27 via 192.168.112.202 dev eth1
Also, the VPN gateway needs to know where the roadwarriors are, so the following route should be added on the gateway (192.168.111.129 is the gateway's own address on eth0, used as the preferred source address).
# ip route add 192.168.112.0/27 dev eth0 src 192.168.111.129
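The pool handed out by the mode_cfg section (network4 plus pool_size addresses) and the 192.168.112.0/27 prefix used in the two routes above are written by hand and must agree, otherwise clients that receive an address near the top of the pool are unreachable from the LAN. The following script, added here as an example and not part of the original article, reads network4 and pool_size from a racoon.conf, computes the first and last pool address, and checks that both fall inside a given route prefix; the configuration excerpt it writes is constructed for the check, and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: check that the mode_cfg address pool of a racoon.conf fits
# inside the prefix that the roadwarrior routes use. Not part of the article;
# the sample configuration written below is constructed for this check.

# Dotted-quad IPv4 address -> 32-bit integer (subshell keeps IFS changes local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted-quad IPv4 address.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Value of the first "key value;" directive matching $1 in the racoon.conf $2.
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# First and last pool address as integers, from network4 and pool_size.
pool_first() { ip2int "$(cfg_value network4 "$1")"; }
pool_last()  { echo $(( $(pool_first "$1") + $(cfg_value pool_size "$1") - 1 )); }

# Succeeds if the address $1 (integer) lies inside the prefix $2 given as a.b.c.d/len.
in_prefix() (
    net=${2%/*}
    len=${2#*/}
    mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
    [ $(( $1 & mask )) -eq $(( $(ip2int "$net") & mask )) ]
)

# Succeeds if every address of the pool in racoon.conf $1 is covered by prefix $2.
check_pool() {
    in_prefix "$(pool_first "$1")" "$2" && in_prefix "$(pool_last "$1")" "$2"
}

# Constructed mode_cfg excerpt written to file $1 with pool_size $2.
write_sample_conf() {
    cat > "$1" <<EOF
mode_cfg {
    network4 192.168.112.5;
    pool_size $2;
    netmask4 255.255.255.0;
    dns4 192.168.112.202;
}
EOF
}

# Stand-alone run: the article's pool (20 addresses from .5) against the /27 route.
conf=$(mktemp)
write_sample_conf "$conf" 20
printf 'pool: %s - %s\n' "$(int2ip "$(pool_first "$conf")")" "$(int2ip "$(pool_last "$conf")")"
if check_pool "$conf" 192.168.112.0/27; then
    echo "pool fits inside 192.168.112.0/27"
else
    echo "pool overflows the route prefix"
fi
rm -f "$conf"
```

With the article's values the pool is 192.168.112.5 to 192.168.112.24 and fits the /27 (which ends at .31); raising pool_size to 40 would push the last address to .44 and the check fails, which is exactly the mismatch the routes would otherwise hide. Run it against the real file by replacing the constructed excerpt with /etc/racoon/racoon.conf.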
Besides the files mentioned, the VPN gateway must have a server certificate and a server key in /etc/racoon/cert.pem and /etc/racoon/key.pem respectively, as stated in the racoon configuration file. Creating the certificates is described in the last chapter.
Optionally, the welcome message shown to users who connect to the VPN gateway can be defined in the /etc/racoon/motd file, as referenced by the banner directive in the racoon configuration file.