This directory contains sample configuration files for roadwarrior
remote access using hybrid authentication. In this setup, the VPN
gateway authenticates to the client with an X.509 certificate (RSA
signature), and the client authenticates to the VPN gateway with a
login and a password (XAUTH). The client never needs a certificate
of its own.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure
the client. After a successful login, the client receives an
internal address, netmask and DNS server from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway
that authenticates users against the system password database and
hands out addresses from a locally configured pool.

The second setup, server/racoon.conf-radius, uses a RADIUS server for
authentication, IP allocation and accounting. The address and shared
secret of the RADIUS server are configured in /etc/radius.conf,
see radius.conf(5).

Both configurations can be used with the Cisco VPN client if it
is set up to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group
password configured in the Cisco VPN client is not used by racoon:
it is never checked, so it provides no protection. The gateway
certificate and the user's password are the only credentials in play.

After you have installed /etc/racoon/racoon.conf, you also have to
install a server certificate and key in /etc/openssl/certs/server.crt
and /etc/openssl/certs/server.key. Keep the key readable by root only.
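
The following is an added illustration of what the gateway side of
this setup looks like; it is not the server/racoon.conf shipped in
this directory. The listen address (192.0.2.1), the client pool
(10.99.99.0/24), the DNS server (192.0.2.53) and the banner path are
assumptions to be replaced with your own values; the directive names
are those documented in racoon.conf(5).

```conf
# Added example of a hybrid-auth gateway; not the shipped sample file.
# All addresses below are placeholders.
path certificate "/etc/openssl/certs";

listen {
	isakmp 192.0.2.1 [500];
	isakmp_natt 192.0.2.1 [4500];
}

remote anonymous {
	# Cisco clients use aggressive mode; racoonctl clients can use main.
	exchange_mode main, aggressive;
	# The gateway is the only side that presents a certificate.
	certificate_type x509 "server.crt" "server.key";
	my_identifier asn1dn;
	passive on;              # roadwarrior gateway: never initiate
	generate_policy on;      # create SPD entries for connecting clients
	nat_traversal on;
	ike_frag on;
	dpd_delay 20;
	proposal_check obey;

	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		# RSA signature from this side, XAUTH password from the client.
		authentication_method hybrid_rsa_server;
		dh_group 2;
	}
}

mode_cfg {
	# Local variant (server/racoon.conf). For the RADIUS variant
	# (server/racoon.conf-radius) use:
	#   auth_source radius; conf_source radius; accounting radius;
	auth_source system;
	conf_source local;
	network4 10.99.99.1;
	netmask4 255.255.255.0;
	pool_size 253;
	dns4 192.0.2.53;
	pfs_group 2;
	save_passwd off;        # do not let clients cache the XAUTH password
	banner "/etc/racoon/banner";
}

sainfo anonymous {
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
```

The security-relevant lines are `authentication_method hybrid_rsa_server`
(the gateway proves its identity with server.crt before the client is
asked for a password) and `auth_source`, which decides whether the
login and password are checked against the system password database or
forwarded to RADIUS.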


Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the
certificate of the certificate authority that signed the VPN gateway
certificate to /etc/openssl/certs/root-ca.crt

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS name or IP address of the VPN gateway. racoonctl will prompt
you for the password.

The password can instead be stored in the psk.txt file, on a line of
the form "username password". In that situation, add this directive to
the remote section of racoon.conf:
	 xauth_login "username";
where username is your login. racoon then looks the password up in
psk.txt under that login instead of prompting for it, so psk.txt must
be readable by root only.

Note that for now racoonctl gives no feedback if the authentication
fails. Check the racoon logs to find out what went wrong.

In order to disconnect from the VPN, do this:
racoonctl vd vpn-gateway.example.net
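
The following is an added illustration of the client side of the
procedure above; it is not the client/racoon.conf shipped in this
directory. The identifier "roadwarrior.example.net" and the commented
login are placeholders; the directive names are those documented in
racoon.conf(5).

```conf
# Added example of a hybrid-auth roadwarrior client; not the shipped
# sample file. Identifiers and paths are placeholders.
path certificate "/etc/openssl/certs";
path script "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";   # only needed with xauth_login

remote anonymous {
	exchange_mode main, aggressive;
	# Trust anchor for the gateway certificate, i.e. the CA you copied
	# to /etc/openssl/certs/root-ca.crt. Leave verify_cert on: with it
	# off, any host that answers on UDP 500 can collect your password.
	ca_type x509 "root-ca.crt";
	verify_cert on;
	my_identifier fqdn "roadwarrior.example.net";
	mode_cfg on;                       # accept address, netmask and DNS
	script "phase1-up.sh" phase1_up;   # apply what mode config hands out
	script "phase1-down.sh" phase1_down;
	nat_traversal on;
	ike_frag on;
	dpd_delay 20;
	proposal_check obey;
	# Uncomment to read the password from psk.txt ("username password")
	# instead of being prompted by racoonctl vc:
	# xauth_login "username";

	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		# Verify the gateway's RSA signature, then send the XAUTH login.
		authentication_method hybrid_rsa_client;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
```

With this in /etc/racoon/racoon.conf, `racoonctl vc -u username
vpn-gateway.example.net` starts the exchange and `racoonctl vd
vpn-gateway.example.net` tears it down, as described above. Because
the password is the client's only credential, certificate verification
against root-ca.crt is what stops a rogue gateway from harvesting it.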

This configuration should be compatible with the Cisco VPN 3000 using
hybrid authentication, though this has not been tested.
