Configuring IPsec Tools

An IPsec Client uses the IKE protocol to establish communications with a VPN Gateway. There are several open source products that implement the IKE protocol and can be used with a Gateway. We will be using the IPsec Tools daemon ("racoon"), which provides advanced functionality for VPN Client connectivity. For racoon to be useful, you will need to build a detailed configuration that contains your desired operating parameters.



Configuration Directory



The racoon configuration files are typically stored in a subdirectory named racoon under the etc system configuration directory. The location of your etc system subdirectory will be operating system dependent. If you use Linux or NetBSD, the path would typically be /etc/racoon. If you are using FreeBSD, the path would typically be /usr/local/etc/racoon as the /etc system configuration directory is reserved for the base operating system and pre-installed software.


When racoon is started, it will attempt to load the main configuration file named racoon.conf from the /etc/racoon subdirectory. You can optionally specify an alternate path to the configuration file by using the -f command line option when starting racoon as shown below:


racoon -f <alternate path>/racoon.conf


If racoon encounters a problem while loading the configuration file, it will report the error as command line output.



Main Configuration File



For our test environment, we will use the configuration file shown below. This document will describe the example configuration file parameters and how they are used to facilitate VPN Client connectivity. You can use this example as a starting point when writing a configuration file for your VPN Gateway. For a complete reference of the racoon.conf file format, please see the racoon.conf manual page which is distributed with the IPsec Tools package.


#
# Path Specifications
#

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

#
# Listen Section
#

listen
{
    isakmp 10.1.1.1 [500];
    isakmp_natt 10.1.1.1 [4500];
}

#
# Timer Section
#

timer
{
    natt_keepalive 15 seconds;
}

#
# Remote Section
#

remote anonymous
{
    exchange_mode aggressive;

    verify_identifier on;
    my_identifier fqdn "vpngw.shrew.net";
    peers_identifier fqdn "client.shrew.net";

    generate_policy unique;
    ike_frag on;
    nat_traversal on;
    dpd_delay 30;

    proposal_check claim;
    lifetime time 24 hours;

    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 5;
    }
}

#
# Mode Config Section
#

mode_cfg
{
    network4 192.168.254.1;
    pool_size 253;
    netmask4 255.255.255.0;
    split_network include 10.1.2.0/24;
    split_dns "shrew.net";
    auth_source system;
    auth_groups "vpn-user";
    group_source system;
    conf_source local;
    wins4 10.1.2.253;
    dns4 10.1.2.253;
    default_domain "shrew.net";
    banner "/usr/local/etc/racoon/motd";
}

#
# SA Info Section
#

sainfo anonymous
{
    lifetime time 3600 seconds;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm none;
}

Example racoon.conf configuration file.



Preshared Key Configuration File



If a PSK authentication method is used, you will need to create a preshared key text file and add the path to the listen section of your main configuration file. The preshared key file lists the remote peer identifier followed by a preshared secret value.


#
# PSK text file
#

client.shrew.net        mysharedsecret

Example psk.txt configuration file.
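
The preshared key file stores each secret in clear text, and the example gateway uses aggressive mode with PSK authentication, where a guessable key is the weakest point of the setup. The following check is an added example, not part of the original page or of IPsec Tools: it parses a file in the identifier/secret layout shown above and reports loose file permissions, malformed or duplicate entries and short secrets. The function name audit_psk_file and the 20-character minimum are assumptions chosen for illustration.

```python
import os
import stat
import tempfile

MIN_SECRET_LEN = 20  # assumed local policy threshold, not a racoon requirement


def audit_psk_file(path):
    """Return a list of findings for a racoon psk.txt-style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds cleartext secrets: no group/other access bits should be set.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible to group/other, use 0600")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            parts = line.split(None, 1)  # identifier, then the secret
            if len(parts) != 2:
                findings.append(f"line {lineno}: identifier without a secret")
                continue
            ident, secret = parts
            if ident in seen:
                findings.append(f"line {lineno}: duplicate identifier {ident}")
            seen.add(ident)
            if len(secret) < MIN_SECRET_LEN:
                findings.append(f"line {lineno}: secret for {ident} is shorter "
                                f"than {MIN_SECRET_LEN} characters")
    return findings


def demo():
    """Audit a constructed copy of the page's psk.txt, before and after fixes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "psk.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("#\n# PSK text file\n#\n\nclient.shrew.net        mysharedsecret\n")
        os.chmod(path, 0o644)  # constructed: world-readable, as an editor may leave it
        before = audit_psk_file(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("client.shrew.net\t" + os.urandom(24).hex() + "\n")
        os.chmod(path, 0o600)  # owner read/write only
        after = audit_psk_file(path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```
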


See also:


Configuring IPsec Tools : Preshared Key File Path


Copyright © 2010, Shrew Soft Inc