A Mode Config Section is used to configure extended authentication operation and the settings provided to the client during the configuration exchange.
Configuration Example
In our configuration example, we define the Mode Config section as shown below:
    #
    # Mode Config Section
    #
    mode_cfg
    {
        auth_source system;
        auth_groups "vpn-user";
        group_source system;
        conf_source local;
        network4 192.168.254.1;
        pool_size 253;
        netmask4 255.255.255.0;
        dns4 10.1.2.253;
        default_domain "shrew.net";
        split_dns "shrew.net";
        wins4 10.1.2.253;
        split_network include 10.1.2.0/24;
        banner "/usr/local/etc/racoon/motd";
    }
The user authentication settings can be defined to configure the XAuth operating parameters. The auth_source statement specifies the account source that is used to perform authentication. When set to system, racoon will use the local Unix password database. The auth_groups statement prevents an XAuth authentication from succeeding unless the user is a member of at least one of the specified groups. This is useful when you have a centralized account database and would like to limit remote access to only a subset of the users. The group_source statement specifies the group account source that is used to perform group inclusion checking. When set to system, racoon will use the local Unix group database.
see also:
Client Authentication : Extended Authentication
Client Configuration : Authentication Method
The network configuration settings can be defined to automatically provide a private address to a Client operating in Virtual Adapter mode. The conf_source statement specifies the configuration source that is used for address and netmask assignment. When set to local, racoon will manage its own address pool. The other possible options, radius and ldap, are not covered in this document. The network4 statement specifies the base address for the pool. The pool_size statement specifies the available number of addresses in the pool. The netmask4 statement specifies the network mask to be assigned to the client virtual interface.
see also:
Client Management : Private Address Configuration
Client Configuration : Address Method
The name service configuration can be defined to automatically provide DNS and WINS settings to a Client. The dns4 statement specifies a list of DNS server addresses to be used by the Client. The default_domain statement specifies the default domain to be used by the Client when submitting DNS requests. The split_dns statement specifies a list of DNS suffixes to be used by the Client. This is useful if you would like the Client to selectively forward DNS requests for those suffixes to a DNS server reachable through the tunnel. The wins4 statement specifies a list of WINS server addresses to be used by the Client.
see also:
Client Management : Name Services Configuration
Site Configuration : Name Resolution Settings
The split network configuration can be defined to provide a client with Split Tunnel information. The split_network statement specifies either the include or local_lan modifier followed by a list of target networks. If the include modifier is used, the client will only tunnel packets destined to the specified target networks. If the local_lan modifier is used, the client will only tunnel packets not destined to the specified target networks.
see also:
Client Management : Split Tunnel Configuration
Client Configuration : Remote Network Resources
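The statements above interact: the local pool defined by network4 and pool_size has to fit inside netmask4, and the split_network modifier decides which destinations a Client sends through the tunnel. The following parser and checker is an added example written for this page; it is not part of racoon or the Shrew Soft client. It embeds a constructed copy of the example block, parses the mode_cfg statements, checks that the pool fits the mask (assuming addresses are handed out sequentially starting at network4), flags auth_throttle 0 and save_passwd on, and applies the include / local_lan rule to a destination address. The function names are hypothetical.

```python
"""Parser and sanity checker for a racoon mode_cfg block (added example)."""
import ipaddress
import re

# Constructed copy of the documentation's configuration example.
SAMPLE_MODE_CFG = """
#
# Mode Config Section
#
mode_cfg
{
    auth_source system;
    auth_groups "vpn-user";
    group_source system;
    conf_source local;
    network4 192.168.254.1;
    pool_size 253;
    netmask4 255.255.255.0;
    dns4 10.1.2.253;
    default_domain "shrew.net";
    split_dns "shrew.net";
    wins4 10.1.2.253;
    split_network include 10.1.2.0/24;
    banner "/usr/local/etc/racoon/motd";
}
"""


def parse_mode_cfg(text):
    """Return a dict keyword -> list of argument tokens.

    Statements are split on ';' (a quoted string must not contain one),
    '#' comments are stripped, quotes are removed, and repeated keywords
    such as several dns4 lines accumulate into one list.
    """
    body = text[text.index('{') + 1:text.rindex('}')]
    body = '\n'.join(line.split('#', 1)[0] for line in body.splitlines())
    cfg = {}
    for stmt in body.split(';'):
        parts = re.findall(r'"[^"]*"|[^\s,]+', stmt)
        if not parts:
            continue
        key, tokens = parts[0], [t.strip('"') for t in parts[1:]]
        cfg.setdefault(key, []).extend(tokens)
    return cfg


def pool_check(cfg):
    """Check that network4 + pool_size stays inside netmask4.

    Assumes the pool is allocated sequentially from network4 (assumption of
    this example). Defaults follow the reference section: pool_size 255,
    network4/netmask4 0.0.0.0. Returns (ok, first_address, last_address).
    """
    base = ipaddress.IPv4Address(cfg.get('network4', ['0.0.0.0'])[0])
    mask = cfg.get('netmask4', ['0.0.0.0'])[0]
    size = int(cfg.get('pool_size', ['255'])[0])
    net = ipaddress.IPv4Network((base, mask), strict=False)
    last = base + (size - 1)
    ok = last in net and last != net.broadcast_address
    return ok, str(base), str(last)


def tunnels(cfg, destination):
    """Apply the split_network rule: does `destination` go through the tunnel?

    include   -> only the listed networks are tunneled
    local_lan -> everything except the listed networks is tunneled
    no split_network statement -> everything is tunneled
    """
    stmt = cfg.get('split_network')
    if not stmt:
        return True
    mode = stmt[0]
    nets = [ipaddress.ip_network(t) for t in stmt if t not in ('include', 'local_lan')]
    listed = any(ipaddress.ip_address(destination) in n for n in nets)
    return listed if mode == 'include' else not listed


def lint(cfg):
    """Return a list of warnings for settings this page documents as risky."""
    warnings = []
    if cfg.get('conf_source', ['local'])[0] == 'local':
        ok, first, last = pool_check(cfg)
        if not ok:
            warnings.append(f'pool {first}-{last} does not fit inside netmask4')
    if cfg.get('auth_throttle', ['1'])[0] == '0':
        warnings.append('auth_throttle 0 disables the delay after failed XAuth attempts')
    if cfg.get('save_passwd', ['off'])[0] == 'on':
        warnings.append('save_passwd on lets the client store the XAuth password')
    return warnings


if __name__ == '__main__':
    cfg = parse_mode_cfg(SAMPLE_MODE_CFG)
    print('pool:', pool_check(cfg))
    print('10.1.2.50 tunneled:', tunnels(cfg, '10.1.2.50'))
    print('8.8.8.8 tunneled:', tunnels(cfg, '8.8.8.8'))
    print('warnings:', lint(cfg))
```

For the example block the pool runs from 192.168.254.1 to 192.168.254.253, which fits in 255.255.255.0 without touching the broadcast address, and with split_network include only 10.1.2.0/24 is tunneled. Running lint over a block with pool_size 300 on a /24, or auth_throttle 0, reports the problem before the configuration is deployed.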
Reference
mode_cfg { statements }
Defines the information to be returned for a remote host's ISAKMP modeconfig request. Also defines the authentication source for remote peers authenticating through Xauth.
The following are valid statements:
auth_source (system | radius | pam | ldap);
Specifies the source for authentication of users through Xauth. system means to use the Unix user database. This is the default. radius means to use a RADIUS server. It works only if racoon was built with libradius support, and the configuration is done in radius.conf. pam means to use PAM. It works only if racoon was built with libpam support. ldap means to use LDAP. It works only if racoon was built with libldap support, and the configuration is handled by adding statements to the ldapcfg section.
auth_groups group1, ...;
Specifies the group memberships for Xauth in quoted group name strings. When defined, the authenticating user must be a member of at least one group for Xauth to succeed.
group_source (system | ldap);
Specifies the source for group validation of users through Xauth. system means to use the Unix user database. This is the default. ldap means to use LDAP. It works only if racoon was built with libldap support, and the configuration is handled by adding statements to the ldapcfg section.
conf_source (local | radius | ldap);
Specifies the source for IP addresses and netmask allocated through ISAKMP mode config. local means to use the local IP pool defined by the network4 and pool_size keywords. This is the default. radius means to use a RADIUS server. It works only if racoon was built with libradius support, and the configuration is done in radius.conf. RADIUS configuration requires RADIUS authentication. ldap means to use an LDAP server. It works only if racoon was built with libldap support, and the configuration is done in the ldapcfg section. LDAP configuration requires LDAP authentication.
accounting (none | system | radius | pam);
Enables or disables accounting for Xauth logins and logouts. Default is none, which disables accounting. system enables system accounting through utmp. radius enables RADIUS accounting. It works only if racoon was built with libradius support, and the configuration is done in radius.conf. RADIUS accounting requires RADIUS authentication. pam enables PAM accounting. It works only if racoon was built with libpam support. PAM accounting requires PAM authentication.
pool_size size;
Specifies the size of the IP address pool, either local or allocated through RADIUS. conf_source selects the local pool or the RADIUS configuration, but in both configurations you cannot have more than size users connected at the same time. The default is 255.
network4 address;
netmask4 address;
The local IP pool base address and network mask from which dynamically allocated IPv4 addresses should be taken. This is used if conf_source is set to local or if the RADIUS server returned 255.255.255.254. Default is 0.0.0.0/0.0.0.0.
dns4 addresses;
A list of IPv4 addresses for DNS servers, separated by commas, or on multiple dns4 lines.
nbns4 addresses;
A list of IPv4 addresses for WINS servers.
split_network (include | local_lan) network/mask, ...;
The network configuration to send, in CIDR notation (e.g. 192.168.1.0/24). If include is specified, the tunnel should only be used to encrypt the indicated destinations. Otherwise, if local_lan is used, everything will pass through the tunnel except the indicated destinations.
default_domain domain;
The default DNS domain to send.
split_dns domain, ...;
The split DNS configuration to send, in quoted domain name strings. This list describes the domain names for which a peer should query a modecfg-assigned DNS server. DNS queries for all other domains are handled locally. (Cisco VPN client only).
banner path;
The path of a file displayed on the client at connection time. Default is /etc/motd.
auth_throttle delay;
On each failed Xauth authentication attempt, refuse new attempts for a set delay of one or more seconds. This is to avoid dictionary attacks on Xauth passwords. Default is one second. Set to zero to disable the authentication delay.
pfs_group group;
Sets the PFS group used in the client proposal (Cisco VPN client only). Default is 0.
save_passwd (on | off);
Allow the client to save the Xauth password (Cisco VPN client only). Default is off.