Tunnel mode between two Racoon hosts with x509 authentication

Intro

Network diagram

Creating a Certification Authority


See here

Tunnel Mode

Alice

Virtual interface

user@alice # apt-get install uml-utilities
user@alice # tunctl -u admin
user@alice # ifconfig tap0 172.31.0.1
user@alice # ifconfig tap0 up

/etc/racoon/racoon.conf

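# Alice side (192.168.0.84) of the tunnel; the peer is Bob at 192.168.0.95.
# Authentication is certificate based (rsasig); the pre-shared-key path stays
# disabled so a PSK can never be selected by accident.
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen {
	isakmp 192.168.0.84 [500];
}

remote 192.168.0.95 {
	exchange_mode main;
	# Both identities are the certificate subject DNs, and verify_identifier
	# makes racoon reject a peer whose ID does not match its certificate.
	my_identifier asn1dn;
	peers_identifier asn1dn;
	verify_identifier on;
	certificate_type x509 "newcert.pem" "privkey.pem";
	# CA used to verify Bob's certificate (racoon verifies peer certificates by
	# default). cacert.pem must be copied into /etc/racoon/certs; without an
	# explicit ca_type racoon falls back to hashed CA symlinks in that directory.
	ca_type x509 "cacert.pem";
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method rsasig;
		#authentication_method pre_shared_key;
		#dh_group modp1024;
		# group 15 (modp3072), stronger than the commented modp1024
		dh_group 15;
	}
#        generate_policy off;
}

mode_cfg {
	# first address handed out to VPN clients (the original note cited
	# 192.168.100.1, but the directive here uses 172.31.0.2)
	network4 172.31.0.2;
	split_network include 172.31.0.0/24;
	pool_size 20;
	netmask4 255.255.255.0;
	# user lookup source; only consulted when an xauth/hybrid
	# authentication_method is negotiated
	auth_source system;
	#dns4 192.168.200.254;       # 192.168.200.254 is the DNS address on the remote local network
	banner "/etc/racoon/motd";
	#pfs_group 0;
}

# Phase 2 parameters; "anonymous" applies to every peer, so the example
# address-specific selector below is kept only for reference.
#sainfo address 10.0.0.200 any address 10.0.0.118 any {
sainfo anonymous {
	lifetime time 1 hour;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}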
					

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

# NOTE: do not use this file together with the racoon-tool utility;
# racoon-tool installs SAs and SPDs itself from /etc/racoon/racoon-tool.conf.

## Start from an empty SAD and SPD
flush;
spdflush;

## Alice (tap0 172.31.0.1) <-> Bob (172.31.0.10), ESP tunnel between the
## public addresses 192.168.0.84 (Alice) and 192.168.0.95 (Bob).
## "require" means traffic matching the selector is dropped unless an SA exists.
spdadd 172.31.0.10 172.31.0.1 any -P in ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;
spdadd 172.31.0.1 172.31.0.10 any -P out ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;

Bob

Virtual interface

user@bob # ifconfig eth1:1 172.31.0.10 netmask 255.255.255.0

Installation

user@bob # apt-get install racoon ipsec-tools

NB: Choose direct modification during the racoon installation process. For security reasons, use a tun0 interface rather than an alias such as eth1:1.

/etc/racoon/racoon.conf

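# Bob side (192.168.0.95) of the tunnel; the peer is Alice at 192.168.0.84.
path certificate "/etc/racoon/certs";

remote 192.168.0.84 {
	exchange_mode main;
	certificate_type x509 "newcert.pem" "privkey.pem";
	ca_type x509 "cacert.pem";      # CA that signed the peer certificate
	my_identifier asn1dn;
	# obey: accept whatever the peer proposes (lifetimes included); use
	# strict or claim if the peer should not be allowed to pick parameters.
	proposal_check obey;
	ike_frag on;                    # IKE fragmentation enabled
	mode_cfg on;                    # accept network information pushed by the peer
	# Verify the peer certificate against cacert.pem. With this off, any
	# certificate is accepted and the x509 authentication is purely nominal.
	verify_cert on;
	proposal {
		# encryption and hash algorithm
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		# authentication method
		authentication_method rsasig;
		# Diffie-Hellman group 15 (modp3072)
		dh_group 15;
	}
	generate_policy off;

#       script "/etc/racoon/phase1-up.sh" phase1_up;
#       script "/etc/racoon/phase1-down.sh" phase1_down;

}

sainfo anonymous {
	# phase 2 SA lifetime
	lifetime time 1 hour;
	# encryption, authentication and compression algorithms
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}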

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

## Start from an empty SAD and SPD
flush;
spdflush;

## SPD entries for racoon
## Bob (172.31.0.10) <-> Alice (172.31.0.1), ESP tunnel between the public
## addresses 192.168.0.95 (Bob) and 192.168.0.84 (Alice); each direction
## mirrors the matching entry on Alice.
spdadd 172.31.0.1 172.31.0.10 any -P in ipsec esp/tunnel/192.168.0.84-192.168.0.95/require;
spdadd 172.31.0.10 172.31.0.1 any -P out ipsec esp/tunnel/192.168.0.95-192.168.0.84/require;

Summary
