This directory contains sample configurations files used for roadwarrior
remote access using hybrid authentication. In this setup, the VPN 
gateway authenticate to the client using a certificate, and the client
authenticate to the VPN gateway using a login and a password.

Moreover, this setup makes use of ISAKMP mode config to autoconfigure 
the client. After a successful login, the client will receive an 
internal address, netmask and DNS from the VPN gateway.


Server setups
=============
The server setups need racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --with-libradius --sysconfdir=/etc/racoon

The first server setup, in server/racoon.conf, is for a VPN gateway 
using authentication against the system password database, and using 
a locally configured pool of addresses. 

The second setup, server/racoon.conf-radius, uses a RADIUS server for 
authentication, IP allocation and accounting. The address and secret
to be used for the RADIUS server are configured in /etc/radius.conf, 
see radius.conf(5).

Both config file use the server/phase1-down.sh script, which is used to 
workaround a bug in automatically generated SAD and SPD flush in 
racoon. This script will not be needed anymore the day this problem
will be fixed.

Both configurations can be used with the Cisco VPN client if it
is setup to use hybrid authentication (aka mutual group authentication,
available in Cisco VPN client version 4.0.5 and above). The group 
password configured in the Cisco VPN client is unused by racoon.

Once you will have installed /etc/racoon/racoon.conf and 
/etc/racoon/phase1-down.sh, you will also have to install a server
certificate and key in /etc/openssl/certs/server.crt and 
/etc/openssl/certs/server.key


Client setup
============
The client setup needs racoon built with the following options:
configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
	  --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var

You need to copy client/racoon.conf, client/phase1-up.sh and
client/phase1-down.sh to /etc/racoon, and you need to copy the 
certificate authority that signed the VPN gateway certificate in
/etc/openssl/certs/root-ca.crt

Once this is done, you can run racoon, and then you can start
the VPN using racoonctl:
racoonctl vc -u username vpn-gateway.example.net

Where username is your login, and vpn-gateway.example.net is
the DNS or IP address of the VPN gateway. racoonctl will prompt 
you for the password.

The password can be stored in the psk.txt file. In that situation, 
add this directive to the remote section of racoon.conf:
	 xauth_login "username";
Where username is your login.

Note that for now there is no feedback in racoonctl if the authentication
fails. Peek at racoon logs to discover what goes wrong.

In order to disconnect from the VPN, do this:
racoonctl vd vpn-gateway.example.net

This configuration should be compatible with the Cisco VPN 3000 using 
hybrid authentication, though this has not been tested.
