# Server (WAN IP 100.100.100.100, VPN IP 10.9.255.1)

Certificates

We will install the CA and certificates in /etc/racoon/conf. Create the directory (mkdir /etc/racoon/conf), then copy the following files into it:

### build_ca.sh

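#!/bin/sh
# build_ca.sh - (re)create the CA directory tree under ./ca and generate a
# self-signed root CA certificate and private key using ./openssl.cnf.
#
# Run from the directory that holds openssl.cnf. Re-running this script
# discards the existing CA, including its key, index.txt and serial.
set -eu

IPSEC_CA="./ca/ipsec_ca"

# Start from an empty tree; everything previously issued is lost here.
rm -rf ./ca
mkdir -p ca/certs
mkdir -p ca/newcerts
mkdir -p ca/crl
mkdir -p ca/private
# Only the owner may enter the directory that holds the CA private key.
chmod 700 ca/private

# Empty certificate database and initial serial number
# (presumably the files openssl.cnf points `openssl ca` at - confirm).
touch ./ca/index.txt
echo '01' > ./ca/serial

# Build root CA
# -nodes writes the CA private key unencrypted, so file permissions are the
# only protection for it; anyone who can read the key can issue certificates
# that every peer trusting this CA will accept.
openssl req -new -x509 -config ./openssl.cnf -newkey rsa:2048 -days 3650 -nodes -keyout ./ca/private/ipsec_ca.key -out "${IPSEC_CA}.pem"
chmod 600 ./ca/private/ipsec_ca.key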

build_cert.sh

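#!/bin/sh
# build_cert.sh NAME - generate a 2048-bit RSA key and certificate request
# for NAME, then sign the request with the CA configured in
# $CERTPATH/openssl.cnf.
#
# Outputs (under $CERTPATH/ca/certs): NAME.key, NAME.req, NAME.pem
set -eu

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
CERTPATH="/etc/racoon/conf"

if [ "$#" -lt 1 ]; then
  echo "usage: $0 <name>" >&2
  exit 2
fi

# NAME becomes part of three file paths, so refuse anything that could leave
# ca/certs (slashes, leading dots) or be read as an option (leading dash).
case "$1" in
  '' | .* | -* | *[!A-Za-z0-9._-]*)
    echo "$0: invalid certificate name: $1" >&2
    exit 2
    ;;
esac
name=$1

# -nodes leaves the private key unencrypted, so create it with a restrictive
# umask and tighten the mode in case the file already existed.
(
  umask 077
  openssl req -newkey rsa:2048 -nodes -config "$CERTPATH/openssl.cnf" -keyout "$CERTPATH/ca/certs/$name.key" -out "$CERTPATH/ca/certs/$name.req"
)
chmod 600 "$CERTPATH/ca/certs/$name.key"

openssl ca -in "$CERTPATH/ca/certs/$name.req" -out "$CERTPATH/ca/certs/$name.pem" -config "$CERTPATH/openssl.cnf"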

make_crl.sh

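#!/bin/sh
# make_crl.sh - regenerate the CRL (ca/crl.pem) from the CA database and
# publish it under the hashed name OpenSSL-style directory lookups use.
#
# Run from the directory that holds openssl.cnf and ./ca, and re-run after
# every revocation.
set -eu

openssl ca -gencrl -config ./openssl.cnf -out ca/crl.pem

# The CRL is looked up as <hash>.r0, where <hash> is the CA certificate's
# subject hash. If the hash cannot be computed, stop: a link named ".r0"
# would never be found, and revoked certificates would keep being accepted
# without any visible error.
hash=$(openssl x509 -hash -noout -in ca/ipsec_ca.pem)
if [ -z "$hash" ]; then
  echo "$0: could not compute the hash of ca/ipsec_ca.pem" >&2
  exit 1
fi

# Relative link target, so ca/<hash>.r0 -> crl.pem inside ca/.
ln -sf crl.pem "ca/${hash}.r0"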

### revoke.sh

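#!/bin/sh
# revoke.sh SERIAL - revoke the certificate stored as
# /etc/racoon/conf/ca/newcerts/SERIAL.pem.
#
# SERIAL is the serial number as it appears in ca/index.txt, including any
# leading zero. Regenerate the CRL afterwards, otherwise peers keep accepting
# the revoked certificate.
set -eu

if [ "$#" -lt 1 ]; then
  echo "usage: $0 <serial number>" >&2
  exit 2
fi

# The serial becomes part of a file path; accept hexadecimal digits only.
case "$1" in
  '' | *[!0-9A-Fa-f]*)
    echo "$0: invalid serial number: $1" >&2
    exit 2
    ;;
esac

# Pass the same openssl.cnf the other scripts use, so the revocation is
# recorded in this CA's database instead of whatever the system default
# configuration points to. If openssl.cnf uses relative paths (presumably
# ./ca - confirm), run this from /etc/racoon/conf.
openssl ca -config /etc/racoon/conf/openssl.cnf -revoke "/etc/racoon/conf/ca/newcerts/$1.pem"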

Before you can create certificates, you need to create a CA; a self-signed one will serve our purpose just as well: ./build_ca.sh. Then create the certificates, for example: ./build_cert.sh peter

Also, don’t forget to create the CRL by doing: ./make_crl.sh

The following file can be used to keep track of all certificates (whether still valid or revoked): ca/index.txt

In order to revoke a certificate, get its serial number from ca/index.txt (the third column, a two-digit number), then use: ./revoke.sh <serial number>. If the serial number appears as “03”, then you MUST include the leading zero: ./revoke.sh 03. Once you’ve revoked a certificate, you need to refresh the CRL: ./make_crl.sh. Until the CRL is refreshed, the revoked certificate is still accepted.

B) Network configuration (tap interface + iptables)

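# Create the ipsec0 interface, owned by root.
tunctl -u root -t ipsec0
# Give it the server's VPN address; the MTU is lowered to 1380,
# presumably to leave room for ESP/NAT-T overhead.
ifconfig ipsec0 10.9.255.1 netmask 255.255.0.0 mtu 1380
# Traffic towards the VPN network leaves with the VPN address as its source.
iptables -t nat -I POSTROUTING -d 10.9.0.0/16 -j SNAT --to-source 10.9.255.1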

Note: you won’t see the traffic on the ipsec0 interface; instead, you will see it on the WAN interface, and you will see both encrypted and decrypted packets.

C) Racoon

# Base directory for the certificate and key file names used below. It is
# also the directory in which make_crl.sh creates the <hash>.r0 CRL link.
path certificate "/etc/racoon/conf/ca" ;
# No pre-shared-key authentication method appears in the proposal below; if
# psk.txt exists it holds secrets and should be readable by root only.
path pre_shared_key "/etc/racoon/psk.txt";

# Bind IKE to the WAN address only: port 500 for plain IKE and port 4500 for
# NAT traversal.
listen
{
         isakmp 100.100.100.100[500];
         isakmp_natt 100.100.100.100[4500];
         # No admin socket is created, so racoonctl cannot control this daemon.
         adminsock disabled;
}

# Send a NAT-T keepalive every 15 seconds so NAT mappings towards clients
# stay open.
timer
{
         natt_keepalive 15 seconds;
}

# Phase 1 settings for any peer address ("anonymous"). Because every source
# address is accepted, access control rests entirely on certificate
# validation against ca_type and on the CRL being kept current.
remote anonymous
   {

         exchange_mode main;

         # Identities are certificate subject DNs.
         # NOTE(review): no DN string follows asn1dn, so no specific subject
         # is pinned here; presumably any certificate that chains to
         # ipsec_ca.pem and is not revoked is accepted - confirm.
         verify_identifier on;
         my_identifier asn1dn;
         peers_identifier asn1dn;

           # Certificate and private key
         # NOTE(review): the gateway authenticates with the root CA
         # certificate and the CA private key themselves, so the CA signing
         # key has to stay, unencrypted, on the internet-facing gateway.
         # Issuing a separate gateway certificate with build_cert.sh and
         # pointing certificate_type at it (for example
         # "certs/<gateway-name>.pem" "certs/<gateway-name>.key", placeholder
         # names) would let the CA key be kept off this host.
         certificate_type x509 "ipsec_ca.pem" "private/ipsec_ca.key" ;
         ca_type x509 "ipsec_ca.pem" ;

         # Policies are generated from the initiator's phase 2 proposal.
         # NOTE(review): racoon.conf(5) describes generate_policy as a
         # responder-side directive and suggests "passive on" with it;
         # "passive off" below leaves initiation enabled - confirm intent.
         generate_policy on;
         ike_frag on;
         nat_traversal on;
         dpd_delay 30;
         proposal_check claim;
         lifetime time 24 hour ; # sec,min,hour
         passive off;

         # phase 1 proposal (for ISAKMP SA)
         # NOTE(review): SHA-1 and DH group 5 (1536-bit MODP) are legacy
         # choices; where both peers support them, a SHA-2 hash and group 14
         # or larger are the stronger option. Both ends must be changed
         # together.
         proposal {
                 encryption_algorithm aes 256;
                 hash_algorithm sha1;
                 authentication_method rsasig ;
                 #authentication_method xauth_rsa_server;
                 dh_group 5;
         }

   }

   # Settings handed to clients through mode config: an address pool of 20
   # addresses starting at 10.9.0.2 with a /16 netmask, a DNS server and a
   # banner file.
   mode_cfg {
         network4 10.9.0.2;
         pool_size 20;
         netmask4 255.255.0.0;
         # Xauth credentials would be checked against system accounts; the
         # only xauth method in the proposal is commented out, so this is
         # presumably unused - confirm.
         auth_source system;
         # NOTE(review): this pushes the loopback address as the client's DNS
         # server, i.e. the client would query itself - confirm it is
         # intended.
         dns4 127.0.0.1;
         banner "/etc/racoon/motd";
         # NOTE(review): group 2 is 1024-bit MODP, weaker than the phase 1
         # group; racoon.conf(5) describes this as the PFS group for the
         # client proposal (Cisco VPN client only) - confirm it is needed.
         pfs_group 2;
   }

   # Phase 2 (IPsec SA) parameters for any pair of endpoints: AES-256 with
   # HMAC-SHA1, rekeyed every hour.
   # NOTE(review): no pfs_group is set in this section, so per racoon.conf(5)
   # phase 2 keys are derived without a fresh Diffie-Hellman exchange (no
   # PFS); adding one requires the same change on the client.
   sainfo anonymous
   {
         lifetime time 3600 seconds;
         encryption_algorithm aes 256;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
   }

Linux Client (WAN IP 200.200.200.200, VPN IP 10.9.255.254)

Certificate

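We will put the certificate (peter.pem), private key (peter.key) and server certificate (ipsec_ca.pem) in /etc/racoon/cert. The private key was generated unencrypted on the server, so copy it over a secure channel and keep it readable by root only.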

Network configuration (tap interface + iptables)

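# Create the ipsec0 interface, owned by root.
tunctl -u root -t ipsec0
# Give it the client's VPN address; the MTU is lowered to 1380,
# presumably to leave room for ESP/NAT-T overhead.
ifconfig ipsec0 10.9.255.254 netmask 255.255.0.0 mtu 1380
# Traffic towards the VPN network leaves with the VPN address as its source.
iptables -t nat -A POSTROUTING -d 10.9.0.0/16 -j SNAT --to-source 10.9.255.254
# Accept traffic from the VPN network addressed to this client. The rule
# matches on addresses only; rejecting cleartext packets that merely claim a
# 10.9.0.0/16 source is left to the "in" IPsec policy (level require)
# installed by the Policies script - confirm that policy is loaded before
# relying on this rule.
iptables -A INPUT -s 10.9.0.0/16 -d 10.9.255.254 -j ACCEPT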

Racoon

Policies

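#!/bin/sh
# Install the client's IPsec security policies with setkey: traffic between
# the VPN network and this client's VPN address must use an ESP tunnel
# between this host and the VPN gateway.
#
# Note: "flush" and "spdflush" remove ALL security associations and policies
# on this host, including any that belong to other tunnels.
set -eu

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

INTERNAL_ADDR="10.9.255.254"
VPN_NETWORK="10.9.0.0/16"

# If you're behind a router/gateway, use this host's LAN address here;
# otherwise use the WAN IP.
OUTBOUND_IP="192.168.1.10"
VPN_GATEWAY="100.100.100.100"

# Unquoted delimiter: the variables above are expanded by the shell before
# setkey reads the text. The trailing "/require" makes IPsec mandatory for
# matching traffic.
setkey -c <<EOF
flush;
spdflush;

spdadd ${VPN_NETWORK}[any] ${INTERNAL_ADDR}[any] any -P in ipsec
        esp/tunnel/${VPN_GATEWAY}-${OUTBOUND_IP}/require;
spdadd ${INTERNAL_ADDR}[any] ${VPN_NETWORK}[any] any -P out ipsec
        esp/tunnel/${OUTBOUND_IP}-${VPN_GATEWAY}/require;
#spddelete ${VPN_NETWORK}[any] ${INTERNAL_ADDR}[any] any -P fwd ipsec esp/tunnel/${VPN_GATEWAY}-${OUTBOUND_IP}/require;

EOF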

racoon.conf

# Base directory for the certificate and key file names used below
# (ipsec_ca.pem, peter.pem, peter.key). peter.key is an unencrypted private
# key and should be readable by root only.
path certificate "/etc/racoon/cert" ;
# No pre-shared-key authentication method appears in the proposal below; if
# psk.txt exists it holds secrets and should be readable by root only.
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
         isakmp 192.168.1.10[500]; # if you're behind a router/gateway, otherwise use WAN IP
         isakmp_natt 192.168.1.10[4500]; # if you're behind a router/gateway, otherwise use WAN IP
         #adminsock disabled;
}

# Phase 1 settings for the VPN gateway at 100.100.100.100.
remote 100.100.100.100
   {

         exchange_mode main;
         # Identities are certificate subject DNs.
         # NOTE(review): no DN string follows asn1dn, so the gateway's
         # subject does not appear to be pinned. If racoon accepts any
         # subject here, any certificate issued by this CA (including another
         # client's) would be accepted as the gateway - confirm, and consider
         # giving the gateway's subject DN explicitly.
         my_identifier asn1dn;
         peers_identifier asn1dn;
         verify_identifier on;

           # Certificate and private key
         # ca_type names the CA used to validate the gateway's certificate;
         # certificate_type names this client's own certificate and key.
         ca_type x509 "ipsec_ca.pem" ;
         certificate_type x509 "peter.pem" "peter.key";

         ike_frag on;
         # NAT-T encapsulation is used even when no NAT is detected.
         nat_traversal force;
         dpd_delay 30;
         proposal_check obey;
         lifetime time 24 hour ; # sec,min,hour
         # Address, netmask and DNS are obtained from the gateway via mode
         # config.
         mode_cfg on;

         # phase 1 proposal (for ISAKMP SA)
         # NOTE(review): SHA-1 and DH group 5 (1536-bit MODP) are legacy
         # choices; where both peers support them, a SHA-2 hash and group 14
         # or larger are the stronger option. Both ends must be changed
         # together.
         proposal {
                 encryption_algorithm aes 256;
                 hash_algorithm sha1;
                 authentication_method rsasig ;
                 dh_group 5;
         }

   }

   # Phase 2 (IPsec SA) parameters for any pair of endpoints: AES-256 with
   # HMAC-SHA1, rekeyed every hour.
   # NOTE(review): no pfs_group is set in this section, so per racoon.conf(5)
   # phase 2 keys are derived without a fresh Diffie-Hellman exchange (no
   # PFS); adding one requires the same change on the gateway.
   sainfo anonymous
   {
         lifetime time 3600 seconds;
         encryption_algorithm aes 256;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
   }