Setting up a site-to-site VPN with Racoon
# Server (WAN IP 100.100.100.100, VPN IP 10.9.255.1)
Certificates
We will install the CA and certificates in /etc/racoon/conf: run mkdir /etc/racoon/conf, then copy the following files there:
### build_ca.sh
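#!/bin/sh
# build_ca.sh - create a fresh self-signed CA for racoon under ./ca.
#
# Run it from the directory that holds openssl.cnf (the rest of this page
# installs everything under /etc/racoon/conf); every path below is
# relative to the current directory.
#
# Wipes any existing ./ca, including the CA private key and the
# certificate database (index.txt/serial). Certificates issued by the
# old CA can no longer be revoked through it afterwards.
set -eu

rm -rf ./ca
mkdir -p ca/certs ca/newcerts ca/crl ca/private
# restrict the key directory before the key is written into it
chmod 700 ca/private
# empty certificate database and first serial number for 'openssl ca'
touch ./ca/index.txt
printf '01\n' > ./ca/serial

# Build root CA: 2048-bit RSA key, self-signed, valid for ten years.
# -nodes leaves the CA private key unencrypted on disk.
openssl req -new -x509 -config ./openssl.cnf -newkey rsa:2048 -days 3650 -nodes \
  -keyout ./ca/private/ipsec_ca.key -out ./ca/ipsec_ca.pem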
build_cert.sh
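#!/bin/sh
# build_cert.sh NAME - issue a peer certificate signed by the CA.
#
# Writes ca/certs/NAME.key, NAME.req and NAME.pem under $CERTPATH. The
# openssl.cnf on this page is assumed to store the signed copy as
# ca/newcerts/<serial>.pem, which is the file revoke.sh operates on.
set -eu
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
CERTPATH="/etc/racoon/conf"

if [ $# -ne 1 ] || [ -z "$1" ]; then
  printf 'usage: %s <name>\n' "$0" >&2
  exit 2
fi
# the name becomes part of a file name, so keep it to a plain identifier
case $1 in
  *[!A-Za-z0-9_.-]*|.*) printf 'invalid name: %s\n' "$1" >&2; exit 2 ;;
esac
name=$1

openssl req -newkey rsa:2048 -nodes -config "$CERTPATH/openssl.cnf" \
  -keyout "$CERTPATH/ca/certs/$name.key" -out "$CERTPATH/ca/certs/$name.req"
openssl ca -in "$CERTPATH/ca/certs/$name.req" -out "$CERTPATH/ca/certs/$name.pem" \
  -config "$CERTPATH/openssl.cnf"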
make_crl.sh
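#!/bin/sh
# make_crl.sh - regenerate the CRL and the hash-named link racoon reads.
#
# Run it from the directory that holds openssl.cnf and ca/ (see
# build_ca.sh). The <subject-hash>.r0 name is what OpenSSL's hashed
# directory lookup expects, so the link is refreshed every time.
set -eu

openssl ca -gencrl -config ./openssl.cnf -out ca/crl.pem

# a subshell keeps the directory change from affecting anything else
(
  cd ca || exit 1
  hash=$(openssl x509 -hash -noout -in ipsec_ca.pem)
  ln -sf crl.pem "$hash.r0"
)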
### revoke.sh
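#!/bin/sh
# revoke.sh SERIAL - revoke the certificate with the given serial number.
#
# SERIAL is the value from the serial column of ca/index.txt, including
# the leading zero (e.g. 03). Run make_crl.sh afterwards so that racoon
# sees the revocation.
set -eu
CERTPATH="/etc/racoon/conf"

if [ $# -ne 1 ] || [ -z "$1" ]; then
  printf 'usage: %s <serial>\n' "$0" >&2
  exit 2
fi
# serials are hex digits; anything else cannot name a file in newcerts/
case $1 in
  *[!0-9A-Fa-f]*) printf 'invalid serial: %s\n' "$1" >&2; exit 2 ;;
esac
cert="$CERTPATH/ca/newcerts/$1.pem"
[ -f "$cert" ] || { printf 'no such certificate: %s\n' "$cert" >&2; exit 1; }

# -config points at the same CA database build_cert.sh writes to; without
# it 'openssl ca' would fall back to the system-wide default config.
openssl ca -config "$CERTPATH/openssl.cnf" -revoke "$cert"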
Before you can create certificates, you need to create a CA; a self-signed one will serve our purpose just as well: ./build_ca.sh (run it from /etc/racoon/conf, since it creates ./ca next to openssl.cnf). Then, create certificates: ./build_cert.sh peter
Also, don’t forget to create the CRL by doing: ./make_crl.sh
The following file can be used to keep track of all certificates (whether still valid or revoked): ca/index.txt
In order to revoke a certificate, get its serial number from ca/index.txt (the third column, a two-digit number), then use: ./revoke.sh <serial number>. If the serial number appears as “03”, then you MUST include the leading zero: ./revoke.sh 03. Once you’ve revoked a certificate, you need to refresh the CRL: ./make_crl.sh
B) Network configuration (tap interface + iptables)
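# tap interface carrying the server's VPN address
tunctl -u root -t ipsec0
ifconfig ipsec0 10.9.255.1 netmask 255.255.0.0 mtu 1380
# source-NAT traffic heading into the VPN network to the tunnel address
iptables -t nat -I POSTROUTING -d 10.9.0.0/16 -j SNAT --to-source 10.9.255.1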
Note: you won’t see the traffic on the ipsec0 interface; instead, you will see it on the WAN interface, where both the encrypted and the decrypted packets appear.
C) Racoon
# racoon.conf (server side): certificate-authenticated IKEv1 responder
# for the VPN peers, with mode_cfg address assignment.
# Certificate files below are relative to this directory (built by build_ca.sh).
path certificate "/etc/racoon/conf/ca" ;
# still referenced although every proposal on this page uses rsasig
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
isakmp 100.100.100.100[500];
isakmp_natt 100.100.100.100[4500];
adminsock disabled;
}
timer
{
natt_keepalive 15 seconds;
}
# any peer may start phase 1; it is authenticated by certificate below
remote anonymous
{
exchange_mode main;
# the identifier the peer sends must match its certificate subject (asn1dn)
verify_identifier on;
my_identifier asn1dn;
peers_identifier asn1dn;
# Certificate and private key
# NOTE(review): the CA certificate and key double as this server's own
# identity, so the CA private key has to be present on the VPN host.
# A dedicated server certificate from build_cert.sh would allow the CA
# key to be kept off this machine.
certificate_type x509 "ipsec_ca.pem" "private/ipsec_ca.key" ;
ca_type x509 "ipsec_ca.pem" ;
# racoon installs the SPD entries for each peer from the phase 2 result
generate_policy on;
ike_frag on;
nat_traversal on;
dpd_delay 30;
# NOTE(review): 'claim' here versus 'obey' on the client config of this
# page - confirm the lifetime handling is intended on both sides.
proposal_check claim;
lifetime time 24 hour ; # sec,min,hour
passive off;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes 256;
# NOTE(review): sha1 and dh_group 5 are the weakest parameters in this
# proposal; sha256 and dh_group 14 are worth moving to once every peer
# supports them (both sides must change together).
hash_algorithm sha1;
authentication_method rsasig ;
#authentication_method xauth_rsa_server;
dh_group 5;
}
}
mode_cfg {
# addresses handed to peers: 20 from 10.9.0.2 upwards
network4 10.9.0.2;
pool_size 20;
netmask4 255.255.0.0;
# presumably only consulted if the xauth method above is enabled - verify
auth_source system;
dns4 127.0.0.1;
banner "/etc/racoon/motd";
pfs_group 2;
}
sainfo anonymous
{
lifetime time 3600 seconds;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Linux Client (WAN IP 200.200.200.200, VPN IP 10.9.255.254)
Certificate
We will put the certificate (peter.pem), private key (peter.key) and server certificate (ipsec_ca.pem) in /etc/racoon/cert.
Network configuration (tap interface + iptables)
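# tap interface carrying the client's VPN address
tunctl -u root -t ipsec0
ifconfig ipsec0 10.9.255.254 netmask 255.255.0.0 mtu 1380
# source-NAT traffic heading into the VPN network to the tunnel address
iptables -t nat -A POSTROUTING -d 10.9.0.0/16 -j SNAT --to-source 10.9.255.254
# accept traffic from the VPN network addressed to the tunnel address
iptables -A INPUT -s 10.9.0.0/16 -d 10.9.255.254 -j ACCEPT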
Racoon
Policies
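#!/bin/sh
# Policies: load the SPD entries that require ESP tunnel mode between
# this host's VPN address and the VPN network via the gateway.
#
# 'flush' and 'spdflush' discard every existing SA and policy on the
# host, so running this interrupts any other IPsec traffic.
set -eu
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
INTERNAL_ADDR="10.9.255.254"
VPN_NETWORK="10.9.0.0/16"
# if you're behind a router/gateway, otherwise use WAN IP
OUTBOUND_IP="192.168.1.10"
VPN_GATEWAY="100.100.100.100"

# the here-document is deliberately unquoted so the variables expand
setkey -c <<EOF
flush;
spdflush;
spdadd $VPN_NETWORK[any] $INTERNAL_ADDR[any] any -P in ipsec
  esp/tunnel/$VPN_GATEWAY-$OUTBOUND_IP/require;
spdadd $INTERNAL_ADDR[any] $VPN_NETWORK[any] any -P out ipsec
  esp/tunnel/$OUTBOUND_IP-$VPN_GATEWAY/require;
#spddelete $VPN_NETWORK[any] $INTERNAL_ADDR[any] any -P fwd ipsec
#  esp/tunnel/$VPN_GATEWAY-$OUTBOUND_IP/require;
EOF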
racoon.conf
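# racoon.conf (client side): initiate IKEv1 to the gateway using the
# peer certificate issued by build_cert.sh.
path certificate "/etc/racoon/cert" ;
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
# if you're behind a router/gateway, otherwise use WAN IP
isakmp 192.168.1.10[500];
# if you're behind a router/gateway, otherwise use WAN IP
isakmp_natt 192.168.1.10[4500];
#adminsock disabled;
}
remote 100.100.100.100
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
# the identifier the gateway sends must match its certificate subject
verify_identifier on;
# Certificate and private key
# ipsec_ca.pem is the trust anchor; with the server config on this page
# the gateway presents that same certificate as its own identity.
ca_type x509 "ipsec_ca.pem" ;
certificate_type x509 "peter.pem" "peter.key";
ike_frag on;
# UDP encapsulation is used regardless of NAT detection
nat_traversal force;
dpd_delay 30;
# presumably takes the gateway's lifetime as sent ('claim' on the server)
proposal_check obey;
lifetime time 24 hour ; # sec,min,hour
# request address/DNS settings from the gateway's mode_cfg block
mode_cfg on;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes 256;
# NOTE(review): sha1 / dh_group 5 must match the gateway; both sides
# could move to sha256 / dh_group 14 together.
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 5;
}
}
sainfo anonymous
{
lifetime time 3600 seconds;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}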