On Thu, Nov 19, 2020 at 07:08:38AM +1030, Brett Lymn wrote:
> > I will dig up the document I wrote about the setup. My fuzzy memory is that
> > there were no hacks required.
Little wonder my memory was fuzzy - I did this 13 years ago. I found the
documentation. I did use a RADIUS server as the backend auth along with a
self-signed certificate for hybrid RSA-XAuth. Unfortunately, the document I
have is not generic and contains some confidential details, but I am happy to
provide sanitised snippets to help out. Below is the racoon.conf; if you need
to see the radiusd.conf I have that too, but it is fairly long.

This is the racoon.conf. There were 3 classes of users: the data entry people,
admin staff and developers. The RADIUS server was used to map the user to the
appropriate class depending on group membership:

========================================================================
path certificate "/etc/openssl/certs";   # directory holding vpngw.crt/vpngw.key

listen {
    adminsock "/var/racoon/racoon.sock";
    isakmp 192.168.1.253 [500];
    isakmp_natt 192.168.1.253 [4500];
}

timer {
    counter 30;
    phase1 60 seconds;
    phase2 40 seconds;
    natt_keepalive 20 seconds;
}

# one catch-all entry: road-warrior clients connect from anywhere
remote anonymous {
    exchange_mode aggressive;
    certificate_type x509 "vpngw.crt" "vpngw.key";   # gateway's self-signed cert
    my_identifier asn1dn;
    proposal_check claim;
    generate_policy on;         # automatically generate IPsec policies
    dpd_delay 20;               # DPD poll every 20 seconds
    dpd_maxfail 50;             # Wait a long time to consider things dead
    nat_traversal force;        # always use NATT
    ike_frag on;                # use IKE fragmentation
    passive on;                 # gateway never initiates
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        # hybrid: gateway authenticates with the cert, users via XAuth/RADIUS
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}

mode_cfg {
    pool_size 25;               # size of the VPN IP pool
    auth_source radius;         # login validated against RADIUS
    conf_source radius;         # IPv4 address obtained by RADIUS
    accounting radius;          # RADIUS accounting
    dns4 192.168.2.254;         # IPv4 DNS server
    wins4 192.168.2.254;        # IPv4 WINS server
    default_domain "corporate.local";
    split_network include 192.168.0.0/24,192.168.1.0/24,192.168.2.0/24;
    banner "/etc/racoon/motd";  # Banner message for clients
    pfs_group 2;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
========================================================================

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"
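As an added example (not code from Brett's mail, nor from ipsec-tools), here is a small Python parser for the brace-and-semicolon syntax racoon.conf uses, with the checks a reviewer would run over a hybrid RSA-XAuth gateway config like the one above: aggressive mode, DH groups of 1536 bits or less, SHA-1 in phase 1, and how long the dpd_* settings take to notice a dead peer. The embedded config is a trimmed copy of the posted one; the racoon.conf(5) defaults assumed for dpd_retry and dpd_maxfail, the "weak group" list and the 120-second DPD threshold are this example's own choices.

```python
"""Parse a racoon.conf fragment and flag dated IKE/IPsec settings."""
import re

# Constructed input: the gateway config from the mail above, comments trimmed.
RACOON_CONF = """
path certificate "/etc/openssl/certs";
remote anonymous {
    exchange_mode aggressive; certificate_type x509 "vpngw.crt" "vpngw.key";
    my_identifier asn1dn; dpd_delay 20; dpd_maxfail 50;  # DPD poll every 20 s
    proposal { encryption_algorithm aes; hash_algorithm sha1;
               authentication_method hybrid_rsa_server; dh_group 2; }
}
mode_cfg { pool_size 25; auth_source radius; conf_source radius; pfs_group 2; }
sainfo anonymous { pfs_group 2; encryption_algorithm aes; authentication_algorithm hmac_sha1; }
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
DPD_RETRY_DEFAULT = 5    # assumed racoon.conf(5) default: seconds between DPD retries
DPD_MAXFAIL_DEFAULT = 5  # assumed racoon.conf(5) default: failed retries before "dead"
WEAK_DH = {"1", "2", "5", "modp768", "modp1024", "modp1536"}  # <= 1536-bit MODP

def parse(text):
    """Tree of ('stmt', [words]) and ('block', [header words], children)."""
    tokens = _TOKEN.findall(re.sub(r"#[^\n]*", "", text))  # '#' starts a comment
    pos = 0

    def block(depth):
        nonlocal pos
        entries, cur = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if cur:
                    entries.append(("stmt", cur))
                cur = []
            elif tok == "{":
                entries.append(("block", cur, block(depth + 1)))
                cur = []
            elif tok == "}":
                if depth == 0 or cur:
                    raise ValueError("unexpected '}'")
                return entries
            else:
                cur.append(tok.strip('"'))
        if depth or cur:
            raise ValueError("missing '}' or ';'")
        return entries

    return block(0)

def find_block(entries, *header):
    """Children of the first block whose header starts with the given words."""
    for e in entries:
        if e[0] == "block" and tuple(e[1][:len(header)]) == header:
            return e[2]
    return None

def setting(entries, key):
    """Arguments of the first statement named key in this block, else None."""
    for e in entries:
        if e[0] == "stmt" and e[1][0] == key:
            return e[1][1:]
    return None

def dpd_detect_seconds(remote):
    """Worst-case seconds before a silent peer is torn down; None if DPD is off."""
    delay = setting(remote, "dpd_delay")
    if not delay or delay[0] == "0":
        return None
    retry, maxfail = setting(remote, "dpd_retry"), setting(remote, "dpd_maxfail")
    retry_s = int(retry[0]) if retry else DPD_RETRY_DEFAULT
    fails = int(maxfail[0]) if maxfail else DPD_MAXFAIL_DEFAULT
    return int(delay[0]) + fails * retry_s

def lint(conf):
    """(block, setting, reason) triples for settings a reviewer should revisit."""
    out = []
    for e in parse(conf):
        if e[0] != "block":
            continue
        name, body = " ".join(e[1]), e[2]
        if e[1][0] == "remote":
            if setting(body, "exchange_mode") == ["aggressive"]:
                out.append((name, "exchange_mode", "IDs sent unencrypted; keep only if clients need it"))
            dpd = dpd_detect_seconds(body)
            if dpd is not None and dpd > 120:
                out.append((name, "dpd_maxfail", f"silent peer torn down only after ~{dpd}s"))
            for p in [x for x in body if x[0] == "block" and x[1][:1] == ["proposal"]]:
                dh, h = setting(p[2], "dh_group"), setting(p[2], "hash_algorithm")
                if dh and dh[0] in WEAK_DH:
                    out.append((name + " proposal", "dh_group", "<= 1536-bit MODP; use 14 or larger"))
                if h and h[0] in ("md5", "sha1"):
                    out.append((name + " proposal", "hash_algorithm", f"{h[0]}: prefer sha256"))
        pfs = setting(body, "pfs_group")
        if pfs and pfs[0] in WEAK_DH:
            out.append((name, "pfs_group", "<= 1536-bit MODP; use 14 or larger"))
    return out
```

Run `lint(RACOON_CONF)` on the posted config and it reports six items: the aggressive exchange mode, the DPD timing (20 s delay plus 50 retries at the assumed 5 s interval, about 270 s before a vanished client's SA is torn down), group 2 in the phase 1 proposal, SHA-1 as the phase 1 hash, and group 2 as the PFS group in both mode_cfg and sainfo. None of these stop the setup from working, and aggressive mode in particular is what many legacy XAuth clients insist on, but they are the knobs to revisit before reusing a 13-year-old config.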