Racoon Roadwarrior Pre-shared key

Discussion in 'Installation/Configuration' started by neostyx, Sep 19, 2011.


    Hi,

    I've been carefully reading the racoon roadwarrior set-up on howtoforge, which was very instructive. It explains the certificate authentication mode; for my current work I need to set it up using pre-shared keys.

    I've taken the config file presented in the tutorial and changed some parameters so that it fits PSK mode. In certificate mode I can reach phase 2 and get the welcome message and IP, but not in PSK mode. I've been looking around but can't explain why.

    Here is my config file on the client side :

    Code:
    # Client (roadwarrior) racoon.conf as posted. Reviewer remarks are marked
    # NOTE(review); the configuration statements themselves are unchanged.
    # NOTE(review): racoon rejects a pre_shared_key file that is readable by
    # others; keep psk.txt root-owned with mode 0600 on both peers.
    path pre_shared_key "/etc/racoon/psk.txt";
    
    #option of controlling racoon by racoonctl tool is enabled
    # NOTE(review): members of group "operator" can drive racoon through this
    # socket (connect/disconnect), so that group membership is VPN control.
    listen {
            adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
    }
    
    # Maximum time allowed for each IKE phase to complete.
    timer {
            phase1 60 seconds;
            phase2 60 seconds;
    }
    
    #remote section – known address of VPN gateway
    remote 10.0.0.40 {
    
            #new
            doi ipsec_doi;
            situation identity_only;
            lifetime time 1 hour;
            # NOTE(review): "passive on" tells racoon not to initiate. On the
            # roadwarrior (initiator) side this is normally off — confirm the
            # negotiation is really being started from this host and not only
            # expected to happen by itself.
            passive on;
            # NOTE(review): with pre_shared_key the gateway looks the key up by
            # this identifier, so its psk.txt needs an entry for 10.0.0.93.
            my_identifier address 10.0.0.93;
    
            #weak_phase1_check on;
    
    #work mode in IKE first phase
            # NOTE(review): aggressive mode with a PSK sends the identity in the
            # clear and lets a passive observer collect material for offline
            # guessing of the key. With a fixed gateway address, main mode alone
            # is sufficient and safer; whichever mode is kept, use a long random
            # PSK.
            exchange_mode aggressive, main;
    #certificate type and file name
            #ca_type x509 "root-ca.pem";
    #obeying the options requested by other peer
            proposal_check obey;
    #nat-t set to off
            nat_traversal off;
    #IKE fragmentation enabled
            ike_frag on;
    #accepting information about the network being connected to
            # NOTE(review): mode_cfg only asks the gateway for an address after
            # phase 1; whether the gateway answers depends on its own mode_cfg /
            # auth settings, which plain pre_shared_key (no XAuth) may not
            # satisfy — see the authentication_method note below.
            mode_cfg on;
    #verifying certificates set to off
            #verify_cert off;
    #IKE first phase starting script
            script "/etc/racoon/phase1-up.sh" phase1_up;
    #IKE first phase ending script
            script "/etc/racoon/phase1-down.sh" phase1_down;
    #agreement proposal in IKE first phase
    proposal {
    #cryptography and hash algorithm
                   encryption_algorithm aes;
                   # NOTE(review): md5 is obsolete as an IKE hash; sha1, or sha256
                   # if both racoon builds support it, is preferable.
                   hash_algorithm md5;
    #authentication method
                    #authentication_method hybrid_rsa_client;
                    # NOTE(review): pre_shared_key performs no XAuth. If the
                    # gateway expects a user login before handing out mode_cfg
                    # data, racoon's xauth_psk_client is the PSK-plus-XAuth
                    # method (pair it with xauth_psk_server on the gateway).
                    # Verify against racoon.conf(5) for the installed version.
                    authentication_method pre_shared_key;
    #Diffie-Hellman exponential group
                   #dh_group 2;
                   # NOTE(review): modp1024 (group 2) is below current
                   # recommendations; modp2048 (group 14) if both ends support it.
                   dh_group modp1024;
            }
    }
    
    and on the server side :

    Code:
    # Gateway (server) racoon.conf as posted. Reviewer remarks are marked
    # NOTE(review); the configuration statements themselves are unchanged.
    #path to the certificate
    #path certificate "/etc/racoon";
    
    #path to the pre-shared key file
    # NOTE(review): the "=" here is not the racoon.conf(5) form
    # `path pre_shared_key "file";` that the client uses. If the running file
    # really contains it, check racoon's startup log to be sure this file was
    # parsed rather than a stale configuration. The file itself must be
    # root-owned and mode 0600 or racoon refuses to use it.
    path pre_shared_key = "/etc/racoon/psk.txt";
    
    #option of controlling racoon by racoonctl tool is disabled
    listen {
            #adminsock disabled;
            adminsock "/var/racoon/racoon.sock";
    }
    
    #new
    # Maximum time allowed for each IKE phase to complete.
    timer {
            phase1 60 seconds;
            phase2 60 seconds;
    }
    
    
    #remote section . anonymous address of roadwarrior client
    remote anonymous {
    #work mode in IKE first phase
    
            #new
            doi ipsec_doi;
            situation identity_only;
            lifetime time 1 hour;
            passive on;
    
            #verify_identifier on;
            # NOTE(review): with "remote anonymous" and pre_shared_key the key
            # is selected by the peer's identity (source address in main mode,
            # the ID payload in aggressive mode), so psk.txt needs one line per
            # client identifier. A single key shared by all roadwarriors lets
            # any holder of it impersonate the gateway towards the others.
    
            # NOTE(review): aggressive mode is offered first; with a PSK it
            # exposes the client identity and hash material usable for offline
            # guessing of the key. If clients can use main mode, drop it.
            exchange_mode aggressive,main;
    #certificate type, certificate and secret key file name
            #certificate_type x509 "cert.pem" "key.pem";
            #claiming the options requested by other peer
            proposal_check claim;
    #automatic generation of SPs from the initial connection request
            # NOTE(review): together with "sainfo anonymous" below, the gateway
            # installs policies for whatever selectors an authenticated client
            # proposes. Acceptable for a roadwarrior pool, but it is the
            # authentication step above that bounds who can do this.
            generate_policy on;
    #verifying certificates set to off
            #verify_cert off;
    #nat-t set to off
            nat_traversal off;
    #DPD activation and 20 sec. delay allowed between 2 proof of liveness requests
            dpd_delay 20;
    #IKE fragmentation enabled
            ike_frag on;
    #agreement proposal in IKE first phase
            proposal {
    #cryptography and hash algorithm
                    encryption_algorithm aes;
                    # NOTE(review): md5 is obsolete as an IKE hash; sha1, or
                    # sha256 if both racoon builds support it, is preferable.
                    hash_algorithm md5;
    #authentication method
                    #authentication_method hybrid_rsa_server;
                    # NOTE(review): pre_shared_key does no XAuth, while the
                    # mode_cfg section below has auth_source set, i.e. the
                    # gateway expects a user login. racoon's xauth_psk_server
                    # (with xauth_psk_client on the roadwarrior) is the
                    # PSK-plus-XAuth method; verify against racoon.conf(5).
                    authentication_method pre_shared_key;
    #Diffie-Hellman exponential group
                    #dh_group 2;
                    # NOTE(review): modp1024 (group 2) is below current
                    # recommendations; modp2048 (group 14) if both ends support it.
                    dh_group modp1024;
            }
    }
    #local network information
    mode_cfg {
    #starting address of the IP address pool
            network4 192.168.112.5;
    #maximum number of clients
            pool_size 20;
    #network mask
            netmask4 255.255.255.0;
    #authentication source . user database on the system
            #auth_source pam;
            # NOTE(review): auth_source system means the gateway authenticates
            # an XAuth login against the local user database before sending the
            # config reply (address, DNS, banner). With plain pre_shared_key no
            # XAuth exchange happens, so that reply may never be sent — this
            # matches the reported symptom of phase 1 completing with no IP
            # and no motd. Confirm with racoon's log on the gateway.
            auth_source system;
    #configuration source . from data given in this section
            conf_source local;
    #DNS and WINS servers IP addresses
            dns4 192.168.112.1;
            wins4 192.168.112.1;
    #banner file . welcome message
            banner "/etc/racoon/motd";
    }
    #SA information for IKE second phase
    sainfo anonymous {
    #Diffie-Hellman exponential group
            #pfs_group 2;
            # NOTE(review): same remark as for dh_group — modp2048 if supported.
            pfs_group modp1024;
    #second phase information lifetime
            lifetime time 1 hour;
    #cryptography, authentication and compression algorithm
            encryption_algorithm aes;
            # NOTE(review): hmac_md5 is weak by current standards; hmac_sha1 or
            # hmac_sha256 where both ends support it.
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
    }
    
    The first phase seems to be OK, but I don't get the motd message and no IP is assigned to the virtual device; nothing happens. Any help would be appreciated.

    I can add the log if needed, or the phase1-up / phase1-down scripts, but they work with the certificate, so I guess the problem is in the config?
    Best regards,

    Sébastien
     
    Last edited: Sep 19, 2011
