How to build a remote user access VPN with Racoon?


RFC 3947 and 3948 describe a method to encapsulate ESP in UDP, and IKE extensions to manage NAT in between endpoints of IPsec streams. The encapsulation method and IKE extensions are together known as NAT Traversal (NAT-T). NAT-T might be encumbered by a US patent. Remote users will often connect from behind DSL modem-router appliances.

Is it safe to use group password with Racoon?

A group password is a weak solution and should not be used, because users are not really authenticated. X.509 certificates give you the highest security, but user certificates might be troublesome to manage. If you can afford it, then everything you need to know is in the IPsec FAQ. Login and password give an average security level.

How to start up racoon(8) at boot time?

In order to have racoon(8) started at boot time, you need the following in /etc/rc.conf: In the configuration sample, esp_frag is specified so that ESP fragmentation is used to avoid sending packets bigger than 552 bytes. 552 bytes is quite low, but it should work with the most broken DSL modem-router appliances.

How to exchange keys with Racoon using IKE?

Racoon exchanges them using IKE. IKE establishes its own SA for the key exchange itself; it does not use the IPsec-SA for that. There are two phases in IKE. One is the phase that establishes the SA for IKE's own communication (the IKE-SA). The other is the phase that establishes the IPsec-SA.

Do you need to know about IPsec to run Racoon?

This document gives priority to getting racoon running, by giving a simple example environment and by keeping configuration items to a minimum. The reader may be required to know about the IPsec architecture, but may not be familiar with it. Note that this document refers to the racoon included in kame-20001113-*-snap or later.

Which is the best way to setup Racoon?

One is manual configuration. The other is automated configuration. In our implementation, a daemon named "racoon" handles the latter case. Several parameters (keys) must be exchanged between you and the peer in order to establish the IPsec-SA, and racoon exchanges them using IKE.
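The two IKE phases described above, and the NAT-T and esp_frag settings from earlier answers, as a racoon.conf fragment added here for illustration (it is not configuration from the original page). The certificate directory and file names are assumptions; authentication uses certificates rather than a group password, in line with the advice above.

```conf
# Directory holding the server's certificate and key (assumed path).
path certificate "/etc/racoon/certs";

# Phase 1: establishes the IKE-SA that protects the key exchange itself.
# "anonymous" accepts remote users whose address is not known in advance.
remote anonymous {
    exchange_mode main;
    # Generate the SPD policy for the roaming client's address at connect time.
    generate_policy on;
    # Negotiate NAT traversal (RFC 3947/3948) with clients behind DSL routers.
    nat_traversal on;
    # Fragment before ESP encapsulation so no packet exceeds 552 bytes.
    esp_frag 552;
    # Authenticate with X.509 certificates instead of a shared group password.
    certificate_type x509 "server.crt" "server.key";   # assumed file names
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# Phase 2: establishes the IPsec-SA (ESP) used for the actual traffic.
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```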