
DEPARTMENT OF ELECTRONICS, MICROELECTRONICS, COMPUTER AND INTELLIGENT SYSTEMS

FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING


UNIVERSITY OF ZAGREB

Racoon roadwarrior configuration


Matija Zeman

Zagreb, 2006.
Table of Contents
1. Roadwarrior scenario
2. VPN gateway configuration
3. Roadwarrior client configuration
4. Connecting
5. Windows XP client – ShrewSoft VPN Client
6. Creating certificates
7. Literature
1. Roadwarrior scenario
A roadwarrior is a client that uses an unknown, dynamically assigned IP address to connect to a VPN
gateway (in this case also the firewall). This situation is shown in picture 1.1 and is one of the most
interesting and, today, most needed scenarios in a business environment. Here are some of the reasons
why:
● The client can be any computer (with any IP address assigned) that has Internet access and can
initiate a connection to the VPN gateway.
● When connecting to the VPN, the client is assigned an internal IP address on the network it is
connecting to, which gives the impression that it is directly connected to the VPN network
instead of tunneling through the Internet.
● Because an internal IP address is assigned, network administration is easier.
● Traffic is protected on the route from the client to the VPN gateway.
● While connected, the client has no direct access to the Internet, because its traffic is routed
through the VPN network and the firewall (VPN gateway).

Picture 1.1. Roadwarrior scenario

In combination with racoon, the roadwarrior scenario presents a few problems:

● The client's IP address is unknown and cannot be defined in the racoon.conf configuration file
or in the PSK key file. Therefore another way of authenticating the client is needed.
● It is not possible to define in advance the SPs according to which racoon on the gateway will
behave, because the client's address is unknown. Racoon has to create any needed SPs
and SAs when the connection is initiated.


Picture 1.1 shows the roadwarrior scenario simulated with the local network 192.168.112.0/24,
containing the computer 192.168.112.131, which is connected to the Internet through the VPN gateway
(also a firewall) with public IP address 192.168.111.129 (its address toward the local network is
192.168.112.202). The Internet is simulated by the 192.168.111.0/24 network, which besides the VPN
gateway contains two computers: the roadwarrior client (IP address 192.168.111.203) and another
computer connected to the Internet that takes no part in the roadwarrior scenario (192.168.111.3).
To achieve the roadwarrior scenario, it is necessary to configure the computers that this connection
depends on.

2. VPN gateway configuration
The VPN gateway needs a configuration file for racoon, stored in
/etc/racoon/racoon.conf. The configuration options are commented below.
#path to the certificate directory
path certificate "/etc/racoon";
#control of racoon through the racoonctl tool is disabled on the gateway
listen {
adminsock disabled;
}
#remote section – anonymous, i.e. it applies to a roadwarrior client connecting from any address
remote anonymous {
#IKE phase 1 exchange modes accepted from clients
exchange_mode aggressive,main;
#certificate type, gateway certificate and private key file names
certificate_type x509 "cert.pem" "key.pem";
#accept the client's proposal; if its lifetime is longer than ours, use ours and notify the client (claim)
proposal_check claim;
#automatic generation of SPs from the client's initial connection request
generate_policy on;
#peer certificate verification disabled (in hybrid mode the client sends no certificate; it is authenticated by XAuth)
verify_cert off;
#NAT traversal disabled
nat_traversal off;
#DPD activation: 20 s delay between two proof-of-liveness requests
dpd_delay 20;
#IKE fragmentation enabled (phase 1 packets carrying certificates are large)
ike_frag on;
#proposal for IKE phase 1
proposal {
#encryption and hash algorithm
encryption_algorithm aes;
hash_algorithm md5;
#authentication method: the gateway authenticates with its RSA certificate, the client by XAuth
authentication_method hybrid_rsa_server;
#Diffie-Hellman group
dh_group 2;
}
}
#mode-config: network information handed to connecting clients
mode_cfg {
#first address of the IP address pool
network4 192.168.112.5;
#maximum number of clients (pool size)
pool_size 20;
#network mask
netmask4 255.255.255.0;
#authentication source for XAuth – user database of the system
auth_source system;
#configuration source – data given in this section
conf_source local;
#DNS and WINS server IP addresses
dns4 192.168.112.202;
wins4 192.168.112.202;
#banner file – welcome message
banner "/etc/racoon/motd";
}
#SA parameters for IKE phase 2
sainfo anonymous {
#PFS Diffie-Hellman group
pfs_group 2;
#phase 2 SA lifetime
lifetime time 1 hour;
#encryption, authentication and compression algorithm
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


The most important parts of this configuration file are the mode_cfg section and the generate_policy
directive inside the remote section. The generate_policy directive instructs racoon to automatically
generate the needed SPs from the data given in the initial connection request. The mode_cfg section
defines the IP address pool used for roadwarrior clients, the authentication method and the welcome
message. The remote and sainfo sections are defined for an anonymous IP address so that they accept
connections from any address, while the client is authenticated by the hybrid RSA authentication
method against the system's user database, which is why the remote section of the gateway
configuration uses the hybrid_rsa_server authentication method. The gateway, on the other hand, is
authenticated to the client through its certificate.
Besides the racoon configuration file, traffic needs to be limited by firewall rules. The simplest
security policy is defined in the following shell script, saved as fw.sh. The rules are
commented inside the script listing.
#flushing the NAT table
iptables -F -t nat
#flushing INPUT chain inside filter table
iptables -F INPUT
#flushing FORWARD chain inside filter table
iptables -F FORWARD
#flushing OUTPUT chain inside filter table
iptables -F OUTPUT
#setting default policy for INPUT chain
iptables -P INPUT DROP
#setting default policy for FORWARD chain
iptables -P FORWARD DROP
#setting default policy for OUTPUT chain
iptables -P OUTPUT ACCEPT
#accepting ESP (IP protocol 50) coming to interface eth0
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
#accepting AH (IP protocol 51) coming to interface eth0
iptables -A INPUT -i eth0 -p 51 -j ACCEPT
#accepting UDP with source port 500 - ISAKMP (IKE)
iptables -A INPUT -i eth0 -p udp --source-port 500 -j ACCEPT
#accepting UDP with source port 4500 - NAT-T
iptables -A INPUT -i eth0 -p udp --source-port 4500 -j ACCEPT
#masquerading packets coming from the local network or roadwarrior clients and going to
#the Internet ("-d ! net" is the old iptables negation syntax; current versions write "! -d net")
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.112.0/24 -j MASQUERADE
#forwarding packets from a roadwarrior client back to the Internet if the destination is not
#inside the local network
iptables -A FORWARD -i eth0 -d ! 192.168.112.0/24 -o eth0 -j ACCEPT
#forwarding packets from the local network towards the Internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#forwarding packets from roadwarriors (address pool 192.168.112.0/27) towards the Internet
iptables -A FORWARD -i eth0 -s 192.168.112.0/27 -o eth0 -j ACCEPT
#forwarding packets from the Internet to the local network if the connection is already
#established
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#forwarding packets from the Internet to roadwarriors if the connection is already
#established
iptables -A FORWARD -i eth0 -o eth0 -d 192.168.112.0/27 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
#accepting packets from the Internet if the connection is already established
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#marking packets that arrived inside ESP
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
#accepting packets of all protocols if they carry the mark (i.e. they came through the tunnel)
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
#forwarding packets of all protocols if they carry the mark
iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT

For the above rules to serve their purpose, the computers in the local network need a route
to the roadwarrior address pool, set by the following command.
# ip route add 192.168.112.0/27 via 192.168.112.202 dev eth1


Also, the VPN gateway needs to know where the roadwarriors are, so the following route should be
added on the gateway.
# ip route add 192.168.112.0/27 dev eth0 src 192.168.111.129

Besides the files mentioned, the VPN gateway must have a server certificate and a server key in the
files /etc/racoon/cert.pem and /etc/racoon/key.pem respectively, as stated in the racoon
configuration file. Creating the certificates is described in chapter 6.
Optionally, the console welcome message for users who connect to the VPN gateway can be defined in
the /etc/racoon/motd file, as stated in the racoon configuration file.

3. Roadwarrior client configuration
Roadwarrior clients also need the racoon configuration file /etc/racoon/racoon.conf, whose
directives are commented in the listing below.
#path to the certificate directory
path certificate "/etc/racoon";
#control of racoon through the racoonctl tool is enabled
listen {
adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}
#remote section – known address of the VPN gateway
remote 192.168.111.129 {
#IKE phase 1 exchange mode
exchange_mode aggressive;
#type and file name of the root certificate that signed the gateway certificate
ca_type x509 "root-ca.pem";
#obey the options proposed by the gateway
proposal_check obey;
#NAT traversal disabled
nat_traversal off;
#IKE fragmentation enabled
ike_frag on;
#accept network information (internal address, DNS, banner) from the VPN gateway
mode_cfg on;
#gateway certificate verification disabled: the certificate is not checked against root-ca.pem,
#so any certificate would be accepted; set to on so that the gateway cannot be impersonated
verify_cert off;
#script run when IKE phase 1 comes up
script "/etc/racoon/phase1-up.sh" phase1_up;
#script run when IKE phase 1 goes down
script "/etc/racoon/phase1-down.sh" phase1_down;
#proposal for IKE phase 1
proposal {
#encryption and hash algorithm
encryption_algorithm aes;
hash_algorithm md5;
#authentication method: the gateway authenticates with its certificate, the client by XAuth
authentication_method hybrid_rsa_client;
#Diffie-Hellman group
dh_group 2;
}
}
#SA parameters for IKE phase 2
sainfo anonymous {
#PFS Diffie-Hellman group
pfs_group 2;
#phase 2 SA lifetime
lifetime time 1 hour;
#encryption, authentication and compression algorithm
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

The important directives in the client's remote section are the mode_cfg directive, which instructs
racoon to accept network information from the VPN gateway, including the assigned internal IP
address, and the hybrid_rsa_client authentication method. In this example, the remote section points
to the VPN gateway's IP address, while the sainfo section is defined for an anonymous address. Because
racoonctl will be used to connect to the VPN gateway, it does not matter whether these sections point
to the VPN gateway's address or to an anonymous address. Also, as shown in the racoon
configuration file, racoon invokes two shell scripts that contain the commands to set up the
environment (routes, internal IP address, SPs) needed for the roadwarrior connection to work
properly. The phase1-up.sh shell script is run while the connection to the VPN gateway is being set up.
The necessary commands are listed below.


#!/bin/sh
#printing the known IP addresses and setting the PATH environment variable
echo "internal address: ${INTERNAL_ADDR4}" #internal address in the local network (assigned by the gateway)
echo "local address: ${LOCAL_ADDR}" #current public IP address of the client
echo "remote address: $REMOTE_ADDR" #VPN gateway IP address
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#variable holding the name of the virtual network interface
#(a variable named "if" is legal in sh; only the bare keyword "if" is reserved)
if=dummy0
#adding the internal IP address to the virtual network interface
ip address add dev ${if} ${INTERNAL_ADDR4}
#deleting the default route
ip route del default
#adding a route to the VPN gateway
ip route add ${REMOTE_ADDR} via 192.168.111.129
#adding the default route with the new source address
ip route add default via 192.168.111.129 src ${INTERNAL_ADDR4}
#deleting the existing route towards the local network
ip route delete 192.168.112.0/24 via 192.168.111.129 dev eth0
#deleting the existing route towards the Internet
ip route delete 192.168.111.0/24 dev eth0
#setting SPs from the internal address towards all other IP addresses through the tunnel
#from the roadwarrior client to the VPN gateway, and vice versa, and also deleting the
#accompanying forwarding SP
echo "
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
-P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
-P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c
echo "
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
-P fwd ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

This shell script defines a virtual network interface and assigns it the internal IP address given
by the VPN gateway, deletes the existing routes and sets new routes towards the local network, the
VPN gateway and the default route. It also adds the needed SPs on the client side.
The phase1-down.sh shell script is run while disconnecting from the VPN gateway; its commands
are listed below.
#!/bin/sh
#listing known IP addresses and setting PATH environment variable
echo "----------------"
echo "internal address: ${INTERNAL_ADDR4}"
echo "local address: ${LOCAL_ADDR}"
echo "remote address: $REMOTE_ADDR"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#defining variable to hold the name of virtual network interface
if=dummy0
#deleting internal IP address from virtual network interface
ip address delete ${INTERNAL_ADDR4} dev ${if}
#deleting route towards VPN gateway
ip route delete ${REMOTE_ADDR} via 192.168.111.129
#adding default route through network interface eth0
ip route add default dev eth0
#adding routes towards local network and Internet
ip route add 192.168.112.0/24 via 192.168.111.129 dev eth0
ip route add 192.168.111.0/24 dev eth0 src ${LOCAL_ADDR}
#flushing the SAD (-F) and the SPD (-FP)
setkey -F
setkey -FP

This shell script returns the client to the state it was in before the connection by erasing the
assigned internal IP address and the routes that are no longer needed, and restoring the previously
deleted routes. The script also flushes the SPD and SAD, but it is important to mention that in more
complex cases (for example, a client connected to two VPN gateways at the same time) the entries
should be deleted in a way that does not remove all entries, but only the ones that define the
connection being closed.
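The selective teardown just described, as an added example that is not part of the original document: a phase1-down.sh variant that removes only the two SPD entries phase1-up.sh created and the ESP SAs of this one tunnel, instead of the global setkey -F / setkey -FP flush, so a second tunnel's entries survive. It assumes the racoon variables (INTERNAL_ADDR4, LOCAL_ADDR, REMOTE_ADDR) and the dummy0 interface used above; the generator functions take the addresses as arguments so their output can be checked without root.

```shell
#!/bin/sh
# Added example, not from the original document: phase1-down.sh that deletes
# only the policies and SAs belonging to the tunnel being closed, instead of
# the global "setkey -F" / "setkey -FP" flush. Racoon exports INTERNAL_ADDR4,
# LOCAL_ADDR and REMOTE_ADDR when it runs the phase1_down script; the functions
# take them as arguments so the generated setkey input can be inspected by hand.

# Accept only a well-formed dotted quad, so an unset racoon variable can never
# expand into a setkey line that matches more than this tunnel.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# setkey input that removes the two policies phase1-up.sh added for this
# tunnel (the fwd policy was already deleted there); args: internal local remote
gen_spd_delete() {
    cat <<EOF
spddelete ${1}/32[any] 0.0.0.0/0[any] any
    -P out ipsec esp/tunnel/${2}-${3}/require;
spddelete 0.0.0.0/0[any] ${1}[any] any
    -P in ipsec esp/tunnel/${3}-${2}/require;
EOF
}

# setkey input that removes the ESP SAs of this tunnel in both directions;
# SAs of a tunnel to another gateway are untouched; args: local remote
gen_sad_delete() {
    cat <<EOF
deleteall ${1} ${2} esp;
deleteall ${2} ${1} esp;
EOF
}

# Only racoon sets REMOTE_ADDR; when the file is run without it, just the
# functions above are defined.
if [ -n "${REMOTE_ADDR:-}" ]; then
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    for addr in "$INTERNAL_ADDR4" "$LOCAL_ADDR" "$REMOTE_ADDR"; do
        is_ipv4 "$addr" || { echo "phase1-down: bad address '$addr'" >&2; exit 1; }
    done
    ip address delete "${INTERNAL_ADDR4}" dev dummy0
    # routes restored exactly as in the original phase1-down.sh
    ip route delete "${REMOTE_ADDR}" via 192.168.111.129
    ip route add default dev eth0
    ip route add 192.168.112.0/24 via 192.168.111.129 dev eth0
    ip route add 192.168.111.0/24 dev eth0 src "${LOCAL_ADDR}"
    gen_spd_delete "$INTERNAL_ADDR4" "$LOCAL_ADDR" "$REMOTE_ADDR" | setkey -c
    gen_sad_delete "$LOCAL_ADDR" "$REMOTE_ADDR" | setkey -c
fi
```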
Besides the files already mentioned, the roadwarrior client must have the root certificate stored as
/etc/racoon/root-ca.pem, as defined in the racoon configuration file. As already
pointed out, creation of the needed certificates is described in chapter 6.

4. Making a connection
To make a connection, the VPN gateway is set up first. The firewall rules are applied by
running the shell script stored as fw.sh; after that, racoon is started with the following
command.
# ./fw.sh
# racoon -F -f /etc/racoon/racoon.conf

The VPN gateway is now ready and waits for clients to initiate a connection.
Racoon is then started on the roadwarrior client with the following command.
# racoon -f /etc/racoon/racoon.conf

Once racoon is running, it can be controlled with the racoonctl tool. The connection is initiated by
running the following command.
# racoonctl vc -u username 192.168.111.129

Username is the name of one of the existing users on the VPN gateway. Racoonctl will ask for the
user's password and, if the supplied information is correct, the client is presented with the
assigned internal IP address and the welcome message.
# racoonctl vc -u mac 192.168.111.129
Password:
Bound to address 192.168.112.5
Welcome

Ping can now be run on the client, trying to reach the computer 192.168.112.131 inside the
local network.
# ping 192.168.112.131
connect: Resource temporarily unavailable
# ping 192.168.112.131
PING 192.168.112.131 (192.168.112.131) 56(84) bytes of data.
64 bytes from 192.168.112.131: icmp_seq=1 ttl=63 time=164 ms
64 bytes from 192.168.112.131: icmp_seq=2 ttl=63 time=8.75 ms
64 bytes from 192.168.112.131: icmp_seq=3 ttl=63 time=5.86 ms
64 bytes from 192.168.112.131: icmp_seq=4 ttl=63 time=37.7 ms
64 bytes from 192.168.112.131: icmp_seq=5 ttl=63 time=16.5 ms
64 bytes from 192.168.112.131: icmp_seq=6 ttl=63 time=6.10 ms

--- 192.168.112.131 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5011ms
rtt min/avg/max/mdev = 5.860/39.901/164.394/56.744 ms
#

The “connect: Resource temporarily unavailable” message is normal. It comes from the ping
command's first attempt to send traffic to the VPN gateway, which is what gives the VPN gateway the
information about the needed SPs. Once this information is available, the VPN gateway sets up the
SPs. If ping is repeated, as in the example above, the computer is reachable and the connection is set
up.
To check that the connection was set up properly, traffic can be captured with any available tool
(Ethereal, tcpdump) while pinging. Traffic can be captured on the route from the roadwarrior
client to the VPN gateway, as well as on the local network. On the outside network, ESP
packets will be seen between the public IP addresses of the roadwarrior client and the VPN gateway.
Encapsulated inside these ESP packets are the ICMP Echo Request and ICMP Echo Reply packets
between the assigned internal IP address of the roadwarrior client and the computer being
pinged, which can be seen by capturing packets on the local network. Also, if the roadwarrior client
pings some other computer on the Internet (192.168.111.3), the capture will show the client sending
ESP packets to the VPN gateway, and the VPN gateway then sending an ICMP Echo Request to the
pinged computer. When the VPN gateway receives the ICMP Echo Reply in answer to its packet, it
encapsulates it into ESP and sends it back to the roadwarrior client. This shows that all traffic from
the roadwarrior client towards the Internet passes through the VPN gateway, which also serves as the
firewall protecting the local network, and that the roadwarrior client is treated as part of the local
network for as long as the secure connection is running.
To disconnect from the VPN gateway, the following command is used on the roadwarrior client.
# racoonctl vd 192.168.111.129
VPN connexion terminated
#

5. Windows XP client – ShrewSoft VPN Client
ShrewSoft VPN Client is free software made to ensure interoperability between IPsec-tools
(racoon) and Microsoft Windows. The focus of this chapter is not exploring all its possibilities,
but setting it up as a client in the roadwarrior scenario. After it is installed and started, the window
shown in picture 5.1 opens. A new connection can be added here.

Picture 5.1. Main window of the ShrewSoft VPN Client tool

The first tab of the configuration window holds the network preferences. The IP address of the VPN
gateway should be entered, as well as the other options shown in picture 5.2.

Picture 5.2. Network options of the ShrewSoft VPN Client tool

The second tab of the configuration window holds the options for setting the client's internal IP
address manually. It should be set to be obtained automatically, as shown in picture 5.3.


Picture 5.3. Client options of the ShrewSoft VPN Client tool

The first authentication tab configures the client's identity, as shown in picture 5.4, and the
authentication method is set to Hybrid RSA + XAuth.

Picture 5.4. First authentication tab of the ShrewSoft VPN Client tool

The second authentication tab configures the gateway identity in the same way as the client identity
above. The third authentication tab configures the path of the root certificate used, as shown in
picture 5.5.


Picture 5.5. Third authentication tab of the ShrewSoft VPN Client tool

The fourth tab configures the IKE phase 1 options. These should be set as shown in picture 5.6 to
correspond to the options set on the racoon roadwarrior client.

Picture 5.6. IKE first phase options of the ShrewSoft VPN Client tool

The fifth tab defines the IKE phase 2 options. These should also be set as shown in picture 5.7 to
correspond to the options set on the racoon roadwarrior client.


Picture 5.7. IKE second phase options of the ShrewSoft VPN Client tool

Finally, the last tab defines the needed SPs. The simplest approach is to add the local network
192.168.112.0 with net mask 255.255.255.0, as shown in picture 5.8.

Picture 5.8. SP policy configuration of the ShrewSoft VPN Client tool

After configuration, the connection is established by clicking the “Connect” button and entering the
user name and password. That the connection is established can be seen by capturing traffic as
explained in the previous chapter. It should be mentioned that this does not apply to all traffic,
because the needed routes are not set up in the Windows environment. The Windows console tools
(ipconfig and route) can be used for that purpose.

6. Creating certificates
To create the needed OpenSSL certificates, a few commands have to be executed. These commands are
shown in this chapter, but to ensure correct certificate creation, the reader should refer to
literature items 4 and 11.
To create a root certificate the following command needs to be executed.
# openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out \
cacert.pem -days 3650 -config ./openssl.conf

This creates two files: the key file cakey.pem and the root certificate file cacert.pem. After
that, the certificate request is created by executing the following command.
# openssl req -new -nodes -out req.pem -config ./openssl.conf

This command also creates two files: the key file key.pem and the certificate request file req.pem.
The last step is to sign the certificate request by executing the following command.
# openssl ca -out cert.pem -config ./openssl.conf -infiles req.pem

The result is the necessary certificate file cert.pem.

The roadwarrior client needs the root certificate created in the first step, while the VPN
gateway needs the key file created in the second step and the signed certificate created in
the last step.
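The three steps above carried through as an added example that is not part of the original document: a POSIX shell script that creates the CA, the gateway key and request, and the signed certificate non-interactively in a scratch directory, then runs the two checks worth doing before the files are copied to /etc/racoon on the gateway and the client. It signs with openssl x509 -req and the CA key rather than the document's openssl ca, so no openssl.conf CA database is required; the subject names are made up.

```shell
#!/bin/sh
# Added example, not from the original document. Creates the files from
# chapter 6 with openssl and checks them before they are installed:
#   cakey.pem / cacert.pem  - CA key and root certificate (step 1)
#   key.pem / req.pem       - gateway key and certificate request (step 2)
#   cert.pem                - request signed by the CA (step 3)
#   root-ca.pem             - copy of cacert.pem under the name the client uses
# Signing uses "openssl x509 -req" with the CA key instead of "openssl ca",
# so no CA database from openssl.conf is needed. Subject names are made up.

make_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    # step 1: CA key and self-signed root certificate, valid ten years
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example VPN Root CA" \
        -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
    # step 2: gateway key and certificate request (no passphrase, because
    # racoon has to read key.pem unattended)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn-gateway.example" \
        -keyout key.pem -out req.pem 2>/dev/null || exit 1
    # step 3: sign the request with the CA key, valid one year
    openssl x509 -req -in req.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 365 -out cert.pem 2>/dev/null || exit 1
    cp cacert.pem root-ca.pem
)

# Check 1: cert.pem must chain to root-ca.pem. This is exactly what the
# roadwarrior client would verify if verify_cert were switched on.
chain_ok() {
    openssl verify -CAfile "$1/root-ca.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Check 2: key.pem must be the private key of cert.pem; with a mismatched
# pair racoon on the gateway cannot complete hybrid_rsa_server authentication.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1/cert.pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$1/key.pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: sh make-pki.sh ./pki   (the file name make-pki.sh is an assumption)
if [ -n "${1:-}" ]; then
    make_pki "$1" && chain_ok "$1" && key_matches_cert "$1" \
        && echo "certificates in $1 are consistent"
fi
```

Copy root-ca.pem to the client and key.pem plus cert.pem to the gateway only after both checks pass.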

7. Literature
1. NETFILTER/iptables, available on Internet address
http://www.netfilter.org/projects/iptables/index.html, (11/12/2005)
2. Packet Filtering HOWTO, available on Internet address
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html,
(11/12/2005)
3. NAT HOWTO, available on Internet address
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html, (11/12/2005)
4. Ralf Spenneberg, IPsec HOWTO, available on Internet address
http://www.ipsec-howto.org, (15/5/2006)
5. Shrew Soft Inc., ShrewSoft VPN Client, available on Internet address
http://www.shrew.net/, (10/6/2006)
6. IPsec-tools, available on Internet address http://ipsec-tools.sourceforge.net/, (15/5/2006)
7. Setkey manual, available on Internet address
http://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current, (15/5/2006)
8. Racoon manual, available on Internet address
http://netbsd.gw.com/cgi-bin/man-cgi?racoon++NetBSD-current, (15/5/2006)
9. Racoon.conf manual, available on Internet address
http://netbsd.gw.com/cgi-bin/man-cgi?racoon.conf+5+NetBSD-current, (15/5/2006)
10. Racoonctl manual, available on Internet address
http://netbsd.gw.com/cgi-bin/man-cgi?racoonctl++NetBSD-current, (15/5/2006)
11. Ana Kukec, OpenSSL certifikati, available on Internet address
http://anchie.esa.fer.hr/My_Documents/Dokumenti/OpenSSL-certifikati.pdf, (2/6/2006)
