Skip to content

Instantly share code, notes, and snippets.

@jameswhite jameswhite/racoon.conf Secret
Created Jan 5, 2016

Embed
What would you like to do?
path certificate "/etc/racoon/certs";
listen {
isakmp 65.19.178.106 [500];
isakmp_natt 65.19.178.106 [4500];
adminsock disabled;
}
# connection to freyr.websages.com
remote 72.14.177.235 [500] {
exchange_mode main;
peers_identifier asn1dn;
my_identifier asn1dn;
verify_identifier on;
verify_cert on;
certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
lifetime time 1440 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 5;
lifetime time 86400 sec;
}
}
sainfo address 172.16.0.2/32 any address 172.16.0.1/32 any {
lifetime time 1 hour ;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# connection to thor.websages.com
remote 207.192.74.54 [500] {
exchange_mode main;
peers_identifier asn1dn;
my_identifier asn1dn;
verify_identifier on;
verify_cert on;
certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
lifetime time 1440 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 5;
lifetime time 86400 sec;
}
}
sainfo address 172.16.0.2/32 any address 172.16.0.3/32 any {
lifetime time 1 hour ;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# connection to loki.websages.com
remote 74.207.230.73 [500] {
exchange_mode main;
peers_identifier asn1dn;
my_identifier asn1dn;
verify_identifier on;
verify_cert on;
certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
lifetime time 1440 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 5;
lifetime time 86400 sec;
}
}
sainfo address 172.16.0.2/32 any address 172.16.0.10/32 any {
lifetime time 1 hour ;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# connection to vili.websages.com
remote 74.207.235.127 [500] {
exchange_mode main;
peers_identifier asn1dn;
my_identifier asn1dn;
verify_identifier on;
verify_cert on;
certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
lifetime time 1440 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 5;
lifetime time 86400 sec;
}
}
sainfo address 172.16.0.2/32 any address 172.16.0.11/32 any {
lifetime time 1 hour ;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# listener for remote mobile devices
remote anonymous {
exchange_mode main;
generate_policy on ;
passive on ;
ca_type x509 "ca.crt";
certificate_type x509 "odin.websages.com.crt" "odin.websages.com.key";
my_identifier asn1dn;
passive on;
nat_traversal on;
mode_cfg on;
script "/etc/racoon/phase1-up.sh" phase1_up;
script "/etc/racoon/phase1-down.sh" phase1_down;
dpd_delay 20;
ike_frag on;
lifetime time 3600 sec;
proposal_check strict;
proposal {
authentication_method xauth_rsa_server;
encryption_algorithm aes;
hash_algorithm sha1;
dh_group 2;
}
}
mode_cfg {
conf_source local;
pfs_group 2;
auth_throttle 3;
auth_source ldap; # Authenticate against LDAP
save_passwd off; # Allow users to save passwords
# group_source ldap; # Verify group membership in LDAP
# auth_groups "ipsec vpn"; # Require users to be member of this group in order to vpn
default_domain "websages.com";
dns4 172.16.0.2;
network4 172.16.0.64;
netmask4 255.255.255.224;
pool_size 32;
# split_network include 172.16.0.0/12; # split tunneling, only tunnel traffic to these subnets
# split_dns "websages.com";
}
ldapcfg {
host "127.0.0.1";
base "dc=websages,dc=com";
subtree on;
bind_dn "cn=LDAP Anonymous,ou=Special,dc=websages,dc=com";
bind_pw "8de47d5aa7d61e92c577d8156b966583f6d7d75d714a3b99fca4fb2f8bfe97c6";
attr_user "uid"; # Searches for (<attr_user>=<userid>)
# attr_group "cn"; # Searches for (&(<attr_group>=<groupname>)(<attr_member>=<userid>))
# attr_member "member";
}
sainfo anonymous {
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
@jameswhite

This comment has been minimized.

Copy link
Owner Author

commented Jan 5, 2016

!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo "
spdadd 0.0.0.0/0 ${INTERNAL_ADDR4}/32 any -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 0.0.0.0/0 any -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c

DEFAULT_GW=netstat -rn | awk '($1 == "0.0.0.0"){print $2}'
echo $@ > /etc/racoon/client.conf
echo "LOCAL_ADDR = ${LOCAL_ADDR}" >> /etc/racoon/client.conf
echo "LOCAL_PORT = ${LOCAL_PORT}" >> /etc/racoon/client.conf
echo "REMOTE_ADDR = ${REMOTE_ADDR}" >> /etc/racoon/client.conf
echo "REMOTE_PORT = ${REMOTE_PORT}" >> /etc/racoon/client.conf
echo "DEFAULT_GW = ${DEFAULT_GW}" >> /etc/racoon/client.conf
echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}" >> /etc/racoon/client.conf
echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}" >> /etc/racoon/client.conf

@jameswhite

This comment has been minimized.

Copy link
Owner Author

commented Jan 5, 2016

!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;

spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete ${INTERNAL_ADDR4}[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.