The Debian racoon package unfortunately doesn't come with RADIUS support. I needed it to implement a VPN server that takes its authentication data from Active Directory via Network Policy Server (yes, I know RRAS exists, but I preferred the Cisco VPN Client). Below are the steps/commands needed to build a racoon .deb package with RADIUS support. I'll be as brief as possible, since I don't have the free time to explain every command.
1. Install the packages needed to build a .deb package (apt-get install needs root; the package build itself can run unprivileged thanks to fakeroot):
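# Step 1: build tooling.  apt-get install needs root (run as root or via sudo);
# fakeroot lets the actual package build in step 4 run as an ordinary user.
mkdir ~/build && cd ~/build
apt-get install build-essential fakeroot dpkg-dev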
2. Fetch the racoon source package and its build dependencies:
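# Step 2: source package plus build dependencies.
# apt-get source downloads the .dsc/.orig/.diff through the signed apt index and
# unpacks them here.  It warns if the source cannot be authenticated -- do not
# ignore that warning: you are about to compile this code and run it as root.
apt-get source racoon
apt-get build-dep racoon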
3. Build and install the libraries racoon will be compiled against (libmd and libradius; sed is used to add -fPIC to their Makefiles so the objects can be linked into racoon):
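# Step 3: libmd and libradius (a 2004-era Linux port of the FreeBSD libradius).
# Both tarballs come over plain HTTP from a third-party host with no checksum or
# signature, and are then installed as root: this is the weakest link in the
# whole build.  Mirror the tarballs somewhere you control, record their sha256
# and verify it (sha256sum -c) before every build, and read the Makefiles before
# running "make install" as root.
# The sed adds -fPIC to the optimisation flags so the objects can be linked into
# racoon's shared code.
wget http://portal-to-web.de/tacacs/libmd.tar.gz && tar xzf libmd.tar.gz && cd libmd && mkdir -p /usr/local/man/man3
sed -i 's/O2/O2 -fPIC/g' Makefile
make install
# Back to the build root; without this, libradius is unpacked inside libmd/.
cd ~/build
wget http://portal-to-web.de/tacacs/libradius-linux-20040827.tar.gz && tar xzf libradius-linux-20040827.tar.gz && cd libradius-linux
sed -i 's/O2/O2 -fPIC/g' Makefile
make install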
4. Apply the necessary changes to the racoon source (append --with-libradius to the configure call in debian/rules and force buggygetaddrinfo=no in configure), build the package and install it. I used a 32-bit Debian, which is why the resulting package name ends in i386 -- adjust the file names to your release and architecture:
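# Step 4: enable libradius in the Debian package and rebuild it.
# File names are release-specific (0.7.3-12, i386 here): use the ones apt-get
# source actually downloaded, and your own architecture suffix.
# apt-get source already unpacked the tree; if dpkg-source complains that the
# unpack target exists, simply skip this line.
dpkg-source -x ipsec-tools_0.7.3-12.dsc
cd ipsec-tools-0.7.3
# Append --with-libradius to the configure invocation in debian/rules.  The
# substitution is global, so grep for "context" before and after editing to make
# sure it matched only the configure line.
sed -i 's/context/context --with-libradius/g' debian/rules
# configure's buggygetaddrinfo check otherwise makes racoon use its own
# getaddrinfo replacement; forcing "no" uses the system resolver.  This is a
# build workaround the author needed on this release, not a security setting.
sed -i 's/buggygetaddrinfo=yes/buggygetaddrinfo=no/g' configure
fakeroot debian/rules binary
# Make the freshly installed libradius findable at run time.  A symlink in
# /usr/lib works but is invisible to dpkg and will collide with any future
# libradius package; on Debian /usr/local/lib is already in ld.so.conf.d, so
# running "ldconfig" alone is usually enough.
ln -s /usr/local/lib/libradius.so /usr/lib/
dpkg -i ../ipsec-tools_0.7.3-12_i386.deb
# NOTE: the rebuilt package carries the same version as the archive one, so the
# next apt upgrade silently replaces it with the stock (RADIUS-less) build.
# Bump the version locally (dch --local ~radius) or pin the package.  From now
# on you also own security updates for ipsec-tools: racoon parses IKE from
# anyone who can reach UDP 500/4500, so watch the Debian security tracker and
# rebuild when it changes.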
5. Create a new SSL CA. Its key signs the certificate your clients will trust for the server, so anyone holding ca.key can impersonate the VPN gateway: keep it off the VPN server if you can, and readable by root only:
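# Step 5: a private CA.  Its key signs the certificate clients trust for the
# server, so anyone holding ca.key can impersonate the VPN server.  Generate it
# on a machine that is not the gateway if you can; umask 077 keeps every key
# created below readable by its owner only.
umask 077
mkdir ~/ssl && cd ~/ssl
# The original "-rand rnd" pointed at a file that is never created (OpenSSL just
# warned about it); OpenSSL seeds from the kernel RNG on its own, so it is dropped.
openssl genrsa -aes256 -out ca.key 2048
# 7300 days = 20 years.  -sha256 avoids a SHA-1 signed CA certificate, which an
# old openssl.cnf default_md would otherwise give you.
openssl req -new -x509 -sha256 -days 7300 -key ca.key -out ca.crt
# "openssl ca" expects this layout (dir = ./demoCA in the default openssl.cnf).
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo "00" > demoCA/serial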
6. Create the server certificate (in hybrid_rsa_server mode only the server presents a certificate; clients authenticate through XAuth/RADIUS). If openssl ca reports a country/state/locality mismatch, adjust the policy section of your openssl.cnf:
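# Step 6: the server key and certificate.  -nodes leaves vpn.key unencrypted
# (racoon must read it unattended), so it has to be protected by file
# permissions alone -- see step 7.
# NOTE: "-days" on "req -new" is ignored (it only applies together with -x509);
# the certificate's validity is decided by "openssl ca", so -days moves there.
# -md sha256 avoids a SHA-1 signature if your openssl.cnf still defaults to it.
openssl req -out vpn.csr -new -newkey rsa:2048 -nodes -keyout vpn.key
openssl ca -days 3650 -md sha256 -in vpn.csr -keyfile ca.key -cert ca.crt -out vpn.crt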
7. Copy the server certificate and key into the racoon directory (the key is unencrypted, so restrict the permissions on it):
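# Step 7: install the server certificate and key.  Only racoon (running as root)
# needs to read them, so make the directory and the unencrypted key root-only.
mkdir /etc/racoon/certs && cp ~/ssl/vpn.crt /etc/racoon/certs && cp ~/ssl/vpn.key /etc/racoon/certs
chmod 700 /etc/racoon/certs && chmod 600 /etc/racoon/certs/vpn.key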
8. Modify /etc/racoon/racoon.conf (the complete file follows, section by section):
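# Directory where the certificate and key named in the remote section live.
path certificate "/etc/racoon/certs";
listen {
	# With nothing listed here racoon accepts IKE on UDP 500/4500 on every
	# address.  On a gateway with an internal leg, bind to the public address
	# explicitly so the IKE daemon is not also reachable from the inside.
	# isakmp 1.2.3.4 [500];
	# isakmp_natt 1.2.3.4 [4500];
}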
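log notify;
# debug2 dumps decoded ISAKMP payloads, which in this setup can include the
# XAuth exchange; use it only while troubleshooting and never leave it on.
#log debug2;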
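padding {
	maximum_length 20;
	randomize off;
	# off tolerates peers that do not pad exactly to spec; "on" is the
	# stricter choice if your clients turn out to cope with it.
	strict_check off;
	exclusive_tail off;
}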
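timer {
	counter 5;          # retransmissions before a peer is given up on
	interval 20 sec;    # time between those retransmissions
	persend 1;          # packets sent per transmission
	phase1 30 sec;      # upper bound on a phase 1 negotiation (limits half-open state)
	phase2 15 sec;      # upper bound on a phase 2 negotiation
}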
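# One section for every road-warrior client: racoon acts as the responder and
# authenticates itself with vpn.crt; clients are authenticated by XAuth/RADIUS.
remote anonymous {
	# Aggressive mode is what the Cisco VPN Client speaks.  It exposes the
	# identities in the clear and is only acceptable here because the
	# authentication is certificate-based (hybrid_rsa_server), not a group
	# pre-shared key that could be attacked offline.
	exchange_mode aggressive;
	nonce_size 16;
	lifetime time 1440 min;
	initial_contact on;
	# obey = accept the initiator's lifetime/PFS proposal as-is.  Use "claim"
	# or "strict" if you want the server's values to win.
	proposal_check obey;
	certificate_type x509 "vpn.crt" "vpn.key";
	my_identifier asn1dn;
	verify_identifier on;
	# Clients present no certificate in hybrid mode (XAuth/RADIUS authenticates
	# them), so there is nothing for racoon to verify on this side.
	verify_cert off;
	# racoon.conf(5) documents this as a small security hole: racoon will act
	# on *unencrypted* ISAKMP delete messages.  Try with it off first and
	# enable it only if stale SAs are a real problem with your clients.
	weak_phase1_check on;
	support_proxy on;
	passive on;               # responder only: this is the server side
	generate_policy on;       # install SPD entries from what the client asks for
	dpd_delay 20;
	nat_traversal force;
	ike_frag on;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method hybrid_rsa_server;
		# modp1024 (group 2) is below current guidance; use modp1536
		# (group 5) if your client profiles allow it.
		dh_group modp1024;
	}
}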
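mode_cfg {
	# Addresses handed to clients: pool_size /32s starting at network4.
	network4 192.168.60.1;
	netmask4 255.255.255.255;
	pool_size 200;
	# The XAuth user/password sent by the client are checked against the
	# RADIUS server(s) listed in /etc/radius.conf.
	auth_source radius;
	#dns4 10.100.10.12;
	#wins4 10.100.10.12;
	# Banner shown by the client after XAuth.  Comment it out, or leave it
	# empty, to omit the message of the day; otherwise the system motd is shown.
	banner "/etc/racoon/motd";
	pfs_group 2;
	# Split tunnelling: only these prefixes go through the VPN, everything else
	# leaves the client directly, so a connected client sits on both networks
	# at once.  Without split_network the client typically tunnels all traffic
	# -- decide which you want deliberately.
	split_network include 192.168.100.0/24; # specify your networks here
}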
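# Phase 2 parameters applied to every client.
sainfo anonymous {
	# modp1024, matching pfs_group in mode_cfg; group 5 if your clients allow it.
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}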
9. Create or modify /etc/radius.conf (one auth line per RADIUS server: host, shared secret, optional timeout and retry count -- see radius.conf(5); the file holds the secret, so keep it root-only):
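# One line per RADIUS server (see radius.conf(5) for the exact syntax):
#   auth <host>[:port] <shared-secret> [timeout [max_tries]]
# The secret is a single token -- a value containing a space, like the original
# placeholder, is parsed as secret plus timeout.  It is stored in the clear, so
# make this file owned by root with mode 0600.  RADIUS itself protects the
# password only with an MD5-based hiding scheme, so keep the path to NPS on a
# trusted segment (or inside another IPsec SA) and use a long random secret.
auth radius-ip-or-hostname shared-secret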
10. In the Cisco VPN Client create a new connection with authentication set to mutual (group) authentication, enter anything for the name and password fields (they are not used by the hybrid RSA exchange; the credentials that matter are the XAuth username/password the client prompts for when connecting, which racoon forwards to RADIUS), import ca.crt (Certificates drop-down menu -> Import) so the client can verify the server's certificate, and try to connect.