A very simple, working configuration for the old and dead Cisco VPN with certificate authentication. All you need on Fedora is the package ipsec-tools (no racoon2).
Configuration /etc/racoon/racoon.conf:
```
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

sainfo anonymous
{
    lifetime time 1 hour ;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

remote YOUR_CISCOVPN_GATE_IP
{
    exchange_mode main;
    my_identifier asn1dn;
    certificate_type x509 "client.crt" "client.key";
    ca_type x509 "ca.crt";
    mode_cfg on;
    script "p1_up_down" phase1_up;
    script "p1_up_down" phase1_down;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_rsa_client;
        dh_group modp1024;
    }
}
```
Prepare the certs:
```
openssl pkcs12 -in YOUR.p12 -out ca.crt -nokeys -cacerts
openssl pkcs12 -in YOUR.p12 -out client.crt -nokeys -clcerts
openssl pkcs12 -in YOUR.p12 -out client.key -nodes -nocerts
```
Put all three files in /etc/racoon/certs, then start racoon in the foreground with
```
sudo racoon -F
```
and connect with
```
sudo racoonctl -d vc YOUR_CISCOVPN_GATE_IP
```
After this the VPN connection is established.
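A small helper, added here and not part of the original post, that runs the same three extractions non-interactively and then checks that the pieces actually belong together before they go into /etc/racoon/certs (a mismatched key, a client cert that does not chain to the extracted CA, or an expired cert all surface in racoon only as an opaque phase 1 failure). The function name, the P12_PASS variable and the destination directory argument are assumptions.

```shell
# prepare_certs YOUR.p12 /etc/racoon/certs
# Reads the .p12 password from $P12_PASS (empty if unset); exits non-zero on any failed check.
prepare_certs() {
    p12="$1"; dest="$2"
    pass="pass:${P12_PASS:-}"
    mkdir -p "$dest" || return 1
    # The three extractions from the post, with the password supplied instead of prompted.
    openssl pkcs12 -in "$p12" -passin "$pass" -out "$dest/ca.crt" -nokeys -cacerts || return 1
    openssl pkcs12 -in "$p12" -passin "$pass" -out "$dest/client.crt" -nokeys -clcerts || return 1
    openssl pkcs12 -in "$p12" -passin "$pass" -out "$dest/client.key" -nodes -nocerts || return 1
    # The key is written unencrypted (-nodes), so keep it readable by root only.
    chmod 600 "$dest/client.key"
    # Check 1: client.crt chains to the CA we just pulled out of the same bundle.
    openssl verify -CAfile "$dest/ca.crt" "$dest/client.crt" >/dev/null || return 2
    # Check 2: client.key is the private half of client.crt (compare the public keys;
    # works for RSA and EC alike, unlike a modulus comparison).
    cert_pub=$(openssl x509 -in "$dest/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dest/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 3
    # Check 3: the certificate is still valid right now.
    openssl x509 -in "$dest/client.crt" -noout -checkend 0 >/dev/null || return 4
    # Print the subject DN: with my_identifier asn1dn this is the identity racoon sends
    # to the gateway in phase 1, so it is worth eyeballing once.
    openssl x509 -in "$dest/client.crt" -noout -subject
}
```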
