NetBSD-Users archive
Re: Tunneling in NetBSD
On Thu, Nov 19, 2020 at 07:08:38AM +1030, Brett Lymn wrote:
>
> I will dig up the document I wrote about the setup. My fuzzy memory is that there
> were no hacks required.
Little wonder my memory was fuzzy - I did this 13 years ago. I found
the documentation. I did use a radius server as the backend auth along
with a self-signed certificate for hybrid rsa-xauth.
Unfortunately, the document I have is not generic and contains some
confidential details but I am happy to provide sanitised snippets to
help out.
Below is the racoon.conf, if you need to see the radiusd.conf I have
that too but it is fairly long.
This is the racoon.conf, there were 3 classes of users, the data entry
people, admin staff and developers. The radius server was used to map
the user to the appropriate class depending on group membership:
========================================================================
path certificate "/etc/openssl/certs";

listen {
        adminsock "/var/racoon/racoon.sock";
        isakmp 192.168.1.253 [500];
        isakmp_natt 192.168.1.253 [4500];
}

timer {
        counter 30;
        phase1 60 seconds;
        phase2 40 seconds;
        natt_keepalive 20 seconds;
}

remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "vpngw.crt" "vpngw.key";
        my_identifier asn1dn;
        proposal_check claim;
        generate_policy on;     # automatically generate IPsec policies
        dpd_delay 20;           # DPD poll every 20 seconds
        dpd_maxfail 50;         # Wait a long time to consider things dead
        nat_traversal force;    # always use NATT
        ike_frag on;            # use IKE fragmentation
        passive on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        pool_size 25;           # size of the VPN IP pool: 253 addresses
        auth_source radius;     # login validated against RADIUS
        conf_source radius;     # IPv4 address obtained by RADIUS
        accounting radius;      # RADIUS accounting
        dns4 192.168.2.254;     # IPv4 DNS server
        wins4 192.168.2.254;    # IPv4 WINS server
        default_domain "corporate.local";
        split_network include 192.168.0.0/24,192.168.1.0/24,192.168.2.0/24;
        banner "/etc/racoon/motd";      # Banner message for clients
        pfs_group 2;
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
--
Brett Lymn
--
Sent from my NetBSD device.
"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"
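Added example (not Brett's code and not part of racoon): a small parser for the racoon.conf grammar shown above (brace-delimited blocks, `;`-terminated statements, `#` comments) plus a review pass over the phase 1 `proposal` and phase 2 `sainfo` settings. The config is from 2007, and the parts a reviewer would revisit today are the ones the checker flags: 1024-bit MODP (`dh_group 2` / `pfs_group 2`), SHA-1, and aggressive mode. The sample input is a constructed excerpt of the posted config with its values unchanged; the severity labels and the "below 2048-bit" threshold are this example's own choices, not racoon's.

```python
"""Parse racoon.conf syntax and flag IKE settings worth revisiting.

Added example: not racoon's own code. WEAK_DH and LEGACY_HASH are this
example's review policy (MODP groups below 2048 bits, MD5/SHA-1 PRF).
"""
import re

# Constructed sample: the remote/sainfo blocks from the posted config,
# values unchanged, so the checks run offline against those exact settings.
SAMPLE_CONF = """\
remote anonymous {
    exchange_mode aggressive;
    certificate_type x509 "vpngw.crt" "vpngw.key";
    my_identifier asn1dn;
    nat_traversal force;   # always use NATT
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
"""

# Tokens: a quoted string, one of the three structural characters, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(text):
    """Turn racoon.conf text into nested dicts.

    Every key maps to a list because a block may legitimately repeat a
    directive (several `isakmp` lines under `listen`, several `proposal`
    blocks under `remote`). Statements become strings, blocks become dicts.
    """
    tokens = TOKEN.findall(re.sub(r'#[^\n]*', '', text))  # strip comments first
    pos = 0

    def block():
        nonlocal pos
        out, cur = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ';':                      # end of a statement
                if cur:
                    out.setdefault(cur[0], []).append(' '.join(cur[1:]))
                cur = []
            elif tok == '{':                    # header words collected so far open a block
                out.setdefault(' '.join(cur), []).append(block())
                cur = []
            elif tok == '}':
                return out
            else:
                cur.append(tok.strip('"'))
        return out

    return block()


def first(blk, key):
    """First value of a directive in a block, or None if it is absent."""
    return blk.get(key, [None])[0]


# Example policy: MODP groups below 2048 bits, by number and racoon's symbolic names.
WEAK_DH = {'1', '2', '5', 'modp768', 'modp1024', 'modp1536'}
LEGACY_HASH = {'md5', 'sha1'}


def audit(conf):
    """Return (severity, location, message) tuples for settings to revisit."""
    findings = []
    for header, blocks in conf.items():
        kind = header.split(' ', 1)[0]
        if kind == 'remote':
            for rem in blocks:
                if first(rem, 'exchange_mode') == 'aggressive':
                    findings.append(('medium', header,
                                     'aggressive mode sends identities before encryption '
                                     'is established; use main mode if the clients allow it'))
                for prop in rem.get('proposal', []):
                    dh, h = first(prop, 'dh_group'), first(prop, 'hash_algorithm')
                    if dh in WEAK_DH:
                        findings.append(('high', header + ' proposal',
                                         'dh_group %s is below 2048-bit MODP' % dh))
                    if h in LEGACY_HASH:
                        findings.append(('low', header + ' proposal',
                                         'hash_algorithm %s is legacy; prefer sha256' % h))
        elif kind == 'sainfo':
            for sa in blocks:
                pfs = first(sa, 'pfs_group')
                if pfs in WEAK_DH:
                    findings.append(('high', header,
                                     'pfs_group %s is below 2048-bit MODP' % pfs))
    return findings


if __name__ == '__main__':
    for sev, where, msg in audit(parse(SAMPLE_CONF)):
        print('%-6s %-26s %s' % (sev, where, msg))
```

Run it against a full racoon.conf by reading the file into `parse()`; the `listen`, `timer` and `mode_cfg` blocks parse the same way and are simply not inspected by `audit()`, so extending the policy is a matter of adding branches for those headers.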