A client of mine has several IPSec-compatible VPN appliances protecting access to their data centre and internal networks. I knew the appliances were compatible with racoon (the built-in firewall on OSX) but had a lot of trouble figuring out how to configure the various files properly and didn't really want to cough up $100+ for VPNTracker (a fine GUI, but the single connection is rather limiting and the price was a little steep for me).
I also got really tired of creating a new racoon.conf file for each and every IP address that my machine obtained as I moved around, so I wanted to create a simple configuration script that would take all of the work out of getting connected and simply generate the relevant config files and start up racoon.
The referenced scripts/modules will hopefully allow you to concentrate on working with your sysadmins to get the server-side configured properly rather than wondering how on earth to get started with the racoon.conf file.
There are three files:
[robg adds: Read the rest of the hint for more info on these scripts; I have not tested these...]
With luck, the only file you'll need to adjust is Profile.pm which contains the connection profiles for every network that you want to connect with. The syntax is fairly simple: key => val and it supports nested arrays and hashes.
Here's how it works:
- INTERFACE -- the interface to use for setting up racoon. Normally set to en0 or en1
- PROFILES -- an array of hashes. Each hash represents one VPN appliance or computer that your client connects to. In the sample Profile.pm file there are two VPN boxes, listening on IP addresses 1.2.3.4 and 5.6.7.8. The parameters of each hash are as follows:
  - NAME -- a meaningless parameter, just to let you know what the script is working on
  - SERVER_IP -- the IP address of the VPN server to which you are attempting to connect
  - USER_FQDN -- this is basically the username recognised by the server.
  - NETWORKS -- the subnets on the other side of the VPN server to which you are attempting to connect.
  - CLIENT_IP -- not used unless the script cannot determine your IP address by using ifconfig. If you see a client IP of 169.254.0.0 then the script has resorted to the default.
  - KEY -- location of the shared secrets file
  - PFS_GROUP -- connection-specific. You will probably need to work this out with your sysadmin
  - DH_GROUP -- ditto
  - ENCRYPT -- what type of encryption to use. Again, speak with your sysadmin.
  - HASH -- what type of hashing algorithm to use. Speak with your sysadmin.
  - IDENT -- the authentication protocol. Speak with your sysadmin.
Note that this script assumes that all VPN 'servers' will use the same PFS Group, DH Group, Encryption, Authentication, and Hashing protocols. If you are connecting to multiple companies' VPNs this probably will not be true, but changing it is a quick hack to the Profile.pm and Templates.pm files.
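To show how the profile keys above map onto what racoon actually reads, here is a small added example (my own stand-in, not the hint's Profile.pm or Templates.pm): a constructed profile with the keys described, an ifconfig lookup with the 169.254.0.0 fallback, and a generator that turns one profile into a racoon.conf fragment plus the matching setkey policy lines. All addresses, the user name and the psk.txt path are made up; it takes the crypto parameters per profile, so it goes slightly beyond the hint's "same settings for every server" assumption.

```perl
#!/usr/bin/perl
# Added example: minimal Profile.pm stand-in and racoon.conf generator.
use strict;
use warnings;

# Constructed sample profile using the keys the hint describes.
my %profile = (
    INTERFACE => 'en0',
    PROFILES  => [ {
        NAME      => 'office',                 # label only, never used in config
        SERVER_IP => '1.2.3.4',
        USER_FQDN => 'alice@example.com',
        NETWORKS  => ['10.1.0.0/16', '10.2.0.0/24'],
        CLIENT_IP => '169.254.0.0',            # fallback if ifconfig lookup fails
        KEY       => '/etc/racoon/psk.txt',    # keep this file mode 0600, root-owned
        PFS_GROUP => 2, DH_GROUP => 2,
        ENCRYPT   => '3des', HASH => 'sha1', IDENT => 'pre_shared_key',
    } ],
);

# Pick the interface's IPv4 address from ifconfig, else fall back to CLIENT_IP.
sub client_ip {
    my ($iface, $fallback) = @_;
    my ($ip) = `ifconfig $iface 2>/dev/null` =~ /inet (\d+\.\d+\.\d+\.\d+)/;
    return $ip || $fallback;
}

# Emit the phase 1 "remote" block, one phase 2 "sainfo" block per remote
# subnet, and the setkey SPD rules that make the kernel require ESP tunnels.
sub render {
    my ($p, $me) = @_;
    my $conf = "path pre_shared_key \"$p->{KEY}\";\n\n"
             . "remote $p->{SERVER_IP} {\n    exchange_mode main;\n"
             . "    my_identifier user_fqdn \"$p->{USER_FQDN}\";\n    proposal {\n"
             . "        encryption_algorithm $p->{ENCRYPT};\n        hash_algorithm $p->{HASH};\n"
             . "        authentication_method $p->{IDENT};\n        dh_group $p->{DH_GROUP};\n"
             . "    }\n}\n";
    my $spd = '';
    for my $net (@{ $p->{NETWORKS} }) {
        $conf .= "\nsainfo address $me/32 any address $net any {\n"
               . "    pfs_group $p->{PFS_GROUP};\n    encryption_algorithm $p->{ENCRYPT};\n"
               . "    authentication_algorithm hmac_$p->{HASH};\n}\n";
        $spd  .= "spdadd $me/32 $net any -P out ipsec esp/tunnel/$me-$p->{SERVER_IP}/require;\n"
               . "spdadd $net $me/32 any -P in ipsec esp/tunnel/$p->{SERVER_IP}-$me/require;\n";
    }
    return ($conf, $spd);
}

my $me = client_ip($profile{INTERFACE}, $profile{PROFILES}[0]{CLIENT_IP});
my ($conf, $spd) = render($profile{PROFILES}[0], $me);
print "# racoon.conf\n$conf\n# setkey -f input\n$spd";
```

The `require` level on the SPD rules is what stops traffic to the listed subnets from ever leaving in the clear if racoon fails to negotiate; compare the generated text against the sample racoon.conf your sysadmin gives you before loading it.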
HTH.
P.S. You're on your own for configuring the server-side, I'm afraid, since every VPN is different and not all appliances are IPSec-compatible.