
A Perl script for configuring and starting racoon UNIX

A client of mine has several IPSec-compatible VPN appliances protecting access to their data centre and internal networks. I knew the appliances were compatible with racoon (the built-in firewall on OSX) but had a lot of trouble figuring out how to configure the various files properly and didn't really want to cough up $100+ for VPNTracker (a fine GUI, but the single connection is rather limiting and the price was a little steep for me).

I also got really tired of creating a new racoon.conf file for each and every IP address that my machine obtained as I moved around, so I wanted to create a simple configuration script that would take all of the work out of getting connected and simply generate the relevant config files and start up racoon.

The referenced scripts/modules will hopefully allow you to concentrate on working with your sysadmins to get the server-side configured properly rather than wondering how on earth to get started with the racoon.conf file.

There are three files:

[robg adds: Read the rest of the hint for more info on these scripts; I have not tested these...]



With luck, the only file you'll need to adjust is Profile.pm which contains the connection profiles for every network that you want to connect with. The syntax is fairly simple: key => val and it supports nested arrays and hashes.

Here's how it works:

  • INTERFACE -- the interface to use for setting up racoon. Normally set to en0 or en1
  • PROFILES -- an array of hashes. Each hash represents a VPN appliance or computer to which to connect from your client. So in the sample Profile.pm file there are two VPN boxes listening on IP addresses 1.2.3.4 and 5.6.7.8. The parameters are as follows:
    • NAME -- a meaningless parameter just to let you know what the script is working on
    • SERVER_IP -- the IP address of the VPN server to which you are attempting to connect
    • USER_FQDN -- this is basically the username recognised by the server.
    • NETWORKS -- the subnets on the other side of the VPN server to which you are attempting to connect.
  • CLIENT_IP -- not used unless the script cannot determine your IP address by using ifconfig. If you see a client IP of 169.254.0.0 then the script has resorted to the default.
  • KEY -- location of the shared secrets file
  • PFS_GROUP -- connection-specific. You will probably need to work this out with your sysadmin
  • DH_GROUP -- ditto
  • ENCRYPT -- what type of encryption to use. Again, speak with your sysadmin.
  • HASH -- what type of hashing algorithm to use. Speak with sysadmin.
  • IDENT -- the authentication protocol. Speak with sysadmin.

Note that this script assumes that all VPN 'servers' will use the same PFS Group, DH Group, Encryption, Authentication, and Hashing protocols. If you are connecting to multiple companies' VPNs this probably will not be true, but changing it is a quick hack of the Profiles.pm and Templates.pm files.
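To show how the Profile.pm keys above map onto a generated racoon.conf, here is an added Perl example (not the hint author's vpn.pl or Templates.pm). It assumes the constructed %CONFIG below, aggressive-mode IKE, the usual racoon directive names (remote/proposal for phase 1, one sainfo per remote subnet for phase 2), and an assumed per-profile SAINFO_ENCRYPT key so that the IPsec SA cipher can differ from the IKE proposal cipher, which the global ENCRYPT setting alone cannot express.

```perl
# Added example, not the hint author's vpn.pl. %CONFIG is a constructed sample;
# SAINFO_ENCRYPT is an assumed per-profile override for the phase-2 cipher.
use strict;
use warnings;
my %CONFIG = (
    INTERFACE => 'en0',
    CLIENT_IP => '169.254.0.0',   # used only if ifconfig yields nothing
    KEY       => '/etc/racoon/psk.txt',
    PFS_GROUP => 2, DH_GROUP => 2,
    ENCRYPT   => '3des', HASH => 'sha1', IDENT => 'pre_shared_key',
    PROFILES  => [
        { NAME => 'datacentre', SERVER_IP => '1.2.3.4', USER_FQDN => 'jon@example.com',
          NETWORKS => ['10.10.0.0/16', '10.20.0.0/16'] },
        { NAME => 'office', SERVER_IP => '5.6.7.8', USER_FQDN => 'jon@example.com',
          NETWORKS => ['192.168.50.0/24'], SAINFO_ENCRYPT => 'aes 128' },
    ],
);
# IPv4 address of INTERFACE from ifconfig, falling back to CLIENT_IP.
sub client_ip {
    my ($cfg) = @_;
    my $out = `ifconfig $cfg->{INTERFACE} 2>/dev/null`;
    return (defined $out && $out =~ /inet (\d+\.\d+\.\d+\.\d+)/) ? $1 : $cfg->{CLIENT_IP};
}
# One "remote" block (IKE phase 1) per VPN box, one "sainfo" (phase 2) per subnet.
sub racoon_conf {
    my ($cfg, $me) = @_;
    my $conf = "path pre_shared_key \"$cfg->{KEY}\";\n\n";
    for my $p (@{ $cfg->{PROFILES} }) {
        my $p2 = defined $p->{SAINFO_ENCRYPT} ? $p->{SAINFO_ENCRYPT} : $cfg->{ENCRYPT};
        $conf .= "# $p->{NAME}\nremote $p->{SERVER_IP} {\n"
               . "\texchange_mode aggressive;\n"
               . "\tmy_identifier user_fqdn \"$p->{USER_FQDN}\";\n"
               . "\tproposal_check obey;\n\tproposal {\n"
               . "\t\tencryption_algorithm $cfg->{ENCRYPT};\n"
               . "\t\thash_algorithm $cfg->{HASH};\n"
               . "\t\tauthentication_method $cfg->{IDENT};\n"
               . "\t\tdh_group $cfg->{DH_GROUP};\n\t}\n}\n";
        for my $net (@{ $p->{NETWORKS} }) {
            $conf .= "sainfo address $me/32 any address $net any {\n"
                   . "\tpfs_group $cfg->{PFS_GROUP};\n"
                   . "\tencryption_algorithm $p2;\n"
                   . "\tauthentication_algorithm hmac_$cfg->{HASH};\n"
                   . "\tcompression_algorithm deflate;\n}\n";
        }
    }
    return $conf;
}
print racoon_conf(\%CONFIG, client_ip(\%CONFIG));
```

Redirect the output to a file racoon can read (root-owned, mode 600) rather than leaving it world-readable, since the sainfo lines reveal every protected subnet.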

HTH.

P.S. You're on your own for configuring the server-side, I'm afraid, since every VPN is different and not all appliances are IPSec-compatible.


Don't forget freeware
Authored by: wfolta on Apr 01, '03 11:02:52AM

I haven't tried the scripts yet, but a freeware IPSec tool you might want to check out is VaporSec from afp548.com.

vaporsec throws errors, try ipsecuritas
Authored by: simonlok on Apr 17, '04 04:59:03PM

I've found that VaporSec doesn't quite work right under Panther,
it throws Applescript errors and whatnot, at least right now it does.
I did find, after a very frustrating set of searches, this:

IPSecuritas

http://www.lobotomo.com/products/IPSecuritas/

This works for me beautifully. I'm connecting to an OpenBSD
box using IPsec in tunnel mode. Couldn't ask for anything more.
It's donationware so you don't have to pay for it, but I did
anyway, they really earned it.

A Perl script for configuring and starting racoon
Authored by: ssevenup on Apr 01, '03 03:22:34PM
I knew the appliances were compatible with racoon (the built-in firewall on OSX)

Wouldn't that be the built in VPN in OSX, not firewall? And I think racoon is just the key manager.

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.

A Perl script for configuring and starting racoon
Authored by: jreades on Apr 01, '03 06:28:32PM

Sorry, you're exactly right -- got carried away with a rhetorical flourish and reversed the sense of the sentence. My client uses NetScreen VPN appliances to provide access to subnets behind a firewall. NetScreen's appliances are IPSec compatible which means that racoon is able to negotiate a secure connection with them and provide transparent access to machines behind the firewall.

Sorry about any confusion.

A Perl script for configuring and starting racoon
Authored by: jreades on Dec 13, '03 08:18:19AM

I've tested this script in Panther too without any problems (although I have added a slight tweak to make it easier to use).

I've also moved the pages associated with the hint to:

http://www.reades.com/hints/vpn.html

Cheers,

jon

A Perl script for configuring and starting racoon
Authored by: tji on Feb 13, '04 05:01:13PM

This script is great. I just used it to set up a VPN connection to my "Check Point VPN-1 NG AI" firewall. Here are a few notes on my config settings:

- I used Pre-Shared secrets for authentication. Note that this is not the same as OS Password or other password methods. Check Point uses their proprietary "hybrid mode" authentication for those. You must define the user's password in the pre-shared secrets config on the firewall.

- My VPN-1 was configured to use AES encryption, so I had to tweak the configuration a bit to do this (leave the crypto in the proposal section as 3des, in the sainfo section change it to "aes 128"). The script uses the same encryption algorithm for the proposal (IKE) as the IPSec session. This is not necessarily correct. IPSec devices sometimes use different encryption for each. Mine uses AES-256 or 3DES for IKE, and AES-128 IPSec. This could also be changed in the VPN-1 user settings, so it would use 3DES for both.

- I have "Aggressive mode" enabled on VPN-1. The VPNTracker docs say to enable this. I'm not sure if it's really needed or not. I may try to disable it & see if I can still connect. (Aggressive mode is OFF by default in VPN-1)

- VPNTracker has settings to do certificates with VPN-1, so I assume it's possible. If I get real ambitious, I might try to do this too.


The debugging capabilities of MacOS's IPSec are not great. If your firewall admin is not willing to work with you on this, it could be very difficult to determine what is stopping it from working.

Also, there are some other VPN-1 features that might stop this from working. VPN-1 can be configured to enforce "SCV Checks"; this is a feature of their SecureClient software that confirms the client is using the approved firewall policy on their system, various OS security/integrity checks are passed, and sometimes that related apps like anti-virus scanners are installed and up to date. If the admin has it configured to disallow clients that don't pass these checks, you will not be able to connect.

A Perl script for configuring and starting racoon
Authored by: tji on Feb 13, '04 07:42:29PM

A bit more on using FireWall-1 / VPN-1

- Aggressive mode MUST be enabled to use shared secrets. I vaguely recall this being a limitation of IPSec/IKE that causes this. The config for aggressive mode is kinda hidden. In the Firewall object, VPN->Traditional Mode Configuration->Advanced->Support Aggressive Mode

- Changing the user settings to 3des encryption allows the default script settings to work fine. Either set 3DES as the global user setting under Global->Remote Access->VPN-Advanced, or de-select the option to "Enforce Encryption Algorithm ... on all users" on that same page - then set 3DES on the individual user's settings.

FYI - A symptom of using "Aggressive Mode" and shared secrets is that the User ID will be sent in the clear. This is why it is disabled by default. So, if you use this, pick a good password. Or, better yet, get the certificates working.

A Perl script for configuring and starting racoon
Authored by: tji on Feb 20, '04 08:42:58PM

Here is another free IPSec configuration GUI called IPSecuritas (http://www.lobotomo.com/products/IPSecuritas/index.html). It is quite good, and allows a lot of configuration.

A Perl script for configuring and starting racoon
Authored by: jreades on Mar 11, '04 06:47:34AM

I've updated the code to properly handle certificates as well (thanks to Todd for doing the heavy lifting of figuring out *how* certs work in racoon and how to generate them). There is some documentation in the Profiles.pm file on how to generate certs for a VPN-1.

As well, the script has been substantially re-written to improve a number of aspects:

1. Each connection now has its SA and Profile details in the same section of the racoon.conf file (no more scrolling back and forth to check settings)

2. You can now override almost *any* setting (and hopefully all of the important ones) on a per-network basis -- so a mixed environment where some connections use certs and others private shared keys should work smoothly.

3. A lot more parameters are now configurable from the Profiles.pm file (see '2')

4. It will now automatically generate a psk.txt file from the connections you've defined. Note that each time you run configure, if the psk.txt file already exists it will first copy the existing file to psk.txt.bak and then write the new one. This happens every time, so you *should* create a backup of your psk.txt file before starting to use my script in case there are settings that you should have put in your Profiles.pm file.

5. It will now chown and chmod the output dir -- all files in the output dir will be chowned to root:wheel, and chmodded to 600, all dirs will also be chowned and then chmodded to 700. This is for your own protection (i.e. anyone who steals your Profiles.pm file would be able to access any of your private networks). I strongly recommend placing the Profiles.pm file in /etc/racoon, and it wouldn't hurt to put the vpn.pl and Templates.pm file there as well for safety.

6. The default behaviour of the script is now to restart racoon. This is the most likely need from day-to-day, so now you can simply run `sudo vpn.pl` and it'll kill racoon, rerun the interfaces shell script, and then restart racoon for you.

7. The default input and output directories for the script are /etc/racoon/. You can still override this by passing in your own params, but in the normal course of things there'd be no reason to do this.

Hope this helps. I'm also working on a Konfabulator widget as a front-end to the Perl script but am trying to deal with some issues around protecting the connection parameters from casual access.

The files are still available to download from here: http://www.reades.com/hints/vpn.html (although I need to update the content of the HTML page)

Cheers,

jon
