Racoon (ipsec-tools) config for remote-access to Cisco asa5500

This page describes how to configure the racoon daemon from the ipsec-tools package to connect as a remote-access client to a Cisco asa5500 series VPN server.

1. Versions and distributions

Connecting to an ASA5500 in remote-access mode became an option with a set of patches against ipsec-tools v0.7. In addition to applying these patches, an ISAKMP phase-1 setup script must be copied to the /etc/racoon/scripts/ directory.

1.1. Fedora (8 or later)

If you're on Fedora (8 or later), all this should already be available to you (via yum install ipsec-tools), since their version of ipsec-tools has the backported patches applied and the phase-1 script included in the RPM package.

1.2. Ubuntu (8.10)

For Ubuntu 8.10, download and install the following packages:

dpkg --install ipsec-tools_0.7-2.1ubuntu2_i386.deb racoon_0.7-2.1ubuntu2_i386.deb

then also install the p1_up_down script in /etc/racoon/scripts/.

2. Download and install a CMU VPN certificate

Register your VPN host on the "VPN - General Users" subnet, then follow the "Manage Certificates" link to obtain a VPN certificate. You will end up downloading a certificate file "<machine-name>.USER.VPN.CMU.LOCAL.p12", encrypted with a transport password of your choice. Copy this file to the /etc/racoon/certs directory. Use the following commands to extract the CA and client certificates, as well as the client key:

openssl pkcs12 -cacerts -nokeys -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out ca.crt
openssl pkcs12 -clcerts -nokeys -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out <machine-name>.user.vpn.cmu.local.crt
openssl pkcs12 -nocerts -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out <machine-name>.rsa
openssl rsa -in <machine-name>.rsa -out <machine-name>.user.vpn.cmu.local.key

You will be asked to enter the transport password ("Enter Import Password:"), as well as to pick an RSA passphrase ("Enter PEM pass phrase:" and "Enter pass phrase for <machine-name>.rsa:") during this process. Keep entering the transport password you picked when downloading the certificate file from NetReg, and you'll eventually end up with the three files you really need: ca.crt, <machine-name>.user.vpn.cmu.local.crt, and the cleartext client key file <machine-name>.user.vpn.cmu.local.key, all located in the /etc/racoon/certs directory.
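The extraction described above, carried out end to end as an added shell example (not part of the original page): it builds a throwaway CA, client certificate and .p12 bundle so the four openssl commands have realistic input, runs them non-interactively, then checks that the key matches the client certificate and that the certificate chains to ca.crt before racoon is pointed at the files. Assumes openssl on PATH; CERTS_DIR, NAME and TRANSPORT_PW are placeholders, and a scratch directory stands in for /etc/racoon/certs so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces the certificate
# extraction step against a constructed PKCS#12 bundle, then verifies the
# pieces fit together. Assumes openssl on PATH; all names are placeholders.
set -eu

CERTS_DIR="${CERTS_DIR:-$(mktemp -d)}"            # stands in for /etc/racoon/certs
NAME="${NAME:-myhost}"                              # stands in for <machine-name>
TRANSPORT_PW="${TRANSPORT_PW:-transport-secret}"    # constructed test value

# Build a throwaway CA and client certificate and pack them into a .p12 so the
# extraction below has realistic input (this replaces the NetReg download).
make_test_bundle() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test VPN CA" \
      -keyout "$d/testca.key" -out "$d/testca.crt" -days 2 >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$NAME.user.vpn.cmu.local" \
      -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/testca.crt" -CAkey "$d/testca.key" \
      -CAcreateserial -out "$d/client.crt" -days 2 >/dev/null 2>&1
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
      -certfile "$d/testca.crt" -passout "pass:$TRANSPORT_PW" \
      -out "$d/$NAME.USER.VPN.CMU.LOCAL.p12"
}

# The page's four openssl commands, run non-interactively: the transport
# password is reused for every prompt, exactly as the text recommends.
extract_bundle() {
  d="$1"; p12="$d/$NAME.USER.VPN.CMU.LOCAL.p12"; pw="pass:$TRANSPORT_PW"
  openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "$pw" -out "$d/ca.crt"
  openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "$pw" -out "$d/$NAME.user.vpn.cmu.local.crt"
  openssl pkcs12 -nocerts -in "$p12" -passin "$pw" -passout "$pw" -out "$d/$NAME.rsa"
  openssl rsa -in "$d/$NAME.rsa" -passin "$pw" -out "$d/$NAME.user.vpn.cmu.local.key"
  chmod 600 "$d/$NAME.rsa" "$d/$NAME.user.vpn.cmu.local.key"   # cleartext key: root only
}

# Checks worth running before racoon.conf references the files: the key's
# modulus matches the client certificate, and the certificate verifies against ca.crt.
verify_bundle() {
  d="$1"; crt="$d/$NAME.user.vpn.cmu.local.crt"; key="$d/$NAME.user.vpn.cmu.local.key"
  [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] || return 1
  openssl verify -CAfile "$d/ca.crt" "$crt" >/dev/null 2>&1
}

make_test_bundle "$CERTS_DIR"
extract_bundle "$CERTS_DIR"
verify_bundle "$CERTS_DIR" && echo "certificate files ready in $CERTS_DIR"
```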

3. Configuring and operating racoon

Here is an example of a working /etc/racoon/racoon.conf file. Please be sure to substitute each occurrence of <machine-name> with your chosen machine name (in essence, make sure you refer to the appropriate certificate file names in /etc/racoon/certs).

Once all this is done, start racoon as a daemon (via /etc/init.d/racoon start on Fedora, or via whatever service startup mechanism is supported by your distribution). Then, to bring up the VPN connection, type:

racoonctl vc server.vpn.cmu.edu

To stop the VPN connection, use:

racoonctl vd server.vpn.cmu.edu


L. Gabriel Somlo, Feb. 19, 2009. For questions or corrections, please contact somlo<at>cmu.edu