Racoon (ipsec-tools) config for remote-access to Cisco asa5500
This page describes how to configure the racoon daemon from the ipsec-tools package to connect as a remote-access client to a Cisco ASA 5500 series VPN server.
1. Versions and distributions
Connecting to an ASA 5500 in remote-access mode became possible with a set of patches against ipsec-tools v0.7:
In addition to applying these patches, an ISAKMP phase-1 setup script must be copied to the
1.1. Fedora (8 or later)
If you're on Fedora (8 or later), all this should already be available to you (via yum install ipsec-tools), since their version of ipsec-tools has the backported patches applied and the phase-1 script included in the RPM package.
1.2. Ubuntu (8.10)
For Ubuntu 8.10, please download and install the following packages:
Install the packages:
dpkg --install ipsec-tools_0.7-2.1ubuntu2_i386.deb racoon_0.7-2.1ubuntu2_i386.deb
then also install the p1_up_down script in
2. Download and install a CMU VPN certificate
Register your VPN host on the "VPN - General Users" subnet, then follow the "Manage Certificates" link to obtain a VPN certificate. You will end up downloading a certificate file "<machine-name>.USER.VPN.CMU.LOCAL.p12", encrypted with a transport password of your choice. Copy this file to the /etc/racoon/certs directory. Use the following commands to extract the CA and client certificates, as well as the client key:
openssl pkcs12 -cacerts -nokeys -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out ca.crt
openssl pkcs12 -clcerts -nokeys -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out <machine-name>.user.vpn.cmu.local.crt
openssl pkcs12 -nocerts -in <machine-name>.USER.VPN.CMU.LOCAL.p12 -out <machine-name>.rsa
openssl rsa -in <machine-name>.rsa -out <machine-name>.user.vpn.cmu.local.key
You will be asked to enter the transport password ("Enter Import Password:"), as well as to pick an RSA passphrase ("Enter PEM pass phrase:" and "Enter pass phrase for <machine-name>.rsa:") during this process. Keep entering the transport password you picked when downloading the certificate file from NetReg, and you'll eventually end up with the three files you really need: the CA certificate ca.crt, the client certificate <machine-name>.user.vpn.cmu.local.crt, and the cleartext client key file <machine-name>.user.vpn.cmu.local.key, all located in the
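The four openssl commands above can be wrapped in a small script that also does the two checks a practitioner wants before trusting the result: that the extracted key really belongs to the extracted client certificate, and that the cleartext key is readable only by its owner. The script below is an added example, not part of the original page or of ipsec-tools. It assumes openssl is on the PATH, takes the transport password from the P12_PASS environment variable (so it never appears on a command line), collapses the page's two-step .rsa to .key conversion into one `-nodes` extraction, and writes into /etc/racoon/certs unless a third argument names another directory.

```shell
#!/bin/sh
# Added example (not from the original page): extract the three files racoon
# needs from a NetReg-issued PKCS#12 bundle, confirm the client key matches the
# client certificate, and keep the cleartext key private to the owner.
#
# Usage: P12_PASS='transport password' sh extract_vpn_certs.sh <bundle.p12> <machine-name> [outdir]
# Output names follow the page: ca.crt, <machine-name>.user.vpn.cmu.local.crt and .key

set -eu

# Return 0 when the public key inside CERT equals the public key derived from KEY.
verify_key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Extract CA certificate, client certificate and cleartext client key into OUTDIR.
extract_vpn_certs() {
    p12="$1"; name="$2"; outdir="${3:-/etc/racoon/certs}"
    [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS to the transport password" >&2; return 1; }
    export P12_PASS                      # openssl reads it via -passin env:P12_PASS
    mkdir -p "$outdir"
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin env:P12_PASS -out "$outdir/ca.crt"
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin env:P12_PASS -out "$outdir/$name.user.vpn.cmu.local.crt"
    # -nodes writes the key unencrypted directly (the page's .rsa -> .key two-step, collapsed);
    # the umask makes sure the file is never world-readable, even for an instant.
    umask 077
    openssl pkcs12 -nocerts -nodes -in "$p12" -passin env:P12_PASS -out "$outdir/$name.user.vpn.cmu.local.key"
    chmod 600 "$outdir/$name.user.vpn.cmu.local.key"
    verify_key_matches_cert "$outdir/$name.user.vpn.cmu.local.crt" "$outdir/$name.user.vpn.cmu.local.key" \
        || { echo "client key does not match client certificate" >&2; return 1; }
    echo "extracted ca.crt, $name.user.vpn.cmu.local.crt and .key into $outdir"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    extract_vpn_certs "$@"
fi
```

The key/certificate comparison is done on the SubjectPublicKeyInfo blocks rather than on RSA moduli, so it also works if a future certificate is issued on a non-RSA key.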
3. Configuring and operating racoon
Here is an example of a working /etc/racoon/racoon.conf file. Please be sure to substitute each occurrence of <machine-name> with your chosen machine name (in essence, make sure you refer to the appropriate certificate file names in
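The author's racoon.conf did not survive on this page. What follows is an added example written for this edit, not the author's file, using the racoon.conf directives of ipsec-tools 0.7. It assumes the machine name "mylaptop", certificates in /etc/racoon/certs with the names produced in section 2, the p1_up_down script in /etc/racoon/scripts, and a concentrator that authenticates by certificate alone (rsasig) while pushing the client address through ISAKMP mode config; the cipher suite in the proposal is likewise an assumption and must match what the server offers.

```conf
# Added example racoon.conf for a certificate-authenticated remote-access client
# (not the page author's file). Assumed: machine name "mylaptop", certificates
# under /etc/racoon/certs, p1_up_down under /etc/racoon/scripts, rsasig with
# mode config, aes/sha1/group 2 offered by the server.

path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

log notify;

remote server.vpn.cmu.edu {
        exchange_mode main;

        # both identities are the X.509 subject DNs of the certificates
        my_identifier asn1dn;
        peers_identifier asn1dn;

        certificate_type x509 "mylaptop.user.vpn.cmu.local.crt" "mylaptop.user.vpn.cmu.local.key";
        ca_type x509 "ca.crt";
        verify_cert on;          # reject the peer unless ca.crt signed its certificate

        mode_cfg on;             # accept the address/DNS/split-network pushed by the ASA
        ike_frag on;             # certificate payloads rarely fit in a single datagram
        nat_traversal on;
        dpd_delay 20;            # detect a dead peer instead of hanging silently

        # the phase-1 script installs the tunnel address and SPD entries
        script "p1_up_down" phase1_up;
        script "p1_up_down" phase1_down;

        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;   # xauth_rsa_client if the ASA also asks for a username/password
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Keeping `verify_cert on` is the setting that actually ties the tunnel to the CA certificate extracted in section 2; with it off, racoon would accept any certificate the peer presents.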
Once all this is done, start racoon as a daemon (via /etc/init.d/racoon start on Fedora, or via whatever service startup mechanism is supported by your distribution). Then, to bring up the VPN connection, type:
racoonctl vc server.vpn.cmu.edu
To stop the VPN connection, use:
racoonctl vd server.vpn.cmu.edu
L. Gabriel Somlo, Feb. 19, 2009. For questions or corrections, please contact somlo<at>cmu.edu