====== Racoon setup for roadwarriors ======

Information in this document mainly comes from a document written by Leonardo Ciociano.

Roadwarriors are clients that always connect to the network from a different and unknown IP address (e.g. a notebook on a trip, or a client behind a crappy ISP). This raises two problems:

  - The IP address is unknown, so it cannot be specified in the Racoon configuration or in the /etc/racoon/psk.txt file. Another way of identifying the client has to be found. PSK would require aggressive mode for phase 1, which is insecure, so the best solution is to use [[docs:ipsec:racoon_x509|X.509 Certificates]].
  - The SP cannot be defined in advance, because the destination IP address is unknown. Racoon has to create the SP and SA on the fly.

So, we need to make modifications to the racoon configuration file:

<code>
path certificate "/etc/certs";

remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    certificate_type x509 "my_certificate.pem" "my_private_key.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group modp4096;
    }
}

sainfo anonymous {
    pfs_group modp4096;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
</code>

The option 'generate_policy on' tells racoon to create an appropriate policy when a connection is initiated. The option 'passive on' makes racoon stay in passive mode and wait for new connections; racoon is not allowed to initiate a connection itself. The most important thing is to define an anonymous connection in the 'remote' and 'sainfo' blocks: this way, racoon accepts connections from anywhere.
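As an added example (not part of ipsec-tools or of this document's original content), the following Python script reads a racoon.conf fragment and checks the 'remote anonymous' block for the roadwarrior settings described above: main mode instead of aggressive mode, on-the-fly policy generation, passive mode, and certificate (rsasig) authentication instead of a pre-shared key. The parser is a minimal reader for the 'key value;' and nested '{ }' syntax shown on this page, not racoon's full grammar, and the sample configuration is constructed from the block above.

```python
import re

# Constructed sample: the roadwarrior block from this page (identifier lines omitted).
RACOON_CONF = """
remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    certificate_type x509 "my_certificate.pem" "my_private_key.pem";
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group modp4096;
    }
}
"""

def parse(text):
    """Minimal racoon.conf reader: 'key args;' -> list, 'name { }' -> nested dict."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    def block(pos):
        node, stmt = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == '{':                      # open a nested block, keyed by its header
                node[' '.join(stmt)], pos = block(pos)
                stmt = []
            elif tok == '}':                    # close the current block
                return node, pos
            elif tok == ';':                    # end of a statement: key -> argument list
                if stmt:
                    node[stmt[0]] = [t.strip('"') for t in stmt[1:]]
                stmt = []
            else:
                stmt.append(tok)
        return node, pos
    return block(0)[0]

def lint_roadwarrior(text):
    """Return a list of findings for the 'remote anonymous' block; empty means OK."""
    remote = parse(text).get('remote anonymous')
    if remote is None:
        return ['no "remote anonymous" block: peers with unknown addresses are rejected']
    expected = {
        'exchange_mode': (['main'], 'aggressive mode is insecure'),
        'generate_policy': (['on'], 'SP and SA must be created on the fly'),
        'passive': (['on'], 'racoon must not initiate roadwarrior connections'),
    }
    findings = [f'{key} must be {want[0]}: {why}' for key, (want, why) in expected.items()
                if remote.get(key) != want]
    if remote.get('certificate_type', [''])[0] != 'x509':
        findings.append('certificate_type x509 is missing')
    if remote.get('proposal', {}).get('authentication_method') != ['rsasig']:
        findings.append('authentication_method must be rsasig, not pre_shared_key')
    return findings
```

Running lint_roadwarrior(RACOON_CONF) on the page's configuration returns no findings; feeding it a block that uses aggressive mode with a pre-shared key lists each deviation.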