# Securing 802.11 with racoon

## stream

Hi,

I am searching for a howto to secure my wlan.

I found this great howto http://klake.org/~jt/tips/80211.html

but it is only for OpenBSD.

Does anyone have a good howto for Linux + racoon + x509?

Last edited by stream on Wed Jun 16, 2004 7:54 pm; edited 1 time in total

----------

## jmk

If it is setting up IPsec you are after, then have a look at http://www.ipsec-howto.org/. I have never set up IPsec on Linux myself, so I can't help you on that matter.

If you aren't too bothered about encrypting the IP traffic, you may just want to secure your wlan with WEP and MAC filtering on the AP. It's not secure, but it keeps off the casual wardriver. :Wink:

----------

## jmk

Sorry, didn't read your post properly. :Embarassed:

 *Quote:*   

> have someone a good howto for linux + racoon + x509?

 I have to say no to that.

----------

## stream

ok

server IP 192.168.1.1

client IP 192.168.1.5

The config for the server:

```
path certificate "/etc/certs";

remote anonymous {
        exchange_mode main;
        generate_policy on;
        passive on;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
```

The config for the client:

```
path certificate "/etc/certs";

remote 192.168.1.1 {
        exchange_mode main;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo address ???/24 any address ???/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
```

Is a setkey config necessary?
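As an added example, not from any post in this thread: the same server/client pair rewritten the way I would deploy it. It tightens the algorithm choices (AES and SHA-1 instead of 3DES/MD5, a larger Diffie-Hellman group), keeps every value that both racoon instances compare identical on both ends (the client above proposes pfs_group modp768 against the server's modp1024, which is the first thing to align), and adds the initiator-side setkey policy that answers the setkey question: the initiator needs SPD entries, because the first packet matching an outbound "require" policy is what makes the kernel ask racoon to negotiate, while the responder with generate_policy on builds its own entries from the accepted proposal. The certificate file names, the /32 selectors and transport mode between the two hosts are assumptions for this example.

```conf
# --- racoon.conf on the server (responder), 192.168.1.1 ---
path certificate "/etc/certs";         # holds server.pem, server.key and the CA cert (assumed names)

remote anonymous {
        exchange_mode main;            # identities travel encrypted, unlike aggressive mode
        passive on;                    # only ever act as responder
        generate_policy on;            # responder derives its SPD entries from the accepted proposal
        certificate_type x509 "server.pem" "server.key";
        verify_cert on;                # validate the client cert against the CA in the path (racoon default, stated explicitly)
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;
        }
}

sainfo anonymous {
        pfs_group modp1536;            # same value on both ends
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# --- racoon.conf on the client (initiator), 192.168.1.5 ---
path certificate "/etc/certs";

remote 192.168.1.1 {
        exchange_mode main;
        certificate_type x509 "client.pem" "client.key";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {                     # must match the server's phase 1 proposal
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;
        }
}

sainfo address 192.168.1.5/32 any address 192.168.1.1/32 any {
        pfs_group modp1536;            # same as the server's sainfo
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# --- setkey policy on the client (assumed path /etc/ipsec.conf, loaded with `setkey -f`) ---
# Transport mode between the two hosts; everything between them must be ESP.
flush;
spdflush;
spdadd 192.168.1.5 192.168.1.1 any -P out ipsec esp/transport//require;
spdadd 192.168.1.1 192.168.1.5 any -P in  ipsec esp/transport//require;
```

The phase 1 proposal blocks should be copied verbatim between the two files rather than written twice, since racoon matches them against each other; the same goes for pfs_group in the two sainfo blocks. Whether "aes" and "modp1536" are accepted depends on the ipsec-tools build, so check `racoon -C` (config test) on both hosts before relying on them.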

----------

## stream

Can nobody help me?   :Crying or Very sad: 

----------

## stream

^^

----------

## stream

...

----------

## stream

 :Question: 

----------

## primero.gentoo

Ok, :Twisted Evil: :Rolling Eyes: :Wink: :Crying or Very sad: :Arrow: :Idea: :Idea: :Question: :Exclamation:

Since you seem to like emoticons.

First of all, I really don't think that my conf is "SECURE", but maybe it is something near it.

To document myself I've used the links above in the thread and also

lartc

and the ipsec-tools mailing list on SourceForge. There is not much more documentation on the net about ipsec-tools and Linux.... Ah, and the RFCs obviously, which are included in your ipsec-tools tar.gz.

 *Quote:*   

> Is a setkey config necessary?

Sure.

The setkey configuration is used to set the policy of IPsec. I've seen you used the generate_policy option in the racoon server configuration; I never used it, so I don't know if it can replace the setkey configuration.

I use this solution to get IPsec on my 802.11 wlan:

setkey ipsec.conf:

```
#Sec policies
# laptop -> anywhere: must go through the ESP tunnel laptop -> gateway
spdadd 192.168.100.2 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.100.2-192.168.100.1/require;
# anywhere -> laptop: must arrive through the ESP tunnel gateway -> laptop
spdadd 0.0.0.0/0 192.168.100.2 any -P in ipsec esp/tunnel/192.168.100.1-192.168.100.2/require;
```

IP 192.168.100.2 is the IP address of my wireless laptop. Here we say: everything from 192.168.100.2 to anywhere requires ESP encryption through the tunnel between (LAPTOP) 192.168.100.2 and (GW INTERFACE TO AP) 192.168.100.1, and vice versa.

The same ipsec.conf on the VPN GW, but with "in" and "out" reversed.

Then the racoon.conf on the client (laptop):

```
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote 192.168.100.1
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "Zapata.public" "Zapata.private";
        peers_certfile "Shadow.public";
        #nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        #support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 1 hour;
        encryption_algorithm twofish 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The first set of configuration is about Phase 1 = authentication of both peers. You have to switch the certificate options to match the local and remote certificate. Obviously you need in your cert path both your public and private key and also the public key of the other host.

The second one is about IPsec Phase 2 = session key creation.

I've not gone too much in depth with ipsec-tools, since I reached what I needed and had other things to do, so my suggestion is to document yourself as much as you can... I don't know about a "sainfo" section that is not ANONYMOUS... This way you get an authentication section for each of your clients based on an x509 certificate and a shared Phase 2 section for all of them.

Hope to have helped you  :Smile: 

bye

----------

## stream

thanks

can you post your racoon.conf from the server?   :Wink: 

----------

## primero.gentoo

Yep  :Smile: 

I'm not able to get to the server right now, but on it the conf is almost the same as the client one, except for the IP address in the "remote" section and for the certificates section, which needs to be inverted, putting the server certs in "certificate_type" and the client public certificate in "peers_certfile".

Try it out.

Cheers  :Wink: 

----------

## stream

ok...

Server and client racoon start, but I have a problem with the certificate.

I used this howto http://www.ipsec-howto.org/x507.html

But it does not work.

client log:

```
phase1 negotiation failed, failed to get private key
```

I found this post http://www.kame.net/racoon/racoon-ml/msg00475.html

```
openssl rsa -in rechts.key -out rechts.decrypted.key
```

But then the server log:

```
unable to get local issuer certificate.
```
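The two errors in the post above are both OpenSSL, not IKE, failures, and they can be reproduced and checked outside racoon. "failed to get private key" is what you get when the key file in certificate_type is passphrase-protected: racoon loads it with no passphrase available, so the key must be stored unencrypted (the `openssl rsa` step from the kame post). "unable to get local issuer certificate" is OpenSSL's CApath lookup failing: racoon hands the `path certificate` directory to OpenSSL as a CApath, and a CApath is searched by the subject-hash file name (`<hash>.0`), so a CA certificate that merely sits in the directory as ca.pem is never found. The script below is an added example, not something from this thread or from ipsec-tools: it builds a throwaway CA, issues an unencrypted key and certificate for a peer, installs the hash link, and runs the same chain verification racoon would. It assumes the openssl CLI is on PATH; the file names, the subjects and the CERTDIR variable standing in for /etc/certs are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): openssl workflow producing the files
# racoon's x509 authentication needs, and reproducing both errors quoted above.
# Assumed: openssl CLI on PATH; names ca.pem, <peer>.pem, <peer>.key and
# $CERTDIR are illustrative stand-ins for racoon's `path certificate` directory.
set -eu

CERTDIR="${CERTDIR:-$(mktemp -d)}"
SUBJ_BASE="/C=XX/O=Example WLAN"        # constructed sample subject

# 1. Self-signed CA. -nodes leaves the key unencrypted (no passphrase).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$SUBJ_BASE/CN=Example WLAN CA" \
        -keyout "$CERTDIR/ca.key" -out "$CERTDIR/ca.pem" 2>/dev/null
}

# 2. Key + certificate for one peer, signed by the CA. $1 = file stem, $2 = CN.
#    The key is written unencrypted, which is what racoon can load.
make_peer() {
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=$2" \
        -keyout "$CERTDIR/$1.key" -out "$CERTDIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$CERTDIR/$1.csr" \
        -CA "$CERTDIR/ca.pem" -CAkey "$CERTDIR/ca.key" -CAcreateserial \
        -out "$CERTDIR/$1.pem" 2>/dev/null
}

# 3. CApath lookup is by subject hash, so link ca.pem under "<hash>.0".
#    Without this link the chain check fails with
#    "unable to get local issuer certificate". Note: the hash algorithm
#    changed in OpenSSL 1.0.0, so create the link with the openssl that
#    racoon is linked against.
install_ca_hash() {
    h=$(openssl x509 -noout -hash -in "$CERTDIR/ca.pem")
    ln -sf ca.pem "$CERTDIR/$h.0"
}

# The same check OpenSSL performs inside racoon: does the peer cert chain to
# a CA reachable through the CApath directory? Exit status is the answer.
verify_chain() {
    openssl verify -CApath "$CERTDIR" "$CERTDIR/$1.pem" >/dev/null 2>&1
}

# "failed to get private key": an encrypted PEM must be decrypted first.
# $1 = encrypted key, $2 = output path, $3 = passphrase (non-interactive).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }
strip_passphrase() { openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null; }

# Sanity check that the cert and key named in certificate_type belong
# together: the RSA modulus must be identical in both files.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$CERTDIR/$1.pem")" = \
      "$(openssl rsa -noout -modulus -in "$CERTDIR/$1.key" 2>/dev/null)" ]
}

main() {
    make_ca
    make_peer gateway "192.168.1.1"
    make_peer laptop  "laptop.example"
    if verify_chain laptop; then
        echo "verify passed before the hash link was installed (unexpected)"
    else
        echo "before install_ca_hash: $(openssl verify -CApath "$CERTDIR" "$CERTDIR/laptop.pem" 2>&1 | tail -n 1)"
    fi
    install_ca_hash
    verify_chain laptop && echo "laptop.pem chains to ca.pem via $CERTDIR"
    key_matches_cert laptop && echo "laptop.key matches laptop.pem"
}
main
```

The files that end up in `$CERTDIR` map onto the racoon options used in this thread: `certificate_type x509 "laptop.pem" "laptop.key"` on the client, the same with the gateway pair on the server, and the CA certificate plus its `<hash>.0` link in the `path certificate` directory on both. Keep the CA key off both hosts; only the CA certificate is needed for verification.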

----------

