
We are testing a VPN server for DR. We have a Rackspace cloud instance, with a pure IPsec VPN server running in racoon, serving "road warrior" clients. We have some NAT going on on the server to route externally:

-A POSTROUTING -s 172.31.31.0/24 -o eth0 -j SNAT --to-source w.x.y.z

It works very well, with Windows, Apple iOS and Android clients connecting perfectly.

What we want to do is set the server to host a few web pages on the VPN only, i.e. for the server to have an IP on the VPN. We could do this using vpnc, to connect to the public IP, but that seems like overkill.

Is there a way we can do this using racoon, or a loopback interface perhaps?

Our (test) racoon conf:

path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        ph1id 1;
        exchange_mode aggressive,main;
        my_identifier user_fqdn "redacted";
        peers_identifier keyid tag "blah";
        dpd_delay 20;
        ike_frag on;
        nat_traversal on;
        passive on;
        initial_contact off;
        generate_policy unique;
        proposal_check claim;
        lifetime time 24 hour;
        mode_cfg on;
        verify_cert off;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                #hash_algorithm md5;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
}

sainfo anonymous {
        remoteid 1;
        lifetime time 12 hour;
        encryption_algorithm aes,3des,blowfish;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}

mode_cfg {
        network4 172.31.31.1;
        pool_size 100;
        netmask4 255.255.255.0;
        dns4 8.8.8.8;
        auth_source pam;
        save_passwd on;
}
simon
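Not an answer to the question and not the poster's code: an added Python example that parses a racoon.conf of the shape posted above and flags the weaker options it offers (aggressive mode, 3DES/Blowfish, MD5, DH group 2), which is worth checking on a DR server that accepts road-warrior clients. The sample config is a constructed excerpt of the one in the question; the weak-algorithm sets are the example's own assumptions.

```python
# Constructed sample: the algorithm-relevant parts of the racoon.conf posted above.
SAMPLE_CONF = """remote anonymous {
        exchange_mode aggressive,main;
        proposal {
                encryption_algorithm aes;
                #hash_algorithm md5;
                dh_group 2;
        }
}
sainfo anonymous {
        encryption_algorithm aes,3des,blowfish;
        authentication_algorithm hmac_sha1,hmac_md5;
}
"""

WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}  # legacy / 64-bit block ciphers
WEAK_HASHES = {"md5", "hmac_md5"}                        # collision-broken
WEAK_DH = {"1", "2"}                                     # 768- / 1024-bit MODP groups

def parse_directives(text):
    """Return (section_path, key, [values]) per directive; '#' comments are dropped."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if line.endswith("{"):                # block start, e.g. 'remote anonymous {'
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):              # 'key value[,value...];'
            key, _, rest = line[:-1].partition(" ")
            vals = [v.strip() for v in rest.split(",") if v.strip()]
            out.append(("/".join(stack), key, vals))
    return out

def audit(text):
    """List weak settings. Algorithm lists are any-match: a peer may pick the weakest offered."""
    findings = []
    for path, key, vals in parse_directives(text):
        if key == "exchange_mode" and "aggressive" in vals:
            findings.append(f"{path}: aggressive mode offered (PSK identity hash sent unprotected)")
        elif key == "encryption_algorithm":
            findings += [f"{path}: weak cipher {v}" for v in vals if v in WEAK_CIPHERS]
        elif key in ("hash_algorithm", "authentication_algorithm"):
            findings += [f"{path}: weak hash {v}" for v in vals if v in WEAK_HASHES]
        elif key == "dh_group" and vals and vals[0] in WEAK_DH:
            findings.append(f"{path}: weak DH group {vals[0]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no weak settings found")
```

Run it against the real /etc/racoon/racoon.conf by passing the file's contents to audit(); the commented-out md5 line in the sample shows that '#' lines are ignored rather than flagged.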