Netgate Discussion Forum

    Racoon PAM + google authenticator

    IPsec
      basse

      Hello.

      It's quite easy, I want to use the google 2 factor authentication with IPSEC/VPN.
      I have successfully compiled and used 1 line password+code auth with PAM for SSH on pfsense.

      I found that you could configure racoon to use PAM by setting:
      mode_cfg {
          auth_source pam;
      ..
      ..
      }

      This should then in theory go look for /etc/pam.d/racoon, and I would there be able to configure as I did with SSH, I hope.

      The only smaaall problem is:

      racoon: ERROR: /var/etc/racoon.conf:17: "pam" racoon not configured with --with-libpam

      So, what to do?
      1. Is what I'm trying to do even possible?
      2. If so, do I need to build racoon myself, or is there some kind of package available to install?
      3. Is there a better way to do the one-line-password+code google authenticator auth over IPSEC/VPN? Radius or something like that?

      Thanks!
      /Basse

        basse

        Well, I did it (at least I think so :P).

        1. Recompiled ipsec-tools with PAM support
        2. Copied racoon & racoonctl from my compile-vm to the PFSense VM.
        3. Created /etc/pam.d/racoon
        4. Changed auth_source to pam

        And now it works, when I connect I provide my password as:
        xauthpassword + googlecode, e.g. "supersecretpassword123456", and it's great success!

        Only problem is, I'm waay too bad at FreeBSD/compiling stuff to use this racoon-build live :/ No idea what I missed and how many security-holes I have opened up.

        EDIT: Is it possible to get the PFSense-team to build the release with ipsec-tools configured with PAM?

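What the one-line "password + code" login described in the post above amounts to on the verifying side, as an added Python example that is not part of the original thread and is not the code of racoon or of the Google Authenticator PAM module. It assumes 6-digit codes with a 30-second step; the user record layout, the function names and the sample account are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, struct, time

STEP, DIGITS = 30, 6  # assumed defaults: 30 s time step, 6-digit codes

def totp(secret_b32, at):
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def split_combined(combined):
    """Split the single XAuth field into (password, code); None if malformed."""
    if len(combined) <= DIGITS:
        return None
    password, code = combined[:-DIGITS], combined[-DIGITS:]
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(combined, user, now=None, window=1):
    """Check password and code together; reject codes from an already used step."""
    now = time.time() if now is None else now
    parts = split_combined(combined)
    if parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current, matched = int(now) // STEP, None
    for step in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(totp(user["secret_b32"], step * STEP), code):
            matched = step
    if not pw_ok or matched is None or matched <= user["last_step"]:
        return False  # one generic failure, no hint about which factor was wrong
    user["last_step"] = matched  # replay protection: a used step cannot be reused
    return True

def make_user():
    """Constructed account: RFC 6238 test secret, hypothetical record layout."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password("supersecretpassword", salt),
            "secret_b32": base64.b32encode(b"12345678901234567890").decode(),
            "last_step": -1}
```

The `window` parameter trades clock-skew tolerance against how long a captured code stays valid, and the `last_step` check is what stops a password+code string seen once from being replayed inside that window.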
          kapara

          this is great!!!

          I hope this gets included as an option for ipsec clients!

          Skype ID:  Marinhd

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.