Racoon PAM + google authenticator

  • Hello.

    It's quite easy, I wan't to use the google 2 factor authentication with IPSEC/VPN.
    I have sucessfully compiled and used 1 line password+code auth with PAM for SSH on pfsense.

    I found that you could configure racoon to use PAM by setting:
    mode_cfg {
        auth_source pam;

    This should then in theory go look for /etc/pam.d/racoon, and I would there be able to configure as I did with SSH, I hope.

    The only smaaall problem is:

    racoon: ERROR: /var/etc/racoon.conf:17: "pam" racoon not configured with –with-libpam

    So, what to do?
    1. Is what I'm trying to do even possible?
    2. If so, do I need to build racoon myself, or is there some kind of package available to install?
    3. Is there a better way to do the one-line-password+code google  authenticator auth over IPSEC/VPN? Radius or something like that?


  • Well, I did it (at least I think so :P).

    1. Recompiled ipsec-tools with PAM support
    2. Copied racoon & racoonctl from my compile-vm to the PFSense VM.
    3. created  /etd/pam.d/racoon
    4. changed auth_source to pam

    And now it works, when I connect i provide my password as:
    xauthpassword + googlecode, e.g  "supersecretpassword123456", and its great success!

    Only problem is, I'm waay to bad at freebsd/compiling stuff to use this racoon-build live :/ No idea what I missed and how many security-holes I have opened up.

    EDIT: Is it possible to get the PFSense-team to build the release with ipsec-tools configured with PAM?

  • this is great!!!

    I hope this gets included as an option for ipsec clients!

Log in to reply