If you are not using one of the Pre-Shared Key authentication modes, RSA
credentials will need to be generated for the VPN gateway and possibly the
Client as well. The only RSA authentication method that does not require Client
credentials to operate is the Hybrid Authentication Method.
To generate RSA credentials, use the openssl command line tool to create a
certificate authority, a private key and a signed certificate. Although the
detailed use of the openssl tool is beyond the scope of this document, here is an
example of how RSA server credentials might be created:
# working directories expected by "openssl ca" (demoCA is its default layout)
mkdir certs
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo "00" > demoCA/serial
# private keys are written with umask 077 so they are readable only by the owner
umask 077
openssl genrsa > certs/ca.key
openssl genrsa > certs/vpngw.key
umask 022
# self-signed CA certificate (valid 5 years) and the gateway certificate request
openssl req -days 1825 -x509 -new -key certs/ca.key > certs/ca.crt
openssl req -new -key certs/vpngw.key > certs/vpngw.csr
# sign the request with the CA; note that the default "openssl ca" policy
# requires the request's C, ST and O fields to match the CA certificate
openssl ca -in certs/vpngw.csr -keyfile certs/ca.key \
    -cert certs/ca.crt -out certs/vpngw.crt
After the server credentials have been created, you will need to move the server
certificate (vpngw.crt) and private key (vpngw.key) files to the certificate path
specified in your racoon configuration file. The certificate authority's public
certificate (ca.crt) should be given to each user that will be connecting to the
gateway. Only the CA certificate is distributed; the CA private key (ca.key) stays
on the signing host and is never copied to the gateway or to clients.
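The same procedure as a non-interactive script, added here as an example and not part of the original document or the racoon/openssl projects. It swaps the "openssl ca" database for "openssl x509 -req" with an explicit extensions file (so it runs in any directory without a demoCA layout), marks the gateway certificate as a non-CA end-entity certificate, and adds a verification step that checks the chain, the key/certificate match and the key file permissions before anything is copied into the racoon certificate path. The subject names, the DNS name and the directory argument are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a small CA, sign a VPN gateway certificate and verify
# the result. Not the original document's commands; uses "openssl x509 -req"
# with an extensions file instead of "openssl ca". Names below are placeholders.
set -e

# make_vpn_credentials DIR : writes DIR/ca.key, DIR/ca.crt, DIR/vpngw.key, DIR/vpngw.crt
make_vpn_credentials() {
    dir="$1"
    mkdir -p "$dir"

    # Private keys are created under umask 077 so they are never group/world readable.
    umask 077
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/vpngw.key" 2048 2>/dev/null
    umask 022

    # Self-signed CA certificate, 5 years as in the text above (-batch: no prompts).
    openssl req -batch -x509 -new -days 1825 -key "$dir/ca.key" \
        -subj "/CN=Example VPN CA" -out "$dir/ca.crt"

    # Certificate request for the gateway.
    openssl req -batch -new -key "$dir/vpngw.key" \
        -subj "/CN=vpngw.example.net" -out "$dir/vpngw.csr"

    # End-entity extensions: CA:FALSE stops the gateway key from being used to
    # sign further certificates; the SAN carries the gateway's DNS identity.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' \
        'subjectAltName = DNS:vpngw.example.net' > "$dir/vpngw.ext"

    # Sign the request with the CA key (serial file is created on first use).
    openssl x509 -req -days 1825 -in "$dir/vpngw.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/vpngw.ext" -out "$dir/vpngw.crt" 2>/dev/null
}

# verify_credentials DIR : returns 0 only if the gateway certificate chains to
# the CA, its public key matches the private key, and the key is owner-only.
verify_credentials() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/vpngw.crt" >/dev/null 2>&1 || return 1

    # The SPKI extracted from the certificate must equal the one derived from the key.
    certpub=$(openssl x509 -in "$dir/vpngw.crt" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/vpngw.key" -pubout)
    [ "$certpub" = "$keypub" ] || return 1

    # Octal mode of the key file (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c %a "$dir/vpngw.key" 2>/dev/null || stat -f %Lp "$dir/vpngw.key")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh make_vpn_creds.sh /path/to/racoon/certs   (placeholder path)
if [ -n "$1" ]; then
    make_vpn_credentials "$1" && verify_credentials "$1" && echo "credentials OK in $1"
fi
```

After a successful run, vpngw.crt and vpngw.key go into the certificate path named in the racoon configuration and ca.crt is handed to the users; ca.key never leaves the signing host.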