The server will allow Windows/XP clients with a dynamic IP address (the so-called road warriors) to establish a VPN with the SISO router.
The IPsec authentication uses X.509 computer (machine) certificates, so that each end can verify the other's identity before any keys are agreed. Both the server's and the client's certificate need to be signed by the same Certificate Authority (CA). Any client presenting a certificate that chains to that CA and is not on the CA's revocation list will pass the IPsec authentication, so keep the CA key off the router and revoke the certificates of lost or retired machines through the CRL.
Generate an X.509 CA and a certificate for SISO as described in Section 6.1, “Certificates”. Then copy the certificate, its unencrypted key (racoon cannot prompt for a passphrase at boot), the CA certificate and the CRL to the rootfs, and create the hash-named links (the 8-hex-digit subject name hash printed by openssl x509 -hash) so that OpenSSL, and therefore racoon, can look up the CA certificate and the CRL by issuer. Compute the hash with the same OpenSSL release the target uses: the hashing algorithm changed in OpenSSL 1.0.0, so links created with one release are not found by the other.
mkdir -p $ROOTFS_DIR/etc/sysconfig/racoon
pushd $ROOTFS_DIR/etc/sysconfig/racoon/
SSL_DIR=$PRJ_DIR/openssl
install -m 600 $SSL_DIR/certs/siso.vonk-cert.pem .
install -m 600 $SSL_DIR/certs/siso.vonk-key.pem .    # unencrypted private key
install -m 600 $SSL_DIR/ca/CAcert.pem .
install -m 600 $SSL_DIR/ca/CRL.pem .
HASH=`openssl x509 -noout -hash -in CAcert.pem`      # subject name hash of the CA
ln -s CAcert.pem $HASH.0     # CA certificate lookup
ln -s CRL.pem $HASH.r0       # CRL lookup
popd
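The same installation as a function, together with the checks worth running before the router is booted, as an added example that is not code from the original page: a private key that does not belong to the certificate, an encrypted key, a certificate that does not chain to the CA or is revoked, and a missing hash link all surface here instead of as an IKE failure on the wire. File names and the directory layout under SSL_DIR follow the page; the function and variable names are this example's own.

```shell
# install_racoon_certs SSL_DIR RACOON_DIR
# Copy certificate, key, CA certificate and CRL into RACOON_DIR, then create
# the hash-named links through which OpenSSL looks the CA and CRL up.
install_racoon_certs() {
    ssl_dir=$1; dst=$2
    mkdir -p "$dst"
    install -m 600 "$ssl_dir/certs/siso.vonk-cert.pem" "$dst/"
    install -m 600 "$ssl_dir/certs/siso.vonk-key.pem" "$dst/"
    install -m 600 "$ssl_dir/ca/CAcert.pem" "$dst/"
    install -m 600 "$ssl_dir/ca/CRL.pem" "$dst/"
    hash=$(openssl x509 -noout -hash -in "$dst/CAcert.pem")
    ln -sf CAcert.pem "$dst/$hash.0"
    ln -sf CRL.pem "$dst/$hash.r0"
}

# check_racoon_certs RACOON_DIR
# Returns 0 only when the installed material is consistent.
check_racoon_certs() {
    dst=$1
    # 1. racoon cannot ask for a passphrase, so the key must be unencrypted
    #    (matches both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY")
    if grep -q ENCRYPTED "$dst/siso.vonk-key.pem"; then
        echo "private key is encrypted" >&2; return 1
    fi
    # 2. the key must belong to the certificate (same RSA modulus)
    cert_mod=$(openssl x509 -noout -modulus -in "$dst/siso.vonk-cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dst/siso.vonk-key.pem" 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    # 3. the certificate must chain to the CA and must not be revoked;
    #    this also fails once the CRL's nextUpdate has passed
    if ! openssl verify -crl_check -CAfile "$dst/CAcert.pem" \
            -CRLfile "$dst/CRL.pem" "$dst/siso.vonk-cert.pem" >/dev/null 2>&1; then
        echo "certificate does not verify against CA/CRL" >&2; return 1
    fi
    # 4. the hash links must exist and resolve; compute the hash with the
    #    OpenSSL release the target uses (the hash changed in 1.0.0)
    hash=$(openssl x509 -noout -hash -in "$dst/CAcert.pem")
    if [ ! -r "$dst/$hash.0" ] || [ ! -r "$dst/$hash.r0" ]; then
        echo "hash links for CA/CRL missing in $dst" >&2; return 1
    fi
    return 0
}

# Usage with the page's variables:
#   install_racoon_certs "$PRJ_DIR/openssl" "$ROOTFS_DIR/etc/sysconfig/racoon"
#   check_racoon_certs "$ROOTFS_DIR/etc/sysconfig/racoon"
```

The CRL check is the one that ages: a CRL carries a nextUpdate field, and once it has passed every verification against that CRL fails, so reissuing the CRL before that date and reinstalling it is part of operating the router, not a one-off step.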
The IPsec Internet Key Exchange (IKE) daemon authenticates the peer, negotiates the security associations, derives fresh session keys (through a Diffie-Hellman exchange, rather than by sending keys across) and, for clients with dynamic IP addresses whose policy cannot be configured in advance, generates the policy at connection time. ipsec-tools contains the KAME "racoon" IKE daemon implementation. For installation instructions refer to Section 4.7, “IP Security (IPsec)”. An example configuration file for racoon can be found in Example E.3, “/etc/sysconfig/racoon.conf”. Racoon generates the policies required from the client's phase 2 proposal (the generate_policy directive), so no per-client SPD entries need to be loaded with setkey.
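The IKE side of this setup, as an added example that is not the page's Example E.3: a shell function that writes a racoon.conf for certificate-authenticated road warriors into the rootfs, and a check that the file does not weaken the authentication and that every file it refers to is actually in place under the rootfs. Paths and file names follow the page; the algorithm choices match what a Windows/XP client proposes by default and are, like the function names, this example's own assumptions.

```shell
# write_racoon_conf ROOTFS_DIR
# Writes /etc/sysconfig/racoon.conf into the rootfs.
write_racoon_conf() {
    rootfs=$1
    mkdir -p "$rootfs/etc/sysconfig"
    cat > "$rootfs/etc/sysconfig/racoon.conf" <<'EOF'
# racoon.conf for certificate-authenticated road warriors (added example)
path certificate "/etc/sysconfig/racoon";

# The clients have no fixed address, so one anonymous block serves them all.
remote anonymous {
    exchange_mode main;
    passive on;            # only respond; never initiate to an unknown peer
    generate_policy on;    # create the SPD entries from the client's proposal
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "siso.vonk-cert.pem" "siso.vonk-key.pem";
    verify_cert on;        # the peer's chain must end at the CA in "path certificate"
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;     # the Windows/XP client's default offer
        hash_algorithm sha1;
        authentication_method rsasig;  # certificates, not a preshared secret
        dh_group modp1024;
    }
}

# Phase 2: ESP for the L2TP traffic (the client asks for transport mode)
sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# check_racoon_conf ROOTFS_DIR
# Rejects a config that weakens IKE authentication, and a rootfs in which a
# file the config names is not present.
check_racoon_conf() {
    rootfs=$1
    conf=$rootfs/etc/sysconfig/racoon.conf
    if grep -q 'verify_cert[[:space:]]*off' "$conf"; then
        echo "verify_cert off: any certificate would be accepted" >&2; return 1
    fi
    if grep -q 'pre_shared_key' "$conf"; then
        echo "pre_shared_key: road warriors must use rsasig" >&2; return 1
    fi
    dir=$(sed -n 's/^path certificate "\(.*\)";.*/\1/p' "$conf")
    [ -n "$dir" ] || { echo "no 'path certificate' line" >&2; return 1; }
    # the certificate and key named by certificate_type, relative to that path
    set -- $(sed -n 's/^[[:space:]]*certificate_type x509 "\([^"]*\)" "\([^"]*\)";.*/\1 \2/p' "$conf")
    for f in "$1" "$2"; do
        [ -n "$f" ] && [ -r "$rootfs$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # the CA certificate and CRL are found through their hash links
    set -- "$rootfs$dir"/*.0
    [ -e "$1" ] || { echo "no CA hash link ($dir/<hash>.0)" >&2; return 1; }
    set -- "$rootfs$dir"/*.r0
    [ -e "$1" ] || { echo "no CRL hash link ($dir/<hash>.r0)" >&2; return 1; }
    return 0
}
```

With passive on, racoon never tries to reach a client itself, and generate_policy on is what lets it serve peers whose addresses are not known when the SPD is loaded; verify_cert on is the default, but it is spelled out because turning it off would make any certificate, signed by anyone, acceptable.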
All that is needed for most clients is pure IPsec. The built-in Windows/XP VPN client, however, only does L2TP over IPsec. Once the IPsec transport security is established, L2TP negotiates the tunnel and PPP inside it negotiates compression and the user authentication method, and performs access control based on the user identity.
L2TP carries the original packets in PPP frames (compressed when both ends support it) and encapsulates those in UDP datagrams to port 1701. Because those datagrams are ordinary IP traffic between the two hosts, the IPsec transport-mode SA that IKE negotiated protects them, and that is the only protection the tunnel gets: L2TP itself does not encrypt, and l2tpd will just as happily accept a plain UDP/1701 connection if nothing forces that traffic through IPsec. Make sure the IPsec policy (or the packet filter) requires ESP for UDP port 1701.
l2tpd contains one of the first open source implementations of the L2TP daemon. For installation instructions refer to Section 4.8, “Layer 2 Tunneling Protocol (L2TP)”. An example of the L2TP configuration file can be found at Example E.4, “/etc/sysconfig/l2tpd.conf”. For documentation refer to the end of file
PPP is only needed when supporting VPNs from Windows/XP clients. It adds a second layer of authentication: IPsec has verified the client machine by its certificate, PPP now verifies the user. When an L2TP session is established, l2tpd starts the PPP daemon with a dedicated options file. An example of this file can be found at Example E.5, “/etc/sysconfig/ppp/options.l2tp”.
pppd contains an implementation of the PPP daemon. For installation instructions for pppd refer to Section 4.9, “Point-to-Point Protocol (PPP)”.
PPP takes care of the user authentication, based on the usernames and passwords specified in the chap-secrets file. An example of this file can be found at Example E.6, “/etc/sysconfig/ppp/chap-secrets”. The secrets are stored in clear text, so remember to limit access to this file to its owner (chmod 600 chap-secrets).
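The L2TP and PPP side of the procedure above, as an added example that is not the page's Examples E.4 to E.6: a shell function that writes l2tpd.conf, the pppd options file and a chap-secrets file into the rootfs with the authentication settings pinned down (no PAP, the peer must use MS-CHAPv2), and a check that the secrets file really is readable by its owner only. Paths follow the page; the addresses, the server name "siso" and the sample account are constructed for illustration.

```shell
# write_l2tp_ppp_conf ROOTFS_DIR
write_l2tp_ppp_conf() {
    rootfs=$1
    mkdir -p "$rootfs/etc/sysconfig/ppp"

    # l2tpd: one LNS that only accepts authenticated sessions (CHAP family, no PAP).
    # Addresses and the server name are assumptions.
    cat > "$rootfs/etc/sysconfig/l2tpd.conf" <<'EOF'
[global]
listen-addr = 192.168.1.1

[lns default]
ip range = 192.168.1.200-192.168.1.220
local ip = 192.168.1.1
require authentication = yes
require chap = yes
refuse pap = yes
name = siso
pppoptfile = /etc/sysconfig/ppp/options.l2tp
length bit = yes
EOF

    # pppd options handed to every L2TP session by l2tpd.
    # MPPE is deliberately not required: the IPsec SA already encrypts the tunnel.
    cat > "$rootfs/etc/sysconfig/ppp/options.l2tp" <<'EOF'
# server name: the "server" column of chap-secrets is matched against it
name siso
# the client must authenticate, and only MS-CHAPv2 is offered to it
auth
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
nodefaultroute
proxyarp
mtu 1410
mru 1410
idle 1800
EOF

    # chap-secrets: client  server  secret  allowed-IP (constructed sample account)
    cat > "$rootfs/etc/sysconfig/ppp/chap-secrets" <<'EOF'
# client   server   secret        IP addresses
alice      siso     "change-me"   *
EOF
    chmod 600 "$rootfs/etc/sysconfig/ppp/chap-secrets"
}

# check_chap_secrets ROOTFS_DIR
# The secrets are stored in clear text; succeed only when nobody but the
# owner can read the file (mode exactly 0600).
check_chap_secrets() {
    f=$1/etc/sysconfig/ppp/chap-secrets
    [ -f "$f" ] && [ -n "$(find "$f" -maxdepth 0 -perm 0600 2>/dev/null)" ]
}
```

The "server" column in chap-secrets has to equal the name pppd runs under (name siso in the options file), otherwise no entry matches and every login fails; the allowed-IP column is left at "*" here because the addresses are handed out from the ip range in l2tpd.conf.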
Windows/XP tries to negotiate PPP compression with Microsoft Point-to-Point Compression (MPPC), an algorithm covered by a patent held by HiFn, which is why it is not part of the mainline kernel. If you reside in a country that does not recognize software patents, you can enable MPPC using the following patch (it adds MPPE encryption as well, which is not needed here because the IPsec SA already encrypts the L2TP traffic). Keep in mind that compression happens before the IPsec encryption, so the size of each encrypted packet then depends on how compressible its plaintext was.
wget -P $DL_DIR http://mppe-mppc.alphacron.de/linux-2.6.11-mppe-mppc-1.3.patch.gz
cd $LINUX_DIR
zcat $DL_DIR/linux-2.6.11-mppe-mppc-1.3.patch.gz | patch -p1
Run make xconfig to ensure that CONFIG_PPP_MPPE_MPPC is set, then recompile the kernel as described in Section 3.1, “Kernel - linux”.