6.2. Server Configuration

The server will allow Windows/XP clients with a dynamic IP address (the so-called road warriors) to establish a VPN with the SISO router.

6.2.1. Import Certificates

This authentication process uses X.509 computer (machine) certificates to verify that the server and the client trust each other. Both the server's and the client's certificate need to be signed by the same Certificate Authority (CA): each side verifies the peer's certificate against that CA's certificate, and the CA's revocation list (CRL) lets the server refuse a client certificate that has since been revoked.

Generate the X.509 CA and a certificate for SISO as described in Section 6.1, “Certificates”. Then copy the certificate and its unencrypted private key to the rootfs (racoon cannot prompt for a passphrase at boot, so the key is stored in the clear and must be readable by root only), and create hash-named symbolic links for the CA certificate and the CRL so that OpenSSL's directory lookup finds them. The name is the 8-hex-digit (32-bit) subject name hash printed by openssl x509 -hash: the CA certificate is linked as <hash>.0 and the CRL as <hash>.r0. Note that OpenSSL 1.0.0 changed the hash algorithm; if the OpenSSL in the rootfs is of a different generation than the one on the build host, compute the hash with the rootfs's openssl (or create links for both -subject_hash and -subject_hash_old).

mkdir -p $ROOTFS_DIR/etc/sysconfig/racoon
pushd $ROOTFS_DIR/etc/sysconfig/racoon/
  install -m 600 $SSL_DIR/certs/siso.vonk-cert.pem .
  install -m 600 $SSL_DIR/certs/siso.vonk-key.pem .   # unencrypted private key: root-only
  install -m 600 $SSL_DIR/ca/CAcert.pem .
  install -m 600 $SSL_DIR/ca/CRL.pem .
  HASH=$(openssl x509 -noout -hash -in CAcert.pem)     # 8-hex-digit subject name hash
  ln -s CAcert.pem $HASH.0                             # CA certificate: <hash>.0
  ln -s CRL.pem $HASH.r0                               # CRL: <hash>.r0
popd
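Before the rootfs ships it is worth proving that the directory above actually works for the purpose racoon will use it: that the hash links resolve, that the router certificate chains to the CA (and is not on the CRL when one is present), that the private key really belongs to the certificate, and that the key is not readable by anyone but root. The following script is an added example, not code from the original page or from the SISO project. It takes the directory and file names as parameters; the page's names (CAcert.pem, CRL.pem, siso.vonk-cert.pem, siso.vonk-key.pem) are simply what you would pass in, and the use of -subject_hash_old to cover both OpenSSL hash generations is the script's own choice.

```shell
#!/bin/sh
# Added example, not code from the original page or from the SISO project.
# Checks to run on the racoon certificate directory before the rootfs ships:
# the hash links exist, the router certificate chains to the CA, the private
# key belongs to that certificate and is readable by root only. File names
# are parameters; the page's names (CAcert.pem, CRL.pem, siso.vonk-*.pem)
# are merely what you would pass in.

# link_ca_by_hash DIR CA [CRL]: create <hash>.0 for the CA certificate and,
# if a CRL name is given, <hash>.r0 for the CRL (names relative to DIR).
# OpenSSL 1.0.0 changed the subject name hash, so links are made for the
# current hash and, where this openssl knows it, the old one as well; a
# rootfs OpenSSL of either generation then finds the CA by directory lookup.
link_ca_by_hash() {
    dir=$1; ca=$2; crl=$3
    for h in $(openssl x509 -noout -subject_hash -in "$dir/$ca") \
             $(openssl x509 -noout -subject_hash_old -in "$dir/$ca" 2>/dev/null); do
        [ -e "$dir/$h.0" ] || ln -s "$ca" "$dir/$h.0"
        if [ -n "$crl" ] && [ ! -e "$dir/$h.r0" ]; then
            ln -s "$crl" "$dir/$h.r0"
        fi
    done
}

# verify_peer_cert DIR CERT: succeed only if CERT chains to a CA reachable
# through the hash links in DIR. When a CRL link is present the CRL is
# consulted too, so a revoked certificate (or an expired CRL) fails.
verify_peer_cert() {
    dir=$1; cert=$2; crlopt=
    ls "$dir"/*.r0 >/dev/null 2>&1 && crlopt=-crl_check
    openssl verify -CApath "$dir" $crlopt "$cert" 2>&1 | grep -q ': OK$'
}

# key_matches_cert CERT KEY: succeed if KEY is the private half of the
# public key in CERT (compared in PEM form, so any key type works).
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# owner_only FILE: succeed if group and others have no permission bits at all
# (mode 0600 or tighter), which is what an unencrypted private key needs.
owner_only() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_racoon_certs DIR CERT KEY CA [CRL]: run all checks in order.
check_racoon_certs() {
    d=$1; c=$2; k=$3; a=$4; r=$5
    link_ca_by_hash "$d" "$a" "$r" &&
    verify_peer_cert "$d" "$d/$c" &&
    key_matches_cert "$d/$c" "$d/$k" &&
    owner_only "$d/$k"
}

# Stand-alone use: sh check-racoon-certs.sh DIR CERT KEY CA [CRL]
if [ "$#" -ge 4 ]; then
    check_racoon_certs "$@" && echo "$1: certificate directory OK"
fi
```

For the directory built above the call is check_racoon_certs $ROOTFS_DIR/etc/sysconfig/racoon siso.vonk-cert.pem siso.vonk-key.pem CAcert.pem CRL.pem. Because -crl_check is used whenever a CRL link exists, an expired CRL makes the check fail; that is the same failure racoon will see at run time, so regenerate the CRL rather than dropping the check.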

6.2.2. IPsec

The IPsec Internet Key Exchange (IKE) daemon authenticates the peers, negotiates the security associations (algorithms, modes and lifetimes), derives the session keys from a Diffie-Hellman exchange so that no key ever travels over the wire, and can install the security policy for a client whose IP address is not known in advance. The package ipsec-tools contains the KAME "racoon" IKE daemon implementation. For installation instructions refer to Section 4.7, “IP Security (IPsec)”.

An example configuration file for racoon can be found in Example E.3, “/etc/sysconfig/racoon.conf”. With generate_policy on in its remote section, racoon installs the kernel security policy (SPD entries) for each road warrior as it connects, since a client's address cannot be written into a static policy.
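The settings that decide whether the certificate authentication above means anything are all in the remote section of racoon.conf, so here is a complete road-warrior configuration together with a small lint that refuses the settings that silently weaken it. This is an added example, not the book's Example E.3 and not the SISO project's file: the certificate names are the ones installed in Section 6.2.1, the installation path is a parameter of the writing function, and the algorithm choices (3DES, SHA-1, DH group 2 in phase 1; no PFS in phase 2) are assumptions matched to what a Windows XP L2TP/IPsec client proposes. Comments in the generated file are the example's own.

```shell
#!/bin/sh
# Added example, not the page's Example E.3 nor the SISO project's file:
# a racoon.conf for certificate-authenticated road warriors, plus a lint
# that refuses settings which undermine X.509 authentication.

# write_racoon_conf FILE: write the configuration to FILE
# (e.g. $ROOTFS_DIR/etc/sysconfig/racoon.conf).
write_racoon_conf() {
    cat > "$1" <<'EOF'
# racoon.conf for road warriors authenticated by X.509 certificates (example)
path certificate "/etc/sysconfig/racoon";

remote anonymous {
        exchange_mode main;               # aggressive mode sends identities in the clear
        passive on;                       # road warriors initiate; the router never does
        certificate_type x509 "siso.vonk-cert.pem" "siso.vonk-key.pem";
        ca_type x509 "CAcert.pem";        # the peer's certificate must chain to this CA
        verify_cert on;                   # the default, stated so nobody sets it off
        my_identifier asn1dn;             # identities are the certificate subjects
        peers_identifier asn1dn;
        generate_policy on;               # SPD entries for the client's unknown address
        proposal_check obey;              # accept the initiator's lifetimes
        nat_traversal on;                 # optional; needs NAT-T in kernel and racoon
        proposal {
                encryption_algorithm 3des;     # what Windows XP offers for L2TP/IPsec
                hash_algorithm sha1;
                authentication_method rsasig;  # certificates, never pre_shared_key here
                dh_group modp1024;
        }
}

sainfo anonymous {
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        # no pfs_group: Windows XP does not propose PFS for L2TP/IPsec (assumption)
}
EOF
}

# lint_racoon_conf FILE: print each weakening setting found and return 1;
# return 0 when the file is clean. Comments are stripped before matching.
#   verify_cert off                     any certificate is accepted
#   exchange_mode ... aggressive        identities exposed, offline attacks on PSKs
#   authentication_method pre_shared_key  one secret shared by every road warrior
#   no ca_type x509                     no trust anchor for the peer's certificate
lint_racoon_conf() {
    f=$1; rc=0
    body=$(sed 's/#.*//' "$f")
    if printf '%s\n' "$body" | grep -q 'verify_cert[[:space:]]*off'; then
        echo "$f: verify_cert off accepts any certificate"; rc=1
    fi
    if printf '%s\n' "$body" | grep -q 'exchange_mode.*aggressive'; then
        echo "$f: aggressive mode sends identities unencrypted"; rc=1
    fi
    if printf '%s\n' "$body" | grep -q 'authentication_method[[:space:]]*pre_shared_key'; then
        echo "$f: pre-shared key used where X.509 was intended"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -q '^[[:space:]]*ca_type[[:space:]]*x509'; then
        echo "$f: no ca_type x509, peer certificates have no trust anchor"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh racoon-conf.sh FILE  (writes FILE, then lints it)
if [ "$#" -eq 1 ]; then
    write_racoon_conf "$1" && lint_racoon_conf "$1" && echo "$1: OK"
fi
```

remote anonymous is what makes road warriors possible (racoon does not know the peer address), and it is also why the lint is strict about pre_shared_key: with an anonymous remote, a PSK would be one secret for every client, while with rsasig each client proves possession of its own certified key and a lost laptop is handled by the CRL.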

6.2.3. L2TP (for Windows/XP clients)

Pure IPsec is all that is needed for most clients. Windows/XP, however, insists on PPP over L2TP on top of IPsec. Once the IPsec transport-mode security association is established, L2TP sets up the tunnel and PPP negotiates the link (including compression and user authentication options) and performs access control based on the user identity: the certificate authenticates the machine, the PPP authentication exchange authenticates the user.

L2TP encapsulates the original packets in a PPP frame (compressed when both ends support it) inside a UDP datagram on port 1701. Because that is an ordinary UDP/IP packet, the IPsec transport-mode SA negotiated for port 1701 protects the whole tunnel; L2TP itself provides neither encryption nor integrity. Nothing in L2TP forces IPsec to be used, though, so the router's security policy must require ESP for UDP port 1701 (a require policy in the SPD); otherwise a client could send plaintext L2TP straight to the daemon and bypass the certificate authentication altogether.

The package l2tpd contains one of the first open source implementations of the L2TP daemon. For installation instructions refer to Section 4.8, “Layer 2 Tunneling Protocol (L2TP)”. An example of the L2TP configuration file can be found at Example E.4, “/etc/sysconfig/l2tpd.conf”. For documentation of the configuration keywords refer to the comments at the end of the source file file.c.

6.2.4. PPP (for Windows/XP clients)

PPP is only needed when supporting VPNs from Windows/XP clients. When an L2TP session is established, l2tpd starts the PPP daemon with a dedicated option file. An example of this file can be found at Example E.5, “/etc/sysconfig/ppp/options.l2tp”.

The package pppd contains an implementation of the PPP daemon. For installation instructions for pppd refer to Section 4.9, “Point-to-Point Protocol (PPP)”.

PPP takes care of the user authentication, based on the usernames and passwords specified in /etc/sysconfig/ppp/chap-secrets. An example of this file can be found at Example E.6, “/etc/sysconfig/ppp/chap-secrets”. The secrets are stored in clear text, so remember to limit access to this file to user root (chmod 600 chap-secrets).
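Two things from the L2TP and PPP sections above are easy to get wrong and cheap to check: the kernel policy that makes IPsec mandatory for port 1701, and the chap-secrets file. The script below is an added example, not code from the original page or from the SISO project. l2tp_ipsec_policy prints setkey(8) SPD entries for a router address you supply (the address and the idea of a static catch-all next to racoon's generated policies are the example's assumptions); check_chap_secrets validates a chap-secrets file for the mistakes that turn user authentication into no authentication (a loose file mode, a wildcard client name, an empty or very short secret). The chap-secrets lines used to exercise it are constructed, and the script does not handle secrets that contain whitespace.

```shell
#!/bin/sh
# Added example, not code from the original page or from the SISO project.

# l2tp_ipsec_policy ADDR: print setkey(8) SPD entries that require ESP in
# transport mode for every L2TP packet to and from ADDR, the router's public
# address. racoon's generate_policy only covers peers that completed IKE;
# these catch-all entries make the kernel discard plaintext L2TP from anyone
# else, so nobody reaches l2tpd without a certificate-authenticated SA.
l2tp_ipsec_policy() {
    addr=$1
    printf 'spdadd 0.0.0.0/0 %s[1701] udp -P in  ipsec esp/transport//require;\n' "$addr"
    printf 'spdadd %s[1701] 0.0.0.0/0 udp -P out ipsec esp/transport//require;\n' "$addr"
}

# check_chap_secrets FILE: print each problem found and return 1; return 0
# when the file is acceptable. Checks: mode 0600 (secrets are in the clear),
# every entry has client, server and secret fields, the client is not the
# "*" wildcard, and the secret is neither empty nor shorter than 8 characters.
# Limitation: secrets containing whitespace are not parsed correctly.
check_chap_secrets() {
    f=$1; rc=0
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "$f: must be mode 0600 (secrets are stored in clear text)"; rc=1 ;;
    esac
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            if (NF < 3) { print FILENAME ": line " NR ": fewer than 3 fields"; bad = 1; next }
            gsub(/"/, "", $1); gsub(/"/, "", $2); gsub(/"/, "", $3)
            if ($1 == "*")          { print FILENAME ": line " NR ": wildcard client name"; bad = 1 }
            if ($3 == "")           { print FILENAME ": line " NR ": empty secret"; bad = 1 }
            else if (length($3) < 8) { print FILENAME ": line " NR ": secret shorter than 8 characters"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$f" || rc=1
    return $rc
}

# Stand-alone use:
#   sh l2tp-checks.sh policy 192.0.2.1          prints the SPD entries
#   sh l2tp-checks.sh secrets /path/chap-secrets validates the file
case $1 in
    policy)  l2tp_ipsec_policy "$2" ;;
    secrets) check_chap_secrets "$2" && echo "$2: OK" ;;
esac
```

Feed the printed SPD entries to setkey -f at boot, alongside whatever policy file Section 4.7 already loads. Because the inbound entry is a require policy, a Windows client that has not completed IKE simply gets no answer from port 1701, which is the behaviour RFC 3193 expects of an L2TP/IPsec server.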

6.2.5. MPPC (for Windows/XP clients)

Windows/XP tries to do PPP compression using an algorithm patented by Hifn. The protocol is called Microsoft Point-to-Point Compression (MPPC). Note that MPPC is compression only; the same patches also add Microsoft Point-to-Point Encryption (MPPE), but with L2TP/IPsec confidentiality already comes from ESP, so MPPE adds nothing here. If you reside in a country that does not recognize software patents, you can enable MPPC using the following patches:

  • Linux-2.6.11 kernel patch[39].

  • ppp-2.4.3 patch[40].


# run from the top of the kernel source tree (Section 3.1); URL: see footnote [39]
wget -P $DL_DIR
zcat $DL_DIR/linux-2.6.11-mppe-mppc-1.3.patch.gz | patch -p1

Run make xconfig to ensure that CONFIG_CRYPTO_ARC4, CONFIG_CRYPTO_SHA1 and CONFIG_PPP_MPPE_MPPC are set, then recompile the kernel as described in Section 3.1, “Kernel - linux”.


# URL: see footnote [40]
wget -P $DL_DIR
cd $PRJ_DIR/apps/ppp-2.4.3
zcat $DL_DIR/ppp-2.4.3-mppe-mppc-1.1.patch.gz | patch -p1

Recompile pppd as described in Section 4.9, “Point-to-Point Protocol (PPP)”.