Chapter 6. Virtual Private Network Server


This chapter gives examples of connecting external clients (road warriors) to the SISO router using an IPsec tunnel. Certificates will be used to verify the identity of the client. The chapter first explains the process of generating certificates. It then continues by describing the matching server and client configurations. Examples for Linux and Windows/XP clients will be presented.

This chapter is a part of the "Secure Internet Appliance for Small Office / Home Office HOWTO". It relies on the environment variables listed in Section 2.1, “Environment Variables”.

6.1.  Certificates

Buying certificates from the official Root Certificate Authorities (CA) for all the hosts in a network is expensive, and not necessary. This section shows how to create your own Root CA, and generate and certify X.509 certificates.

The examples presented in this chapter use the gencert script to generate the certificates. The script and its support files can be found at:

The gencert script requires the following environment variables to be set:

export PASSWD=yourpassword
export SSL_DIR=$PRJ_DIR/openssl
export OPENSSL_CONF=$SSL_DIR/openssl.conf

6.1.1. Root CA certificate

Create a Root CA certificate, and make a Windows/XP-importable PKCS#12 copy of it.

$SSL_DIR/gencert --ca "Coert Vonk CA"

6.1.2. Create the certificates

Create a certificate for each host, sign it with the Root CA, and make a Windows-readable PKCS#12 copy of it. The Extended Key Usage (EKU) parameters are not needed for IPsec, but are needed for other uses such as secure wireless.

$SSL_DIR/gencert --server siso.vonk
$SSL_DIR/gencert --client bor.vonk
$SSL_DIR/gencert --client crox.vonk
$SSL_DIR/gencert --client truus.vonk
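The gencert script itself is not reproduced in this chapter. The following added example (written for this HOWTO, not the gencert script or its support files) shows what the steps of Section 6.1.1 and Section 6.1.2 amount to in plain openssl commands: a self-signed Root CA, a server and client certificate signed by it with the EKU and subjectAltName extensions set, a PKCS#12 bundle of each, and a verification step. The output directory, the role-to-EKU mapping, the hostnames and the default value of PASSWD are assumptions of this example; only PASSWD and SSL_DIR come from the HOWTO.

```shell
#!/bin/sh
# Added example for the HOWTO; not the gencert script. Builds a private Root CA
# and issues host certificates with openssl. Assumes openssl 1.1.1 or newer.
set -eu

PASSWD="${PASSWD:-changeme}"    # PKCS#12 export password (default is an assumption)

# make_ca DIR NAME: self-signed Root CA key and certificate in DIR.
# Extensions come from an explicit file, so the CA is marked CA:TRUE
# regardless of what the system openssl.cnf would add.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=$name" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# make_cert DIR HOST ROLE: key and CSR for HOST, signed by the CA in DIR.
# ROLE ("server" or "client") selects the Extended Key Usage; IPsec does
# not check it, but secure wireless and TLS do.
make_cert() {
    dir=$1; host=$2; role=$3
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
    # End-entity extensions: no CA rights, the hostname as SAN, the EKU.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\nextendedKeyUsage=%s\n' \
        "$host" "$eku" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
    # PKCS#12 bundle (certificate, private key, CA chain) for import on Windows.
    openssl pkcs12 -export -in "$dir/$host.crt" -inkey "$dir/$host.key" \
        -certfile "$dir/ca.crt" -name "$host" -out "$dir/$host.p12" \
        -passout "pass:$PASSWD"
}

# check_cert DIR HOST PURPOSE: verify that HOST's certificate chains to the
# CA and is valid for PURPOSE (sslserver or sslclient); returns 0 on success.
check_cert() {
    dir=$1; host=$2; purpose=$3
    openssl verify -CAfile "$dir/ca.crt" -purpose "$purpose" "$dir/$host.crt" >/dev/null 2>&1
}

# Demonstration mirroring the HOWTO's gencert calls. Output goes under
# $SSL_DIR, or ./pki when it is unset; set GENCERT_DEMO=1 to run it.
if [ "${GENCERT_DEMO:-0}" = 1 ]; then
    out=${SSL_DIR:-./pki}
    make_ca "$out" "Coert Vonk CA"
    make_cert "$out" siso.vonk server
    for h in bor.vonk crox.vonk truus.vonk; do make_cert "$out" "$h" client; done
    check_cert "$out" siso.vonk sslserver && echo "siso.vonk: OK"
fi
```

Run it as `GENCERT_DEMO=1 SSL_DIR=$PRJ_DIR/openssl sh gencert-example.sh`. The `-purpose` check is what makes the EKU visible: a client certificate verifies for `sslclient` but is rejected for `sslserver`, which is the behaviour other services (not IPsec) rely on. One caveat for the Windows/XP clients this chapter targets: OpenSSL 3 encrypts PKCS#12 files with AES and PBKDF2 by default, which old Windows versions cannot import; on OpenSSL 3 add `-legacy` to the `pkcs12 -export` command when the bundle is destined for such a client.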