:: Setting up VPN using Yavipin ::


TO SET UP A VPN USING Yavipin
  1. Yavipin development has been stopped (I think). Hence I could not get much support for this software, and I had to dig into the source code to see what is actually happening. This was very easy though. The documentation that comes with yavipin is very terse and not updated, so many of the options described in the supporting document are either wrong or incomplete. It would be great if someone could contribute a patch for yavipin to read its configuration options from a file rather than the command line. (Hint: read about flex (the GNU implementation of LEX) and Bison (the GNU implementation of YACC).)
  2. You can install yavipin by:
    1. Download the latest tarball and compile it using ./configure; make; make install. NOTE: You may need to add -I/usr/kerberos/include to the CFLAGS or CPPFLAGS variable on RedHat 9.0 (or other systems that ship OpenSSL 0.9.7). Check the configure.in file for this. You might also have to run aclocal; autoconf.
    2. Since the above step did not work for me, I decided to try my luck with RPMs. I did find an RPM (yavipin-0.9.5-1.i386.rpm), which you can download from here. Use rpm -ivh to install it.
  3. I am assuming that we are using the following setup, with mia as the client and zidler as the server.

  4. In Yavipin parlance, the server is the responder and the client is the initiator. Hence in our case, mia is the initiator and zidler is the responder.
  5. yavipind is installed as /usr/sbin/yavipind. A help message can be displayed with the command yavipind -h. However, this help text has some errors. I am listing below the help that I think should have been there. Updated lines are marked with ***.
    shashank@zidler:/etc/yavipin# yavipind -h
    yavipind version 0.9.5
    Usage: yavipind [--help] (--responder|--initiator) --passwd=pwfile [--src=[addr][:port]] --dst=addr[:port] [--ifup script] [--ifdown script] [--comp] [--nodeamon]
      --src=[addr][:port] : specify the source addr and port
      --dst= addr[:port]  : specify the destination addr and port
      --responder     : be the tunnel responder
      --initiator     : be the tunnel initiator
      --p pwfile      : give the file's name containing the authentication password ***
      --ifup=script   : give the script's filename to run when the tunnel goes UP
      --ifdown=script : give the script's filename to run when the tunnel goes DOWN
      --comp=DEFAULT  : (DEFAULT | ZLIB) There is error in code. Hence this must be provided on cmdline ***
      --nodaemon      : do not daemonize (usefull to debug) (Cannot use -f switch for this) ***
      --enc=algo      : set a given algorithm for the packet encryption (DES-CBC(default) | BF-SBC) ***
      --mac=algo      : set a given algorithm for the packet authentication (HMAC_MD5_96) ***
      --help          : display this short inlined help
      --version       : display the software version
    
  6. Before starting the yavipin daemon, we need to configure some files. I have made a directory /etc/yavipin on both mia and zidler. In this directory I keep the password file and the ip-up and ip-down scripts, as listed below:
    1. ON ZIDLER: Yavipin daemon passes the tunnel name tun0 (say) as the first command-line argument to the ip-up and ip-down scripts.
      shashank@zidler:/etc/yavipin# cat password 
      abcd1234
      -------------------------------------------------------------
      shashank@zidler:/etc/yavipin# cat ip-up
      #!/bin/sh
      echo "[Yavipn].. ip-up script is run"
      ifconfig $1 192.168.254.201 netmask 255.255.255.255
      route add -net 192.168.254.200 netmask 255.255.255.255 dev $1
      route add -net 192.168.0.0 netmask 255.255.255.0 dev $1
      -------------------------------------------------------------
      shashank@zidler:/etc/yavipin# cat ip-down
      #!/bin/sh
      echo "[Yavipn].. ip-down script is run"
      route del -net 192.168.254.200 netmask 255.255.255.255 dev $1
      route del -net 192.168.0.0 netmask 255.255.255.0 dev $1
      ifconfig $1 down
      
    2. ON MIA: Yavipin daemon passes the tunnel name tun0 (say) as the first command-line argument to the ip-up and ip-down scripts.
      [shashank@mia yavipin]# cat password 
      abcd1234
      -------------------------------------------------------------
      [shashank@mia yavipin]# cat ip-up
      #!/bin/sh
      echo "[Yavipn].. ip-up script is run"
      ifconfig $1 192.168.254.200 netmask 255.255.255.255
      route add -net 192.168.254.201 netmask 255.255.255.255 dev $1
      route add -net 192.168.2.0 netmask 255.255.255.0 dev $1
      -------------------------------------------------------------
      [shashank@mia yavipin]# cat ip-down
      #!/bin/sh
      echo "[Yavipn].. ip-down script is run"
      route del -net 192.168.254.201 netmask 255.255.255.255 dev $1
      route del -net 192.168.2.0 netmask 255.255.255.0 dev $1
      ifconfig $1 down
      
  7. After having all this in place, one can start the daemons on both the responder and the initiator as follows:
    1. ON RESPONDER: (ZIDLER)
      shashank@zidler:/etc/yavipin# yavipind --nodaemon --responder --src 131.193.50.184:6656 \
      -p /etc/yavipin/password --ifup=/etc/yavipin/ip-up --ifdown=/etc/yavipin/ip-down --comp=ZLIB \
      --enc=BF-SBC --mac=HMAC_MD5_96
      
    2. ON INITIATOR: (MIA)
      [shashank@mia yavipin]# yavipind --nodaemon --initiator --dst 131.193.50.184:6656 \
      -p /etc/yavipin/password --ifup=/etc/yavipin/ip-up --ifdown=/etc/yavipin/ip-down --comp=ZLIB \
      --enc=BF-SBC --mac=HMAC_MD5_96
      
  8. Use ifconfig to verify that the tunnel is up.
    zidler#> ifconfig
    --SNIP--
    tun0      Link encap:Point-to-Point Protocol  
              inet addr:192.168.254.201  P-t-P:192.168.254.201  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1449  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:10 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    
    -----------------------------------------------------------------------------------
    mia#> ifconfig
    --SNIP--
    tun0      Link encap:Point-to-Point Protocol  
              inet addr:192.168.254.200  P-t-P:192.168.254.200  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1449  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:10 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    
    
  9. Use netstat -rn and ping to verify that the networks are reachable.
  10. Kill the yavipind process to bring down the interface.
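The checks from steps 8 and 9 (tunnel interface up with the right address, routes present) and a permission check on the plaintext password file from step 6 can be scripted. The script below is an added example, not code from this page or from yavipin; the ifconfig and netstat captures it parses are constructed from the tutorial's own output, and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: offline sanity checks for the
# yavipin setup above. The captures written by demo() are CONSTRUCTED from the
# tutorial's `ifconfig` and `netstat -rn` output; file paths are assumptions.

# check_tunnel IFNAME EXPECTED_ADDR FILE: FILE holds saved `ifconfig` output.
# Passes only if IFNAME is UP, point-to-point and bound to EXPECTED_ADDR.
check_tunnel() {
    ifname=$1; want=$2; file=$3
    # Cut out this interface's block: its header line up to the next blank line.
    block=$(awk -v ifn="$ifname" '$1 == ifn {p=1} p && NF == 0 {exit} p' "$file")
    [ -n "$block" ] || { echo "no interface $ifname"; return 1; }
    echo "$block" | grep -q 'UP POINTOPOINT RUNNING' || { echo "$ifname is not up"; return 1; }
    addr=$(echo "$block" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    [ "$addr" = "$want" ] || { echo "$ifname has $addr, expected $want"; return 1; }
}

# check_route DEST GENMASK IFACE FILE: FILE holds saved `netstat -rn` output.
# Passes only if a route DEST/GENMASK via IFACE is present (step 9 of the page).
check_route() {
    awk -v d="$1" -v m="$2" -v i="$3" '$1 == d && $3 == m && $NF == i {found = 1}
         END {exit !found}' "$4"
}

# check_pwfile FILE: the yavipin password file is a plaintext shared secret, so
# it must exist, be non-empty and be readable by its owner only (mode 0600).
check_pwfile() {
    [ -s "$1" ] || { echo "$1 missing or empty"; return 1; }
    perms=$(ls -l "$1" | cut -c2-10)
    [ "$perms" = "rw-------" ] || { echo "$1 has mode $perms, expected rw-------"; return 1; }
}

# Demonstration on constructed captures (values taken from the tutorial's output).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'tun0      Link encap:Point-to-Point Protocol' \
        '          inet addr:192.168.254.201  P-t-P:192.168.254.201  Mask:255.255.255.255' \
        '          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1449  Metric:1' '' > "$dir/ifconfig.txt"
    printf '%s\n' 'Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface' \
        '192.168.254.200 0.0.0.0         255.255.255.255 UH        0 0          0 tun0' \
        '192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0' > "$dir/routes.txt"
    printf 'abcd1234\n' > "$dir/password"; chmod 600 "$dir/password"
    check_tunnel tun0 192.168.254.201 "$dir/ifconfig.txt" && echo "tunnel ok"
    check_route 192.168.0.0 255.255.255.0 tun0 "$dir/routes.txt" && echo "route ok"
    check_pwfile "$dir/password" && echo "password file ok"
    rm -rf "$dir"
}
demo
```

On a live host, feed the functions the real output with `ifconfig > /tmp/ifconfig.txt` and `netstat -rn > /tmp/routes.txt`, and point check_pwfile at /etc/yavipin/password.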

Comments and corrections are appreciated and can be sent to papers@mia.ece.uic.edu.