pppd

The Point-to-Point Protocol Daemon (pppd) decapsulates the PPP packets and places them in the kernel's IP stack. pppd can also do authentication, and this is what the clients do: first they initiate an IPsec connection; after a successful IPsec authentication, the CHAP exchange takes place, which authenticates against a password database. Luckily, pppd is mature and can authenticate against various databases: a plain text file with authentication data in it, the Linux passwd/shadow files, even LDAP or RADIUS would be supported.

The sample configuration in options.l2tpd2.3 looks like this for me:

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.0.9
ms-wins 192.168.0.9
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
nodetach
debug
lock
proxyarp
connect-delay 5000
disconnect /etc/racoon/setup.sh

The pppd man page describes all the details of these configuration directives. The last line, the disconnect statement, runs a script that flushes the SAD entries in the IPsec stack and sets the policy up again.

At the moment I authenticate against a plain password file called chap-secrets:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
wogri           *       "mypassword"            192.168.0.0/24
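The chap-secrets format above has four columns, and the fourth one matters for security: it lists the IP addresses the peer may use for itself, so a client that authenticates is still confined to the addresses named on its line. The following is an added example, not code from the page or from pppd, that parses this format and answers "is this client, talking to this server, from this address, allowed, and with which secret?". It also checks that the file is readable only by its owner, since the secrets are stored in plain text. The tokenizer (shlex) is an approximation of pppd's own; the names vpngw, alice and bob and the extra lines are constructed, and the '!' exclusion prefix and '@file' secrets that pppd(8) also accepts are not handled.

```python
import ipaddress
import os
import shlex
import stat

# Constructed sample in chap-secrets format: the page's own line plus two
# made-up entries to exercise a named server, multiple addresses and '-'.
SAMPLE = '''
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
wogri           *       "mypassword"            192.168.0.0/24
alice           vpngw   "s3cret with space"     192.168.0.50 192.168.0.51
bob             *       "nowhere"               -
'''


def parse_chap_secrets(text):
    """Parse chap-secrets lines into dicts; shlex handles quoted secrets and comments."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3:          # blank line, comment, or malformed
            continue
        client, server, secret = fields[:3]
        entries.append({"client": client, "server": server,
                        "secret": secret, "addresses": fields[3:]})
    return entries


def _address_allowed(addresses, peer_ip):
    """Apply the pppd(8) rules for the fourth column (assumed here):
    absent or '*' allows any address, '-' allows none, otherwise the
    peer address must match one listed host or CIDR block."""
    if not addresses or addresses == ["*"]:
        return True
    if addresses == ["-"]:
        return False
    ip = ipaddress.ip_address(peer_ip)
    for item in addresses:
        if item == "*":
            return True
        if "/" in item:
            if ip in ipaddress.ip_network(item, strict=False):
                return True
        elif ip == ipaddress.ip_address(item):
            return True
    return False


def lookup(entries, client, server, peer_ip):
    """Return the secret for the first line matching client, server and
    address, or None if the peer is not acceptable."""
    for e in entries:
        if e["client"] not in (client, "*"):
            continue
        if e["server"] not in (server, "*"):
            continue
        if _address_allowed(e["addresses"], peer_ip):
            return e["secret"]
    return None


def secrets_file_is_private(path):
    """chap-secrets holds plaintext secrets: require no group/other access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    table = parse_chap_secrets(SAMPLE)
    print(lookup(table, "wogri", "vpngw", "192.168.0.77"))   # mypassword
    print(lookup(table, "wogri", "vpngw", "10.0.0.1"))       # None
    print(secrets_file_is_private("/etc/ppp/chap-secrets"))
```

Run it against a real file with `parse_chap_secrets(open("/etc/ppp/chap-secrets").read())`; a `None` from `lookup` for a client you expect to work usually means the address column is narrower than the pool the peer is actually getting.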

Wolfgang Hennerbichler 2004-12-21