The 2.6.0 stable series of kernel has native IPSec support. This means you dont need to patch it - you do need to compile in IPSec support and any other required features, and you do still some UserSpace tools.
2.6.0 is currently (6 Nov 2003) nearing its final test release, and should be deemed 'final' very soon. I am already running 2.6.0 quite happily, although not with IPSec.
If you're using the FreeS/WAN kernel installation method it seems you actually need to compile a kernel here, which is a bit odd.
'oldgo' is the target for compiling statically against the kernel source. Alternatives are 'menugo' and `xgo' to get a normal kernel config menu up respectively. For the menus, IPSec related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!
You now have a newly compiled kernel in wherever your kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart or rerun lilo and restart, depending on your preferences.
Note 1: Apparently the Debian backport below comes with X509 support compiled in.
apt-get install kernel-source (or acquire the newest kernel source as you see fit) apt-get install kernel-patch-freeswan
When make-kpkg runs, if PATCH_THE_KERNEL is set YES (It has to be in uppercase!) then it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides. Make sure you don't forget any.
If you are running kernel 2.4.21+, THIS WILL NOT WORK! See this footnote2? for the fix
Reboot into your new kernel and install the userspace tools with apt-get install freeswan.
gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,
See http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/install.html#install - there are some RPMs out there, but I think you will have to patch the Red Hat kernel.
Congratulations! You now have an IPSec enabled kernel
You may now wish to go to IPSecConfiguration to find out how to actually do something useful with all this!
IMPORTANT NOTE: FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (esp. on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have /1 routes and a default route out your ipsec0 interface, and you will no longer have a default gateway.
1?: X509 certificate support is required if you want to interoperate with Windows. You can either get X509 patch for vanilla FreeS/WAN or you can get Super FreeS/WAN, which has lots more patches, but tends to be a version or two behind the original FreeS/WAN release. If you don't know what you need, compile X509 in if you're going to interoperate with Windows, and don't bother otherwise.
2?: The makefile has changed in the kernel source, so the patch needs to change as well. You might have to play with this to make it work (run a make-kpkg clean first perhaps) but I took the best part of a day getting a patch that would apply.
Or you could get the FreeS/WAN 2.02 patch (which works with kernel 2.4.21+) from ftp://ftp.xs4all.nl/pub/crypto/freeswan/old/freeswan-2.02.k2.4.patch.gz
O_TARGET := network.o