• A machine with Linux and a recent (preferably 2.4.22) kernel on it
• The source for your kernel
• FreeS/WAN kernel patches
• The FreeS/WAN userspace tools
• X509 patches [1]

Kernel preparation

Linux 2.6.0 or later

The 2.6.0 stable series of kernels has native IPSec support. This means you don't need to patch it, but you do need to compile in IPSec support and any other required features, and you do still need some userspace tools.

2.6.0 is currently (6 Nov 2003) nearing its final test release, and should be deemed 'final' very soon. I am already running 2.6.0 quite happily, although not with IPSec.

The IPSec Howto covers 2.5/2.6 native IPSec using the Linux port of KAME, or using the Linux port of OpenBSD's isakmpd.

Vanilla Kernel/FreeS/WAN from source

Get the latest FreeS/WAN source package - the FreeS/WAN homepage recommends typing

cd /usr/src/my-kernel-source-is-unpacked-here/
<configure your kernel here. this is important.>
<compile your kernel here. this is important.>

If you're using the FreeS/WAN kernel installation method it seems you actually need to compile a kernel here, which is a bit odd.

cd /usr/src/
tar xzf /download/freeswan-2.03.tar.gz

The next step installs the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.

cd /usr/src/freeswan-2.03/
make oldgo

'oldgo' is the target for compiling statically against the kernel source using its existing configuration. The alternatives 'menugo' and 'xgo' bring up the normal menuconfig and xconfig kernel configuration interfaces respectively. In the menus, the IPSec-related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!

Note that the build process outlined above assumes your kernel source is in /usr/src/linux. If this isn't the case, you can "fix" it by setting the KERNELSRC variable on the command line as you run make, e.g.

make KERNELSRC=/path/to/kernel/src/ oldgo

You now have a newly compiled kernel wherever your kernel build normally puts it (/usr/src/linux/arch/i386/boot/bzImage for me). You will probably want to copy it somewhere and either restart, or rerun lilo and then restart, depending on your preferences.

Debian

Note 1: Apparently the Debian backport below comes with X509 support compiled in.

Note 2: if you want to do all the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If you're running Debian Stable, you can get a backport from 's FreeS/WAN directory by adding the following line to /etc/apt/sources.list:

deb woody freeswan

apt-get install kernel-source   (or acquire the newest kernel source as you see fit)
apt-get install kernel-patch-freeswan

export PATCH_THE_KERNEL=YES
cd /usr/src/kernel-source-whatever
make-kpkg --config=menuconfig --revision=whatever kernel_image

When make-kpkg runs, if PATCH_THE_KERNEL is set to YES (it has to be in uppercase!) it will unpatch (clean) the tree and then patch it with the contents of /usr/src/kernel-patches/ that match your architecture. The --config=menuconfig step is there to let you configure all the new options that FreeS/WAN provides. Make sure you don't forget any.

If you are running kernel 2.4.21+, THIS WILL NOT WORK! See footnote [2] for the fix.

Reboot into your new kernel and install the userspace tools with apt-get install freeswan.

Gentoo

gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,

emerge -u freeswan

Red Hat

See - there are some RPMs out there, but I think you will have to patch the Red Hat kernel.

Congratulations! You now have an IPSec-enabled kernel.

You may now wish to go to IPSecConfiguration to find out how to actually do something useful with all this!

IMPORTANT NOTE: FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (especially on Debian) and want to set up tunnels, or just learn about it, turn OE off straight away. If it's on, you'll have /1 routes and a default route out of your ipsec0 interface, and you will no longer have a default gateway.

To do this, the following is needed in your ipsec.conf:

conn block

conn private

conn private-or-clear

conn clear-or-private

conn clear

conn packetdefault
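As an added check that is not part of the original page: a small POSIX shell script that audits an ipsec.conf for the six policy-group conns listed above and inspects "route -n" output for the /1 routes the note describes. It assumes the FreeS/WAN 2.x convention that a conn is disabled by setting auto=ignore in its stanza (the stanza bodies are not reproduced on this page), and the sample config and route table are constructed.

```shell
#!/bin/sh
# Added audit helpers, not part of the original page: check that ipsec.conf sets
# all six FreeS/WAN 2.x OE policy-group conns to auto=ignore (the setting that
# disables a conn), and whether "route -n" shows the /1 routes OE installs.
# oe_conns_missing_ignore < ipsec.conf
#   Print each policy-group conn that is absent or not set to auto=ignore.
oe_conns_missing_ignore() {
    awk '
        BEGIN { split("block private private-or-clear clear-or-private clear packetdefault", g, " ") }
        /^[ \t]*#/ || NF == 0 { next }                        # comments, blank lines
        $1 == "conn" && $0 !~ /^[ \t]/ { cur = $2; next }     # "conn NAME" at column 0
        $0 !~ /^[ \t]/ { cur = ""; next }                     # other top-level line ends the section
        { l = $0; sub(/#.*/, "", l); gsub(/[ \t]/, "", l)     # normalise "auto = ignore  # x"
          if (cur != "" && l == "auto=ignore") ignored[cur] = 1 }
        END { for (i = 1; i <= 6; i++) if (!ignored[g[i]]) print g[i] }
    '
}

# oe_route_hijack < "route -n" output
#   Exit 0 when both /1 routes (genmask 128.0.0.0) leave via an ipsecN
#   interface, the "no default gateway" symptom described above.
oe_route_hijack() {
    awk '$3 == "128.0.0.0" && $8 ~ /^ipsec[0-9]/ { n++ } END { exit (n >= 2 ? 0 : 1) }'
}

# Constructed sample ipsec.conf: packetdefault is missing and clear has another
# auto= value, so both should be reported.
sample_conf() {
    cat <<'EOF'
config setup
conn block
    auto=ignore   # trailing comment
conn private
    auto=ignore
conn private-or-clear
    auto = ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=route
EOF
}
# Constructed "route -n" output from a host where OE has taken the default route.
sample_routes() {
    cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       192.0.2.1       128.0.0.0       UG    0      0        0 ipsec0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
EOF
}
```

On a real host, run `oe_conns_missing_ignore < /etc/ipsec.conf` and `route -n | oe_route_hijack && echo "OE owns the default route"`.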


[1]: X509 certificate support is required if you want to interoperate with Windows. You can either get the X509 patch for vanilla FreeS/WAN or get Super FreeS/WAN, which has lots more patches but tends to be a version or two behind the original FreeS/WAN release. If you don't know what you need: compile X509 in if you're going to interoperate with Windows, and don't bother otherwise.

[2]: The makefile has changed in the kernel source, so the patch needs to change as well. You might have to play with this to make it work (run a make-kpkg clean first, perhaps), but I took the best part of a day getting a patch that would apply.

Or you could get the FreeS/WAN 2.02 patch (which works with kernel 2.4.21+) from

dev:/usr/src/kernel-patches/all/freeswan/linux/net# less Makefile.fs2_4.ipsec_alg.patch --- Makefile-orig Tue Oct 21 11:35:47 2003

  • ++ Makefile Tue Oct 21 11:35:57 2003

@@ -8,6 +8,7 @@

O_TARGET := network.o

mod-subdirs := ipv4/netfilter ipv6/netfilter ipx irda bluetooth atm netlink sched core

  • mod-subdirs += ipsec export-objs := netsyms.o

    subdir-y := core ethernet
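Review bot: the only added line in this hunk, `mod-subdirs += ipsec`, registers the ipsec directory as a module-capable subdirectory, but nothing in the visible context adds it to `subdir-y` or `subdir-m`, which is what makes a 2.4 Rules.make build actually descend into a directory; check that the remainder of the patch (not shown on the page) does so, otherwise the ipsec sources are never built even though the patch applies cleanly. It would also help to note beside footnote [2] which kernel Makefile revision (2.4.21+, per the text) the line offsets in `@@ -8,6 +8,7 @@` were regenerated against, since a moved Makefile is exactly why the original patch stopped applying.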