Blame: IPSecInstallation
Annotated edit history of IPSecInstallation version 27, including all changes.
Prerequisites:

* A machine with Linux and a recent (preferably 2.4.22) kernel on it.
* The source for your kernel
* FreeS/WAN kernel patches
* The FreeS/WAN UserSpace tools
* [X509] patches [1]

----
!!Kernel preparation

!Linux 2.6.0 or later

The 2.6.0 stable series of kernel has native IPSec support. This means you don't need to patch it; you do need to compile in IPSec support and any other required features, and you do still need some UserSpace tools.

2.6.0 is currently (6 Nov 2003) nearing its final test release, and should be deemed 'final' very soon. I am already running 2.6.0 quite happily, although not with IPSec.

The [IPSec Howto|http://www.ipsec-howto.org/] covers 2.5/2.6 native IPSec using the Linux port of [KAME|http://ipsec-tools.sourceforge.net], or using the Linux port of OpenBSD's [isakmpd|http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html].

!Vanilla Kernel/FreeS/WAN from source

Get the latest FreeS/WAN source package - the FreeS/WAN homepage recommends typing

 ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-*

 cd /usr/src/my-kernel-source-is-unpacked-here/
 <configure your kernel here. this is important.>
 <compile your kernel here. this is important.>

If you're using the [FreeS/WAN kernel installation method|http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/kernel.html] it seems you actually need to compile a kernel here, which is a bit odd.

 cd /usr/src/
 tar xzf ~/download/freeswan-2.03.tar.gz

The next step installs the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.

 cd /usr/src/freeswan-2.03/
 make oldgo

'oldgo' is the target that patches the kernel source, takes your existing kernel configuration (as 'make oldconfig' would, accepting the FreeS/WAN defaults for the new IPSec options) and compiles IPSec statically against the kernel source. The alternatives are 'menugo' and 'xgo', which bring up the normal menuconfig and xconfig kernel configuration menus respectively. In the menus, the IPSec related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!

Note that the build process outlined above assumes your kernel is built in /usr/src/linux. If this isn't the case, you can "fix" it by setting the KERNELSRC environment variable on the command line as you run make, e.g.

 make KERNELSRC=/path/to/kernel/src/ oldgo

You now have a newly compiled kernel wherever your kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart, or rerun lilo and restart, depending on your preferences.
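
The following sh script is an added example (it is not from this page or from the FreeS/WAN project). It drives the source build above for a kernel tree that is not /usr/src/linux and then checks the resulting .config, which is where a skipped "save the config" shows up. It also covers the native 2.6 case from the section above, where nothing is patched but the IPSec options still have to be switched on. The option names it looks for are my assumptions about those kernels (CONFIG_IPSEC for the FreeS/WAN KLIPS patch; CONFIG_XFRM_USER, CONFIG_NET_KEY, CONFIG_INET_AH and CONFIG_INET_ESP for 2.6), and KERNELSRC and FREESWAN are placeholder paths.

```shell
#!/bin/sh
# Added example, not from the original page or the FreeS/WAN project.
# Drives the source build above for a kernel tree that is not /usr/src/linux
# and then checks the resulting .config. Paths are placeholders; override
# them on the command line:
#   KERNELSRC=/path/to/kernel/src FREESWAN=/usr/src/freeswan-2.03 sh build-klips.sh build
set -eu

KERNELSRC="${KERNELSRC:-/usr/src/linux}"
FREESWAN="${FREESWAN:-/usr/src/freeswan-2.03}"

# The 'oldgo' target works from the existing configuration, so the tree
# must have been configured (and, per the page, built) before we start.
kernel_tree_ready() {
    [ -f "$1/Makefile" ] && [ -f "$1/.config" ]
}

# config_state <.config> <CONFIG_NAME>: prints y, m or n.
config_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n
    fi
}

# ipsec_stack <.config>: prints which IPSec stack the configuration enables.
#   klips  - FreeS/WAN KLIPS in a patched 2.4 tree (option name CONFIG_IPSEC
#            is my assumption about the FreeS/WAN 2.x patch)
#   native - the 2.6 in-kernel stack (assumed option names CONFIG_XFRM_USER,
#            CONFIG_NET_KEY, CONFIG_INET_AH, CONFIG_INET_ESP)
#   none   - neither is complete, e.g. the config was never saved
ipsec_stack() {
    if [ "$(config_state "$1" CONFIG_IPSEC)" != n ]; then
        echo klips
        return 0
    fi
    for opt in CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP; do
        if [ "$(config_state "$1" "$opt")" = n ]; then
            echo none
            return 0
        fi
    done
    echo native
}

build_klips() {
    kernel_tree_ready "$KERNELSRC" || {
        echo "$KERNELSRC is not a configured kernel tree" >&2
        return 1
    }
    # oldgo = patch, 'make oldconfig' with the FreeS/WAN defaults, build.
    # Swap in menugo or xgo to pick the IPSec options by hand.
    (cd "$FREESWAN" && make KERNELSRC="$KERNELSRC" oldgo)
    stack=$(ipsec_stack "$KERNELSRC/.config")
    echo "IPSec stack in $KERNELSRC/.config: $stack"
    echo "kernel image (i386): $KERNELSRC/arch/i386/boot/bzImage"
    [ "$stack" = klips ]
}

# Only act when asked, so the file can be sourced for its check functions.
if [ "${1:-}" = build ]; then build_klips; fi
```

The check functions work on any .config, so `. ./build-klips.sh; ipsec_stack /usr/src/linux/.config` answers "is IPSec actually in this kernel?" before you go as far as rebooting into it.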
15 CraigBox 44
!Debian

Note 1: Apparently the Debian backport below comes with X509 support compiled in.

Note 2: if you want to do all the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If you're running [Debian] [Stable], you can get a [backport|BackPorts] from [backports.org's FreeS/WAN directory|http://www.backports.org/debian/dists/woody/freeswan/], by adding the following line to /etc/apt/sources.list:

 deb http://www.backports.org/debian woody freeswan

Now,

 apt-get install kernel-source (or acquire the newest kernel source as you see fit)
 apt-get install kernel-patch-freeswan

 export PATCH_THE_KERNEL=YES
 cd /usr/src/kernel-source-whatever
 make-kpkg --config=menuconfig --revision=whatever kernel_image

When make-kpkg runs, if PATCH_THE_KERNEL is set to YES (it has to be in uppercase!) it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides. Make sure you don't forget any.

If you are using kernel source 2.4.21 or later, THIS WILL NOT WORK! See footnote [2] for the fix.

Reboot into your new kernel and install the userspace tools with apt-get install freeswan.
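
As an added example (not from this page, Debian or the kernel-package tools), here is a wrapper for the make-kpkg step above that first checks the two things that bite: PATCH_THE_KERNEL has to be exactly YES, and the packaged patch does not apply to 2.4.21 or later (footnote [2]). The version is read from the kernel tree's own Makefile; KSRC and REVISION are placeholders, and the cut-off versions are the ones the page gives.

```shell
#!/bin/sh
# Added example, not from the original page, Debian or kernel-package.
# Runs the make-kpkg build above after checking the two things that bite:
# PATCH_THE_KERNEL must be exactly "YES", and kernel-patch-freeswan's patch
# does not apply to 2.4.21 or later (footnote [2]). Paths and the
# revision string are placeholders:
#   KSRC=/usr/src/kernel-source-2.4.20 REVISION=fs.1 PATCH_THE_KERNEL=YES sh build-kpkg.sh build
set -eu

KSRC="${KSRC:-/usr/src/kernel-source-2.4.22}"
REVISION="${REVISION:-freeswan.1}"

# kernel_version <tree>: prints e.g. 2.4.22 from the top-level Makefile's
# VERSION / PATCHLEVEL / SUBLEVEL lines.
kernel_version() {
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*//p' "$1/Makefile" | tr -d '[:space:]')
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*//p' "$1/Makefile" | tr -d '[:space:]')
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*//p' "$1/Makefile" | tr -d '[:space:]')
    echo "$v.$p.$s"
}

# version_ge A B: true when three-part version A is >= B, compared numerically
# (so 2.4.9 < 2.4.21, which a string compare gets wrong).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# make-kpkg only patches when the variable is exactly YES, in upper case.
patch_flag_ok() {
    [ "${PATCH_THE_KERNEL:-}" = YES ]
}

# patch_advice <version>:
#   native - 2.6 or later: do not patch at all, use the in-kernel IPSec
#   fetch  - 2.4.21 or later: the packaged patch will not apply; fetch
#            freeswan-2.02.k2.4.patch.gz from the xs4all mirror (footnote [2])
#   ok     - older 2.4: kernel-patch-freeswan should apply as packaged
patch_advice() {
    if version_ge "$1" 2.6.0; then echo native
    elif version_ge "$1" 2.4.21; then echo fetch
    else echo ok
    fi
}

build_debian() {
    patch_flag_ok || {
        echo 'export PATCH_THE_KERNEL=YES (upper case) before running make-kpkg' >&2
        return 1
    }
    ver=$(kernel_version "$KSRC")
    advice=$(patch_advice "$ver")
    if [ "$advice" != ok ]; then
        echo "kernel $ver: packaged patch not usable ($advice)" >&2
        return 1
    fi
    # 'make-kpkg clean' first, as the footnote suggests, so an earlier
    # half-applied patch is backed out before patching again.
    (cd "$KSRC" && make-kpkg clean && make-kpkg --config=menuconfig --revision="$REVISION" kernel_image)
}

if [ "${1:-}" = build ]; then build_debian; fi
```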
15 CraigBox 67
!Gentoo

gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,

 emerge -u freeswan

!RedHat

See http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/install.html#install - there are some RPMs out there, but I think you will have to patch the Red Hat kernel.
15 CraigBox 77
----
Congratulations! You now have an IPSec enabled kernel.

You may now wish to go to [IPSecConfiguration] to find out how to actually do something useful with all this!

__IMPORTANT NOTE:__ FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (especially on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have /1 routes and a default route out your ipsec0 interface, and __you will no longer have a default gateway__.

To do this, the following is needed in your ipsec.conf (the parameter lines inside each conn section must be indented, as ipsec.conf requires):

 conn block
     auto=ignore

 conn private
     auto=ignore

 conn private-or-clear
     auto=ignore

 conn clear-or-private
     auto=ignore

 conn clear
     auto=ignore

 conn packetdefault
     auto=ignore
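
To tell whether OE has already done what the note above describes, the following added example (not from this page or FreeS/WAN) reads the output of "ip route show" and looks for the symptom the note names: /1 or default routes pointing at the IPSec interface, with no real default gateway left. The interface name ipsec0 is taken from the page; the sample route tables are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page or FreeS/WAN. Reads "ip route
# show" output on stdin and reports whether opportunistic encryption has
# taken over the routing table: /1 or default routes pointing at the IPSec
# interface with no real default gateway left. Interface name is assumed.
set -eu

IPSEC_IF="${IPSEC_IF:-ipsec0}"

# Constructed sample "ip route show" output (not captured from a real host).
SAMPLE_OE='0.0.0.0/1 dev ipsec0  scope link
128.0.0.0/1 dev ipsec0  scope link
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10
default dev ipsec0  scope link'
SAMPLE_CLEAN='192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10
default via 192.168.1.1 dev eth0'

# oe_routes: prints every route on stdin that OE would have installed,
# i.e. a /1 or default route whose device is $IPSEC_IF.
oe_routes() {
    awk -v ifc="$IPSEC_IF" '
        { dev = ""; for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        dev == ifc && ($1 == "default" || $1 ~ /\/1$/) { print }'
}

# real_default_gw: prints the gateway of a default route that does not go
# through $IPSEC_IF, or nothing if there is none.
real_default_gw() {
    awk -v ifc="$IPSEC_IF" '
        $1 == "default" {
            dev = ""; gw = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") gw = $(i + 1)
            }
            if (dev != ifc && gw != "") print gw
        }'
}

# oe_verdict: reads a route table on stdin and prints
#   hijacked   - OE routes present and no usable default gateway
#   oe-present - OE routes present but a real default route survives
#   clean      - nothing pointing at $IPSEC_IF
oe_verdict() {
    table=$(cat)
    n=$(printf '%s\n' "$table" | oe_routes | wc -l | tr -d ' ')
    gw=$(printf '%s\n' "$table" | real_default_gw)
    if [ "$n" -gt 0 ] && [ -z "$gw" ]; then echo hijacked
    elif [ "$n" -gt 0 ]; then echo oe-present
    else echo clean
    fi
}

# Live use:  ip route show | sh oe-check.sh check
# Demo on the constructed sample:  sh oe-check.sh demo
case "${1:-}" in
    check) oe_verdict ;;
    demo)  printf '%s\n' "$SAMPLE_OE" | oe_verdict ;;
esac
```

If the verdict is "hijacked" after the auto=ignore lines above have been added, the running FreeS/WAN has not re-read ipsec.conf yet; restart it and check the route table again.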
16 CraigBox 104
----
[1]: [X509] certificate support is required if you want to interoperate with Windows. You can either get the [X509 patch for vanilla FreeS/WAN|http://www.strongsec.com/freeswan/] or you can get [Super FreeS/WAN|http://www.freeswan.ca/], which has lots more patches, but tends to be a version or two behind the original FreeS/WAN release. If you don't know what you need, compile X509 in if you're going to interoperate with Windows, and don't bother otherwise.

[2]: The makefile has changed in the kernel source, so the patch needs to change as well. You might have to play with this to make it work (run a make-kpkg clean first, perhaps), but I took the best part of a day getting a patch that would apply.

Or you could get the FreeS/WAN 2.02 patch (which works with kernel 2.4.21+) from ftp://ftp.xs4all.nl/pub/crypto/freeswan/old/freeswan-2.02.k2.4.patch.gz

dev:/usr/src/kernel-patches/all/freeswan/linux/net# less Makefile.fs2_4.ipsec_alg.patch
--- Makefile-orig Tue Oct 21 11:35:47 2003
+++ Makefile Tue Oct 21 11:35:57 2003
@@ -8,6 +8,7 @@
O_TARGET := network.o

mod-subdirs := ipv4/netfilter ipv6/netfilter ipx irda bluetooth atm netlink sched core
+mod-subdirs += ipsec
export-objs := netsyms.o

subdir-y := core ethernet
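Review bot: this hunk only appends ipsec to mod-subdirs, which marks net/ipsec as a directory that may contain modules; nothing in it adds ipsec to a subdir-* list (the hunk ends at `subdir-y := core ethernet` untouched), and those lists are what make the kernel build actually descend into the directory. Check that the rest of Makefile.fs2_4.ipsec_alg.patch, which is not shown here, still carries that part, otherwise a kernel configured with IPSec will build without the KLIPS code and the failure only shows up at link or module-load time. Adding a separate `mod-subdirs += ipsec` line rather than editing the `:=` line is what lets the hunk survive future changes to the kernel's list, but the context lines above and below still have to match the 2.4.21+ net/Makefile byte for byte, so verify with `patch -p1 --dry-run` before letting make-kpkg apply it.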
