Contributors (from the page history): CraigBox, DanielLawson, MichaelBordignon.

Prerequisites:

* A machine with Linux and a recent (preferably 2.4.22) kernel on it.
* The source for your kernel
* The FreeS/WAN kernel patches
* The FreeS/WAN UserSpace tools
* [X509] patches [1]

----
!!Kernel preparation

!Linux 2.6.0 or later

The 2.6 series of kernels has native IPSec support. This means you don't need to patch it, but you do need to compile in IPSec support and any other required features, and you do still need some UserSpace tools (the KAME/ipsec-tools or isakmpd ports mentioned below).

2.6.0 is currently (6 Nov 2003) nearing its final test release, and should be deemed 'final' very soon. I am already running 2.6.0 quite happily, although not with IPSec.

The [IPSec Howto|http://www.ipsec-howto.org/] covers 2.5/2.6 native IPSec using the Linux port of [KAME|http://ipsec-tools.sourceforge.net] (ipsec-tools), or using the Linux port of OpenBSD's [isakmpd|http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html].

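Whichever route you take (native 2.6 IPSec or a FreeS/WAN-patched 2.4 kernel), the build only helps if the options were actually switched on. The following is an added example, not code from this page or from FreeS/WAN: a POSIX shell function that reads a kernel .config and reports which IPSec-related options are neither built in nor modular. The 2.6 option names (CONFIG_XFRM_USER, CONFIG_NET_KEY, CONFIG_INET_AH, CONFIG_INET_ESP and the CONFIG_CRYPTO_* algorithms) and the KLIPS names for a patched 2.4 tree are assumptions to check against your own tree; the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not from the original page or from FreeS/WAN.
# Report which IPSec-related kernel options are missing from a .config.

# Options native 2.6 IPSec needs (Kconfig names assumed to be these).
NATIVE_26_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES"

# Options a FreeS/WAN (KLIPS) 2.4 kernel needs (names assumed; verify in your patched tree).
KLIPS_24_OPTS="CONFIG_IPSEC CONFIG_IPSEC_ESP CONFIG_IPSEC_AH CONFIG_IPSEC_PFKEYv2 \
CONFIG_IPSEC_AUTH_HMAC_SHA1 CONFIG_IPSEC_ENC_3DES"

# check_ipsec_config FILE [OPTION...]
# Prints "missing: ..." and returns 1 if any option is neither =y nor =m in FILE;
# prints "ok" and returns 0 otherwise. Defaults to the native 2.6 list.
check_ipsec_config() {
    cfg="$1"; shift
    [ $# -gt 0 ] || set -- $NATIVE_26_OPTS
    missing=""
    for opt in "$@"; do
        # Match only an exact enabled line; "# CONFIG_X is not set" does not count.
        grep -q "^${opt}=[ym]$" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample .config (not taken from any real kernel): ESP and AES are off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
# CONFIG_INET_ESP is not set
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_DES=m
# CONFIG_CRYPTO_AES is not set
EOF

check_ipsec_config "$SAMPLE_CFG" || true   # missing: CONFIG_INET_ESP CONFIG_CRYPTO_AES
rm -f "$SAMPLE_CFG"
```

On a running box, point it at /boot/config-$(uname -r) or at the output of zcat /proc/config.gz, and pass $KLIPS_24_OPTS as the extra arguments when checking a FreeS/WAN-patched 2.4 tree.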
!Vanilla Kernel/FreeS/WAN from source

Get the latest FreeS/WAN source package - the FreeS/WAN homepage recommends typing

 ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-*

Then configure and build your kernel:

 cd /usr/src/my-kernel-source-is-unpacked-here/
 <configure your kernel here. this is important.>
 <compile your kernel here. this is important.>

If you're using the [FreeS/WAN kernel installation method|http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/kernel.html] it seems you actually do need to compile a kernel here, before patching it, which is a bit odd.

Unpack the FreeS/WAN source next to the kernel:

 cd /usr/src/
 tar xzf ~/download/freeswan-2.03.tar.gz

The next step patches the kernel, rebuilds it, and installs the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your PATH.

 cd /usr/src/freeswan-2.03/
 make oldgo

'oldgo' is the target for compiling KLIPS statically against the kernel source while reusing your existing kernel configuration. The alternatives 'menugo' and 'xgo' bring up the normal curses or X kernel configuration menu respectively. In the menus, the IPSec related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!

Note that the build process outlined above assumes your kernel source is in /usr/src/linux. If this isn't the case, you can "fix" it by setting the KERNELSRC variable on the command line as you run make, eg

 make KERNELSRC=/path/to/kernel/src/ oldgo

You now have a newly compiled kernel wherever your kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart, or rerun lilo and then restart, depending on your preferences.

!Debian

Note 1: Apparently the Debian backport below comes with X509 support compiled in.

Note 2: if you want to do all the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If you're running [Debian] [Stable], you can get a [backport|BackPorts] from [backports.org's FreeS/WAN directory|http://www.backports.org/debian/dists/woody/freeswan/], by adding the following line to /etc/apt/sources.list:

 deb http://www.backports.org/debian woody freeswan

Now,

 apt-get install kernel-source    (or acquire the newest kernel source as you see fit)
 apt-get install kernel-patch-freeswan

 export PATCH_THE_KERNEL=YES
 cd /usr/src/kernel-source-whatever
 make-kpkg --config=menuconfig --revision=whatever kernel_image

When make-kpkg runs, if PATCH_THE_KERNEL is set to YES (it has to be in uppercase!) it will unpatch (clean) and then patch the kernel with the patches from /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is there to let you configure all the new options that FreeS/WAN provides. Make sure you don't forget any.

If you are running kernel 2.4.21+, THIS WILL NOT WORK! See footnote [2] for the fix.

Reboot into your new kernel and install the userspace tools with apt-get install freeswan.

!Gentoo

gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,

 emerge -u freeswan

!RedHat

See http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/install.html#install - there are some RPMs out there, but I think you will have to patch the Red Hat kernel.

----
Congratulations! You now have an IPSec enabled kernel.

You may now wish to go to [IPSecConfiguration] to find out how to actually do something useful with all this!

__IMPORTANT NOTE:__ FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (esp. on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have two /1 routes (which between them cover every destination) and a default route out your ipsec0 interface, and __you will no longer have a default gateway__.

To do this, the following is needed in your ipsec.conf, which overrides each of the built-in OE connections with auto=ignore:

 conn block
     auto=ignore

 conn private
     auto=ignore

 conn private-or-clear
     auto=ignore

 conn clear-or-private
     auto=ignore

 conn clear
     auto=ignore

 conn packetdefault
     auto=ignore
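Since the failure mode above is silent until traffic stops flowing, it helps to have a quick check for it. The following is an added example, not from this page or from FreeS/WAN: a shell function that reads routing-table text on stdin and reports whether the two /1 routes that OE installs on ipsec0 are present. The "ip route show" line format and the ipsec0 interface name are assumed; the sample routing table is constructed.

```shell
#!/bin/sh
# Added example, not from the original page or from FreeS/WAN.
# Spot the symptom described above: OE's /1 routes on ipsec0 shadowing the
# default route. Reads routing-table text ("ip route show" format assumed) on stdin.

oe_route_check() {
    # 0.0.0.0/1 plus 128.0.0.0/1 together cover every destination, so a default
    # route via a real interface underneath them is never consulted.
    halves=$(grep -Ec '^(0\.0\.0\.0|128\.0\.0\.0)/1 dev ipsec0' || true)
    if [ "$halves" -eq 2 ]; then
        echo "OE active: both /1 routes on ipsec0, default gateway shadowed"
        return 1
    elif [ "$halves" -eq 1 ]; then
        echo "suspicious: only one /1 route on ipsec0"
        return 1
    fi
    echo "no OE /1 routes on ipsec0"
    return 0
}

# Constructed sample of "ip route show" on a box where OE is still enabled.
SAMPLE_ROUTES='192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
0.0.0.0/1 dev ipsec0  scope link
128.0.0.0/1 dev ipsec0  scope link
default via 192.0.2.1 dev eth0'

printf '%s\n' "$SAMPLE_ROUTES" | oe_route_check || true   # OE active: both /1 routes on ipsec0, default gateway shadowed
```

On a live machine run ip route show | oe_route_check; after adding the auto=ignore connections above and restarting FreeS/WAN with ipsec setup restart, it should report that no /1 routes remain.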

----
[1]: [X509] certificate support is required if you want to interoperate with Windows. You can either get the [X509 patch for vanilla FreeS/WAN|http://www.strongsec.com/freeswan/] or you can get [Super FreeS/WAN|http://www.freeswan.ca/], which has lots more patches but tends to be a version or two behind the original FreeS/WAN release. If you don't know what you need, compile X509 in if you're going to interoperate with Windows, and don't bother otherwise.

[2]: The makefile has changed in the kernel source, so the patch needs to change as well. You might have to play with this to make it work (run a make-kpkg clean first perhaps) but I took the best part of a day getting a patch that would apply.

Or you could get the FreeS/WAN 2.02 patch (which works with kernel 2.4.21+) from ftp://ftp.xs4all.nl/pub/crypto/freeswan/old/freeswan-2.02.k2.4.patch.gz

dev:/usr/src/kernel-patches/all/freeswan/linux/net# less Makefile.fs2_4.ipsec_alg.patch
--- Makefile-orig Tue Oct 21 11:35:47 2003
+++ Makefile Tue Oct 21 11:35:57 2003
@@ -8,6 +8,7 @@
O_TARGET := network.o

mod-subdirs := ipv4/netfilter ipv6/netfilter ipx irda bluetooth atm netlink sched core
+mod-subdirs += ipsec
export-objs := netsyms.o

subdir-y := core ethernet
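Review bot: the one added line, `+mod-subdirs += ipsec`, only marks net/ipsec as a directory that may contain modules; nothing in this hunk adds ipsec to `subdir-y` or `subdir-m`, so the kernel build will never descend into it unless another part of the FreeS/WAN patch adds a `subdir-$(CONFIG_IPSEC) += ipsec` line near the visible `subdir-y := core ethernet` context. Confirm that line is present in the full patch before rebuilding, or the "patch applies" success here is misleading. Also, the header paths `--- Makefile-orig` and `+++ Makefile` carry no directory component, so this fragment only applies with `-p0` from inside `net/`; say so in the footnote, since make-kpkg applies patches from the top of the kernel tree.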