Differences between version 16 and revision by previous author of IPSecInstallation.
Newer page: | version 16 | Last edited on Friday, October 3, 2003 4:32:56 pm | by CraigBox |
Older page: | version 12 | Last edited on Wednesday, April 23, 2003 11:08:34 am | by JeeKay |
@@ -1,52 +1,69 @@
Prerequisites:
-* A machine with Linux and a recent (preferably 2.4.20
) kernel on it.
-* The source for your kernel (http:
//www.mirror.ac.uk/sites/ftp.
kernel.org
/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2 is the one I am using).
+
+
* A machine with Linux and a recent (preferably 2.4.22
) kernel on it.
+* The source for your kernel
+* FreeS
/WAN
kernel patches
+* The FreeS
/WAN UserSpace tools
+* [X509] patches [1]
+
* A recent FreeS/WAN archive (the FreeS/WAN homepage recommends typing: ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\*).
* Some patience!
----
-Note: This setup will NOT be able to handle interacting with IPSec implementations that require X.509 certificates for authentication. For that, you will need to patch your FreeS/WAN sources and figure it out for yourself... or wait until I Wiki it when I need to do it myself :)
+!!Kernel preparation
-Also note: I assume you know how to configure
/compile
/install kernels.
-----
-Step 1
: Preparing kernel sources (not necessary if you already have them to hand)
- cd /usr/src/
- tar xjf ~/download/linux
-2.4.20.tar.bz2
+!Vanilla Kernel
/FreeS
/WAN from source
+
+Get the latest FreeS/WAN source package
- the FreeS/WAN homepage recommends typing
+ ncftpget ftp
://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\*
+
+ cd /usr/src/my
-kernel-source-is-unpacked-here/
<configure your kernel here. this is important.>
<compile your kernel here. this is important.>
-Step 2: Preparing
FreeS/WAN sources
+If you're using the [
FreeS/WAN kernel installation method|http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/kernel.html] it seems you actually need to compile a kernel here, which is a bit odd.
+
cd /usr/src/
- tar xzf ~/download/freeswan-1
.99
.tar.gz
+ tar xzf ~/download/freeswan-2
.02
.tar.gz
-Step 3: Start making FreeS/WAN %%%
-Note that this step installs
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
+The next stepinstalls
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
cd /usr/src/freeswan-1.99/
- make oldgo[1]
+ make oldgo
-Step 4: Rebuild
the kernel
- cd /usr/src/freeswan-1
.99/
- make kinstall[2]
+'oldgo' is the target for compiling statically against
the kernel source
. Alternatives are 'menugo' and `xgo' to get a normal kernel config menu up respectively. For the menus, IPSec related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!
-Step 5: Finishing touches
- <
install your kernel>
- <
reboot>
-----
-Congratulations! You now have an IPSec enabled kernel in the directory where your newly compiled kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart or rerun lilo and restart, depending on your preferences
.
+Now,
install your kernel and
reboot.
-You may now wish to go
to [IPSecConfiguration
] to find out how
to actually do something useful
with all this
!
+!Debian
+
+Note: if you want
to do all the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If you're running
[Debian
] [Stable], you can get the a [backport|BackPorts] from [backports.org's FreeS/WAN directory|http://www.backports.org/debian/dists/woody/freeswan/], by adding the following line
to /etc/apt/sources.list:
+
+ deb http://www.backports.org/debian woody freeswan
+
+Now,
+
+ apt-get install kernel-source (or acquire the newest kernel source as you see fit)
+ apt-get install kernel-patch-freeswan
+
+ export PATCH_THE_KERNEL=YES
+ cd /usr/src/kernel-source-whatever
+ make-kpkg --config=menuconfig --revision=whatever kernel_image
+
+When make-kpkg runs, if PATCH_THE_KERNEL is set YES (It has
to be in uppercase!) then it will unpatch (clean) and patch the kernel
with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure
all the flash new options that FreeS/WAN provides. Make sure you don't forget any.
+
+The userspace tools can be installed with apt-get install freeswan.
+
+
!Gentoo
+
+gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and
+ emerge -u freeswan
----
-!Or
, if you're running Debian:
+Congratulations
! You now have an IPSec enabled kernel in the directory where your newly compiled kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart or rerun lilo and restart
, depending on your preferences.
-apt-get install kernel-source (or acquire the newest kernel source as you see fit)
-apt-get install kernel-patch-freeswan
+You may now wish to go to [IPSecConfiguration] to find out how to actually do something useful with all this!
-export PATCH
_THE
_KERNEL=YES
-cd
/usr
/src
/kernel-source-whatever
-make-kpkg --config=menuconfig --revision=whatever kernel
_image
+__IMPORTANT NOTE:__ FreeS
/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS
/WAN (esp. on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have
/1 routes and a default route out your ipsec0 interface, and __you will no longer have a default gateway_
_.
-When make-kpkg runs, if PATCH_THE_KERNEL is set YES then it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides.
----
-[1]: oldgo
is the target for compiling statically against the kernel source
. Alternatives are `menugo' and `xgo' to
get a normal kernel config menu up respectively
. For the menus, IPSec related options are under `Networking Options'
. Always save the config when you leave, whether
or not
you have changed anything!
-
[2]
: kinstall is the target for installing statically against the kernel source
. The alternative (for a module) is minstall
. Note that this step seems
to attempt to auto-install
the new kernel if
you are running lilo.. I
don't so it didn
't do anything but beware
.
+[1]: [X509] certificate support
is required if you want to interoperate with Windows
. You can either
get [X509 patch for vanilla FreeS/WAN|http://www
.strongsec
.com/freeswan/]
or you can get
[Super FreeS/WAN|http
://www
.freeswan
.ca/], which has lots more patches, but tends
to be a version or two behind
the original FreeS/WAN release. If
you don't know what you need, compile X509 in if you're going to interoperate with Windows, and don
't bother otherwise
.
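
Review bot: the unchanged "cd /usr/src/freeswan-1.99/" line ahead of "make oldgo" no longer matches the updated unpack step, which now extracts freeswan-2.02.tar.gz; a reader following the new text either gets a failed cd or builds an older tree that happens to be left on disk. Change it to "cd /usr/src/freeswan-2.02/". In the sentence just above it, "The next stepinstalls" is missing a space. The revision also deletes the "make kinstall" step together with old footnote [2], which warned that this target tries to auto-install the new kernel when lilo is in use; "Now, install your kernel and reboot" should either name the install target or keep that caveat. In the prerequisites, the new "FreeS/WAN kernel patches" and "UserSpace tools" items sit beside the retained "A recent FreeS/WAN archive" item, and its ncftpget command is repeated under "Vanilla Kernel/FreeS/WAN from source", so one of the two can go. The archive is fetched over plain FTP and then compiled into the kernel, so a line telling readers to check the archive's signature or checksum before unpacking would fit after the ncftpget command. Finally, the IMPORTANT NOTE tells readers to turn OE off quickly but does not say how; add the setting or link to the page that covers it.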