Differences between version 18 and revision by previous author of IPSecInstallation.
Newer page: | version 18 | Last edited on Wednesday, November 5, 2003 10:13:10 am | by CraigBox |
Older page: | version 12 | Last edited on Wednesday, April 23, 2003 11:08:34 am | by JeeKay |
@@ -1,52 +1,87 @@
Prerequisites:
-* A machine with Linux and a recent (preferably 2.4.20) kernel on it.
-* The source for your kernel (http://www.mirror.ac.uk/sites/ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2 is the one I am using).
-* A recent FreeS/WAN archive (the FreeS/WAN homepage recommends typing: ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\*).
-* Some patience!
-----
-Note: This setup will NOT be able to handle interacting with IPSec implementations that require X.509 certificates for authentication. For that, you will need to patch your FreeS/WAN sources and figure it out for yourself... or wait until I Wiki it when I need to do it myself :)
-Also note: I assume you know how to configure
/compile
/install kernels.
+* A machine with Linux and a recent (preferably 2.4.22) kernel on it.
+* The source for your kernel
+* FreeS
/WAN kernel patches
+* The FreeS
/WAN UserSpace tools
+* [X509] patches [1]
+
----
-Step 1: Preparing kernel sources (not necessary if you already have them to hand)
- cd
/usr
/src
/
- tar xjf ~
/download
/linux-2
.4
.20.tar.bz2
+!!Kernel preparation
+
+!Vanilla Kernel
/FreeS
/WAN from source
+
+Get the latest FreeS
/WAN source package - the FreeS/WAN homepage recommends typing
+ ncftpget ftp:
//ftp
.xs4all
.nl/pub/crypto/freeswan/freeswan-\*
+
+ cd /usr/src/my-kernel-source-is-unpacked-here/
<configure your kernel here. this is important.>
<compile your kernel here. this is important.>
-Step 2: Preparing
FreeS/WAN sources
+If you're using the [
FreeS/WAN kernel installation method|http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/kernel.html] it seems you actually need to compile a kernel here, which is a bit odd.
+
cd /usr/src/
- tar xzf ~/download/freeswan-1
.99
.tar.gz
+ tar xzf ~/download/freeswan-2
.02
.tar.gz
-Step 3: Start making FreeS/WAN %%%
-Note that this step installs
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
+The next stepinstalls
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
cd /usr/src/freeswan-1.99/
- make oldgo[1]
+ make oldgo
-Step 4
: Rebuild
the kernel
- cd /usr/src/freeswan
-1
.99
/
- make kinstall
[2]
+'oldgo' is the target for compiling statically against the kernel source. Alternatives are 'menugo' and `xgo' to get a normal kernel config menu up respectively. For the menus, IPSec related options are under 'Networking Options'. Always save the config when you leave, whether or not you have changed anything!
+
+You now have a newly compiled kernel in wherever your kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart or rerun lilo and restart, depending on your preferences.
+
+!Debian
+
+Note
: if you want to do all
the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If you're running [Debian] [Stable], you can get the a [backport|BackPorts] from [backports.org's FreeS/WAN directory|http://www.backports.org/debian/dists/woody/freeswan/], by adding the following line to /etc/apt/sources.list:
+
+ deb http://www.backports.org/debian woody freeswan
+
+Now,
+
+ apt-get install kernel-source (or acquire the newest
kernel source as you see fit)
+ apt-get install kernel-patch-freeswan
+
+ export PATCH_THE_KERNEL=YES
+ cd /usr/src/kernel
-source-whatever
+ make-kpkg --config=menuconfig --revision=whatever kernel_image
+
+When make-kpkg runs, if PATCH_THE_KERNEL is set YES (It has to be in uppercase!) then it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture
. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS
/WAN provides. Make sure you don't forget any.
+
+If you are running kernel 2.4.21+, THIS WILL NOT WORK! See this footnote
[2] for the fix
+
+Reboot into your new kernel and install the userspace tools with apt-get install freeswan.
+
+!Gentoo
+
+gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,
+
+ emerge -u freeswan
+
+!!RedHat
+
+See http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/install.html#install - there are some RPMs out there, but I think you will have to patch the Red Hat kernel.
-Step 5: Finishing touches
- <install your kernel>
- <reboot>
----
-Congratulations! You now have an IPSec enabled kernel in the directory where your newly compiled kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going to want to copy it somewhere and either restart or rerun lilo and restart, depending on your preferences.
+Congratulations! You now have an IPSec enabled kernel
You may now wish to go to [IPSecConfiguration] to find out how to actually do something useful with all this!
+
+__IMPORTANT NOTE:__ FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (esp. on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have /1 routes and a default route out your ipsec0 interface, and __you will no longer have a default gateway__.
----
-!Or
, if you're running Debian:
+[1]: [X509] certificate support is required if you want to interoperate with Windows. You can either get [X509 patch for vanilla FreeS/WAN|http://www.strongsec.com/freeswan/] or you can get [Super FreeS/WAN|http://www.freeswan.ca/]
, which has lots more patches, but tends to be a version or two behind the original FreeS/WAN release. If you don't know what you need, compile X509 in
if you're going to interoperate with Windows, and don't bother otherwise.
-apt-get install
kernel-
source (or acquire
the newest kernel source
as you see fit
)
-apt-get install kernel-
patch-freeswan
+[2]: The makefile has changed in the
kernel source, so
the patch needs to change
as well. You might have to play with this to make it work (run a make-kpkg clean first perhaps
) but I took the best part of a day getting a
patch that would apply.
-export PATCH_THE_KERNEL=YES
-cd
/usr/src/kernel-source-whatever
-make
-kpkg
--config=menuconfig
--revision=whatever kernel
_image
+ dev:
/usr/src/kernel-patches/all/freeswan/linux/net# less Makefile.fs2_4.ipsec_alg.patch
+ --- Makefile
-orig Tue Oct 21 11:35:47 2003
+ +++ Makefile Tue Oct 21 11:35:57 2003
+ @@
-8,6 +8,7 @@
+ O
_TARGET := network.o
-When make
-kpkg runs, if PATCH_THE_KERNEL is set YES then it will unpatch (clean) and patch the kernel with the contents of
/usr
/src/kernel
-patches/ that are correct for your architecture.
The
--config
=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides
.
+ mod
-subdirs := ipv4
/netfilter ipv6
/netfilter ipx irda bluetooth atm netlink sched core
+ +mod
-subdirs +=
ipsec
+ export
-objs :
= netsyms
.o
-----
-[1]
: oldgo is the target for compiling statically against the kernel source. Alternatives are `menugo' and `xgo' to get a normal kernel config menu up respectively. For the menus, IPSec related options are under `Networking Options'. Always save the config when you leave, whether or not you have changed anything!
-[2]: kinstall is the target for installing statically against the kernel source. The alternative (for a module) is minstall. Note that this step seems to attempt to auto-install the new kernel if you are running lilo.. I don't so it didn't do anything but beware.
+ subdir
-y
:= core ethernet
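Review bot: The unchanged context line "cd /usr/src/freeswan-1.99/" just before "make oldgo" no longer matches the tarball this revision unpacks ("tar xzf ~/download/freeswan-2.02.tar.gz"), so the vanilla-kernel steps now point at a directory the reader never created; update that line in the same edit. In the Debian section the warning "If you are running kernel 2.4.21+, THIS WILL NOT WORK!" comes after the make-kpkg commands, while the prerequisites now recommend 2.4.22, so most readers will hit the failure before they read the warning; move it, with the pointer to footnote [2], above "export PATCH_THE_KERNEL=YES". The IMPORTANT NOTE tells readers to turn OpportunisticEncryption off quickly but not how, which matters given the stated consequence of losing the default gateway; add the steps or an explicit pointer to where they are documented. Smaller points: "The next stepinstalls" is missing a space, "you can get the a [backport|BackPorts]" has a stray article, "You now have an IPSec enabled kernel" lost its full stop before "You may now wish", and "!!RedHat" is one heading level above its siblings "!Debian" and "!Gentoo".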