Differences between version 17 and predecessor to the previous major change of IPSecInstallation.
Newer page: | version 17 | Last edited on Friday, October 3, 2003 4:40:21 pm | by CraigBox |
Older page: | version 15 | Last edited on Wednesday, April 23, 2003 1:48:17 pm | by CraigBox |
@@ -1,55 +1,71 @@
Prerequisites:
-* A machine with Linux and a recent (preferably 2.4.20) kernel on it.
-* The source for your kernel (http://www.mirror.ac.uk/sites/ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2 is the one I am using).
-* A recent FreeS/WAN archive (the FreeS/WAN homepage recommends typing: ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\*).
-* Some patience!
-----
-Note: This setup will NOT be able to handle interacting with IPSec implementations that require X.509 certificates for authentication. For that, you will need to patch your FreeS/WAN sources and figure it out for yourself... or wait until I Wiki it when I need to do it myself :)
-Also note: I assume you know how to configure
/compile
/install kernels.
+* A machine with Linux and a recent (preferably 2.4.22) kernel on it.
+* The source for your kernel
+* FreeS
/WAN kernel patches
+* The FreeS
/WAN UserSpace tools
+* [X509] patches [1]
+
----
-Step 1: Preparing kernel sources (not necessary if you already have them to hand)
- cd
/usr
/src
/
- tar xjf ~
/download
/linux-2
.4
.20.tar.bz2
+!!Kernel preparation
+
+!Vanilla Kernel
/FreeS
/WAN from source
+
+Get the latest FreeS
/WAN source package - the FreeS/WAN homepage recommends typing
+ ncftpget ftp:
//ftp
.xs4all
.nl/pub/crypto/freeswan/freeswan-\*
+
+ cd /usr/src/my-kernel-source-is-unpacked-here/
<configure your kernel here. this is important.>
<compile your kernel here. this is important.>
-Step 2: Preparing
FreeS/WAN sources
+If you're using the [
FreeS/WAN kernel installation method|http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/kernel.html] it seems you actually need to compile a kernel here, which is a bit odd.
+
cd /usr/src/
- tar xzf ~/download/freeswan-1
.99
.tar.gz
+ tar xzf ~/download/freeswan-2
.02
.tar.gz
-Step 3: Rebuild the kernel and make FreeS/WAN %%%
-Note that this step installs
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
+The next stepinstalls
the IPSec binaries in /usr/local/lib/ipsec. The "ipsec" command itself is put in /usr/local/sbin. If you later find you can't find "ipsec", check your path.
cd /usr/src/freeswan-1.99/
- make oldgo[1]
+ make oldgo
-Step 4: Finishing touches
- <install your kernel>
- <reboot>
-----
-Congratulations! You now have an IPSec enabled kernel in
the directory where your newly compiled kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage
for me)
. You
are probably going to want to copy it somewhere
and either restart or rerun lilo and restart
, depending on your preferences
.
+'oldgo' is
the target
for compiling statically against the kernel source
. Alternatives
are 'menugo'
and `xgo' to get a normal kernel config menu up respectively. For the menus
, IPSec related options are under 'Networking Options'
. Always save the config when you leave, whether or not you have changed anything!
-You may
now wish
to go
to [IPSecConfiguration] to find out how to actually do something useful with all this!
+You now have a newly compiled kernel in wherever your kernel normally lives (/usr/src/linux/arch/i386/boot/bzImage for me). You are probably going
to want
to copy it somewhere and either restart or rerun lilo and restart, depending on your preferences.
-----
-
!Or,
if you're running Debian:
+!Debian
+
+Note:
if you want to do all the cool new things like OpportunisticEncryption, you should be using FreeS/WAN 2.01+. If
you're running [
Debian] [Stable], you can get the a [backport|BackPorts] from [backports.org's FreeS/WAN directory|http
://www.backports.org/debian/dists/woody/freeswan/], by adding the following line to /etc/apt/sources.list:
+
+ deb http://www.backports.org/debian woody freeswan
+
+Now,
apt-get install kernel-source (or acquire the newest kernel source as you see fit)
apt-get install kernel-patch-freeswan
export PATCH_THE_KERNEL=YES
cd /usr/src/kernel-source-whatever
make-kpkg --config=menuconfig --revision=whatever kernel_image
-When make-kpkg runs, if PATCH_THE_KERNEL is set YES then it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides.
+When make-kpkg runs, if PATCH_THE_KERNEL is set YES (It has to be in uppercase!)
then it will unpatch (clean) and patch the kernel with the contents of /usr/src/kernel-patches/ that are correct for your architecture. The --config=menuconfig step is designed to let you configure all the flash new options that FreeS/WAN provides. Make sure you don't forget any
.
-----
-!Or, if you're running
Gentoo:
+Reboot into your new kernel and install the userspace tools with apt
-get install freeswan.
+
+!Gentoo
+
+gentoo-sources comes with FreeS/WAN support. Enable IPSec in your kernel config, recompile, and reboot. For the userspace tools,
-If you already are using gentoo-sources, simply ensure that IPSec is enabled in your kernel config. Then:
emerge -u freeswan
-You
are now
the proud owner of
an IPSec enabled machine
.
+!!RedHat
+
+See http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/install.html#install - there
are some RPMs out there, but I think you will have to patch
the Red Hat kernel.
+
+----
+Congratulations! You now have
an IPSec enabled kernel
+
+You may now wish to go to [IPSecConfiguration] to find out how to actually do something useful with all this!
+
+__IMPORTANT NOTE:__ FreeS/WAN 2.x ships with OpportunisticEncryption enabled out of the box. THIS WILL CAUSE YOU PROBLEMS IF YOU DON'T HAVE CORRECT DNS RECORDS! If you install FreeS/WAN (esp. on Debian) and want to set up tunnels, or learn about it, turn OE off quickly. If it's on, you'll have /1 routes and a default route out your ipsec0 interface, and __you will no longer have a default gateway__
.
----
-[1]: oldgo
is the target
for compiling statically against the kernel source
. Alternatives are `menugo' and `xgo' to
get a normal kernel config menu up respectively
. For the menus, IPSec related options are under `Networking Options'
. Always save
the config when
you leave
, whether or not
you have changed anything!
+[1]: [X509] certificate support
is required if you want to interoperate with Windows. You can either get [X509 patch
for vanilla FreeS/WAN|http://www
.strongsec.com/freeswan/] or you can
get [Super FreeS/WAN|http://www
.freeswan
.ca/], which has lots more patches, but tends to be a version or two behind
the original FreeS/WAN release. If you don't know what
you need
, compile X509 in if
you're going to interoperate with Windows, and don't bother otherwise.
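Review bot: The unchanged context line "cd /usr/src/freeswan-1.99/" just before "make oldgo" is now stale, because this revision changes the unpack step to "tar xzf ~/download/freeswan-2.02.tar.gz"; a reader following the new text is sent to the old release's directory rather than the one just unpacked, so that line should be updated to freeswan-2.02 or to a version-neutral placeholder in the style of "my-kernel-source-is-unpacked-here". Smaller points in the same hunk: "The next stepinstalls" is missing a space and "you can get the a [backport|BackPorts]" has a doubled article; "!!RedHat" sits one heading level above its siblings "!Debian" and "!Gentoo"; and the IMPORTANT NOTE tells readers to turn OpportunisticEncryption off quickly without saying where that is done, so a pointer to [IPSecConfiguration] or to the relevant setting would help, given that the stated failure is losing the default gateway.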