In this chapter I describe how to install the FreeSWAN patch. You need to know how to compile a kernel to apply this patch. If you don't know how, or if you would like to refresh your memory a bit, check out the Kernel HOWTO. =)
First of all we have to download the following sources:
- Kernel source (ftp://ftp.kernel.org)
- FreeSWAN source (ftp://ftp.xs4all.nl/pub/crypto/freeswan)
- X.509 patch (http://www.strongsec.com/freeswan)
Put all the downloaded sources in the /usr/src directory.
Unpack the kernel source:
tar zxvvf linux-2.2.20.tar.gz
Unpack the FreeSWAN source:
tar zxvvf freeswan-1.96.tar.gz
Unpack the X.509 patch:
tar zxvvf x509patch-0.9.9-freeswan-1.96.tar.gz
Once this is done, copy the freeswan.diff file from the x.509 patch directory to the freeswan directory.
matrix:/usr/src# cp x509patch-0.9.9-freeswan-1.96/freeswan.diff freeswan-1.96/
Time to install the patch.
matrix:/usr/src# cd freeswan-1.96 ; patch -p1 < freeswan.diff
When it is finished we can configure the kernel. From the freeswan-1.96 directory we can use the following
command:
matrix:/usr/src/freeswan-1.96# make menugo
All the FreeSWAN options will be automatically enabled by default. These are listed in the section Networking Options.
When the kernel config has finished, save it and it will compile the kernel for you straight away.
Keep in mind that make menugo will not install the new kernel yet!
When it is finished compiling, we can install the new kernel. Make sure your lilo setup is correct.
matrix:/usr/src/linux# make install
Reboot the machine.
Testing the kernel
When your machine has come up again you can test whether the installation succeeded by executing dmesg | grep KLIPS. It should return the version of FreeSWAN you patched your kernel with. If it does not, something has gone wrong: you might want to reread the Kernel HOWTO or check whether you forgot something else.
Now we can write a configuration file for FreeSWAN. This configuration file is /etc/ipsec.conf; in it you set up your connections and how each connection should be treated. For more information, see man ipsec.conf =).
Below is the configuration needed to accept road warrior connections from dynamic IP addresses. The road warriors will authenticate using their X.509 certificates, which we will create later on. Note that section headers (config setup, conn ...) start at the beginning of a line, while the parameter lines under them must be indented.
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    # RSA based authentication
    authby=rsasig
    # freeswan gateway
    keyingtries=0
    pfs=yes

conn roadwarrior1-wouter
    auto=add
    # dynamic ip and certificate roadwarrior
    left=%any
    leftcert=client-cert.pem
    # freeswan gateway cert
    rightupdown="/usr/lib/ipsec/_updown"
    right=[your gateway IP address]
    rightsubnet=192.168.0.0/24
    rightnexthop=[your gateways nexthop]
    rightcert=freeswan-cert.pem
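The configuration above is easy to get subtly wrong: a parameter left unindented is silently treated as a section header, the bracketed placeholders for the gateway address and nexthop are easy to forget, and a connection with authby=rsasig but no certificate on one side will never authenticate. The following Python script is an added example (it is not part of this HOWTO and not FreeSWAN's own code) that parses an ipsec.conf in the form shown, applies the conn %default inheritance the way FreeSWAN does, and reports such problems before you run ipsec setup. The embedded SAMPLE_CONF is constructed from the configuration above and deliberately keeps its placeholders; the helper names parse_ipsec_conf, effective_conns and lint are my own.

```python
"""Lint a FreeSWAN-style ipsec.conf before using it.

Added example, not part of the original HOWTO or of FreeSWAN. The sample
configuration below is constructed from the one the HOWTO shows and keeps
its "[your gateway IP address]" style placeholders on purpose.
"""
import re

# Constructed sample: the HOWTO's road warrior configuration, placeholders intact.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    authby=rsasig
    keyingtries=0
    pfs=yes

conn roadwarrior1-wouter
    auto=add
    left=%any
    leftcert=client-cert.pem
    rightupdown="/usr/lib/ipsec/_updown"
    right=[your gateway IP address]
    rightsubnet=192.168.0.0/24
    rightnexthop=[your gateways nexthop]
    rightcert=freeswan-cert.pem
"""

# Matches the "[your ...]" placeholders the HOWTO uses for site-specific values.
PLACEHOLDER = re.compile(r"\[your [^\]]*\]")


def parse_ipsec_conf(text):
    """Return {"config": {...}, "conn": {name: {...}}} for an ipsec.conf.

    Rules applied: a section header ("config setup" or "conn <name>") starts
    at column 0; every parameter line inside a section is indented; '#' starts
    a comment; blank lines are ignored. Surrounding double quotes on values
    (as in rightupdown="...") are stripped.
    """
    sections = {"config": {}, "conn": {}}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            if kind == "config" and name == "setup":
                current = sections["config"]
            elif kind == "conn" and name:
                current = sections["conn"].setdefault(name, {})
            else:
                raise ValueError(f"line {lineno}: unknown section header {line!r}")
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line.strip()!r}")
        current[key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections):
    """Merge "conn %default" into every named conn, as FreeSWAN does."""
    defaults = sections["conn"].get("%default", {})
    return {name: {**defaults, **params}
            for name, params in sections["conn"].items() if name != "%default"}


def lint(sections):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    if "interfaces" not in sections["config"]:
        problems.append("config setup: interfaces= is missing")
    for name, params in effective_conns(sections).items():
        for key, value in params.items():
            if PLACEHOLDER.search(value):
                problems.append(f"conn {name}: {key}= still holds placeholder {value!r}")
        if params.get("authby") == "rsasig":
            # With X.509, each side needs a certificate (or an explicit RSA key).
            for side in ("left", "right"):
                if not params.get(side + "cert") and not params.get(side + "rsasigkey"):
                    problems.append(
                        f"conn {name}: authby=rsasig but no {side}cert= or {side}rsasigkey=")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_ipsec_conf(SAMPLE_CONF)) or ["no problems found"]:
        print(problem)
```

Run it against your real file by replacing SAMPLE_CONF with the contents of /etc/ipsec.conf; on the sample it reports the two unfilled placeholders (right= and rightnexthop=) and nothing else, and once those are filled in it reports nothing.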