2. FreeSWAN

In this chapter I describe how to install the FreeSWAN patch. You need to know how to compile a kernel to apply this patch. If you don't know how, or would like to refresh your memory a bit, check out the Kernel HOWTO. =)

2.1 Installation

First of all we have to download the following sources:

  1. Kernel source (ftp://ftp.kernel.org)
  2. FreeSWAN source (ftp://ftp.xs4all.nl/pub/crypto/freeswan)
  3. X.509 patch (http://www.strongsec.com/freeswan)

Put all the downloaded sources in the /usr/src directory.

Unpack the kernel source:

tar zxvvf linux-2.2.20.tar.gz

Unpack the FreeSWAN source:

tar zxvvf freeswan-1.96.tar.gz

Unpack the X.509 patch:

tar zxvvf x509patch-0.9.9-freeswan-1.96.tar.gz

Once this is done, copy the freeswan.diff file from the X.509 patch directory to the FreeSWAN directory.

matrix:/usr/src# cp x509patch-0.9.9-freeswan-1.96/freeswan.diff freeswan-1.96/

Time to install the patch.

matrix:/usr/src# cd freeswan-1.96 ; patch -p1 < freeswan.diff

When it is finished we can configure the kernel. From the freeswan-1.96 directory we can use the following command:

matrix:/usr/src/freeswan-1.96# make menugo

All the FreeSWAN options are enabled by default; they are listed under Networking Options. When you are done with the kernel configuration, save it and the kernel will be compiled for you straight away. Keep in mind that make menugo will not install the new kernel! When it has finished compiling, install the new kernel from the kernel source directory. Make sure your lilo setup is correct.

matrix:/usr/src/linux# make install

Reboot the machine.

Testing the kernel

When your machine has come up again you can check whether the installation succeeded by running dmesg | grep KLIPS, which should print the version of FreeSWAN you patched your kernel with. If it prints nothing, something has gone wrong: you are probably still running the old kernel, or the patch did not go in. You might want to reread the Kernel HOWTO or check whether you forgot a step.
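The steps above wrapped into a script, as an added example that is not part of this HOWTO: freeswan_prepare does the unpack, copy and patch steps and stops at the first missing tarball or rejected hunk (leaving the tree untouched thanks to a patch dry run), and klips_version is the "Testing the kernel" check as a function that parses the version out of the KLIPS boot banner. Version numbers default to the ones used in this chapter; the dmesg line shown in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the HOWTO): unpack-and-patch wrapped in a function,
# plus the post-reboot KLIPS check from "Testing the kernel".
set -e

SRC_DIR=${SRC_DIR:-/usr/src}

# usage: freeswan_prepare [kernel-version] [freeswan-version] [x509patch-version]
# Leaves the patched tree in $SRC_DIR/freeswan-<ver>, ready for "make menugo".
freeswan_prepare() {
    kver=${1:-2.2.20} fver=${2:-1.96} xver=${3:-0.9.9}
    x509="x509patch-$xver-freeswan-$fver"
    (
        cd "$SRC_DIR" || exit 1
        for f in "linux-$kver.tar.gz" "freeswan-$fver.tar.gz" "$x509.tar.gz"; do
            [ -f "$f" ] || { echo "missing $SRC_DIR/$f" >&2; exit 1; }
        done
        tar zxf "linux-$kver.tar.gz" || exit 1
        tar zxf "freeswan-$fver.tar.gz" || exit 1
        tar zxf "$x509.tar.gz" || exit 1
        cp "$x509/freeswan.diff" "freeswan-$fver/" || exit 1
        cd "freeswan-$fver" || exit 1
        # Dry run first: if the patch does not match this FreeSWAN version,
        # nothing is modified and we stop here.
        patch -p1 --dry-run < freeswan.diff >/dev/null && patch -p1 < freeswan.diff || exit 1
    )
}

# Reads dmesg text on stdin and prints the FreeS/WAN version from the KLIPS
# startup line, or nothing if KLIPS is absent. The banner looks like this
# (constructed sample line):
#   klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.96
klips_version() {
    sed -n 's/.*KLIPS startup, FreeS\/WAN IPSec version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# The dmesg | grep KLIPS test from the chapter, with a non-zero exit on failure.
check_klips() {
    v=$(dmesg | klips_version)
    if [ -z "$v" ]; then
        echo "no KLIPS banner in dmesg: kernel not patched, or old kernel still running" >&2
        return 1
    fi
    echo "FreeS/WAN KLIPS version $v is running"
}
```

Run freeswan_prepare before make menugo and check_klips after the reboot; because both return non-zero on failure they can be chained with && in a larger build script.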

2.2 Configuration

Now we can write a configuration file for FreeSWAN. This file is /etc/ipsec.conf; in it you set up your connections and how each connection should be treated. For more information, see man ipsec.conf =). Below is the configuration needed to accept road warrior connections from dynamic IP addresses. They will authenticate using their X.509 certificates, which we will create later on.

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    # RSA based authentication
    authby=rsasig
    keyingtries=0
    pfs=yes

conn roadwarrior1-wouter
    auto=add
    # dynamic ip and certificate roadwarrior
    left=%any
    leftcert=client-cert.pem
    # freeswan gateway
    rightupdown="/usr/lib/ipsec/_updown"
    right=[your gateway IP address]
    rightsubnet=192.168.0.0/24
    rightnexthop=[your gateways nexthop]
    # freeswan gateway cert
    rightcert=freeswan-cert.pem
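A pre-flight check for the file above, added here as an example and not part of the HOWTO: it reports bracketed placeholders such as [your gateway IP address] that were never replaced, parameter lines that are not indented (ipsec.conf only attaches a parameter to its section when the line starts with whitespace), and leftcert=/rightcert= files that do not exist. The certificate directory is an assumption: the X.509 patch looks for certificates in /etc/ipsec.d/certs when the value is not an absolute path.

```shell
#!/bin/sh
# Added example (not from the HOWTO): sanity-check /etc/ipsec.conf before
# "ipsec setup start". CERT_DIR is an assumption about the X.509 patch's
# default certificate directory; override it if your install differs.
CERT_DIR=${CERT_DIR:-/etc/ipsec.d/certs}

# usage: check_ipsec_conf /etc/ipsec.conf
# Prints one problem per line; returns 0 if none were found, 1 otherwise.
check_ipsec_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    problems=$(awk -v certdir="$CERT_DIR" '
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        /^(config|conn)[ \t]/ { section = $2; next }  # section header
        /^[^ \t]/ {                                   # unindented: not in any section
            printf "line %d: \"%s\" is not indented, so it is not part of section %s\n", NR, $0, section
            next
        }
        {
            sub(/^[ \t]+/, "")
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/"/, "", val)
            if (val ~ /^\[.*\]$/)
                printf "line %d: %s still has placeholder %s\n", NR, key, val
            if (key ~ /^(left|right)cert$/) {
                if (val ~ /^\//) path = val; else path = certdir "/" val
                if (system("test -f \"" path "\"") != 0)
                    printf "line %d: certificate %s not found\n", NR, path
            }
        }' "$conf")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

Run it as check_ipsec_conf /etc/ipsec.conf after editing the file; the configuration printed in this chapter, pasted verbatim with its two [...] placeholders, is reported until you fill them in.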
