
Introduction to FreeS/WAN

http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/install.html


Installing FreeS/WAN
This document will teach you how to install Linux FreeS/WAN. If your distribution comes with Linux FreeS/WAN, we offer tips to get you started.

Requirements
To install FreeS/WAN you must:

- be running Linux with the 2.4 or 2.2 kernel series. See this kernel compatibility table. We also have experimental support for 2.6 kernels. There are two basic approaches, and this document covers both:
  - install FreeS/WAN, including its KLIPS kernel code. You'll be using KLIPS in place of the existing 2.6 IPsec kernel support.
  - install the FreeS/WAN userland tools (keying daemon and supporting scripts) for use with 2.6 kernel native IPsec. See also these known issues with 2.6.
- have root access to your Linux box
- choose the version of FreeS/WAN you wish to install based on mailing list reports

Choose your install method


There are three basic ways to get FreeS/WAN onto your system:

- activating and testing a FreeS/WAN that shipped with your Linux distribution
- RPM install
- install from source

FreeS/WAN ships with some Linuxes


FreeS/WAN comes with these distributions. If you're running one of these, include FreeS/WAN in the choices you make during installation, or add it later using the distribution's tools.

FreeS/WAN may be altered...


Your distribution may have integrated extra features, such as Andreas Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup script locations or directory names.

You might need to create an authentication keypair


If your FreeS/WAN came with your distribution, you may wish to generate a fresh RSA key pair. FreeS/WAN will use these keys for authentication. To do this, become root, and type:

1 of 6

11/2/2011 10:54 AM

Introduction to FreeS/WAN

http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/install.html

ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
chmod 600 /etc/ipsec.secrets

where you replace xy.example.com with your machine's fully-qualified domain name. Generate some randomness, for example by wiggling your mouse, to speed the process. The resulting ipsec.secrets looks like:
: RSA {
        # RSA 2192 bits xy.example.com Sun Jun 8 13:42:19 2003
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOFppfeE3cC7wqJi...
        Modulus: 0x85a697de137702ef0...
        # everything after this point is secret
        PrivateExponent: 0x16466ea5033e807...
        Prime1: 0xdfb5003c8947b7cc88759065...
        Prime2: 0x98f199b9149fde11ec956c814...
        Exponent1: 0x9523557db0da7a885af90aee...
        Exponent2: 0x65f6667b63153eb69db8f300dbb...
        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
        }
# do not change the indenting of that "}"

In the actual file, the strings are much longer.
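As an added example (not part of the FreeS/WAN documentation), a POSIX shell check that a generated ipsec.secrets has the permissions and layout described above: mode 600, a ": RSA {" block carrying every private field, and the closing "}" still indented. The path defaults to /etc/ipsec.secrets; the sample key values are the truncated placeholders from the listing above, not a real key.

```shell
# Added example, not FreeS/WAN code: sanity-check ipsec.secrets before starting
# pluto. Returns 0 when all checks pass, 1 otherwise; findings go to stderr.
check_ipsec_secrets() {
    f="${1:-/etc/ipsec.secrets}"
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: not found; run: ipsec newhostkey --output $f --hostname FQDN" >&2
        return 1
    fi
    # Columns 2-10 of ls -ld are the permission bits; anything wider than
    # rw------- lets other users read the private key.
    perms=$(ls -ld "$f" | cut -c2-10)
    if [ "$perms" != "rw-------" ]; then
        echo "$f: permissions are $perms, expected rw------- (chmod 600 $f)" >&2
        rc=1
    fi
    if ! grep -q '^: RSA {' "$f"; then
        echo "$f: no ': RSA {' host key block" >&2
        rc=1
    fi
    for field in Modulus PrivateExponent Prime1 Prime2 Exponent1 Exponent2 Coefficient; do
        if ! grep -q "^[[:space:]]*$field: 0x[0-9a-fA-F]" "$f"; then
            echo "$f: missing $field" >&2
            rc=1
        fi
    done
    # A "}" in column 1 is exactly the edit the doc tells you not to make.
    if grep -q '^}' "$f"; then
        echo "$f: closing } is not indented" >&2
        rc=1
    fi
    return $rc
}

# Writes a constructed sample to $1 in the layout ipsec newhostkey produces.
# The hex strings are the truncated placeholders from the doc, not a real key.
write_sample_secrets() {
    printf '%s\n' ': RSA {' \
        '        # for signatures only, UNSAFE FOR ENCRYPTION' \
        '        Modulus: 0x85a697de137702ef0' \
        '        # everything after this point is secret' \
        '        PrivateExponent: 0x16466ea5033e807' \
        '        Prime1: 0xdfb5003c8947b7cc88759065' \
        '        Prime2: 0x98f199b9149fde11ec956c814' \
        '        Exponent1: 0x9523557db0da7a885af90aee' \
        '        Exponent2: 0x65f6667b63153eb69db8f300dbb' \
        '        Coefficient: 0x90ad00415d3ca17bebff123413fc518' \
        '        }' > "$1"
    chmod 600 "$1"
}
```

Run `check_ipsec_secrets` as root after `ipsec newhostkey`; a non-zero exit means pluto will either fail to load the key or load it from a world-readable file.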

Start and test FreeS/WAN


You can now start FreeS/WAN and test whether it's been successfully installed.

RPM install
These instructions are for a recent Red Hat or Fedora Core with a stock Red Hat or Fedora Core kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're running either, install using your distribution's tools.

Download RPMs
Decide which functionality you need:

- standard FreeS/WAN RPMs. Use these shortcuts:

  (for 2.6 kernels: userland only)
  ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*

  (for 2.4 kernels)
  ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*

  or view all the offerings at our FTP site.
- Openswan (a FreeS/WAN code fork) RPMs, which include Andreas Steffen's X.509 patch and more.

For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:
freeswan-userland-2.06.9-0.i386.rpm

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.


For 2.4 kernels, get both kernel and userland RPMs. Check your kernel version with
uname -r

Get a kernel module which matches that version. For example:


freeswan-module-2.06_2.4.20_20.9-0.i386.rpm

Note: These modules will only work on the Red Hat or Fedora Core kernel they were built for, since they are very sensitive to small changes in the kernel. Get FreeS/WAN utilities to match. For example:
freeswan-userland-2.06_2.4.20_20.9-0.i386.rpm

For freeswan.org RPMs: check signatures


While you're at our ftp site, grab the RPM signing key
freeswan-rpmsign.asc

If you're running RedHat 8.x or later, import this key into the RPM database:
rpm --import freeswan-rpmsign.asc

For RedHat 7.x systems, you'll need to add it to your PGP keyring:
pgp -ka freeswan-rpmsign.asc

Check the digital signatures on both RPMs using:


rpm --checksig freeswan*.rpm

You should see that these signatures are good:


freeswan-module-2.06_2.4.20_20.9-0.i386.rpm: pgp md5 OK
freeswan-userland-2.06_2.4.20_20.9-0.i386.rpm: pgp md5 OK

Install the RPMs


Become root:
su

For a first time install, use:


rpm -ivh freeswan*.rpm

To upgrade existing RPMs (and keep all .conf files in place), use:
rpm -Uvh freeswan*.rpm

If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems, see this note.

Start and Test FreeS/WAN


Now, start FreeS/WAN and test your install.

Install from Source


Decide what functionality you need
Your choices are:

- standard FreeS/WAN,
- standard FreeS/WAN plus any of these user-supported patches, or
- Openswan, a FreeS/WAN code fork which adds further algorithms, X.509, SA deletion, dead peer detection, and Network Address Translation (NAT) traversal.

Andreas Steffen, author of the X.509 patch, has started his own fork of FreeS/WAN, Strongswan, which includes advanced X.509 support, Delete SA/notifications, Network Address Translation support and AES.

Download FreeS/WAN
Download the source tarball you've chosen, along with any patches.

For freeswan.org source: check its signature


While you're at our ftp site, get our source signing key
freeswan-sigkey.asc

Add it to your PGP keyring:


pgp -ka freeswan-sigkey.asc

Check the signature using:


pgp freeswan-2.06.tar.gz.sig freeswan-2.06.tar.gz

You should see something like:


Good signature from user "Linux FreeS/WAN Software Team ([email protected])".
Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1

Untar, unzip
As root, unpack your FreeS/WAN source into /usr/src.
su
mv freeswan-2.06.tar.gz /usr/src
cd /usr/src
tar -xzf freeswan-2.06.tar.gz

Patch if desired
Now's the time to add any patches. The contributor may have special instructions, or you may simply use the patch command.

... and Make


Choose one of the methods below.

Userland-only Install for 2.6 kernels

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.

Change to your new FreeS/WAN directory, and make and install the FreeS/WAN userland tools.
cd /usr/src/freeswan-2.06
make programs
make install

Now, start FreeS/WAN and test your install.

KLIPS install for 2.2, 2.4 and 2.6 kernels

To make a modular version of KLIPS for 2.2 and 2.4 kernels, along with other FreeS/WAN programs you'll need, use a command sequence like the one below. This will change to your new FreeS/WAN directory, make the FreeS/WAN module (and other stuff), and install it all.
cd /usr/src/freeswan-2.06
make menumod   # just save and exit
make minstall

Start FreeS/WAN and test your install.

To link KLIPS statically into your kernel on 2.2, 2.4 or 2.6 (using your old kernel settings), or to build a KLIPS module for 2.6, you'll need to patch the kernel itself. The following will change to your new FreeS/WAN directory, compile KLIPS into your kernel (and other stuff), and install it all.
cd /usr/src/freeswan-2.06
make [KERNELSRC=/usr/src/linux-2.6.1-1.47] menugo   # just save and exit
make minstall

The KERNELSRC argument is necessary for 2.6 kernels, as it defaults to /usr/src/linux-2.4. Reboot your system and test your install. For other ways to compile KLIPS, see our Makefile.

Start FreeS/WAN and test your install


Bring FreeS/WAN up with:
service ipsec start

This is not necessary if you've rebooted.

Test your install


To check that you have a successful install, run:
ipsec verify


You should see at least:


Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path                       [OK]
Checking for KLIPS support in kernel                  [OK]
Checking for RSA private key (/etc/ipsec.secrets)     [OK]
Checking that pluto is running                        [OK]

If any of these first four checks fails, see our troubleshooting guide.

Making FreeS/WAN play well with others


There are at least a couple of things on your system that might interfere with FreeS/WAN, and now's a good time to check these:

- Firewalling. You need to allow UDP 500 and ESP (protocol 50) through your firewall. For more information, see our firewalling document.
- Network address translation. Do not NAT the packets you will be tunneling.

Configure for your needs


You'll need to configure FreeS/WAN for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.
