<html>
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>Installing FreeS/WAN</title>
<meta name="keywords"
content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
<!--
Written by Claudia Schmeing for the Linux FreeS/WAN project
Freely distributable under the GNU General Public License
More information at www.freeswan.org
Feedback to users@lists.freeswan.org
CVS information:
RCS ID: $Id: install.html,v 1.57 2003/11/04 16:42:32 claudia Exp $
Last changed: $Date: 2003/11/04 16:42:32 $
Revision number: $Revision: 1.57 $
CVS revision numbers do not correspond to FreeS/WAN release numbers.
-->
</head>
<BODY>
<H1><A name="install">Installing FreeS/WAN</A></H1>
<P>This document will teach you how to install Linux FreeS/WAN.
If your distribution comes with Linux FreeS/WAN, we offer
tips to get you started.</P>
<H2>Requirements</H2>
<P>To install FreeS/WAN you must:</P>
<UL>
<LI>be running Linux with the 2.4 or 2.2 kernel series. See
this <A HREF="http://www.freeswan.ca/download.php#contact">kernel
compatibility table</A>.<BR>We also have experimental support for
2.6 kernels. Here are two basic approaches:
<UL><LI>
install FreeS/WAN, including its <A HREF="ipsec.html#parts">KLIPS</A>
kernel code. This will remove the native IPsec stack and replace it
with KLIPS.</LI>
<LI>
install the FreeS/WAN <A HREF="ipsec.html#parts">userland tools</A>
(keying daemon and supporting
scripts) for use with
<A HREF="http://lartc.org/howto/lartc.ipsec.html">2.6 kernel native IPsec</A>,
</LI>
</UL>
See also these <A HREF="2.6.known-issues">known issues with 2.6</A>.
<LI>have root access to your Linux box</LI>
<LI>choose the version of FreeS/WAN you wish to install based on
<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A> <!-- or
our updates page (coming soon)--></LI>
</UL>
<H2>Choose your install method</H2>
<P>There are three basic ways to get FreeS/WAN onto your system:</P>
<UL>
<LI>activating and testing a FreeS/WAN that <A HREF="#distroinstall">shipped
with your Linux distribution</A></LI>
<LI><A HREF="#rpminstall">RPM install</A></LI>
<LI><A HREF="#srcinstall">Install from source</A></LI>
</UL>
<A NAME="distroinstall"></A><H2>FreeS/WAN ships with some Linuxes</H2>
<P>FreeS/WAN comes with <A HREF="intro.html#distwith">these distributions</A>.
<P>If you're running one of these, include FreeS/WAN in the choices you
make during installation, or add it later using the distribution's tools.
</P>
<H3>FreeS/WAN may be altered...</H3>
<P>Your distribution may have integrated extra features, such as Andreas
Steffen's X.509 patch, into FreeS/WAN. It may also use custom
startup script locations or directory names.</P>
<H3>You might need to create an authentication keypair</H3>
<P>If your FreeS/WAN came with your distribution, you may wish to
generate a fresh RSA key pair. FreeS/WAN will use these keys
for authentication.
<P>
To do this, become root, and type:
</P>
<PRE> ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
chmod 600 /etc/ipsec.secrets</PRE>
<P>where you replace xy.example.com with your machine's fully-qualified
domain name. Generate some randomness, for example by wiggling your mouse,
to speed the process.
</P>
<P>The resulting ipsec.secrets looks like:</P>
<PRE>: RSA {
# RSA 2192 bits xy.example.com Sun Jun 8 13:42:19 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQOFppfeE3cC7wqJi...
Modulus: 0x85a697de137702ef0...
# everything after this point is secret
PrivateExponent: 0x16466ea5033e807...
Prime1: 0xdfb5003c8947b7cc88759065...
Prime2: 0x98f199b9149fde11ec956c814...
Exponent1: 0x9523557db0da7a885af90aee...
Exponent2: 0x65f6667b63153eb69db8f300dbb...
Coefficient: 0x90ad00415d3ca17bebff123413fc518...
}
# do not change the indenting of that "}"</PRE>
<P>In the actual file, the strings are much longer.</P>
<H3>Start and test FreeS/WAN</H3>
<P>You can now <A HREF="install.html#starttest">start FreeS/WAN and
test whether it's been successfully installed.</A>.</P>
<A NAME="rpminstall"></A><H2>RPM install</H2>
<P>These instructions are for a recent Red Hat with a stock Red Hat kernel.
We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're
running either, install using your distribution's tools.</P>
<H3>Download RPMs</H3>
<P>Decide which functionality you need:</P>
<UL>
<LI>standard FreeS/WAN RPMs. Use these shortcuts:<BR>
<UL>
<LI>(for 2.6 kernels: userland only)<BR>
ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*</LI>
<LI>(for 2.4 kernels)<BR>
ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</LI>
<LI>
or view all the offerings at our
<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs">FTP site</A>.
</LI></UL>
</LI>
<LI>unofficial
<A href="http://www.freeswan.ca/download.php">Super FreeS/WAN</A>
RPMs, which include Andreas Steffen's X.509 patch and more.
Super FreeS/WAN RPMs do not currently include
<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
(NAT) traversal, but Super FreeS/WAN source does.</LI>
</UL>
<A NAME="2.6.rpm"></A>
<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P>
<PRE> freeswan-userland-2.03.9-0.i386.rpm</PRE>
<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see
<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>
<P>Change to your new FreeS/WAN directory, and make and install the
<P>For 2.4 kernels, get both kernel and userland RPMs.
Check your kernel version with</P>
<PRE> uname -r</PRE>
<P>Get a kernel module which matches that version. For example:</P>
<PRE> freeswan-module-2.03_2.4.20_20.9-0.i386.rpm</PRE>
<P>Note: These modules
<B>will only work on the Red Hat kernel they were built for</B>,
since they are very sensitive to small changes in the kernel.</P>
<P>Get FreeS/WAN utilities to match. For example:</P>
<PRE> freeswan-userland-2.03_2.4.20_20.9-0.i386.rpm</PRE>
<H3>For freeswan.org RPMs: check signatures</H3>
<P>While you're at our ftp site, grab the RPM signing key</P>
<PRE> freeswan-rpmsign.asc</PRE>
<P>If you're running RedHat 8.x or later, import this key into the RPM
database:</P>
<PRE> rpm --import freeswan-rpmsign.asc</PRE>
<P>For RedHat 7.x systems, you'll need to add it to your
<A HREF="glossary.html#PGP">PGP</A> keyring:</P>
<PRE> pgp -ka freeswan-rpmsign.asc</PRE>
<P>Check the digital signatures on both RPMs using:</P>
<PRE> rpm --checksig freeswan*.rpm </PRE>
<P>You should see that these signatures are good:</P>
<PRE> freeswan-module-2.03_2.4.20_20.9-0.i386.rpm: pgp md5 OK
freeswan-userland-2.03_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
<H3>Install the RPMs</H3>
<P>Become root:</P>
<PRE> su</PRE>
<P>For a first time install, use:</P>
<PRE> rpm -ivh freeswan*.rpm</PRE>
<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P>
<PRE> rpm -Uvh freeswan*.rpm</PRE>
<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems,
see <A HREF="upgrading.html#upgrading.rpms">this note</A>.</P>
<H3>Start and Test FreeS/WAN</H3>
<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and test your
install</A>.</P>
<A NAME="srcinstall"></A><H2>Install from Source</H2>
<!-- Most of this section, along with "Start and Test", can replace
INSTALL. -->
<H3>Decide what functionality you need</H3>
<P>Your choices are:</P>
<UL>
<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard
FreeS/WAN</A>,</LI>
<LI>standard FreeS/WAN plus any of these
<A HREF="web.html#patch">user-supported patches</A>, or</LI>
<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>,
an unofficial FreeS/WAN pre-patched with many of the above. Provides
additional algorithms, X.509, SA deletion, dead peer detection, and
<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
(NAT) traversal.</LI>
</UL>
<H3>Download FreeS/WAN</H3>
<P>Download the source tarball you've chosen, along with any patches.</P>
<H3>For freeswan.org source: check its signature</H3>
<P>While you're at our ftp site, get our source signing key</P>
<PRE> freeswan-sigkey.asc</PRE>
<P>Add it to your PGP keyring:</P>
<PRE> pgp -ka freeswan-sigkey.asc</PRE>
<P>Check the signature using:</P>
<PRE> pgp freeswan-2.03.tar.gz.sig freeswan-2.03.tar.gz</PRE>
<P>You should see something like:</P>
<PRE> Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE>
<!-- Note to self: build@freeswan.org has angled brackets in the original.
Changed because it conflicts with HTML tags. -->
<H3>Untar, unzip</H3>
<P>As root, unpack your FreeS/WAN source into <VAR>/usr/src</VAR>.</P>
<PRE> su
mv freeswan-2.03.tar.gz /usr/src
cd /usr/src
tar -xzf freeswan-2.03.tar.gz
</PRE>
<H3>Patch if desired</H3>
<P>Now's the time to add any patches. The contributor may have special
instructions, or you may simply use the patch command.</P>
<H3>... and Make</H3>
<P>Choose one of the methods below.</P>
<H4>Userland-only Install for 2.6 kernels</H4>
<A NAME="2.6.src"></A>
<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see
<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>
<P>Change to your new FreeS/WAN directory, and make and install the
FreeS/WAN userland tools.</P>
<PRE> cd /usr/src/freeswan-2.03
make programs
make install</PRE>
<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and
test your install</A>.</P>
<H4>KLIPS install for 2.2, 2.4, or 2.6 kernels</H4>
<A NAME="modinstall"></A>
<P>To make a modular version of KLIPS, along with other FreeS/WAN programs
you'll need, use the command sequence below. This will
change to your new FreeS/WAN directory, make the FreeS/WAN module (and other
stuff), and install it all.</P>
<PRE> cd /usr/src/freeswan-2.03
make oldmod
make minstall</PRE>
<P><A HREF="install.html#starttest">Start FreeS/WAN and
test your install</A>.</P>
<P>To link KLIPS statically into your kernel (using your old kernel settings),
and install other FreeS/WAN components, do:
</P>
<PRE> cd /usr/src/freeswan-2.03
make oldmod
make minstall</PRE>
<P>Reboot your system and <A HREF="install.html#testonly">test your
install</A>.</P>
<P>For other ways to compile KLIPS, see our Makefile.</P>
<A name="starttest"></A><H2>Start FreeS/WAN and test your install</H2>
<P>Bring FreeS/WAN up with:</P>
<PRE> service ipsec start</PRE>
<P>This is not necessary if you've rebooted.</P>
<A name="testonly"></A><H2>Test your install</H2>
<P>To check that you have a successful install, run:</P>
<PRE> ipsec verify</PRE>
<P>You should see at least:</P>
<PRE>
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
</PRE>
<P>If any of these first four checks fails, see our
<A href="trouble.html#install.check">troubleshooting guide</A>.
</P>
<H2>Making FreeS/WAN play well with others</H2>
<P>There are at least a couple of things on your system that might
interfere with FreeS/WAN, and now's a good time to check these:</P>
<UL>
<LI>Firewalling. You need to allow UDP 500 through your firewall, plus
ESP (protocol 50) and AH (protocol 51). For more information, see our
updated firewalls document (coming soon).
</LI>
<LI>Network address translation.
Do not NAT the packets you will be tunneling.</LI>
</UL>
<H2>Configure for your needs</H2>
<P>You'll need to configure FreeS/WAN for your local site. Have a look at our
<A HREF="quickstart.html">opportunism quickstart guide</A> to see if that
easy method is right for your needs. Or, see how to <A HREF="config.html">
configure a network-to-network or Road Warrior style VPN</A>.
</P>
</BODY>
</HTML>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
cb04c52ccedb52ab907eaca84d718eba
>
files
>
94
