diff options
Diffstat (limited to 'doc/install.html')
| -rw-r--r-- | doc/install.html | 286 |
1 files changed, 286 insertions, 0 deletions
diff --git a/doc/install.html b/doc/install.html new file mode 100644 index 000000000..6cd55535e --- /dev/null +++ b/doc/install.html @@ -0,0 +1,286 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> +<HTML> +<HEAD> +<TITLE>Introduction to FreeS/WAN</TITLE> +<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> +<STYLE TYPE="text/css"><!-- +BODY { font-family: serif } +H1 { font-family: sans-serif } +H2 { font-family: sans-serif } +H3 { font-family: sans-serif } +H4 { font-family: sans-serif } +H5 { font-family: sans-serif } +H6 { font-family: sans-serif } +SUB { font-size: smaller } +SUP { font-size: smaller } +PRE { font-family: monospace } +--></STYLE> +</HEAD> +<BODY> +<A HREF="toc.html">Contents</A> +<A HREF="adv_config.html">Previous</A> +<A HREF="config.html">Next</A> +<HR> +<H1><A name="install">Installing FreeS/WAN</A></H1> +<P>This document will teach you how to install Linux FreeS/WAN. If your + distribution comes with Linux FreeS/WAN, we offer tips to get you + started.</P> +<H2><A NAME="15_1">Requirements</A></H2> +<P>To install FreeS/WAN you must:</P> +<UL> +<LI>be running Linux with the 2.4 or 2.2 kernel series. See this<A HREF="http://www.freeswan.ca/download.php#contact"> + kernel compatibility table</A>. +<BR>We also have experimental support for 2.6 kernels. Here are two + basic approaches: +<UL> +<LI> install FreeS/WAN, including its<A HREF="ipsec.html#parts"> KLIPS</A> + kernel code. This will remove the native IPsec stack and replace it + with KLIPS.</LI> +<LI> install the FreeS/WAN<A HREF="ipsec.html#parts"> userland tools</A> + (keying daemon and supporting scripts) for use with<A HREF="http://lartc.org/howto/lartc.ipsec.html"> + 2.6 kernel native IPsec</A>,</LI> +</UL> + See also these<A HREF="2.6.known-issues"> known issues with 2.6</A>.</LI> +<LI>have root access to your Linux box</LI> +<LI>choose the version of FreeS/WAN you wish to install based on<A HREF="http://www.freeswan.org/mail.html"> + mailing list reports</A> +<!-- or +our updates page (coming soon)--> +</LI> +</UL> +<H2><A NAME="15_2">Choose your install method</A></H2> +<P>There are three basic ways to get FreeS/WAN onto your system:</P> +<UL> +<LI>activating and testing a FreeS/WAN that<A HREF="#distroinstall"> + shipped with your Linux distribution</A></LI> +<LI><A HREF="#rpminstall">RPM install</A></LI> +<LI><A HREF="#srcinstall">Install from source</A></LI> +</UL> +<A NAME="distroinstall"></A> +<H2><A NAME="15_3">FreeS/WAN ships with some Linuxes</A></H2> +<P>FreeS/WAN comes with<A HREF="intro.html#distwith"> these + distributions</A>.</P> +<P>If you're running one of these, include FreeS/WAN in the choices you + make during installation, or add it later using the distribution's + tools.</P> +<H3><A NAME="15_3_1">FreeS/WAN may be altered...</A></H3> +<P>Your distribution may have integrated extra features, such as Andreas + Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup + script locations or directory names.</P> +<H3><A NAME="15_3_2">You might need to create an authentication keypair</A> +</H3> +<P>If your FreeS/WAN came with your distribution, you may wish to + generate a fresh RSA key pair. FreeS/WAN will use these keys for + authentication.</P> +<P> To do this, become root, and type:</P> +<PRE> ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com + chmod 600 /etc/ipsec.secrets</PRE> +<P>where you replace xy.example.com with your machine's fully-qualified + domain name. Generate some randomness, for example by wiggling your + mouse, to speed the process.</P> +<P>The resulting ipsec.secrets looks like:</P> +<PRE>: RSA { + # RSA 2192 bits xy.example.com Sun Jun 8 13:42:19 2003 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQOFppfeE3cC7wqJi... + Modulus: 0x85a697de137702ef0... + # everything after this point is secret + PrivateExponent: 0x16466ea5033e807... + Prime1: 0xdfb5003c8947b7cc88759065... + Prime2: 0x98f199b9149fde11ec956c814... + Exponent1: 0x9523557db0da7a885af90aee... + Exponent2: 0x65f6667b63153eb69db8f300dbb... + Coefficient: 0x90ad00415d3ca17bebff123413fc518... + } +# do not change the indenting of that "}"</PRE> +<P>In the actual file, the strings are much longer.</P> +<H3><A NAME="15_3_3">Start and test FreeS/WAN</A></H3> +<P>You can now<A HREF="install.html#starttest"> start FreeS/WAN and test + whether it's been successfully installed.</A>.</P> +<A NAME="rpminstall"></A> +<H2><A NAME="15_4">RPM install</A></H2> +<P>These instructions are for a recent Red Hat with a stock Red Hat + kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If + you're running either, install using your distribution's tools.</P> +<H3><A NAME="15_4_1">Download RPMs</A></H3> +<P>Decide which functionality you need:</P> +<UL> +<LI>standard FreeS/WAN RPMs. Use these shortcuts: +<BR> +<UL> +<LI>(for 2.6 kernels: userland only) +<BR> ncftpget + ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland* +</LI> +<LI>(for 2.4 kernels) +<BR> ncftpget + ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r + | tr -d 'a-wy-z'`/\*</LI> +<LI> or view all the offerings at our<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs"> + FTP site</A>.</LI> +</UL> +</LI> +<LI>unofficial<A href="http://www.freeswan.ca/download.php"> Super + FreeS/WAN</A> RPMs, which include Andreas Steffen's X.509 patch and + more. Super FreeS/WAN RPMs do not currently include<A HREF="glossary.html#NAT.gloss"> + Network Address Translation</A> (NAT) traversal, but Super FreeS/WAN + source does.</LI> +</UL> +<A NAME="2.6.rpm"></A> +<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P> +<PRE> freeswan-userland-2.04.9-0.i386.rpm</PRE> +<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please + see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html"> + mailing list reports</A>.</P> +<P>Change to your new FreeS/WAN directory, and make and install the</P> +<P>For 2.4 kernels, get both kernel and userland RPMs. Check your kernel + version with</P> +<PRE> uname -r</PRE> +<P>Get a kernel module which matches that version. For example:</P> +<PRE> freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE> +<P>Note: These modules<B> will only work on the Red Hat kernel they were + built for</B>, since they are very sensitive to small changes in the + kernel.</P> +<P>Get FreeS/WAN utilities to match. For example:</P> +<PRE> freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE> +<H3><A NAME="15_4_2">For freeswan.org RPMs: check signatures</A></H3> +<P>While you're at our ftp site, grab the RPM signing key</P> +<PRE> freeswan-rpmsign.asc</PRE> +<P>If you're running RedHat 8.x or later, import this key into the RPM + database:</P> +<PRE> rpm --import freeswan-rpmsign.asc</PRE> +<P>For RedHat 7.x systems, you'll need to add it to your<A HREF="glossary.html#PGP"> + PGP</A> keyring:</P> +<PRE> pgp -ka freeswan-rpmsign.asc</PRE> +<P>Check the digital signatures on both RPMs using:</P> +<PRE> rpm --checksig freeswan*.rpm </PRE> +<P>You should see that these signatures are good:</P> +<PRE> freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK + freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE> +<H3><A NAME="15_4_3">Install the RPMs</A></H3> +<P>Become root:</P> +<PRE> su</PRE> +<P>For a first time install, use:</P> +<PRE> rpm -ivh freeswan*.rpm</PRE> +<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P> +<PRE> rpm -Uvh freeswan*.rpm</PRE> +<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter + problems, see<A HREF="upgrading.html#upgrading.rpms"> this note</A>.</P> +<H3><A NAME="15_4_4">Start and Test FreeS/WAN</A></H3> +<P>Now,<A HREF="install.html#starttest"> start FreeS/WAN and test your + install</A>.</P> +<A NAME="srcinstall"></A> +<H2><A NAME="15_5">Install from Source</A></H2> + +<!-- Most of this section, along with "Start and Test", can replace +INSTALL. --> +<H3><A NAME="15_5_1">Decide what functionality you need</A></H3> +<P>Your choices are:</P> +<UL> +<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard FreeS/WAN</A> +,</LI> +<LI>standard FreeS/WAN plus any of these<A HREF="web.html#patch"> + user-supported patches</A>, or</LI> +<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>, an + unofficial FreeS/WAN pre-patched with many of the above. Provides + additional algorithms, X.509, SA deletion, dead peer detection, and<A HREF="glossary.html#NAT.gloss"> + Network Address Translation</A> (NAT) traversal.</LI> +</UL> +<H3><A NAME="15_5_2">Download FreeS/WAN</A></H3> +<P>Download the source tarball you've chosen, along with any patches.</P> +<H3><A NAME="15_5_3">For freeswan.org source: check its signature</A></H3> +<P>While you're at our ftp site, get our source signing key</P> +<PRE> freeswan-sigkey.asc</PRE> +<P>Add it to your PGP keyring:</P> +<PRE> pgp -ka freeswan-sigkey.asc</PRE> +<P>Check the signature using:</P> +<PRE> pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz</PRE> +<P>You should see something like:</P> +<PRE> Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)". + Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE> + +<!-- Note to self: build@freeswan.org has angled brackets in the original. + Changed because it conflicts with HTML tags. --> +<H3><A NAME="15_5_4">Untar, unzip</A></H3> +<P>As root, unpack your FreeS/WAN source into<VAR> /usr/src</VAR>.</P> +<PRE> su + mv freeswan-2.04.tar.gz /usr/src + cd /usr/src + tar -xzf freeswan-2.04.tar.gz +</PRE> +<H3><A NAME="15_5_5">Patch if desired</A></H3> +<P>Now's the time to add any patches. The contributor may have special + instructions, or you may simply use the patch command.</P> +<H3><A NAME="15_5_6">... and Make</A></H3> +<P>Choose one of the methods below.</P> +<H4>Userland-only Install for 2.6 kernels</H4> +<A NAME="2.6.src"></A> +<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please + see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html"> + mailing list reports</A>.</P> +<P>Change to your new FreeS/WAN directory, and make and install the + FreeS/WAN userland tools.</P> +<PRE> cd /usr/src/freeswan-2.04 + make programs + make install</PRE> +<P>Now,<A HREF="install.html#starttest"> start FreeS/WAN and test your + install</A>.</P> +<H4>KLIPS install for 2.2, 2.4, or 2.6 kernels</H4> +<A NAME="modinstall"></A> +<P>To make a modular version of KLIPS, along with other FreeS/WAN + programs you'll need, use the command sequence below. This will change + to your new FreeS/WAN directory, make the FreeS/WAN module (and other + stuff), and install it all.</P> +<PRE> cd /usr/src/freeswan-2.04 + make oldmod + make minstall</PRE> +<P><A HREF="install.html#starttest">Start FreeS/WAN and test your + install</A>.</P> +<P>To link KLIPS statically into your kernel (using your old kernel + settings), and install other FreeS/WAN components, do:</P> +<PRE> cd /usr/src/freeswan-2.04 + make oldmod + make minstall</PRE> +<P>Reboot your system and<A HREF="install.html#testonly"> test your + install</A>.</P> +<P>For other ways to compile KLIPS, see our Makefile.</P> +<A name="starttest"></A> +<H2><A NAME="15_6">Start FreeS/WAN and test your install</A></H2> +<P>Bring FreeS/WAN up with:</P> +<PRE> service ipsec start</PRE> +<P>This is not necessary if you've rebooted.</P> +<A name="testonly"></A> +<H2><A NAME="15_7">Test your install</A></H2> +<P>To check that you have a successful install, run:</P> +<PRE> ipsec verify</PRE> +<P>You should see at least:</P> +<PRE> + Checking your system to see if IPsec got installed and started correctly + Version check and ipsec on-path [OK] + Checking for KLIPS support in kernel [OK] + Checking for RSA private key (/etc/ipsec.secrets) [OK] + Checking that pluto is running [OK] +</PRE> +<P>If any of these first four checks fails, see our<A href="trouble.html#install.check"> + troubleshooting guide</A>.</P> +<H2><A NAME="15_8">Making FreeS/WAN play well with others</A></H2> +<P>There are at least a couple of things on your system that might + interfere with FreeS/WAN, and now's a good time to check these:</P> +<UL> +<LI>Firewalling. You need to allow UDP 500 through your firewall, plus + ESP (protocol 50) and AH (protocol 51). For more information, see our + updated firewalls document (coming soon).</LI> +<LI>Network address translation. Do not NAT the packets you will be + tunneling.</LI> +</UL> +<H2><A NAME="15_9">Configure for your needs</A></H2> +<P>You'll need to configure FreeS/WAN for your local site. Have a look + at our<A HREF="quickstart.html"> opportunism quickstart guide</A> to + see if that easy method is right for your needs. Or, see how to<A HREF="config.html"> + configure a network-to-network or Road Warrior style VPN</A>.</P> +<HR> +<A HREF="toc.html">Contents</A> +<A HREF="adv_config.html">Previous</A> +<A HREF="config.html">Next</A> +</BODY> +</HTML> |