From aaa0331ecf95ced1e913ac9be50168cf0e7cbb82 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Tue, 30 Jan 2007 12:21:07 +0000 Subject: [svn-upgrade] Integrating new upstream version, strongswan (2.8.2) --- doc/install.html | 286 ------------------------------------------------------- 1 file changed, 286 deletions(-) delete mode 100644 doc/install.html (limited to 'doc/install.html') diff --git a/doc/install.html b/doc/install.html deleted file mode 100644 index 6cd55535e..000000000 --- a/doc/install.html +++ /dev/null @@ -1,286 +0,0 @@ - - - -Introduction to FreeS/WAN - - - - -Contents -Previous -Next -

Installing FreeS/WAN

This document will teach you how to install Linux FreeS/WAN. If your - distribution comes with Linux FreeS/WAN, we offer tips to get you - started.

Requirements

To install FreeS/WAN you must:

be running Linux with the 2.4 or 2.2 kernel series. See this - kernel compatibility table. -
We also have experimental support for 2.6 kernels. Here are two - basic approaches: -
- install FreeS/WAN, including its KLIPS - kernel code. This will remove the native IPsec stack and replace it - with KLIPS.
- install the FreeS/WAN userland tools - (keying daemon and supporting scripts) for use with - 2.6 kernel native IPsec,
- See also these known issues with 2.6.
have root access to your Linux box
choose the version of FreeS/WAN you wish to install based on - mailing list reports - -

Choose your install method

There are three basic ways to get FreeS/WAN onto your system:

activating and testing a FreeS/WAN that - shipped with your Linux distribution
RPM install
Install from source

- -

FreeS/WAN ships with some Linuxes

FreeS/WAN comes with these - distributions.

If you're running one of these, include FreeS/WAN in the choices you - make during installation, or add it later using the distribution's - tools.

FreeS/WAN may be altered...

Your distribution may have integrated extra features, such as Andreas - Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup - script locations or directory names.

You might need to create an authentication keypair -

If your FreeS/WAN came with your distribution, you may wish to - generate a fresh RSA key pair. FreeS/WAN will use these keys for - authentication.

To do this, become root, and type:

    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
-    chmod 600 /etc/ipsec.secrets

where you replace xy.example.com with your machine's fully-qualified - domain name. Generate some randomness, for example by wiggling your - mouse, to speed the process.

The resulting ipsec.secrets looks like:

: RSA   {
-        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
-        # for signatures only, UNSAFE FOR ENCRYPTION
-        #pubkey=0sAQOFppfeE3cC7wqJi...
-        Modulus: 0x85a697de137702ef0...
-        # everything after this point is secret
-        PrivateExponent: 0x16466ea5033e807...
-        Prime1: 0xdfb5003c8947b7cc88759065...
-        Prime2: 0x98f199b9149fde11ec956c814...
-        Exponent1: 0x9523557db0da7a885af90aee...
-        Exponent2: 0x65f6667b63153eb69db8f300dbb...
-        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
-        }
-# do not change the indenting of that "}"

In the actual file, the strings are much longer.

Start and test FreeS/WAN

You can now start FreeS/WAN and test - whether it's been successfully installed..

- -

RPM install

These instructions are for a recent Red Hat with a stock Red Hat - kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If - you're running either, install using your distribution's tools.

Download RPMs

Decide which functionality you need:

standard FreeS/WAN RPMs. Use these shortcuts: -
-
- (for 2.6 kernels: userland only) -
  ncftpget - ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland* -
- (for 2.4 kernels) -
  ncftpget - ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r - | tr -d 'a-wy-z'`/\*
- or view all the offerings at our - FTP site.
-
unofficial Super - FreeS/WAN RPMs, which include Andreas Steffen's X.509 patch and - more. Super FreeS/WAN RPMs do not currently include - Network Address Translation (NAT) traversal, but Super FreeS/WAN - source does.

- -

For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:

    freeswan-userland-2.04.9-0.i386.rpm

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please - see 2.6.known-issues, and the latest - mailing list reports.

Change to your new FreeS/WAN directory, and make and install the

For 2.4 kernels, get both kernel and userland RPMs. Check your kernel - version with

    uname -r

Get a kernel module which matches that version. For example:

    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm

Note: These modules will only work on the Red Hat kernel they were - built for, since they are very sensitive to small changes in the - kernel.

Get FreeS/WAN utilities to match. For example:

    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm

For freeswan.org RPMs: check signatures

While you're at our ftp site, grab the RPM signing key

    freeswan-rpmsign.asc

If you're running RedHat 8.x or later, import this key into the RPM - database:

    rpm --import freeswan-rpmsign.asc

For RedHat 7.x systems, you'll need to add it to your - PGP keyring:

    pgp -ka freeswan-rpmsign.asc

Check the digital signatures on both RPMs using:

    rpm --checksig freeswan*.rpm

You should see that these signatures are good:

    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK

Install the RPMs

Become root:

su

For a first time install, use:

    rpm -ivh freeswan*.rpm

To upgrade existing RPMs (and keep all .conf files in place), use:

    rpm -Uvh freeswan*.rpm

If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter - problems, see this note.

Start and Test FreeS/WAN

Now, start FreeS/WAN and test your - install.

- -

Install from Source

- - -

Decide what functionality you need

Your choices are:

standard FreeS/WAN -,
standard FreeS/WAN plus any of these - user-supported patches, or
Super FreeS/WAN, an - unofficial FreeS/WAN pre-patched with many of the above. Provides - additional algorithms, X.509, SA deletion, dead peer detection, and - Network Address Translation (NAT) traversal.

Download FreeS/WAN

Download the source tarball you've chosen, along with any patches.

For freeswan.org source: check its signature

While you're at our ftp site, get our source signing key

    freeswan-sigkey.asc

Add it to your PGP keyring:

    pgp -ka freeswan-sigkey.asc

Check the signature using:

    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz

You should see something like:

    Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
-    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1

- - -

Untar, unzip

As root, unpack your FreeS/WAN source into /usr/src.

    su
-    mv freeswan-2.04.tar.gz /usr/src
-    cd /usr/src
-    tar -xzf freeswan-2.04.tar.gz
-

Patch if desired

Now's the time to add any patches. The contributor may have special - instructions, or you may simply use the patch command.

... and Make

Choose one of the methods below.

Userland-only Install for 2.6 kernels

- -

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please - see 2.6.known-issues, and the latest - mailing list reports.

Change to your new FreeS/WAN directory, and make and install the - FreeS/WAN userland tools.

    cd /usr/src/freeswan-2.04
-    make programs
-    make install

Now, start FreeS/WAN and test your - install.

KLIPS install for 2.2, 2.4, or 2.6 kernels

- -

To make a modular version of KLIPS, along with other FreeS/WAN - programs you'll need, use the command sequence below. This will change - to your new FreeS/WAN directory, make the FreeS/WAN module (and other - stuff), and install it all.

    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall

Start FreeS/WAN and test your - install.

To link KLIPS statically into your kernel (using your old kernel - settings), and install other FreeS/WAN components, do:

    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall

Reboot your system and test your - install.

For other ways to compile KLIPS, see our Makefile.

- -

Start FreeS/WAN and test your install

Bring FreeS/WAN up with:

    service ipsec start

This is not necessary if you've rebooted.

- -

Test your install

To check that you have a successful install, run:

    ipsec verify

You should see at least:

-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-

If any of these first four checks fails, see our - troubleshooting guide.

Making FreeS/WAN play well with others

There are at least a couple of things on your system that might - interfere with FreeS/WAN, and now's a good time to check these:

Firewalling. You need to allow UDP 500 through your firewall, plus - ESP (protocol 50) and AH (protocol 51). For more information, see our - updated firewalls document (coming soon).
Network address translation. Do not NAT the packets you will be - tunneling.

Configure for your needs

You'll need to configure FreeS/WAN for your local site. Have a look - at our opportunism quickstart guide to - see if that easy method is right for your needs. Or, see how to - configure a network-to-network or Road Warrior style VPN.

-Contents -Previous -Next - - -- cgit v1.2.3