From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Mon, 22 May 2006 05:12:18 +0000
Subject: Import initial strongswan 2.7.0 version into SVN.

---
 doc/src/install.html | 378 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 378 insertions(+)
 create mode 100644 doc/src/install.html

(limited to 'doc/src/install.html')

diff --git a/doc/src/install.html b/doc/src/install.html
new file mode 100644
index 000000000..09d7c5a67
--- /dev/null
+++ b/doc/src/install.html
@@ -0,0 +1,378 @@
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html">
+  <title>Installing FreeS/WAN</title>
+  <meta name="keywords"
+  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
+  <!--
+
+  Written by Claudia Schmeing for the Linux FreeS/WAN project
+  Freely distributable under the GNU General Public License
+
+  More information at www.freeswan.org
+  Feedback to users@lists.freeswan.org
+
+  CVS information:
+  RCS ID:          $Id: install.html,v 1.1 2004/03/15 20:35:24 as Exp $
+  Last changed:    $Date: 2004/03/15 20:35:24 $
+  Revision number: $Revision: 1.1 $
+
+  CVS revision numbers do not correspond to FreeS/WAN release numbers.
+  -->
+</head>
+<BODY>
+<H1><A name="install">Installing FreeS/WAN</A></H1>
+
+<P>This document will teach you how to install Linux FreeS/WAN. 
+If your distribution comes with Linux FreeS/WAN, we offer
+ tips to get you started.</P>
+
+<H2>Requirements</H2>
+
+<P>To install FreeS/WAN you must:</P>
+<UL>
+<LI>be running Linux with the 2.4 or 2.2 kernel series. See 
+this <A HREF="http://www.freeswan.ca/download.php#contact">kernel 
+compatibility table</A>.<BR>We also have experimental support for 
+2.6 kernels. Here are two basic approaches:
+<UL><LI>
+install FreeS/WAN, including its <A HREF="ipsec.html#parts">KLIPS</A>
+kernel code. This will remove the native IPsec stack and replace it
+with KLIPS.</LI>
+<LI>
+install the FreeS/WAN <A HREF="ipsec.html#parts">userland tools</A> 
+(keying daemon and supporting 
+scripts) for use with 
+<A HREF="http://lartc.org/howto/lartc.ipsec.html">2.6 kernel native IPsec</A>,
+</LI>
+</UL>
+See also these <A HREF="2.6.known-issues">known issues with 2.6</A>.
+<LI>have root access to your Linux box</LI>
+<LI>choose the version of FreeS/WAN you wish to install based on
+<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A> <!-- or 
+our updates page (coming soon)--></LI>
+</UL>
+
+<H2>Choose your install method</H2>
+
+<P>There are three basic ways to get FreeS/WAN onto your system:</P>
+<UL>
+<LI>activating and testing a FreeS/WAN that <A HREF="#distroinstall">shipped 
+with your Linux distribution</A></LI>
+<LI><A HREF="#rpminstall">RPM install</A></LI>
+<LI><A HREF="#srcinstall">Install from source</A></LI>
+</UL>
+
+<A NAME="distroinstall"></A><H2>FreeS/WAN ships with some Linuxes</H2>
+
+<P>FreeS/WAN comes with <A HREF="intro.html#distwith">these distributions</A>.
+
+<P>If you're running one of these, include FreeS/WAN in the choices you 
+make during installation, or add it later using the distribution's tools.
+</P>
+
+<H3>FreeS/WAN may be altered...</H3>
+<P>Your distribution may have integrated extra features, such as Andreas
+Steffen's X.509 patch, into FreeS/WAN. It may also use custom
+startup script locations or directory names.</P>
+
+<H3>You might need to create an authentication keypair</H3>
+
+<P>If your FreeS/WAN came with your distribution, you may wish to
+ generate a fresh RSA key pair. FreeS/WAN will use these keys
+ for authentication.
+
+<P>
+To do this, become root, and type:
+</P>
+
+<PRE>    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
+    chmod 600 /etc/ipsec.secrets</PRE>
+
+<P>where you replace xy.example.com with your machine's fully-qualified 
+domain name. Generate some randomness, for example by wiggling your mouse, 
+to speed the process.
+</P>
+
+<P>The resulting ipsec.secrets looks like:</P>
+<PRE>: RSA   {
+        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
+        # for signatures only, UNSAFE FOR ENCRYPTION
+        #pubkey=0sAQOFppfeE3cC7wqJi...
+        Modulus: 0x85a697de137702ef0...
+        # everything after this point is secret
+        PrivateExponent: 0x16466ea5033e807...
+        Prime1: 0xdfb5003c8947b7cc88759065...
+        Prime2: 0x98f199b9149fde11ec956c814...
+        Exponent1: 0x9523557db0da7a885af90aee...
+        Exponent2: 0x65f6667b63153eb69db8f300dbb...
+        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
+        }
+# do not change the indenting of that "}"</PRE>
+
+<P>In the actual file, the strings are much longer.</P>
+
+
+<H3>Start and test FreeS/WAN</H3>
+
+<P>You can now <A HREF="install.html#starttest">start FreeS/WAN and 
+test whether it's been successfully installed.</A>.</P>
+
+
+<A NAME="rpminstall"></A><H2>RPM install</H2>
+
+<P>These instructions are for a recent Red Hat with a stock Red Hat kernel.
+We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're 
+running either, install using your distribution's tools.</P>
+ 
+<H3>Download RPMs</H3>
+
+<P>Decide which functionality you need:</P>
+<UL>
+<LI>standard FreeS/WAN RPMs. Use these shortcuts:<BR>
+<UL>
+<LI>(for 2.6 kernels: userland only)<BR>
+ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*</LI>
+
+<LI>(for 2.4 kernels)<BR>
+ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</LI>
+<LI>
+or view all the offerings at our
+<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs">FTP site</A>.
+</LI></UL>
+</LI>
+<LI>unofficial
+<A href="http://www.freeswan.ca/download.php">Super FreeS/WAN</A> 
+RPMs, which include Andreas Steffen's X.509 patch and more. 
+Super FreeS/WAN RPMs do not currently include 
+<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
+(NAT) traversal, but Super FreeS/WAN source does.</LI>
+</UL>
+
+<A NAME="2.6.rpm"></A>
+<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P>
+<PRE>    freeswan-userland-2.04.9-0.i386.rpm</PRE>
+
+<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 
+<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
+<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>                                                                                
+<P>Change to your new FreeS/WAN directory, and make and install the 
+
+<P>For 2.4 kernels, get both kernel and userland RPMs.
+Check your kernel version with</P>
+<PRE>    uname -r</PRE>
+
+<P>Get a kernel module which matches that version. For example:</P>
+<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
+<P>Note: These modules 
+<B>will only work on the Red Hat kernel they were built for</B>,
+since they are very sensitive to small changes in the kernel.</P>
+
+
+<P>Get FreeS/WAN utilities to match. For example:</P>
+<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
+
+
+<H3>For freeswan.org RPMs: check signatures</H3>
+
+<P>While you're at our ftp site, grab the RPM signing key</P>
+<PRE>    freeswan-rpmsign.asc</PRE>
+
+<P>If you're running RedHat 8.x or later, import this key into the RPM 
+database:</P>
+<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
+ 
+<P>For RedHat 7.x systems, you'll need to add it to your 
+<A HREF="glossary.html#PGP">PGP</A> keyring:</P>
+<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
+
+
+<P>Check the digital signatures on both RPMs using:</P>
+<PRE>    rpm --checksig freeswan*.rpm </PRE>
+
+<P>You should see that these signatures are good:</P>
+<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
+    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
+
+
+<H3>Install the RPMs</H3>
+
+<P>Become root:</P>
+<PRE>    su</PRE>
+
+<P>For a first time install, use:</P>
+<PRE>    rpm -ivh freeswan*.rpm</PRE>
+
+<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P>
+<PRE>    rpm -Uvh freeswan*.rpm</PRE>
+
+<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems,
+see <A HREF="upgrading.html#upgrading.rpms">this note</A>.</P>
+
+
+<H3>Start and Test FreeS/WAN</H3>
+
+<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and test your 
+install</A>.</P>
+
+
+<A NAME="srcinstall"></A><H2>Install from Source</H2>
+<!-- Most of this section, along with "Start and Test", can replace 
+INSTALL. -->
+
+<H3>Decide what functionality you need</H3>
+
+<P>Your choices are:</P>
+<UL>
+<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard 
+FreeS/WAN</A>,</LI>
+<LI>standard FreeS/WAN plus any of these
+ <A HREF="web.html#patch">user-supported patches</A>, or</LI>
+<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>,
+an unofficial FreeS/WAN pre-patched with many of the above. Provides 
+additional algorithms, X.509, SA deletion, dead peer detection, and 
+<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
+(NAT) traversal.</LI>
+</UL>
+
+<H3>Download FreeS/WAN</H3>
+
+<P>Download the source tarball you've chosen, along with any patches.</P>
+
+<H3>For freeswan.org source: check its signature</H3>
+
+<P>While you're at our ftp site, get our source signing key</P>
+<PRE>    freeswan-sigkey.asc</PRE>
+
+<P>Add it to your PGP keyring:</P>
+<PRE>    pgp -ka freeswan-sigkey.asc</PRE>
+
+
+<P>Check the signature using:</P>
+<PRE>    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz</PRE>
+<P>You should see something like:</P>
+<PRE>    Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
+    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE>
+<!-- Note to self: build@freeswan.org has angled brackets in the original.
+     Changed because it conflicts with HTML tags. -->
+
+<H3>Untar, unzip</H3>
+
+<P>As root, unpack your FreeS/WAN source into <VAR>/usr/src</VAR>.</P>
+<PRE>    su
+    mv freeswan-2.04.tar.gz /usr/src
+    cd /usr/src
+    tar -xzf freeswan-2.04.tar.gz
+</PRE>
+
+<H3>Patch if desired</H3>
+
+<P>Now's the time to add any patches. The contributor may have special 
+instructions, or you may simply use the patch command.</P>
+
+<H3>... and Make</H3>
+
+<P>Choose one of the methods below.</P>
+
+<H4>Userland-only Install for 2.6 kernels</H4>
+<A NAME="2.6.src"></A>
+
+<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 
+<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
+<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>                                                                                
+<P>Change to your new FreeS/WAN directory, and make and install the 
+FreeS/WAN userland tools.</P>
+<PRE>    cd /usr/src/freeswan-2.04
+    make programs
+    make install</PRE>
+                                                                                
+<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and
+test your install</A>.</P>
+
+
+
+<H4>KLIPS install for 2.2, 2.4, or 2.6 kernels</H4>
+
+<A NAME="modinstall"></A>
+
+<P>To make a modular version of KLIPS, along with other FreeS/WAN programs 
+you'll need, use the command sequence below. This will
+change to your new FreeS/WAN directory, make the FreeS/WAN module (and other
+stuff), and install it all.</P>
+<PRE>    cd /usr/src/freeswan-2.04
+    make oldmod
+    make minstall</PRE>
+ 
+<P><A HREF="install.html#starttest">Start FreeS/WAN and 
+test your install</A>.</P>
+
+
+
+<P>To link KLIPS statically into your kernel (using your old kernel settings), 
+and install other FreeS/WAN components, do:
+</P>
+<PRE>    cd /usr/src/freeswan-2.04
+    make oldmod
+    make minstall</PRE>
+
+
+<P>Reboot your system and <A HREF="install.html#testonly">test your 
+install</A>.</P>
+
+<P>For other ways to compile KLIPS, see our Makefile.</P>
+
+
+
+<A name="starttest"></A><H2>Start FreeS/WAN and test your install</H2>
+
+<P>Bring FreeS/WAN up with:</P>
+<PRE>    service ipsec start</PRE>
+
+<P>This is not necessary if you've rebooted.</P>
+
+<A name="testonly"></A><H2>Test your install</H2>
+
+<P>To check that you have a successful install, run:</P>
+<PRE>    ipsec verify</PRE>
+
+<P>You should see at least:</P>
+<PRE>
+    Checking your system to see if IPsec got installed and started correctly
+    Version check and ipsec on-path                             [OK]
+    Checking for KLIPS support in kernel                        [OK]
+    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
+    Checking that pluto is running                              [OK]
+</PRE>
+
+<P>If any of these first four checks fails, see our 
+<A href="trouble.html#install.check">troubleshooting guide</A>.
+</P>
+
+
+<H2>Making FreeS/WAN play well with others</H2>
+
+<P>There are at least a couple of things on your system that might 
+interfere with FreeS/WAN, and now's a good time to check these:</P>
+<UL>
+  <LI>Firewalling. You need to allow UDP 500 through your firewall, plus 
+ ESP (protocol 50) and AH (protocol 51). For more information, see our
+  updated firewalls document (coming soon).
+ </LI>
+  <LI>Network address translation. 
+Do not NAT the packets you will be tunneling.</LI>
+</UL>
+
+
+<H2>Configure for your needs</H2>
+
+<P>You'll need to configure FreeS/WAN for your local site. Have a look at our 
+<A HREF="quickstart.html">opportunism quickstart guide</A> to see if that
+easy method is right for your needs. Or, see how to <A HREF="config.html">
+configure a network-to-network or Road Warrior style VPN</A>.
+</P>
+
+
+
+
+</BODY>
+</HTML>
-- 
cgit v1.2.3