openswan for Debian ---------------------- 1) General Remarks This package has been created from scratch with some ideas from the freeswan 1.3 package by Tommi Virtanen and the freeswan 1.5 package by Aaron Johnson merged in. Most of the code in debian/rules for creating the linux-patch-openswan package has been initially taken from Tommi Virtanen's package, but has been mostly rewritten to fit the needs of newer kernel versions (since version 1.9-1). After the decision of the FreeS/WAN project to cease the development of FreeS/WAN, we decided to switch over to the Openswan fork. This code base includes all the patches that had to be applied manually before, which makes packaging simple. Alexander List prepared the first preliminary openswan package based on my freeswan packaging, which I updated to the relevant parts of the current freeswan package. 2) Kernel Support Note: This package can make use of the in-kernel IPSec stack, which is available in the stock Debian kernel images (>=2.4.24 and 2.6.x). If you want to use the openswan utilities, you will need the appropriate kernel modules. The Debian default kernel native IPSec stack (which is included in Linux 2.6 kernels and has been backported to Debian's 2.4 kernels) can be used out-of-the-box with opeswan pluto, the key management daemon. This native Linux IPSec stack is of high quality, has all of the features of the latest Debian freeswan and openswan packages (i.e. support for other ciphers like AES and NAT Traversal support) and is well integrated into the kernel networking subsystem (which is not true for the freeswan kernel modules). However, it is not as well tested as the freeswan kernel modules simply because the code base is younger. But nonetheless, the easiest way to get IPSec support in Debian is to use the default kernels (or recompile from the Debian kernel sources) and install the mature freeswan pluto key management daemon. If you do not want to use the in-kernel IPSec stack of newer 2.6 kernels or are building a custom 2.4 kernel, then the KLIPS kernel part is available in two forms: the kernel tree can be patched using the linux-patch-openswan package, which will be applied automatically by make-kpkg, or stand-alone modules can be built using the openswan-modules-source package. Please note that, for building the modules, you need the _complete_, built kernel tree for invoking "make-kpkg modules_install", only having the kernel headers is not enough. NAT Traversal can not be used at the moment with the stand-alone modules, it still needs a small kernel patch applied to the kernel tree. If you need NAT Traversal, please use either the in-kernel IPSec stack (which is preferred), the linux-patch-openswan package, or patch the kernel tree with the (small) NAT Traversal patch before compiling it. Attention: Please note that KLIPS will not compile cleanly with newer GCC versiobs that are stricter with their syntax checks. It is known to compile with GCC 3.4, so I recommend to use this version for building it. If you build KLIPS modules without patching the kernel source, please note that the kernel needs to be compiled with the same GCC version, or the modules will not load! When using make-kpkg, the GCC version can be set with the environment variable MAKEFLAGS, e.g. with MAKEFLAGS="CC=gcc-3.4" make-kpkg ... This should be necessary for 2.4 kernels, while KLIPS for 2.6 kernels might compile with newer GCC versions as well. For using the openswan (KLIPS) kernel modules, there are now two different methods: 2.1) openswan-modules-source: When you install the openswan-modules-source package and use make-kpkg to build your kernel, make-kpkg modules_image will automatically create a kernel module package. However, since the openswan-modules-source package follows other modules source packages, you will first have to extract the source tree: $ cd /usr/src $ tar xvzf openswan-modules.tar.gz Again, please note that only the kernel headers are not enough to build these modules! You really need to have the kernel source tree, configured for your running kernel (or the one you will run the openswan module with). If you did not build your own kernel, the following trick might help (thanks to Olaf Lundqvist for documenting this in the BTS): a) unpack the kernel source: $ apt-get install kernel-source- $ cd /usr/src $ tar xvfj kernel-source-.tar.bz2 $ cd kernel-source- b) copy kernel-headers information to that directory: $ apt-get install kernel-headers- $ cp -r ../kernel-headers-/* . c) build the openswan kernel modules: $ cd /usr/src/modules/openswan $ debian/rules binary-modules \ KVERS="" \ KSRC="/usr/src/kernel-source-" 2>&1 Where upstream version is e.g. 2.4.20 and debian-version is e.g. 2.4.20-2 (it should match the Debian package version). If you want to use NAT Traversal but still want to use openswan-modules-source (since you need to patch the kernel anyway, using linux-patch-openswan is easier), you can find the necessary patch under /usr/src/modules/openswan/debian/nat-t-.diff It should apply cleanly to newer vanilla 2.4 and 2.6 series kernels. Debian kernels usually have that patch already applied, so you will not need to patch a Debian kernel to use openswan. 2) linux-patch-openswan: By installing the linux-patch-openswan package and using make-kpkg to build your kernel, it automatically gets patched to include the freeswan IPSec kernel support in the kernel tree. This allows to enable NAT Traversal (which is not possible with building the openswan modules outside the kernel tree with the openswan-modules-source package without the additional patch). Please note that the environment variable PATCH_THE_KERNEL=YES has to be set for make-kpkg to apply the kernel patches. 3) Miscellaneous Warning: Due to an upstream bug, pluto from this version will dump core on certain CRLs. If you are hit by this bug, please report it directly to upstream, they are still tracking the issue down. For support, please use the mailing list debian-openswan@gibraltar.at, which is now the official support address for the Debian package of openswan. You can subscribe to the list and view its archives at https://www.gibraltar.at/mailman/listinfo/debian-openswan -- Rene Mayrhofer , Mon, Sep 19 14:58:00 2005