Installing FreeS/WAN

This document will teach you how to install Linux FreeS/WAN. If your distribution comes with Linux FreeS/WAN, we offer tips to get you started.

Requirements

To install FreeS/WAN you must:

Choose your install method

There are three basic ways to get FreeS/WAN onto your system:

FreeS/WAN ships with some Linuxes

FreeS/WAN comes with these distributions.

If you're running one of these, include FreeS/WAN in the choices you make during installation, or add it later using the distribution's tools.

FreeS/WAN may be altered...

Your distribution may have integrated extra features, such as Andreas Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup script locations or directory names.

You might need to create an authentication keypair

If your FreeS/WAN came with your distribution, you may wish to generate a fresh RSA key pair. FreeS/WAN will use these keys for authentication.

To do this, become root, and type:

    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
    chmod 600 /etc/ipsec.secrets

where you replace xy.example.com with your machine's fully-qualified domain name. Generate some randomness, for example by wiggling your mouse, to speed the process.

The resulting ipsec.secrets looks like:

: RSA   {
        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOFppfeE3cC7wqJi...
        Modulus: 0x85a697de137702ef0...
        # everything after this point is secret
        PrivateExponent: 0x16466ea5033e807...
        Prime1: 0xdfb5003c8947b7cc88759065...
        Prime2: 0x98f199b9149fde11ec956c814...
        Exponent1: 0x9523557db0da7a885af90aee...
        Exponent2: 0x65f6667b63153eb69db8f300dbb...
        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
        }
# do not change the indenting of that "}"

In the actual file, the strings are much longer.

Start and test FreeS/WAN

You can now start FreeS/WAN and test whether it's been successfully installed..

RPM install

These instructions are for a recent Red Hat with a stock Red Hat kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're running either, install using your distribution's tools.

Download RPMs

Decide which functionality you need:

For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:

    freeswan-userland-2.04.9-0.i386.rpm

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.

Change to your new FreeS/WAN directory, and make and install the

For 2.4 kernels, get both kernel and userland RPMs. Check your kernel version with

    uname -r

Get a kernel module which matches that version. For example:

    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm

Note: These modules will only work on the Red Hat kernel they were built for, since they are very sensitive to small changes in the kernel.

Get FreeS/WAN utilities to match. For example:

    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm

For freeswan.org RPMs: check signatures

While you're at our ftp site, grab the RPM signing key

    freeswan-rpmsign.asc

If you're running RedHat 8.x or later, import this key into the RPM database:

    rpm --import freeswan-rpmsign.asc

For RedHat 7.x systems, you'll need to add it to your PGP keyring:

    pgp -ka freeswan-rpmsign.asc

Check the digital signatures on both RPMs using:

    rpm --checksig freeswan*.rpm 

You should see that these signatures are good:

    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK

Install the RPMs

Become root:

    su

For a first time install, use:

    rpm -ivh freeswan*.rpm

To upgrade existing RPMs (and keep all .conf files in place), use:

    rpm -Uvh freeswan*.rpm

If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems, see this note.

Start and Test FreeS/WAN

Now, start FreeS/WAN and test your install.

Install from Source

Decide what functionality you need

Your choices are:

Download FreeS/WAN

Download the source tarball you've chosen, along with any patches.

For freeswan.org source: check its signature

While you're at our ftp site, get our source signing key

    freeswan-sigkey.asc

Add it to your PGP keyring:

    pgp -ka freeswan-sigkey.asc

Check the signature using:

    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz

You should see something like:

    Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1

Untar, unzip

As root, unpack your FreeS/WAN source into /usr/src.

    su
    mv freeswan-2.04.tar.gz /usr/src
    cd /usr/src
    tar -xzf freeswan-2.04.tar.gz

Patch if desired

Now's the time to add any patches. The contributor may have special instructions, or you may simply use the patch command.

... and Make

Choose one of the methods below.

Userland-only Install for 2.6 kernels

Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.

Change to your new FreeS/WAN directory, and make and install the FreeS/WAN userland tools.

    cd /usr/src/freeswan-2.04
    make programs
    make install

Now, start FreeS/WAN and test your install.

KLIPS install for 2.2, 2.4, or 2.6 kernels

To make a modular version of KLIPS, along with other FreeS/WAN programs you'll need, use the command sequence below. This will change to your new FreeS/WAN directory, make the FreeS/WAN module (and other stuff), and install it all.

    cd /usr/src/freeswan-2.04
    make oldmod
    make minstall

Start FreeS/WAN and test your install.

To link KLIPS statically into your kernel (using your old kernel settings), and install other FreeS/WAN components, do:

    cd /usr/src/freeswan-2.04
    make oldmod
    make minstall

Reboot your system and test your install.

For other ways to compile KLIPS, see our Makefile.

Start FreeS/WAN and test your install

Bring FreeS/WAN up with:

    service ipsec start

This is not necessary if you've rebooted.

Test your install

To check that you have a successful install, run:

    ipsec verify

You should see at least:

    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path                             [OK]
    Checking for KLIPS support in kernel                        [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]

If any of these first four checks fails, see our troubleshooting guide.

Making FreeS/WAN play well with others

There are at least a couple of things on your system that might interfere with FreeS/WAN, and now's a good time to check these:

Configure for your needs

You'll need to configure FreeS/WAN for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.