openswan for Debian
----------------------
1) General Remarks
This package has been created from scratch with some ideas from the
freeswan 1.3 package by Tommi Virtanen and the freeswan 1.5 package by
Aaron Johnson merged in. Most of the code in debian/rules for creating the
linux-patch-openswan package has been initially taken from Tommi Virtanen's
package, but has been mostly rewritten to fit the needs of newer kernel
versions (since version 1.9-1).
After the decision of the FreeS/WAN project to cease the development of
FreeS/WAN, we decided to switch over to the Openswan fork. This code base
includes all the patches that had to be applied manually before, which makes
packaging simple. Alexander List prepared the first preliminary openswan
package based on my freeswan packaging, which I then updated with the relevant
parts of the current freeswan package.
2) Kernel Support
Note: This package can make use of the in-kernel IPSec stack, which is
available in the stock Debian kernel images (>=2.4.24 and 2.6.x).
If you want to use the openswan utilities, you will need the appropriate
kernel modules. The Debian default kernel native IPSec stack (which is
included in Linux 2.6 kernels and has been backported to Debian's 2.4 kernels)
can be used out-of-the-box with openswan's pluto, the key management daemon.
This native Linux IPSec stack is of high quality, has all of the features of
the latest Debian freeswan and openswan packages (i.e. support for additional
ciphers like AES and NAT Traversal support) and is well integrated into the
kernel networking subsystem (which is not true for the freeswan kernel
modules). However, it is not as well tested as the freeswan kernel modules,
simply because the code base is younger. Nonetheless, the easiest way to
get IPSec support in Debian is to use the default kernels (or recompile from
the Debian kernel sources) and install the mature pluto key management daemon
from the openswan package.
If you do not want to use the in-kernel IPSec stack of newer 2.6 kernels or
are building a custom 2.4 kernel, then the KLIPS kernel part is available in
two forms: the kernel tree can be patched using the linux-patch-openswan
package, which will be applied automatically by make-kpkg, or stand-alone
modules can be built using the openswan-modules-source package. Please note
that, for building the modules, you need the _complete_, built kernel tree
for invoking "make-kpkg modules_install", only having the kernel headers is
not enough. NAT Traversal can not be used at the moment with the stand-alone
modules, it still needs a small kernel patch applied to the kernel tree. If
you need NAT Traversal, please use either the in-kernel IPSec stack (which is
preferred), the linux-patch-openswan package, or patch the kernel tree with
the (small) NAT Traversal patch before compiling it.
Attention: Please note that KLIPS will not compile cleanly with newer GCC
versions that are stricter with their syntax checks. It is known to compile
with GCC 3.4, so I recommend using this version for building it. If you build
KLIPS modules without patching the kernel source, please note that the kernel
needs to be compiled with the same GCC version, or the modules will not load!
When using make-kpkg, the GCC version can be set with the environment variable
MAKEFLAGS, e.g. with
MAKEFLAGS="CC=gcc-3.4" make-kpkg ...
This is known to be necessary for 2.4 kernels, while KLIPS for 2.6 kernels
might compile with newer GCC versions as well.
For using the openswan (KLIPS) kernel modules, there are now two different
methods:
2.1) openswan-modules-source:
When you install the openswan-modules-source package and use
make-kpkg to build your kernel, make-kpkg modules_image will automatically
create a kernel module package. However, since the openswan-modules-source
package follows other modules source packages, you will first have to extract
the source tree:
$ cd /usr/src
$ tar xvzf openswan-modules.tar.gz
Again, please note that the kernel headers alone are not enough to build these
modules! You really need the kernel source tree, configured for your running
kernel (or the one you will run the openswan modules with). If you did not
build your own kernel, the following trick might help (thanks to Olaf
Lundqvist for documenting this in the BTS):
a) unpack the kernel source:
$ apt-get install kernel-source-<debian version>
$ cd /usr/src
$ tar xvfj kernel-source-<debian version>.tar.bz2
$ cd kernel-source-<upstream version>
b) copy kernel-headers information to that directory:
$ apt-get install kernel-headers-<debian version>
$ cp -r ../kernel-headers-<debian version>/* .
c) build the openswan kernel modules:
$ cd /usr/src/modules/openswan
$ debian/rules binary-modules \
KVERS="<debian version>" \
KSRC="/usr/src/kernel-source-<debian version>" 2>&1
Here <upstream version> is e.g. 2.4.20 and <debian version> is e.g. 2.4.20-2
(it should match the version of the Debian kernel-source and kernel-headers
packages you installed).
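The following script is an added example and is not part of the openswan
package or its debian/rules. It wraps steps a) to c) above with the two
pre-flight checks this section asks for: that KSRC really is a configured
kernel source tree and not a bare kernel-headers directory, and that the
compiler make-kpkg will use matches the one the kernel was built with (the GCC
caveat from section 2). The OPENSWAN_BUILD switch, the variable names and the
sample /proc/version banner are assumptions/constructed for illustration; the
debian/rules invocation is the one shown in step c).

```shell
#!/bin/sh
# Added example (not from the openswan package): pre-flight checks for building
# openswan KLIPS modules from openswan-modules-source, then the build itself.
# Environment: KVERS (e.g. 2.4.20-2), KSRC (e.g. /usr/src/kernel-source-2.4.20),
# CC (e.g. gcc-3.4). The build only runs when OPENSWAN_BUILD=yes is set, so the
# check functions can be sourced and exercised on their own.

# Extract "X.Y.Z" from a kernel banner such as /proc/version or the
# LINUX_COMPILER line of $KSRC/include/linux/compile.h, both of which carry
# "gcc version X.Y.Z ...". Prints nothing if no compiler version is present.
kernel_gcc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p'
}

# Version the chosen compiler reports about itself (empty if it is missing).
cc_version() {
    "$1" -dumpversion 2>/dev/null || true
}

# Compare major.minor of two versions. 2.6 kernels record "gcc-X.Y" in the
# module vermagic, so this is the granularity at which module loading fails.
same_major_minor() {
    a=$(printf '%s' "$1" | cut -d. -f1,2)
    b=$(printf '%s' "$2" | cut -d. -f1,2)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# A tree is usable for the module build only if it has been configured and
# carries the generated headers (.config and include/linux/version.h); an
# unconfigured source tarball fails this, as does a headers-only directory
# that was never merged into a source tree as in step b).
ksrc_is_configured() {
    [ -f "$1/.config" ] && [ -f "$1/include/linux/version.h" ]
}

# Run all checks: $1 = KSRC, $2 = compiler command, $3 = kernel banner.
# Returns non-zero with a message on stderr if the build would produce
# modules that do not load.
preflight() {
    if ! ksrc_is_configured "$1"; then
        echo "error: $1 is not a configured kernel source tree" >&2
        return 1
    fi
    kgcc=$(kernel_gcc_version "$3")
    ccv=$(cc_version "$2")
    if ! same_major_minor "$kgcc" "$ccv"; then
        echo "error: kernel built with gcc ${kgcc:-unknown}, $2 reports ${ccv:-nothing}; modules would not load" >&2
        return 1
    fi
}

if [ "${OPENSWAN_BUILD:-no}" = yes ]; then
    cc=${CC:-gcc}
    # Building for the running kernel: take its banner from /proc/version.
    # For another kernel, pass its compile.h LINUX_COMPILER line instead.
    preflight "$KSRC" "$cc" "$(cat /proc/version)" || exit 1
    cd /usr/src/modules/openswan || exit 1
    MAKEFLAGS="CC=$cc" debian/rules binary-modules \
        KVERS="$KVERS" KSRC="$KSRC" 2>&1
fi
```

Run it as `OPENSWAN_BUILD=yes KVERS=2.4.20-2 KSRC=/usr/src/kernel-source-2.4.20
CC=gcc-3.4 sh build-openswan-modules.sh` after steps a) and b); a compiler
mismatch is reported before any time is spent compiling, which is cheaper than
discovering it from insmod refusing the finished module.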
If you want to use NAT Traversal but still want to use openswan-modules-source
(since you need to patch the kernel anyway, using linux-patch-openswan is
easier), you can find the necessary patch under
/usr/src/modules/openswan/debian/nat-t-<major version>.diff
It should apply cleanly to newer vanilla 2.4 and 2.6 series kernels. Debian
kernels usually have that patch already applied, so you will not need to patch
a Debian kernel to use openswan.
2.2) linux-patch-openswan:
By installing the linux-patch-openswan package and using make-kpkg to build
your kernel, the kernel tree automatically gets patched to include the openswan
(KLIPS) IPSec kernel support. This also allows NAT Traversal to be enabled
(which is not possible when building the openswan modules outside the kernel
tree with the openswan-modules-source package, unless the additional patch is
applied). Please note that the environment variable PATCH_THE_KERNEL=YES has
to be set for make-kpkg to apply the kernel patches.
3) Miscellaneous
Warning: Due to an upstream bug, pluto from this version will dump core on
certain CRLs. If you are hit by this bug, please report it directly to
upstream; they are still tracking the issue down.
For support, please use the mailing list debian-openswan@gibraltar.at, which
is now the official support address for the Debian package of openswan. You
can subscribe to the list and view its archives at
https://www.gibraltar.at/mailman/listinfo/debian-openswan
-- Rene Mayrhofer <rmayr@debian.org>, Mon, Sep 19 14:58:00 2005