Contents Previous Next

Installing FreeS/WAN from source

Not everyone needs to install from source

Some Linux distributions, listed in the introduction, ship with FreeS/WAN included. If you are using one of them, you need not perform a FreeS/WAN installation. That should all be done for you already. All you have to do is:

For other distributions, you may be able to find pre-packaged RPMs and use the simple installation we describe in our quickstart document.

If either of those methods works for you, we recommend you use it. Once that is done, continue at enabling FreeS/WAN in our quickstart document.

Some people do need to install from source

Unfortunately, due to export laws restricting distribution of strong cryptography, not all distributions include FreeS/WAN. Moreover, the standard kernel does not include the kernel parts of FreeS/WAN.

Also, if you need to add patches to the FreeS/WAN code (see this list), you need to do that and then install FreeS/WAN from the patched source.

Many people will need to install FreeS/WAN from source, including patching and rebuilding their kernel.

Information on re-installing or un-installing is provided near the end of this document.

Before starting the install

Configure, compile, install, and test a Linux kernel, without FreeS/WAN.

If you have not done this before, you will need to read the Kernel HowTo. You might also look at this magazine article.

Choosing a kernel

The general rule is choose a current release of a production kernel -- the latest 2.2 or 2.4.

For specific information on which kernels a FreeS/WAN release supports, see the README file in that release.

2.2.x for many users

Many users can continue to run kernels from the 2.2 series of Linux production kernels.

We recommend using the latest release in that series. At time of writing (Feb 2002), that is 2.2.20.

If you need to use an older 2.2.x kernel for some reason, be warned that recent versions of FreeS/WAN will not compile out-of-the-box on a kernel earlier than 2.2.19. A workaround is described in the FreeS/WAN 1.91 section of our CHANGES file. See the mailing list archives, around June 2001, for more details if needed.

2.4.x is possible

The 2.4 series of kernels are currently (Feb 2002) at 2.4.18.

2.4 has new firewalling code called nefilter. This may provide good reasons to move to 2.4, especially on for gateway machines.

Do not use 2.4.15; it has a bug that causes file system corruption.

2.0.x may still work

If you must use the older 2.0.x kernel series -- for example because you need some driver that has not been ported to later kernels -- you may be in luck. When last tested, FreeS/WAN worked fine on 2.0.39.

On the other hand, you may have problems in the future. Recent versions of FreeS/WAN are not heavily tested on 2.0 kernels -- most of both the development team and the user community are on 2.2, or even 2.4, by now -- and we are almost certain to drop 2.0 support whenever some problem crops up that would mean retaining it required significant work from our team.

Development kernels

Development kernels are a separate series, work-in-progress versions for use by kernel developers. By convention, production kernels have an even second digit in the version number (2.0, 2.2, 2.4) and development kernels have an odd digit there (2.1, 2.3, 2.5).

Development kernels are not intended for production use . They change often and include new code which has not yet been thoroughly tested. These changes often break things, including FreeS/WAN. The FreeS/WAN team does not have the resources to chase the moving target; our priority is developing FreeS/WAN on stable kernels. If you encounter a problem on a development kernel, please solve it (you are a developer, aren't you?) and send us a patch. Of course, we will happily discuss problems and solutions on the mailing list, but we are unlikely to do much work on actually implementing a solution.

Fortunately we have a user who regularly fixes problems with FreeS/WAN on development kernels (merci, Marc), and we do fix some ourselves. FreeS/WAN often works just fine on a development kernel; it's just that there's no guarantee.

If you are going to test FreeS/WAN with a development kernel, we recommend you use our latest snapshot. This is the FreeS/WAN version most likely to have the patches required to work on a recent development kernel. The released version of FreeS/WAN is likely to be out of date for your purposes.

Things you must have installed

If you have a CD distribution of Linux, it should include everything you need.

Tools and libraries

Use your distribution's tools to load:

There are some common slips worth avoiding here:

Kernel source code

You need the source code for the kernel because you must patch and re-compile it to install FreeS/WAN. There are several places you can get this:

Kernel from CD
You can install the kernel from your distribution CD. It may be in two packages. However, if your CD is not recent, it may have an older kernel, in which case we suggest getting more recent kernel source from the net.
Vendor kernels

All the major distribution vendors provide kernel source. See for example:

Using a kernel from your distribution vendor may save you some annoyance later.

Different distributions put the kernel in different places (/vmlinuz, /boot/vmlinuz, /boot/vmlinuz-2.2.15 ...) and set lilo (the Li nux loader) up differently. With a kernel from your distribution vendor, everything should work right. With other combinations, a newly compiled kernel may be installed in one place while lilo is looking in another. You can of course adjust the kernel Makefile and/or /etc/lilo.conf to solve this problem, but we suggest just avoiding it.

Also, distributions vendors may include patches or drivers which are not part of the standard kernel. If you install a standard kernel, you must either do without those features or download those patches and add them yourself.

Kernels from
For kernels direct from Linus, without any distribution vendor's modifications, see the mirror list, or go directly to ftp.<country>,with the appropriate two-letter country code inserted.

Once you've found a kernel

Once you have found suitable kernel source, choose a mirror that is close to you and bookmark it.

Kernel source normally resides in /usr/src/linux, whether you load it from a distribution CD or download a tar file into /usr/src and untar it there. Unless you both have unusual requirements and know exactly what you're doing, we recommend you put it there.

Note: Some recent distributions (certainly Redhat 7.2 and Mandrake 8.1, perhaps others) put kernel source code in a directory named linux-2.4 while FreeS/WAN expects to find it in linux, which is where all distributions used to put it and the kernels still do. If your distribution uses linux-2.4, then you must create a symbolic link to linux before proceeding with your FreeS/WAN install. See the man page for ln(1) for details of how to do this if required.

Getting FreeS/WAN

You can download FreeS/WAN from our primary site or one of our mirrors.

Put the tarfile under /usr/src and untar it there. The command to use is:

This will give you a directory /usr/src/freeswan<version>.

Note that these methods don't work:

Kernel configuration

The gateway kernel must be configured before FreeS/WAN is added because some of our utilities rely on the results of configuration.

Note for Redhat 7.1 users: If you are using the Redhat-supplied kernel, then you must do a make mrproper command before starting the kernel configuration. This prevents some unpleasant interactions between Redhat's config and our patches.

On some distributions, you can get the configuration files for the vendor's standard kernel(s) off the CD, and use that. This allows you to skip this step; you need not configure the kernel if the vendor has and you have the vendor's config file installed. Here is a mailing list message describing the procedure for Redhat:

Subject: Re: [Users] Do I need to recompile kernel 2.2.17-14?
   Date: Wed, 6 Jun 2001 08:38:38 -0500
   From: "Corey J. Steele" <>

if you install the corresponding kernel-source-*.rpm, you can actually find
the config file used to build that kernel in /usr/src/linux/Configs, just
copy the one you want to use (based solely on architecture) to
/usr/src/linux/.config, and proceed!  It should work.
If you have ever configured the kernel yourself on this machine, you can also skip this step.

If the kernel has not been configured, do that now. This is done by giving one of the following commands in /usr/src/linux:

make config
command-line interface
make menuconfig
text menus (requires curses(3) libraries)
make xconfig
using the X window system (requires X, not recommended for gateways)

Any of these wiil do the job. If you have no established preference, we suggest trying menuconfig.

For more information on configuring your kernel, see our section on that topic.

Install and test a kernel before adding FreeS/WAN

You should compile, install and test the kernels as you have configured them, so that you have a known stable starting point. The series of commands involved is usually something like:

make menuconfig
choose kernel options, set up a kernel for your machine
make dep
find dependencies between files
make bzImage
build a loadable kernel image, compressed with bzip(1)
make install
install it
make modules
build modules which can be added to a running kernel
make modules_install
install them
ensure that the boot loader sees your changes

Doing this first means that if there is a problem after you add FreeS/WAN, tracking it down is much simpler.

If you need advice on this process, or general Linux background information, try our Linux web references . The most directly relevant document is the Kernel HowTo.

Building and installing the software

There are several ways to build and install the software. All require that you have kernel source, correctly configured for your machine, as a starting point. If you don't have that yet, see the previous section

Whatever method you choose, it will do all of the following:

You can do the whole install with two commands (recommended in most cases) or get into as much of the detail as you like.

Building RPMs

As of version 1.93, we provide a facilty to build FreeS/WAN RPMs.

Go to the FreeS/WAN directory and do whichever of the following commands you prefer:

make orpm
uses command-line kernel configuration
make menurpm
uses menu kernel configuration (requires ncurses library)
make xrpm
use X Window kernel configuration (requires X)

After the Makefile does the software and kernel build, it will make some RPMs and leave them in the rpms directory. The RPMs are:

the userland utilities
the ipsec.o kernel module, built only if your kernel configuration sets klips as a module
the Linux kernel and its modules
all of the above

Once you have the RPMs, you can install FreeS/WAN from them with rpm -i commands. For a more detailed procedure, go to our quickstart document.

This makes it much easier to build FreeS/WAN on one system for installation on another.

This facility is based on work by Paul Lahaie at Steamballoon.

Building IPsec as a module

With the full procedure described in the next section, you can either build the kernel parts of FreeS/WAN into your kernel or build them as a kernel module, depending on how you set the kernel configuration options.

Since 1.91, we also provide an option to build only the FreeS/WAN module, without re-compiling the rest of your kernel.

Note, however, that this requires:

To do the module install, give two commands in the FreeS/WAN directory:

You can now start FreeS/WAN with

service ipsec start

then choose what to do next.

N.B.: This is relatively new code and not yet tested on a wide range of systems. If it does not work for you, please report the problem. In the meanwhile, fall back to the older procedure described next..

Installing directly from source

You can also install FreeS/WAN directly from the source, without building RPMs as an intermediate step.

There are two steps here. First you do everything else, then you install the new FreeS/WAN-enabled kernel.

Everything but kernel installation

To do everything except install the new kernel, cd into the freeswan directory and become root. Give any one of the following commands:

make oldgo
Uses FreeS/WAN's default settings for some kernel configuration options. Leaves all other options unchanged from your last kernel configuration.
make ogo
Invokes config so you can configure the kernel from the command line.
make menugo
Invokes menuconfig so you can configure the kernel with text-mode menus.
make xgo
Invokes xconfig so you can configure the kernel in an X window.

You must save the new configuration even if you make no changes. This ensures that the FreeS/WAN changes are actually seen by the system.

There are few options in the FreeS/WAN part of kernel configuration. For most of them, we recommend that you make no changes.

Our scripts save the output of make commands they call in files with names like out.kbuild or out.kinstall. The last command of each script checks the appropriate out.* file for error messages.

For the above commands, the error files are out.kpatch and out.kbuild.

These scripts automatically build an RSA authentication key pair (a public key and the matching private key) for you, and put the result in /etc/ipsec.secrets. For information on using RSA authentication, see our configuration section. Here, we need only note that generating the key uses random(4) quite heavily and if random(4) runs out of randomness, it will block until it has enough input. You may need to provide input by moving the mouse around a lot, or going to another window and typing random characters, or using some command such as du -s /usr to generate disk activity.

Installing the new kernel

To install the kernel the easy way, just give this command in the FreeS/WAN directory:

make kinstall
Installs the new kernel and, if required, the modules to go with it. Errors, if any, are reported in out.kinstall

Using make kinstall from the FreeS/WAN directory is equivalent to giving the following sequence of commands in /usr/src/linux:

If you prefer that sequence, use it instead.

Reboot to enable your new FreeS/WAN-enabled kernel.

If you have some unusual setup such that the above sequence of commands won't work on your system, then our make kinstall will not work either. Use whatever method does work on your system. See our implementation notes file for additional information that may help in such situations.

Where to go from here

At this point, you are finished the install. Go to the quickstart document section on testing your FreeS/WAN install and continue from there.

Alternately, you might want to look at background material on the protocols used before trying configuration.

Re-install or un-install

If you have FreeS/WAN installed from source on this machine, and need to install a newer version or un-install FreeS/WAN, this section is for you.

If you have FreeS/WAN installed from RPMs, use rpm -e or rpm -u to uninstall or upgrade.


The scripts are designed so that a re-install -- to upgrade to a later FreeS/WAN version or to a later kernel version -- can be done in exactly the same way as an original install.

The scripts know enough, for example, not to apply the same kernel patch twice and not to overwrite your ipsec.conf or ipsec.secrets files. However, they will overwrite the _updown script. If you have modified that, save your version under another name before doing the install.

Also, they may not always work exactly as designed. Check the BUGS file for any caveats in the current version.

to install a new version of FreeS/WAN, with your current kernel
Download and untar the new FreeS/WAN. Since kernel source has already been installed and configured, you can skip a few steps in the procedure below. Go to Building FreeS/WAN, and follow normal install-from-source procedures from there.
to install a new kernel, on a machine which already has FreeS/WAN installed
Download and untar the new kernel source. Since this kernel is not yet configured, that is the next thing to do.Go to Kernel configuration, and follow normal procedures from there.
to upgrade both kernel and FreeS/WAN
You need both new kernel source and new FreeS/WAN source. Follow the full FreeS/WAN install procedure. See above.


Disabling FreeS/WAN

In many Linux distributions, you can easily disable FreeS/WAN with the command:

    chkconfig --del ipsec

This removes the symlinks in /etc/rc.d/rc?.d which cause ipsec(8) to be called at boot time or when switching run levels. If the kernel part of IPsec, KLIPS, has been compiled as a module, then this also prevents loading that module, so IPsec is completely disabled.

Other distributions may use another version of init(8), or may not provide the chkconfig(8) command. For these, you will have to use other tools, or manually edit the init scripts, to achieve the same effect.

Removing FreeS/WAN files

If you installed FreeS/WAN from RPMs, then just use rpm -e to uninstall it. This section is for those who have installed from source.

To entirely remove the user-level FreeS/WAN components from your system, go to the FreeS/WAN install directory and give the command:

     make uninstall_freeswan

If that doesn't work for you -- for example, if FreeS/WAN was built on another system and copied here -- then you can do it manually. First disable FreeS/WAN as described above (to avoid problems with symlinks pointing to things you are about to remove), and then use these commands:

        rm -f /etc/ipsec.* /usr/local/sbin/ipsec /etc/rc.d/init.d/ipsec
        rm -rf /usr/local/lib/ipsec
        rm -f /usr/local/man/man?/ipsec[._]*

You may need to vary the commands slightly if you, or whoever packaged your distribution, changed the install directories when building FreeS/WAN.

Removing FreeS/WAN from the kernel

If you compiled KLIPS as a module, then just disabling FreeS/WAN as described above prevents loading the module.

If KLIPS is compiled into your kernel, then you can disable it by turning off IPsec in your kernel configuration (or by making it a module) and recompiling.

You can remove the FreeS/WAN patches from your kernel source by going to the FreeS/WAN install directory and giving the command:

     make unpatch

This does not remove all FreeS/WAN changes; some are not done with patch(1) and cannot be reversed in this way.

To remove all trace of IPsec in your kernel, you should revert to an unpatched version, or download fresh kernel source.

Contents Previous Next