Contents Previous Next

Installing FreeS/WAN

This document will teach you how to install Linux FreeS/WAN. If your distribution comes with Linux FreeS/WAN, we offer tips to get you started.

Requirements

To install FreeS/WAN you must:

Choose your install method

There are three basic ways to get FreeS/WAN onto your system:

FreeS/WAN ships with some Linuxes

FreeS/WAN comes with these distributions.

If you're running one of these, include FreeS/WAN in the choices you make during installation, or add it later using the distribution's tools.

FreeS/WAN may be altered...

Your distribution may have integrated extra features, such as Andreas Steffen's X.509 patch, into FreeS/WAN. They may also use their own startup script locations or directory names.

You might need to create an authentication keypair

If your FreeS/WAN came with your distribution, and it is pre-1.98, generate an RSA key pair for authentication.

As root type:

    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
    chmod 600 /etc/ipsec.secrets

where you replace xy.example.com with your machine's fully-qualified domain name. Generate some randomness, for example by wiggling your mouse, to speed the process.

The resulting ipsec.secrets looks like:

: RSA   {
        # RSA 2192 bits   xy.example.com   Tue Aug 20 17:42:19 2002
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOFppfeE3cC7wqJi...
        #IN KEY 0x4200 4 1 AQOFppfeE3cC7wqJ...
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: 0x85a697de137702ef0...
        # everything after this point is secret
        PrivateExponent: 0x16466ea5033e807...
        Prime1: 0xdfb5003c8947b7cc88759065...
        Prime2: 0x98f199b9149fde11ec956c814...
        Exponent1: 0x9523557db0da7a885af90aee...
        Exponent2: 0x65f6667b63153eb69db8f300dbb...
        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
        }
# do not change the indenting of that "}"

In the actual file, the strings are much longer.

Start and test FreeS/WAN

You can now start FreeS/WAN and test whether it's been successfully installed..

RPM install

These instructions are for a recent Red Hat with a stock Red Hat kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're running either, install using your distribution's tools.

Download RPMs

Decide which functionality you need:

Check your kernel version with

    uname -a

Get a kernel module which matches that version. For example:

    freeswan-module-2.00_2.4.18_3-0.i386.rpm

Note: These modules will only work on the Red Hat kernel they were built for, since they are very sensitive to small changes in the kernel.

Get FreeS/WAN utilities to match. For example:

    freeswan-userland-2.00_2.4.18_3-0.i386.rpm

For freeswan.org RPMs: check signatures

While you're at our ftp site, grab the RPM signing key

    freeswan-rpmsign.asc

If you're running RedHat 8.x, import this key into the RPM database:

    rpm --import freeswan-rpmsign.asc

For RedHat 7.x systems, you'll need to add it to your PGP keyring:

    pgp -ka freeswan-rpmsign.asc

Check the signatures on both RPMs using:

    rpm --checksig freeswan-module-2.00_2.4.18_3-0.i386.rpm
    rpm --checksig freeswan-userland-2.00_2.4.18_3-0.i386.rpm

You should see:

    freeswan-module-2.00_2.4.18_3-0.i386.rpm: pgp md5 OK
    freeswan-userland-2.00_2.4.18_3-0.i386.rpm: pgp md5 OK

Install the RPMs

Become root:

    su

Install your RPMs with:

    rpm -ivh freeswan*

Start and Test FreeS/WAN

Now, start FreeS/WAN and test your install.

Install from Source

Decide what functionality you need

Your choices are:

Download FreeS/WAN

Download the source tarball you've chosen, along with any patches.

For freeswan.org source: check its signature

While you're at our ftp site, get our RPM signing key

    freeswan-sigkey.asc

If you're running RedHat 8.x, import this key into the RPM database:

    rpm --import freeswan-rpmsign.asc

For RedHat 7.x systems, you'll need to add it to your PGP keyring:

    pgp -ka freeswan-rpmsign.asc

Check the signature using:

    pgp freeswan-2.00.tar.gz.sig freeswan-2.00.tar.gz

You should see something like:

    Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1

Untar, unzip

As root, unpack your FreeS/WAN source into /usr/src.

    su
    mv freeswan-2.00.tar.gz /usr/src
    cd /usr/src
    tar -xzf freeswan-2.00.tar.gz

Patch if desired

Now's the time to add any patches. The contributor may have special instructions, or you may simply use the patch command.

... and Make

Either make FreeS/WAN as a module...

Change to your new FreeS/WAN directory:

    cd /usr/src/freeswan-2.00

Make the FreeS/WAN module:

    make oldmod

Install it:

    make minstall

You can directly start FreeS/WAN and test your install.

...or statically linked

Make FreeS/WAN using your old kernel settings:

    make oldgo

Install it:

    make kinstall

Reboot your system and test your install.

Start FreeS/WAN and test your install

Bring FreeS/WAN up with:

    service ipsec start

This is not necessary if you've rebooted.

Test your install

To check that you have a successful install, run:

    ipsec verify

You should see at least:

    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path                             [OK]
    Checking for KLIPS support in kernel                        [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]

If any of these first four checks fails, see our troubleshooting guide.

Making FreeS/WAN play well with others

There are several things on your system that might interfere with FreeS/WAN, and now's a good time to check these:

Configure for your needs

You'll need to configure FreeS/WAN for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.


Contents Previous Next