This document will teach you how to install Linux FreeS/WAN. If your distribution comes with Linux FreeS/WAN, we offer tips to get you started.
To install FreeS/WAN you must:
There are three basic ways to get FreeS/WAN onto your system:
FreeS/WAN comes with these distributions.
If you're running one of these, include FreeS/WAN in the choices you make during installation, or add it later using the distribution's tools.
Your distribution may have integrated extra features, such as Andreas Steffen's X.509 patch, into FreeS/WAN. It may also use its own startup script locations or directory names.
If your FreeS/WAN came with your distribution, and it is pre-1.98, generate an RSA key pair for authentication.
As root type:
    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
    chmod 600 /etc/ipsec.secrets
where you replace xy.example.com with your machine's fully-qualified domain name. Generate some randomness, for example by wiggling your mouse, to speed the process.
The resulting ipsec.secrets looks like:
    : RSA   {
        # RSA 2192 bits   xy.example.com   Tue Aug 20 17:42:19 2002
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOFppfeE3cC7wqJi...
        #IN KEY 0x4200 4 1 AQOFppfeE3cC7wqJ...
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: 0x85a697de137702ef0...
        # everything after this point is secret
        PrivateExponent: 0x16466ea5033e807...
        Prime1: 0xdfb5003c8947b7cc88759065...
        Prime2: 0x98f199b9149fde11ec956c814...
        Exponent1: 0x9523557db0da7a885af90aee...
        Exponent2: 0x65f6667b63153eb69db8f300dbb...
        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
        }
    # do not change the indenting of that "}"
In the actual file, the strings are much longer.
You can now start FreeS/WAN and test whether it has been successfully installed.
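A pre-flight check on the secrets file before starting FreeS/WAN, added here as an example and not part of the original FreeS/WAN documentation: everything after the "everything after this point is secret" comment is the private RSA key, so the file must be mode 0600 and must actually contain an RSA block. The function name check_secrets and the default path are assumptions.

```shell
# check_secrets [FILE]  (hypothetical helper, not a FreeS/WAN tool)
# Returns 0 when FILE (default /etc/ipsec.secrets) exists, is mode 0600
# and holds an RSA key block with its private exponent; otherwise prints
# the reason to stderr and returns 1.
check_secrets() {
    f=${1:-/etc/ipsec.secrets}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # Private parameters live in this file, so group/world read bits
    # hand the host key to every local user.  find prints the path only
    # when the mode is exactly 0600.
    [ "$(find "$f" -type f -perm 600)" = "$f" ] || {
        echo "$f: mode is not 0600 (run: chmod 600 $f)" >&2; return 1; }
    # The block produced by 'ipsec newhostkey' starts with ': RSA {'
    grep -q ': RSA {' "$f" || {
        echo "$f: no RSA key block (run ipsec newhostkey)" >&2; return 1; }
    # A block with only the public fields cannot authenticate this host
    grep -q 'PrivateExponent:' "$f" || {
        echo "$f: RSA block has no private exponent" >&2; return 1; }
    return 0
}
```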
These instructions are for a recent Red Hat with a stock Red Hat kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're running either, install using your distribution's tools.
Decide which functionality you need:
Check your kernel version with
uname -a
Get a kernel module which matches that version. For example:
freeswan-module-2.00_2.4.18_3-0.i386.rpm
Note: These modules will only work on the Red Hat kernel they were built for, since they are very sensitive to small changes in the kernel.
Get FreeS/WAN utilities to match. For example:
freeswan-userland-2.00_2.4.18_3-0.i386.rpm
While you're at our ftp site, grab the RPM signing key
freeswan-rpmsign.asc
If you're running RedHat 8.x, import this key into the RPM database:
rpm --import freeswan-rpmsign.asc
For RedHat 7.x systems, you'll need to add it to your PGP keyring:
pgp -ka freeswan-rpmsign.asc
Check the signatures on both RPMs using:
    rpm --checksig freeswan-module-2.00_2.4.18_3-0.i386.rpm
    rpm --checksig freeswan-userland-2.00_2.4.18_3-0.i386.rpm
You should see:
    freeswan-module-2.00_2.4.18_3-0.i386.rpm: pgp md5 OK
    freeswan-userland-2.00_2.4.18_3-0.i386.rpm: pgp md5 OK
Become root:
su
Install your RPMs with:
rpm -ivh freeswan*
Now, start FreeS/WAN and test your install.
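The two checks above (module built for the running kernel, good PGP signature on both RPMs) as a wrapper that refuses to run rpm -ivh unless both pass. This is an added example, not a script shipped with FreeS/WAN; the function names are assumptions, and it assumes the Red Hat RPM naming shown above, where '-' in the kernel version becomes '_' in the file name.

```shell
# rpm_kernel_version FILE  (hypothetical helper)
# Kernel version a module RPM was built for, taken from a file name of
# the form freeswan-module-<fsw>_<kernel>-<rel>.<arch>.rpm
rpm_kernel_version() {
    name=${1##*/}                       # drop any directory part
    name=${name#freeswan-module-}       # -> 2.00_2.4.18_3-0.i386.rpm
    name=${name%-*}                     # -> 2.00_2.4.18_3
    name=${name#*_}                     # -> 2.4.18_3
    printf '%s\n' "$name" | tr '_' '-'  # -> 2.4.18-3, as uname -r prints it
}

# module_matches_kernel FILE [KERNEL]: 0 when FILE was built for KERNEL
# (default: the running kernel from uname -r)
module_matches_kernel() {
    [ "$(rpm_kernel_version "$1")" = "${2:-$(uname -r)}" ]
}

# checksig_ok LINE: 0 when an 'rpm --checksig' output line reports a good
# PGP signature.  The documented good line is "<file>: pgp md5 OK"; a line
# with only "md5 OK" means the signing key was not checked, which proves
# nothing about who built the package.
checksig_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;
        *": "*pgp*" OK") return 0 ;;
    esac
    return 1
}

# install_checked MODULE_RPM USERLAND_RPM: verify, then install (needs rpm)
install_checked() {
    module=$1; userland=$2
    module_matches_kernel "$module" || {
        echo "module built for $(rpm_kernel_version "$module"), running $(uname -r)" >&2
        return 1; }
    for f in "$module" "$userland"; do
        checksig_ok "$(rpm --checksig "$f")" || {
            echo "bad or unverified signature on $f, not installing" >&2
            return 1; }
    done
    rpm -ivh "$module" "$userland"
}
```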
Your choices are:
Download the source tarball you've chosen, along with any patches.
While you're at our ftp site, get our RPM signing key
freeswan-sigkey.asc
If you're running RedHat 8.x, import this key into the RPM database:
rpm --import freeswan-rpmsign.asc
For RedHat 7.x systems, you'll need to add it to your PGP keyring:
pgp -ka freeswan-rpmsign.asc
Check the signature using:
pgp freeswan-2.00.tar.gz.sig freeswan-2.00.tar.gz
You should see something like:
Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)". Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1
As root, unpack your FreeS/WAN source into /usr/src.
    su
    mv freeswan-2.00.tar.gz /usr/src
    cd /usr/src
    tar -xzf freeswan-2.00.tar.gz
Now's the time to add any patches. The contributor may have special instructions, or you may simply use the patch command.
Change to your new FreeS/WAN directory:
cd /usr/src/freeswan-2.00
Make the FreeS/WAN module:
make oldmod
Install it:
make minstall
You can directly start FreeS/WAN and test your install.
Make FreeS/WAN using your old kernel settings:
make oldgo
Install it:
make kinstall
Reboot your system and test your install.
Bring FreeS/WAN up with:
service ipsec start
This is not necessary if you've rebooted.
To check that you have a successful install, run:
ipsec verify
You should see at least:
    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path                             [OK]
    Checking for KLIPS support in kernel                        [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]
If any of these first four checks fails, see our troubleshooting guide.
There are several things on your system that might interfere with FreeS/WAN, and now's a good time to check these:
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
may be necessary.
You'll need to configure FreeS/WAN for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.