FreeS/WAN & Debian

 

Distribution:  
Clean installation of Debian "potato" 2.2r5.  
Linux kernel 2.2.19.
FreeS/WAN 1.96
 
Recommended reading:
Creating custom kernels with Debian's kernel-packaging system  Jesse Goerz's tutorial on how to create custom kernels with make-kpkg.
FreeS/WAN documentation
 
Why did I write this?
I think that I have found a few tricks that have been missed by others -- at least I had trouble finding them.
I wasn't able to find anything specific to configuring the kernel for Debian for use with FreeSwan.  It seems that most information out there assumes that you know how to compile a kernel.
I was in the process of installing Debian and FreeS/WAN on a few machines and wanted a reference for myself so I could replicate the installation.
 
Stuff to get:
FreeS/WAN
Kernel source, kernel-package and the related utilities.  The easiest way to do this is with:
# apt-get install kernel-package dpkg-dev debianutils binutils gcc \
libc6-dev make kernel-source-2.2.19 task-tcltk-dev bin86 gmp patch
On my installation, I only needed kernel-package, kernel-source-2.2.19, and gmp.  apt-get will only get the packages which aren't already installed.

As of 2002-05-01 under Woody, there is no gmp package.  Instead I got libgmp3-dev which seems to do the trick.
 

Configure the kernel
It is a good idea to install a "custom" kernel without installing FreeS/WAN in order to get familiar with the build process and to test the kernel.  If a custom kernel without the FreeS/WAN patches doesn't work, it isn't going to work any better with the patches :)
Unpack the kernel source and make a symbolic link to it.  If you already have a linux directory in /usr/src, then you should use mv to rename it.  Then start xconfig to configure the kernel.
# cd /usr/src
# bunzip2 kernel-source-2.2.19.tar.bz2
# tar xf kernel-source-2.2.19.tar
# ln -s kernel-source-2.2.19 linux
# cd linux
# make xconfig
Once xconfig has launched its GUI, click on the "Load Configuration from file" button.  Enter "/boot/config-2.2.19" for the filename.  This will load the configuration used in building the kernel installed on your system by Debian.  This makes configuration much easier!
Optionally,  you can trim the size of the kernel by going through and deselecting options that you don't need in the kernel (for instance network cards not in your system).  You can also optimize the kernel to your processor type.
 
Building and installing the test kernel:
Build the kernel with:
# make-kpkg clean
# make-kpkg --revision=custom.1.0 --flavour=prefreeswan.1.0 kernel_image
The build script may stop and ask you a configuration question or two.  I got a question about a new low-level sound driver.  I just pressed enter as I didn't need that particular driver.

Note:  In 2.4.18, --flavour has been replaced with --append_to_version.
 

Install the kernel with:
# cd ..
# dpkg -i kernel-image-2.2.19-prefreeswan.1.0_custom.1.0_i386.deb
Answer NO to "Would you like to create a boot floppy now? [No]"
Answer NO to "Install a boot block using the existing /etc/lilo.conf? [Yes]"
Answer NO to "Wipe out your old LILO configuration and make a new one? [No]"
Edit /etc/lilo.conf
Comment out the line delay=20 (add a '#' in front of it):
# Specifies the number of deciseconds (0.1) LILO should
# wait before booting the first image.
#
#delay=20
Uncomment (remove the '#'s from) the custom boot message portion and increase the amount of time LILO waits (I like at least 30 seconds so that if I get distracted I don't miss the boot prompt):
message=/boot/bootmess.txt
    prompt
    single-key
    delay=300
    timeout=300
Change the Linux boot block to look like:
image=/boot/vmlinuz-2.2.19
	label=Linux
	read-only
#	restricted
	alias=1

Replace the LinuxOLD boot block with:

image=/boot/vmlinuz-2.2.19-prefreeswan.1.0
	label=PreFreeSwan
	read-only
	alias=2
Create /boot/bootmess.txt
* 1 Linux -- base Debian installation
  2 PreFreeSwan
Run lilo to update the configuration:
# lilo -v

You should not see any error or warning messages.  If you do, look over lilo.conf and fix any problems that lilo complains about.  You should see messages indicating that two boot images are installed with the correct alias keys.
 

Remove the Debian CD from your CD drive and reboot the system:
# shutdown -r now
At the boot prompt, press 2.  This will load your new kernel.  Take a look at /var/log/syslog and /var/log/messages and look for any error messages.  Make sure that the system behaves normally before proceeding.
 
Building FreeS/WAN
Unpack the FreeS/WAN  source into a directory in /usr/src and then build the new kernel and FreeS/WAN.  
# cd /usr/src
# tar xfz freeswan*.gz
# cd freeswan-1.96
# make oldgo

NOTE:  The documentation for the installation of FreeS/WAN specifies that you can do all of the steps individually, but at the time of this writing does not specify what those steps are.  If someone would give me the individual steps, I would appreciate it.  I would like to be able to do this without building the kernel twice.

 
Rebuild the kernel using make-kpkg with revision and flavour switches:
# cd ../linux
# make-kpkg clean
# make-kpkg --revision=custom.1.1 --flavour=freeswan.1.1 kernel_image
Install the kernel with:
# cd ..
# dpkg -i kernel-image-2.2.19-freeswan.1.1_custom.1.1_i386.deb
Answer NO to "Would you like to create a boot floppy now? [No]"
Answer NO to "Install a boot block using the existing /etc/lilo.conf? [Yes]"
Answer NO to "Wipe out your old LILO configuration and make a new one? [No]"
Add a new boot block to /etc/lilo.conf
image=/boot/vmlinuz-2.2.19-freeswan.1.1
	label=FreeSwan
	read-only
	alias=3
Edit /boot/bootmess.txt
* 1 Linux -- base Debian installation
  2 PreFreeSwan
  3 FreeSwan
Run lilo to update the configuration:
# lilo -v

You should not see any error or warning messages.  If you do, look over lilo.conf and fix any problems that lilo complains about.  You should see messages indicating that three boot images are installed with the correct alias keys.
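
A pre-flight check for the lilo.conf edits above, to run before lilo -v. This is an added example, not part of the original HOWTO; it assumes key=value lines without spaces around "=", and BOOT_ROOT is a hypothetical variable introduced here so a copy of /boot can be checked.

```shell
#!/bin/sh
# Added example: sanity-check the image= stanzas of a lilo.conf.
# Assumes "key=value" lines without spaces around "=", as on this page.

# Constructed sample: the three boot blocks this HOWTO ends up with.
sample_lilo_conf() {
cat <<'EOF'
image=/boot/vmlinuz-2.2.19
    label=Linux
    read-only
#   restricted
    alias=1
image=/boot/vmlinuz-2.2.19-prefreeswan.1.0
    label=PreFreeSwan
    read-only
    alias=2
image=/boot/vmlinuz-2.2.19-freeswan.1.1
    label=FreeSwan
    read-only
    alias=3
EOF
}

# Print "alias label image" for each image= stanza read from stdin.
lilo_entries() {
    awk '
        function emit() { if (have) print key, label, image }
        /^[ \t]*#/ { next }                          # commented-out lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim indentation
        /^image=/ { emit(); image = substr($0, 7); label = "-"; key = "-"; have = 1; next }
        /^other=/ { emit(); have = 0; next }         # non-Linux stanza
        have && /^label=/ { label = substr($0, 7) }
        have && /^alias=/ { key = substr($0, 7) }
        END { emit() }
    '
}

# Print any alias key used by more than one stanza.
duplicate_aliases() {
    lilo_entries | awk '$1 != "-" { n[$1]++ } END { for (a in n) if (n[a] > 1) print a }' | sort
}

# Print image paths that do not exist under BOOT_ROOT (hypothetical
# variable, empty by default, so a copy of /boot can be checked elsewhere).
missing_images() {
    lilo_entries | while read -r _key _label image; do
        [ -e "${BOOT_ROOT:-}$image" ] || echo "$image"
    done
}

sample_lilo_conf | lilo_entries   # demo on the constructed sample
```

On a real system, feed it the file itself, for example `missing_images < /etc/lilo.conf`; any output names a kernel image that lilo will not find.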

Reboot the system
# shutdown -r now
At the boot prompt, press 3 to load the new kernel with FreeS/WAN IPSEC.
 
Check to see if FreeS/WAN installed properly:
Look at /var/log/messages.  There should be some lines looking like:
Mar 13 12:37:23 starbase kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.96
Mar 13 12:37:23 starbase kernel: early initialization of device ipsec0 is deferred
Mar 13 12:37:23 starbase kernel: early initialization of device ipsec1 is deferred
Mar 13 12:37:23 starbase kernel: early initialization of device ipsec2 is deferred
Mar 13 12:37:23 starbase kernel: early initialization of device ipsec3 is deferred
/var/log/syslog should have some lines like:
Mar 13 12:37:23 starbase ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Mar 13 12:37:23 starbase ipsec_setup: KLIPS debug `none'
Mar 13 12:37:23 starbase ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
Mar 13 12:37:23 starbase ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
Mar 13 12:37:23 starbase ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
Mar 13 12:37:23 starbase ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
Mar 13 12:37:23 starbase ipsec_setup: ...FreeS/WAN IPsec started
Fix the rp_filter settings:
Edit /etc/network/options and set spoofprotect=no (on Debian, spoofprotect is the option that controls rp_filter), so that the file reads:
ip_forward=no
spoofprotect=no
syncookies=no
NOTE: this requires adding "forwardcontrol=yes" to the ipsec.conf file in the config setup section. The alternative is to set ip_forward=yes here.
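
To confirm the fix after the next reboot, the log checks above can be scripted. This is an added example, not part of the original HOWTO; the sample input is the log output quoted on this page, and CONF_DIR is a hypothetical override introduced here so the check can run against a scratch directory.

```shell
#!/bin/sh
# Added example: confirm KLIPS started and find interfaces whose rp_filter
# setting ipsec_setup complained about.

# Assumption: CONF_DIR is a hypothetical override for testing; by default
# it is the real /proc path named in the warnings.
CONF_DIR=${CONF_DIR:-/proc/sys/net/ipv4/conf}

# Constructed sample: log lines as quoted on this page.
sample_log() {
cat <<'EOF'
Mar 13 12:37:23 starbase kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.96
Mar 13 12:37:23 starbase ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Mar 13 12:37:23 starbase ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
Mar 13 12:37:23 starbase ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
Mar 13 12:37:23 starbase ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
Mar 13 12:37:23 starbase ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
Mar 13 12:37:23 starbase ipsec_setup: ...FreeS/WAN IPsec started
EOF
}

# Print the version from the most recent KLIPS startup line on stdin.
klips_version() {
    sed -n 's|.*klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: \([0-9.]*\).*|\1|p' | tail -n 1
}

# Print each interface ipsec_setup flagged for rp_filter, de-duplicated.
flagged_interfaces() {
    sed -n 's|.*ipsec_setup: (/proc/sys/net/ipv4/conf/\([^/]*\)/rp_filter = .[0-9]*., should be 0).*|\1|p' | sort -u
}

# For each interface on stdin print "iface value" as currently set;
# return non-zero if any of them still has rp_filter other than 0.
still_filtered() {
    rc=0
    while read -r iface; do
        f="$CONF_DIR/$iface/rp_filter"
        [ -r "$f" ] || { echo "$iface missing"; continue; }
        val=$(cat "$f")
        echo "$iface $val"
        [ "$val" = "0" ] || rc=1
    done
    return $rc
}

# Demo on the constructed sample.
sample_log | klips_version
sample_log | flagged_interfaces
```

On a live system, `flagged_interfaces < /var/log/syslog | still_filtered` lists the current value for every interface that was ever flagged, including warnings from earlier boots still in the log.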
 
Configuring FreeS/WAN:
Configuring FreeS/WAN is beyond the scope of this document. Instead, I have provided some links to sites which do cover the configuration.
 
http://jixen.tripod.com/  Ipsec practical configurations for Linux Freeswan 1.x.
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/config.html  FreeS/WAN Configuration
 
Acknowledgments:
http://newbiedoc.sourceforge.net/system/kernel-pkg.en.html  Jesse Goerz's work provided most of the information given here on how to compile and install the kernel.
 
Disclaimer:
These are the steps that worked for me.  Your mileage may vary.  Attempting to install FreeSwan or a compiled kernel can be dangerous.  You could end up with a totally unusable system or one with reduced functionality.  Follow my footsteps at your own risk.

 
 

Copyright 2001, John Corrigan

Last Modified: 05/01/2002 04:57:11 PM