
Chapter 3: Building and Installing Openswan

This chapter will describe how to build and install Openswan. It will discuss some design decisions that need to be made, and then guide you through the process of building and installing Openswan:

Choosing a Linux distribution

Picking an IPsec stack: KLIPS or NETKEY?

Using existing source or binary packages

Compiling and installing Openswan from source

Optionally patching your kernel for NAT-Traversal and KLIPS

Some of the decisions that must be made before beginning the installation of Openswan depend on the precise use of Openswan and the type of IPsec connections it will need for your specific scenario. A choice of kernel, distribution, and of IPsec kernel stack will then need to be made.

Linux Distributions

The choice of distribution is really a personal one. Security is not a product, but a process. Which Linux distribution to use is therefore not decided solely by the quality of a vendor's boxed Linux distribution with respect to its VPN capabilities. It also depends on how the system administrators, who are the ones that will have to work with the security product day to day, interact with that product.

If you install a highly secure Linux distribution that your system administrators do not understand, then your VPN server will likely not be maintained very well. As a result, your once highly secure VPN gateway will acquire security holes. It is important to pick a distribution that the system administrators who will need to maintain it are comfortable with. If that distribution does not support IPsec, you can still add it by building your own Linux kernel and by building Openswan from source code.


If you are completely new to Linux, pick a more popular distribution such as Red Hat, Fedora Core, or SuSE. If you come from the BSD world, you would probably prefer Debian. In the following sections, we give a few details about the advantages and disadvantages of the most commonly used distributions.

Red Hat

Although Red Hat distributions do not ship Openswan out of the box, both source and binary RPM packages built for the latest releases of these distributions are available from the Openswan website. Fedora Core distributions come with Openswan pre-installed.

Openswan is well tested on the free Red Hat distributions: Red Hat Linux 7.x and 9, and the Fedora Core distributions.

It might be tempting to buy a commercial Red Hat distribution, such as Red Hat Enterprise Linux (RHEL), but for IPsec this can be a bad choice. RHEL3 (which comes in several flavors, such as Advanced Server, Workstation, and Enterprise Server) uses a mixture of code from the 2.4 and 2.6 kernels. This complicates your choice of stack immensely, since the mixture contains known IPsec bugs that were merged in from an older (broken) 2.6 kernel. The presence of 2.6 code in the 2.4 kernel also prevents you from patching that kernel to replace the broken code with the code shipped with Openswan. And patching your kernel will likely void your support and warranty on the system, probably one of the major reasons for buying a RHEL system in the first place. We do not recommend using these hybrid kernel systems. RHEL4, however, comes with a modern 2.6 kernel, which should work as well as any other 2.6 kernel.

There are two closely related free Linux distributions that are based on RHEL but are not released or supported by Red Hat: White Box Linux and CentOS. White Box Linux is based on RHEL3 and therefore has the same problems mentioned above. CentOS version 4 is based on RHEL4 and should work fine with Openswan.

Debian

Thanks to Rene Mayrhofer of the Debian Project, the Debian distribution has been one of the early adopters of Openswan, and ships with a stable and recent version of Openswan. If you have experience with Debian, then this distribution is a very good choice. Debian has its own way of building kernels, but it is very easy to build kernels for Debian based on the stock kernels released by Linus Torvalds as well.

SuSE

SuSE is also a good choice for Openswan. Just be aware that versions prior to SuSE Linux 9.2 might be running their IPv6-modified version of FreeS/WAN. This means that you cannot replace the FreeS/WAN package with Openswan without also replacing the kernel package to match the new software. SuSE Linux 9.2 and higher do not have this problem.


Slackware

This is one of the oldest Linux distributions around. Unfortunately, it shows. There is no advanced package manager, just a small utility called pkgtool that untars an archive, and does not perform any dependency checks. Currently, there is no Openswan package, so you will have to compile and install your own package and rebuild your own kernel.

Slackware still uses a BSD-like start-up scheme. It has no concept of 'services', so the IPsec init script that the other distributions install and run at boot will be neither installed nor called on Slackware. Instead, you will need to manually edit one of the files in /etc/rc.d/rc.*, such as rc.inet or rc.local, and add the command:

ipsec setup start

None of the usual properties of a real service are available either. One of those properties is the first-start check that generates a new IPsec host key if one does not already exist. On Slackware, this command has to be run manually, once, before the first start:

# ipsec newhostkey --output /etc/ipsec.secrets
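Because Slackware gives you none of the init-script behaviour, the two manual steps above are easy to get wrong on reboot (a host key regenerated by accident invalidates every peer's copy of your public key). The following rc.local fragment is an example added here, not code from the book or from the Openswan project; it reproduces what the ipsec init script does on other distributions: generate a host key only if /etc/ipsec.secrets does not already contain one, keep that file root-only, then start the stack. The binary path /usr/local/sbin/ipsec is an assumption and can be overridden by setting IPSEC before the fragment is sourced.

```shell
#!/bin/sh
# Added example (not from the book or from Openswan): a fragment for
# Slackware's /etc/rc.d/rc.local that does what the ipsec init script
# does on other distributions. Assumed paths: the ipsec binary in
# /usr/local/sbin and the secrets file at /etc/ipsec.secrets; both can
# be overridden by setting IPSEC and SECRETS before sourcing this file.

IPSEC=${IPSEC:-/usr/local/sbin/ipsec}
SECRETS=${SECRETS:-/etc/ipsec.secrets}

# Succeed if the secrets file is readable and already carries an RSA
# host key ("ipsec newhostkey" writes a ": RSA {" stanza).
has_hostkey() {
    [ -r "$1" ] && grep -q ': RSA' "$1"
}

# Generate a host key only when none exists, so a reboot never clobbers
# the key that peers already trust. The file holds a private key, so it
# is created under a restrictive umask and locked to root afterwards.
ensure_hostkey() {
    secrets=$1
    if has_hostkey "$secrets"; then
        return 0
    fi
    ( umask 077 && "$IPSEC" newhostkey --output "$secrets" ) || return 1
    chmod 600 "$secrets"
}

# Equivalent of "service ipsec start" on a distribution with init scripts:
# first-start key generation, then bring up the stack.
start_ipsec() {
    if ! ensure_hostkey "$SECRETS"; then
        echo "ipsec: could not create host key in $SECRETS" >&2
        return 1
    fi
    "$IPSEC" setup start
}

# Only attempt to start if the binary is actually installed, so the rest
# of rc.local is not aborted on a machine without Openswan.
if [ -x "$IPSEC" ]; then
    start_ipsec
fi
```

Calling `ensure_hostkey` on every boot is harmless: the `has_hostkey` check makes it a no-op once a key exists, which is exactly the behaviour the init script provides elsewhere.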

We do not recommend you use Slackware, even if it is currently your favorite distribution.

Gentoo

Gentoo is a distribution that is quite different from any other Linux distribution. To install Gentoo, you bootstrap it with a minimal system that includes a C compiler. This mini system then downloads various source packages and literally builds your entire machine from source. Instead of installing the OS from precompiled packages, you compile your entire system yourself. If you are installing a full system, the compilation might take days.

To add a certain package on Gentoo, you emerge it. Emerging a package will download, compile, and install the package.

Gentoo uses its own method for compiling new kernels, called genkernel, though as with Debian, it is still very easy to build the kernel in the standard way. There is an Openswan (userland) package available for emerging, but be aware that the kernel and the userland must work well together.

Gentoo unfortunately has seen a lot of problems in the past with IPsec support. It seemed there was not enough communication between the kernel developers and the FreeS/WAN / Openswan maintainer for Gentoo. In practice this meant that the Gentoo *swan packages have never properly worked. We were also fairly unsuccessful in reporting bugs to Gentoo. Of course, this might all have changed, since Gentoo is under very active development.

But in general, Gentoo users are expected to be experienced Linux users. Unless you are already a Gentoo user, this would be a very poor choice.
