Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Building and Installing Openswan

This stack is obviously a poor choice, unless you need IPv6-based IPsec, and you need it immediately, and you cannot use the Racoon IKE daemon with NETKEY. Some people have managed to get Openswan to run with IPv6 using NETKEY. Though this is not yet officially supported, there is a clear interest in this functionality, and it's possible that at some future time, perhaps by the time you are reading this, Openswan will officially support IPv6 using NETKEY.

Making the Choice

The following table summarizes our recommendations for the decision-making process:

Distribution: Pick a general purpose distribution that you (or your colleagues) are most familiar with, or pick a dedicated commercial distribution.

Userland: Use Openswan's Pluto.

IPsec stack:

  If you are forced to use an ancient 2.0/2.2 kernel: KLIPS

  If you are still using 2.4 kernels: KLIPS

  If you are using 2.6 kernels:

    Production grade VPNs: KLIPS

    Teleworkers: KLIPS

    You want or need IPv6: NETKEY

    Simple static tunnels: NETKEY

GPL Compliance and KLIPS

Once in a while, we are contacted by people who want to add some newer feature of Openswan to an old FreeS/WAN version. There is only one reason people ask us this question, and that is because they are stuck with a patch (sometimes misleadingly called reference code) to support some foreign piece of hardware that the vendor supports. The vendor has decided that its code may not be released to the public (the person contacting us will be under NDA), and the job of porting that ancient patch to modern Openswan versions is just too daunting for the person contacting us.

We cannot help in such a case, because the vendor is violating the GNU Public License. By reselling such a patched version of FreeS/WAN or Openswan, the person buying these hardware products with the patch is also violating the GPL. The only way out of this is for the hardware vendor to release their patch under the GPL license. We can then consider integrating their work into Openswan.

Binary Installation of the Openswan Userland

Linux distributions use different package management software. Most commercial distributions use the Red Hat Package Manager (RPM). These include Red Hat, Fedora, SuSE, and Mandrake. Debian uses the Advanced Package Tool (APT). For small devices, IPKG is often used. Gentoo Linux uses something called emerge.

Chapter 3

The drawback of RPMs has been that figuring out the necessary dependencies was left to the user. If package A needed package B, you would only find out when you tried to install package A, and it refused because you didn't have package B. Once you downloaded package B and tried to install both of them, it might complain about package C.

On Debian, you can use apt to figure out these dependencies for you. On Fedora, you can use yum to do a more automated RPM-based install. There is also apt-rpm, which brings the apt command structure from Debian to RPM-based systems. YAST for SuSE automatically handles dependencies for you as well.

Below we will explain the rpm and the apt commands for package management. If you use yum, you can often use the apt arguments with the yum command. If you use apt-rpm, you can follow the instructions we give for apt literally. If you use a distribution with another package manager, you will need to consult its documentation.

Checking for Old Versions

Before you install any new binary package of Openswan, you should make sure no previous version of FreeS/WAN, Super FreeS/WAN, or Openswan is installed.

On RPM-based distributions, use:

# rpm -qa | grep swan

On Debian-based distributions, use:

# dpkg --list | grep swan

As a result of the rename that happened between FreeS/WAN, Super FreeS/WAN, and Openswan, it is better to remove an old version before trying to install Openswan, since dependencies might not realize that Openswan is a replacement for the installed *swan package. To remove any existing packages on RPM-based distributions, use:

# rpm -e freeswan

On Debian-based distributions, use:

# apt-get remove freeswan
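
An added example (not from the book) of the check above as a small shell filter: it matches on the package name rather than the whole line, and for dpkg it reports whether a *swan package is fully installed or only has configuration files left behind. The function names and the sample package listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): list leftover *swan packages.
# Live use:  rpm -qa | swan_from_rpm      dpkg --list | swan_from_dpkg

# rpm -qa prints one name-version-release per line, so a case-insensitive
# match on the whole line is enough. awk (unlike grep) exits 0 on no match.
swan_from_rpm() {
    awk 'tolower($0) ~ /swan/'
}

# dpkg --list rows are "<state> <name> <version> ... <description>".
# Match on the NAME column only, and decode the second state letter:
# i = installed, c = removed but configuration files remain.
swan_from_dpkg() {
    awk '$1 ~ /^[a-z][a-zA-Z]/ && tolower($2) ~ /swan/ {
        c = substr($1, 2, 1)
        state = (c == "i") ? "installed" : ((c == "c") ? "config-only" : "other")
        print $2, $3, state
    }'
}

# Constructed sample inputs (package versions are made up for illustration).
sample_rpm() {
cat <<'EOF'
kernel-2.6.9-5.EL.i686
freeswan-2.04-11.i386
openssl-0.9.7a-43.i386
EOF
}

sample_dpkg() {
cat <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version      Description
+++-==============-============-==========================================
ii  freeswan       2.04-11      IPSEC utilities for FreeSWan
rc  openswan       2.2.0-8      IPSEC utilities for Openswan
ii  ipsec-tools    0.5.2-1      IPsec tools, an alternative to the swan userland
EOF
}

echo "rpm sample:";  sample_rpm  | swan_from_rpm
echo "dpkg sample:"; sample_dpkg | swan_from_dpkg
```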

Installing the Binary Package for Openswan

Fetching the latest version of Openswan can be automated by your package manager. Normally an update or upgrade command can be used to fetch the list of latest versions of software. If you use an RPM-based system without automatic update facility, you can download the updates manually from your distribution's FTP server (or mirror). You can also check to see if the Openswan project is releasing binary RPMs for your distribution at one of the following locations:

ftp://ftp.openswan.org/openswan/binaries/

http://www.openswan.org/code/
