
Building and Installing Openswan

After you have downloaded Openswan, you should use GPG to verify the package's integrity and to confirm that your download in fact comes from a trusted source. All Openswan packages are signed with OpenPGP. You should import the GPG key from a public keyserver, or download it from the Openswan website:

# wget http://www.openswan.org/code/openswan.signingkey.asc

Ideally, you would first verify the key. For instance you could add it to your personal PGP keyring and check the signatures. You should see a few signatures from Xelerance employees on the key, which in turn should be signed by well-known people in the security community. Once you have faith in the key, install it for use within the distribution. On RPM-based distributions this is done with:

# rpm --import openswan.signingkey.asc

Currently there are some issues using rpm and gpg to import certain keys, seemingly related to the type of key used, and the versions of rpm and gpg that are installed. Therefore it is not always possible to properly verify the signature of an RPM package signed by the Openswan team.

Next, you can validate the package has not been compromised:

# rpm --checksig -v openswan-2.4.5-1.i386.rpm

Finally, to install the latest version on RPM-based distributions, use:

# rpm -Uhv openswan-2.4.5-1.i386.rpm
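As an added check (an example script, not part of the book), the following shell functions decide from rpm --checksig output whether a package was actually verified against an imported key, rather than merely having matching digests, which rpm also reports as OK. The sample output lines are constructed, and the key id in the MISSING KEYS line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the book): judge "rpm --checksig" / "rpm -K" output.
# rpm prints "OK" whenever the digests match, so an unsigned package, or one
# whose signing key was never imported, can look fine at a glance. We require a
# signature token ("gpg", "pgp" or "signatures") on the line and reject any
# line flagged NOT OK, MISSING KEYS or NOKEY.

# Returns 0 when one checksig line proves a good signature from a known key.
checksig_line_ok() {
    line="$1"
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
    esac
    case "$line" in
        *" OK") ;;                       # line must end with the overall verdict
        *) return 1 ;;
    esac
    case "$line" in
        *gpg*|*pgp*|*signatures*) return 0 ;;   # a signature was checked, not only digests
        *) return 1 ;;
    esac
}

# Reads checksig output on stdin; returns 0 only if every line passes.
checksig_output_ok() {
    status=0
    while IFS= read -r l; do
        [ -z "$l" ] && continue
        if ! checksig_line_ok "$l"; then
            echo "REJECT: $l" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample lines in the formats rpm 4.x prints (filename from the book).
SAMPLE_GOOD='openswan-2.4.5-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='openswan-2.4.5-1.i386.rpm: sha1 md5 OK'
# GPG#00000000 is a placeholder key id, not a real one.
SAMPLE_NOKEY='openswan-2.4.5-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)'

# Stand-alone run: only the first sample should be accepted.
printf '%s\n' "$SAMPLE_GOOD" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY" | checksig_output_ok \
    && echo "all packages verified" || echo "verification failed"
```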

Debian packages are not signed, so we will just have to have faith and install the package:

# apt-get install openswan

If you are going to use NETKEY, the ipsec-tools package should be installed.

This might seem odd, since the ipsec-tools package contains Racoon, another implementation of IKE (and in some ways a competitor to Openswan). The reason is that NETKEY uses the KAME PF_KEY API to talk to the kernel. This API has not yet been fully merged into Openswan, so Openswan still uses the setkey binary from the ipsec-tools package in a few of its scripts to talk to the kernel, though these have now mostly been replaced by ip xfrm commands.

Building from Source

It is possible to build Openswan from source packages, thereby automating much of your custom compile. This can be especially useful when binary packages of the latest Openswan release have not yet been released for your distribution. It is also useful if you are using your own RPM-based distribution. On Debian systems, the following commands build a package from source, and fetch all necessary build dependencies:

# apt-get build-dep openswan

# apt-get -b source openswan

# dpkg -i openswan.deb


Chapter 3

Using RPM-based Distributions

Before we are ready to compile our own RPMs, we need to make sure some of the development packages are installed on our system.

Often, development RPMs contain the include files necessary for using a certain library, so you do not need to install the development package just to use the binary software. If you do want to compile your own software that uses a certain library, you will need to install the development package for that library as well. The exception to this is SuSE, which includes the header files for a library with the regular binary package.

On RPM-based systems, these packages are usually called xxx-devel where xxx corresponds to the package name.

To compile Openswan and possibly recompile the kernel, you will need at least:

Package name
    Description

kernel-source (Red Hat Linux 7/8/9 and Fedora Core 1/2/3)
    Despite what the name suggests, this is a binary package and not a source package. You only need this if you are rebuilding the kernel.

kernel-devel (Fedora Core 4 and up)
    The kernel source package for FC4.

gmp-devel
    GNU math precision library header files.

rpm-devel
    This is only needed if you want to build RPM packages for Openswan or KLIPS.

gcc
    The GNU C compiler.

make
    The GNU make package for interpreting Makefiles.

lex or flex/bison
    Used for creating and interpreting grammar.

glibc-dev / glibc-devel
    The necessary C header files for compilation.

awk or gawk or mawk
    An interpreter.

sed
    A stream editor tool.

These packages might themselves have dependencies. The kernel-source package on Fedora currently requires gtk2-devel, which in turn needs a lot of graphical X-based development packages. Most of these packages are, with the exception of the first two, typically installed on a normal base system.


The lack of the gmp development package is probably the most common problem people encounter when attempting to build Openswan. If your build process fails, double-check if you have the gmp-devel package installed. This is the #1 FAQ about compiling Openswan.

Rebuilding the Openswan Userland

To rebuild the Openswan userland from the source RPM, first download and install the RPM with:

# rpm -ihv openswan-2.4.1-3.src.rpm

This will install various files in /usr/src/redhat (or /usr/src/packages/ on SuSE). The Openswan archive itself will be placed in /usr/src/redhat/SOURCES, along with any potential patches that the distribution package maintainer feels are needed. Naturally, source RPMs from the Openswan project will not contain any patches. An instruction file on how to rebuild a binary package from these sources and possible patches, which includes distribution-specific issues such as start/stop scripts and custom locations of lock files, is placed in the /usr/src/redhat/SPECS directory.

To build a binary RPM for the machine that is running the build process, use:

# rpmbuild -bb /usr/src/redhat/SPECS/openswan.spec

This will build a binary package for the currently running kernel, and, on our example Pentium-III machine, place the package in /usr/src/redhat/RPMS/i386. You can then install the package just as we explained at the beginning of this chapter. If you wish to build a src.rpm file for use on another machine, use:

# rpmbuild -bs /usr/src/redhat/SPECS/openswan.spec

You can specify different builds, and builds for different or multiple CPUs, by supplying various flags to the rpmbuild command. See the RPM documentation for further details.

Building src.rpm from Scratch

Of course, if there is no src.rpm available for your system, you can't use rpmbuild to build a src.rpm. You will have to use the spec files from the source archive (openswan-version.tar.gz). These spec files are included in the package subdirectory. For example, to build an Openswan binary RPM from scratch on an Intel Itanium computer running SuSE Linux for which no src.rpm is available, we first build a source RPM:

# cd /usr/src/packages

# wget http://www.openswan.org/code/openswan-2.3.tar.gz

# tar zxvf openswan-2.3.tar.gz

# rpmbuild -bs openswan-2.3/packaging/suse/openswan.26spec

Now that we have our source RPM, we can build and install the binary RPM for Openswan on this (or another) SuSE machine with the following commands:

# rpmbuild -bb SRPMS/openswan-2.3-0suse9.src.rpm

# rpm -ihv RPMS/ia64/openswan-3.1-0.ia64.rpm
