Building and Integrating Virtual Private Networks with Openswan (2006)

Chapter 3

Patching the Kernel

Kernel patching is only necessary if you wish either to add NAT-Traversal support to a 2.4 kernel, or to add KLIPS support to a 2.4 or 2.6 kernel image without using kernel modules. You can build KLIPS as a module without manual patching.

NAT-Traversal Patch

If you are going to use KLIPS on either a 2.4 or a 2.6 kernel, it is strongly recommended to apply the NAT-Traversal patch to the kernel, which can be generated from the Openswan source code. It modifies the kernel's own UDP receive path so that ESP packets encapsulated in UDP can be handed to KLIPS. Note that this is not a change to a kernel module, but a change to the kernel core itself.

If you apply the NAT-T patch, you MUST rebuild both the kernel image (bzImage) and all the kernel modules.

We first generate the patch file, and then apply it to our kernel. KERNELSRC must be exported (a plain shell assignment is not visible to make) so that the Openswan Makefile can find the kernel tree:

# export KERNELSRC=/usr/src/linux-2.6.11
# cd openswan-2
# make nattpatch > /usr/src/openswan-ipsec-natt.patch
# cd /usr/src/linux-2.6.11
# patch -p1 -s < /usr/src/openswan-ipsec-natt.patch
# make clean
# make oldconfig

When running the last command, the configuration options that have already been configured will fly by, but the program will pause when it encounters a new option, such as in our case the option to enable NAT-Traversal:

IPSEC NAT-Traversal (CONFIG_IPSEC_NAT_TRAVERSAL) [N/y/?](NEW)

After answering Y to this option, the process will continue and end with a new kernel configuration. Remember that since this is a patch against some core functions of the kernel image itself, and is not a separate kernel module, you must build a new kernel image and you must rebuild all the modules for that kernel. For Linux 2.4 or earlier, you must build the dependencies first:

# make dep

The command to build the kernel and modules is:

# make bzImage modules modules_install
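The procedure above applies the patch blindly and trusts that the new option was answered Y. The script below is an added example, not code from the book or from the Openswan project: it wraps the same commands with the two checks a practitioner wants before rebuilding a kernel, a dry-run to confirm the patch applies cleanly (a rejected hunk usually means the tree is already patched or is the wrong kernel version) and a check that the resulting .config really contains CONFIG_IPSEC_NAT_TRAVERSAL=y. The function names, the OPENSWANSRC and NATT_BUILD_RUN variables, and the default paths are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the book or from Openswan): the NAT-T patch
# procedure with a dry-run check and a .config check. Default paths are the
# ones used in the text; override KERNELSRC and OPENSWANSRC for your trees.
set -e

: "${KERNELSRC:=/usr/src/linux-2.6.11}"
: "${OPENSWANSRC:=/usr/src/openswan-2}"
PATCHFILE=/usr/src/openswan-ipsec-natt.patch

# Return 0 when the given .config has CONFIG_IPSEC_NAT_TRAVERSAL=y.
# Run after `make oldconfig` to confirm the new prompt was answered Y.
config_has_natt() {
    grep -q '^CONFIG_IPSEC_NAT_TRAVERSAL=y$' "$1"
}

# Return 0 when patch file $1 would apply to tree $2 without rejects.
# --dry-run touches no files; $1 should be an absolute path since we cd first.
patch_applies_cleanly() {
    ( cd "$2" && patch -p1 --dry-run < "$1" >/dev/null 2>&1 )
}

build_natt_kernel() {
    [ -f "$KERNELSRC/Makefile" ] || { echo "no kernel tree at $KERNELSRC" >&2; return 1; }

    # 1. generate the patch; the Openswan Makefile reads KERNELSRC from the environment
    export KERNELSRC
    ( cd "$OPENSWANSRC" && make nattpatch > "$PATCHFILE" )

    # 2. refuse to touch the tree if the patch does not apply cleanly
    if ! patch_applies_cleanly "$PATCHFILE" "$KERNELSRC"; then
        echo "NAT-T patch does not apply cleanly to $KERNELSRC (already patched, or wrong kernel version?)" >&2
        return 1
    fi
    ( cd "$KERNELSRC" && patch -p1 -s < "$PATCHFILE" )

    # 3. reconfigure; answer Y at the CONFIG_IPSEC_NAT_TRAVERSAL prompt
    ( cd "$KERNELSRC" && make clean && make oldconfig )

    # 4. never build a kernel in which that prompt was answered N by mistake
    if ! config_has_natt "$KERNELSRC/.config"; then
        echo "CONFIG_IPSEC_NAT_TRAVERSAL is not enabled in $KERNELSRC/.config" >&2
        return 1
    fi

    # 5. the patch changes the kernel core, so the image and every module are rebuilt
    ( cd "$KERNELSRC" && make bzImage modules modules_install )
}

# Only start the build when asked to, so the functions can also be sourced.
if [ "${NATT_BUILD_RUN:-0}" = 1 ]; then
    build_natt_kernel
fi
```

Run it as root with NATT_BUILD_RUN=1 on the build host; the dry-run step is the one that saves you when a distribution kernel already carries the NAT-T changes, because in that case `patch` reports every hunk as failed or already applied instead of silently corrupting the tree.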

KLIPS Compile Shortcut

If you do not need to apply the NAT-T patch, because you do not need it or because your kernel already has the NAT-T patch applied, you can use a shortcut, which avoids the need to recompile the entire kernel. Obviously, this only works if you are happy with KLIPS as a kernel module:

# cd /usr/src/openswan-2.4.1
# export KERNELSRC=/usr/src/linux-2.6.11
# make module
# make minstall
# depmod -a


Building and Installing Openswan

Note that the make target is called module, in the singular, not modules as in the Linux kernel's own build. If you want to use this shortcut, you can customize the KLIPS compile-time options in the file openswan-2/linux/net/ipsec/defconfig.

Activating KLIPS

If you compiled KLIPS statically as part of the kernel image or if you applied the NAT-T patch, you will now need to install your new kernel by copying it to the right place (usually /boot), updating your bootloader, and rebooting into your new kernel. Check the documentation for your distribution if you are not familiar with this process.

If you compiled KLIPS as a module, the result of make minstall or make modules_install will be a single module called ipsec.ko (ipsec.o on 2.4) that will be installed in the appropriate directory under /lib/modules/. If you built the module for the currently running kernel, you do not need to reboot.

Before you load KLIPS, ensure that the NETKEY modules are not loaded. Stop any running Openswan userland first (ipsec setup stop), since a module that is still in use cannot be removed, then run:

# rmmod xfrm_user af_key esp4 ah4 ipcomp xfrm4_tunnel

rmmod prints an error for any module in the list that is not currently loaded; those errors are harmless.

Then you are ready to load KLIPS thus:

# modprobe ipsec

In older versions, some algorithms and ciphers came in their own separate module (such as ipsec_aes.o). This is currently no longer the case.

Determining the Stack in Use

You can test which stack is loaded by checking whether the files listed in the following table exist in the /proc filesystem:

Stack                                                  File to detect this stack
KLIPS IPsec stack                                      /proc/net/ipsec_version or /proc/net/pf_key
NETKEY IPsec stack                                     /proc/net/pfkey (note the lack of underscore in the filename)
KLIPS NAT-Traversal support (openswan-2.4.0 and up)    /proc/net/ipsec_natt

If you have also installed the userland, you can use the ipsec --version command. The stack in use appears in parentheses right after the version number:

# ipsec --version

Linux Openswan 2.4.1/K2.6.8-1.520 (netkey)

See 'ipsec --copyright' for copyright information.

# ipsec --version

Linux Openswan 2.4.1 (klips)

See 'ipsec --copyright' for copyright information.
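The table and the ipsec --version output give two independent views of the stack, and they can disagree (userland built for one stack, kernel running the other). The script below is an added example, not code from the book or from the Openswan project: it applies the table's /proc checks and parses the version line, then reports both and warns on a mismatch. The function names and the optional PROC_ROOT argument (present only so the logic can be exercised against a constructed directory tree) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the book or from Openswan): detect the loaded IPsec
# stack from the /proc files in the table above and from `ipsec --version`.
set -e

# Print "klips", "netkey" or "none". KLIPS exposes /proc/net/ipsec_version
# (or /proc/net/pf_key, with underscore); NETKEY exposes /proc/net/pfkey
# (no underscore). $1 is an alternative /proc root, used only for testing.
detect_stack() {
    proc=${1:-/proc}
    if [ -e "$proc/net/ipsec_version" ] || [ -e "$proc/net/pf_key" ]; then
        echo klips
    elif [ -e "$proc/net/pfkey" ]; then
        echo netkey
    else
        echo none
    fi
}

# Return 0 when KLIPS was built with NAT-Traversal support; openswan 2.4.0
# and later publish /proc/net/ipsec_natt in that case.
klips_has_natt() {
    proc=${1:-/proc}
    [ -e "$proc/net/ipsec_natt" ]
}

# Extract the stack name from the first line of `ipsec --version`, e.g.
# "Linux Openswan 2.4.1/K2.6.8-1.520 (netkey)" -> "netkey".
# Prints nothing when the line carries no "(stack)" suffix.
stack_from_version_line() {
    printf '%s\n' "$1" | sed -n 's/^Linux Openswan [^ ]* (\([a-z]*\)).*$/\1/p'
}

# On a real host: compare the kernel's view with the userland's view, so a
# mismatch is caught before any tunnel is configured.
report() {
    kstack=$(detect_stack)
    echo "kernel stack (from /proc): $kstack"
    if [ "$kstack" = klips ]; then
        if klips_has_natt; then echo "KLIPS NAT-T: yes"; else echo "KLIPS NAT-T: no"; fi
    fi
    if command -v ipsec >/dev/null 2>&1; then
        ustack=$(stack_from_version_line "$(ipsec --version 2>/dev/null | head -n 1)")
        echo "userland stack (ipsec --version): ${ustack:-unknown}"
        [ "$ustack" = "$kstack" ] || echo "WARNING: userland and kernel disagree on the stack" >&2
    fi
}

if [ "${IPSEC_STACK_REPORT:-0}" = 1 ]; then
    report
fi
```

When both a KLIPS file and /proc/net/pfkey exist, detect_stack reports klips, since that is the stack that will be handling traffic once the ipsec module is loaded; if you see that combination, the rmmod step from "Activating KLIPS" was skipped.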
