#
# HOWTO written by Kenneth Grande 6 oct 2006
#
# send comments/questions to kenneth (at) aspit (dot) no
#
# Scenario:
# When using openswan on a box providing multiple VPN tunnels you need KLIPS support to get an ipsec0 adapter for firewalling.
#
# Problem:
# Debian ships with a backport of NETKEY instead of KLIPS; we want to remove NETKEY and enable KLIPS by building a custom kernel.
#
# Setup:
# A standard Debian 3.1r3 install with the 2.4 kernel that ships with the release.
# Openswan-2.4.6 (and the openswan-2.4.6.kernel-2.4-klips patch)
#
#######################################################################
Get the kernel source:
#######################################################################

fw-01:/# apt-get install kernel-source-2.4.27

#######################################################################
Unpack the kernel in the /usr/src/ directory:
#######################################################################

fw-01:/# cd /usr/src/
fw-01:/# tar jxvf kernel-source-2.4.27.tar.bz2

#######################################################################
I make a symbolic link in the /usr/src/ directory:
#######################################################################

fw-01:/# ln -s kernel-source-2.4.27 linux

This will result in the folder /usr/src/linux/

#######################################################################
Download/unpack/copy the openswan patch:
#######################################################################

fw-01:/# cd /home/
fw-01:/# wget http://www.openswan.org/download/openswan-2.4.6.kernel-2.4-klips.patch.gz
fw-01:/# gunzip openswan-2.4.6.kernel-2.4-klips.patch.gz
fw-01:/# cp openswan-2.4.6.kernel-2.4-klips.patch /usr/src/linux
fw-01:/# cd /usr/src/linux
fw-01:/# patch -p1 < openswan-2.4.6.kernel-2.4-klips.patch

#######################################################################
Configure the kernel:
#######################################################################

I will use make menuconfig; this needs libncurses5-dev to run, so I install it:

fw-01:/# apt-get install libncurses5-dev
fw-01:/# make menuconfig

What you want to include in your kernel will depend on your needs. The most important things to remember are your NICs and your network capabilities under the Networking options. I will only go into detail on the things that you obviously need, but you have to look at your system and decide if you have got any special needs (depending on your hardware).
My box has got 6 ethernet ports, 2x e1000 and 4x e100, so I will enable support for them first:

Network device support -->
Ethernet (10 or 100 Mbit) -->
<*> EtherExpressPro/100 support (e100, Alternate Intel driver)
Ethernet (1000 Mbit) -->
<*> Intel(R) PRO/1000 Gigabit Ethernet support

Networking options -->

NB! This is VERY important: the following value has got to be removed:

< > PF_KEY sockets

This is the NETKEY option in the kernel; we will disable this one so we can make room for KLIPS :)

Here is the rest of the Networking options. This is a testbox, so I haven't been too picky about the options I have selected (but pay attention to the NB!!! sections :).

If you are planning on using an iptables-based firewall like shorewall you MUST enable IP tables support under IP: Netfilter Configuration ( <*> IP tables support (required for filtering/masq/NAT) ).

I have selected quite a few here, so again you have to make it suit your needs. Spend some time in the menu to get familiar with the different alternatives you have got. If you find out that you are missing something you can always do it again and include the things you missed.

<*> Packet socket
[ ] Packet socket: mmapped IO
< > Netlink device emulation
[*] Network packet filtering (replaces ipchains)
[*] Network packet filtering debugging
[*] Socket Filtering
<*> Unix domain sockets
< > PF_KEY sockets                                  NB!!! - THIS IS IMPORTANT - NB!!!
[*] TCP/IP networking
[*] IP: multicasting
[*] IP: advanced router
[*] IP: policy routing (NEW)
[*] IP: use netfilter MARK value as routing key (NEW)
[*] IP: fast network address translation (NEW)
[*] IP: equal cost multipath (NEW)
[*] IP: use TOS value as routing key (NEW)
[*] IP: verbose route monitoring (NEW)
[ ] IP: kernel level autoconfiguration
< > IP: tunneling
< > IP: GRE tunnels over IP
[ ] IP: multicast routing
[ ] IP: TCP Explicit Congestion Notification support
[ ] IP: TCP syncookie support (disabled per default)
<*> IP: AH transformation
<*> IP: ESP transformation
<*> IP: IPComp transformation
    IP: Netfilter Configuration --->                NB!!! - THIS IS IMPORTANT - NB!!!
    IP: Virtual Server Configuration --->
<*> IP: IPsec user configuration interface
<*> 802.1Q VLAN Support
---
< > The IPX protocol
< > Appletalk protocol support
    Appletalk devices --->
< > DECnet Support
< > 802.1d Ethernet Bridging
    QoS and/or fair queueing --->
    Network testing --->
<*> IP Security Protocol (Openswan IPSEC)
--- IPsec options (Openswan)
[*] IPsec: IP-in-IP encapsulation (tunnel mode)
[*] IPsec: Authentication Header
[*] IPsec: Encapsulating Security Payload
--- IPsec algorithms to include
[*] 3DES encryption algorithm
[*] AES encryption algorithm

fw-01:/# make dep

#######################################################################
You will also need to install the kernel-package:
#######################################################################

fw-01:/# apt-get install kernel-package

#######################################################################
I will not go into detail on this:
#######################################################################

fw-01:/# make-kpkg --initrd --revision aspITKGv01 kernel_image
fw-01:/# dpkg -i kernel-image-2.4.27_aspITKGv01_i386.deb
fw-01:/# reboot

(NB!!! remember to select your new kernel after booting :), it will not be default unless you edit the /boot/grub/menu.lst file.)
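Because a wrong menuconfig choice here only shows up after the reboot, it is worth checking the written .config against the two points the HOWTO insists on (PF_KEY sockets off, Openswan IPSEC on) before running make dep. The script below is an added example, not part of the original HOWTO. The CONFIG_ symbol names are assumptions derived from the menu labels above (PF_KEY sockets = CONFIG_NET_KEY, IP tables support = CONFIG_IP_NF_IPTABLES, IP Security Protocol (Openswan IPSEC) = CONFIG_IPSEC, the ciphers = CONFIG_IPSEC_ALG_3DES / CONFIG_IPSEC_ALG_AES); verify them against /usr/src/linux/.config on your own box. The two sample .config files it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a 2.4 kernel .config for the NETKEY/KLIPS
# choices in this HOWTO before running "make dep". Symbol names below are
# assumptions based on the menuconfig labels, not taken from the HOWTO.

# config_value FILE SYMBOL -> prints y, m, or n (n when unset or "is not set")
config_value() {
    _v=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2)
    case "$_v" in
        y|m) printf '%s\n' "$_v" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_klips_config FILE -> 0 when the config matches the HOWTO, 1 otherwise.
# Each problem is printed on its own line.
check_klips_config() {
    _f=$1
    _rc=0
    if [ "$(config_value "$_f" CONFIG_NET_KEY)" != n ]; then
        echo "FAIL: CONFIG_NET_KEY (PF_KEY sockets / NETKEY) is still enabled"
        _rc=1
    fi
    if [ "$(config_value "$_f" CONFIG_IPSEC)" = n ]; then
        echo "FAIL: CONFIG_IPSEC (Openswan KLIPS) is not enabled, no ipsec0 will appear"
        _rc=1
    fi
    if [ "$(config_value "$_f" CONFIG_IP_NF_IPTABLES)" = n ]; then
        echo "WARN: CONFIG_IP_NF_IPTABLES is off; shorewall/iptables will not work"
        _rc=1
    fi
    for _alg in CONFIG_IPSEC_ALG_3DES CONFIG_IPSEC_ALG_AES; do
        if [ "$(config_value "$_f" "$_alg")" = n ]; then
            echo "WARN: $_alg is off; tunnels using that cipher will not come up"
            _rc=1
        fi
    done
    if [ "$_rc" -eq 0 ]; then
        echo "OK: $_f has KLIPS on and NETKEY off"
    fi
    return "$_rc"
}

# Constructed sample: a stripped-down .config as menuconfig would write it
# after following this HOWTO (not a real file from the author's box).
GOOD_CONFIG=${TMPDIR:-/tmp}/klips-good.$$
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IPSEC=y
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ALG_3DES=y
CONFIG_IPSEC_ALG_AES=y
EOF

# Constructed sample: what the stock Debian config looks like, NETKEY on, no KLIPS.
BAD_CONFIG=${TMPDIR:-/tmp}/klips-bad.$$
cat > "$BAD_CONFIG" <<'EOF'
CONFIG_NET_KEY=y
CONFIG_IP_NF_IPTABLES=y
EOF
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT

check_klips_config "$GOOD_CONFIG"
check_klips_config "$BAD_CONFIG" || echo "(stock config rejected, as expected)"
# On a real box: check_klips_config /usr/src/linux/.config
```

Run it against /usr/src/linux/.config after leaving menuconfig; a non-zero exit means go back into the menu before building.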
#######################################################################
I had some interface issues after the first boot, so I set eth0 up manually and restarted networking. If you have network connectivity just ignore this.
#######################################################################

fw-01:/# cd /etc/network/
fw-01:/# pico interfaces

#######################################################################
Edit the file (to suit your environment):
#######################################################################

auto eth0
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.254

#######################################################################
Restart networking:
#######################################################################

fw-01:/# /etc/init.d/networking restart

#######################################################################
Download and install openswan:
#######################################################################

fw-01:/# cd /home/
(yeah I know I like the /home/ folder, but there's no place like 127.0.0.1 :)
fw-01:/# wget http://www.openswan.org/download/openswan-2.4.6.tar.gz
fw-01:/# gunzip openswan-2.4.6.tar.gz
fw-01:/# tar -xvf openswan-2.4.6.tar
fw-01:/# cd openswan-2.4.6
(you can "cat" or "pico" the INSTALL file for details)

#######################################################################
Needed during install:
#######################################################################

fw-01:/# apt-get install man2html
fw-01:/# apt-get install libgmp3-dev

#######################################################################
Building userland:
#######################################################################

fw-01:/# make programs install

#######################################################################
Building the KLIPS kernel module on 2.4:
#######################################################################

fw-01:/# make KERNELSRC=/usr/src/linux module minstall

#######################################################################
Restart or start ipsec:
#######################################################################

fw-01:/# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.6...
ipsec_setup: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)

#######################################################################
Check for the ipsec0 interface:
#######################################################################

fw-01:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:81:42:39:B0
          inet addr:xxxxx  Bcast:xxxxxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10250068 (9.7 MiB)  TX bytes:1040114 (1015.7 KiB)
          Base address:0xb000 Memory:e9020000-e9040000

ipsec0    Link encap:Ethernet  HWaddr 00:E0:81:42:39:B0
          inet addr:xxxxxxx  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

Congratulations!! You now have an ipsec0 adapter to use with your favorite firewall.

NB! Remember to keep selecting the new kernel during boot, or edit the /boot/grub/menu.lst file to make it the default.

I hope someone finds this howto useful.

Regards,
Kenneth Grande.
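The reason for wanting ipsec0 in the first place is that KLIPS hands decrypted packets to the firewall on that interface, while the raw ESP and IKE traffic stays on eth0. That separation lets you write rules that accept plaintext from the remote site only via ipsec0 and drop anything on eth0 that merely claims a remote-LAN source, which matters here because, as the ipsec_setup output above shows, rp_filter on eth0 has just been switched off. The script below is an added example of such a ruleset and is not part of the HOWTO or of shorewall; it only prints the iptables commands for review rather than applying them. The interface roles (eth0 outside, eth1 LAN) and the two subnets are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): a minimal iptables ruleset built around
# the ipsec0 interface KLIPS provides. It prints the commands so they can be
# reviewed before being applied; interface names and subnets are assumptions.

# ipsec_rules EXT_IF IPSEC_IF LAN_IF LAN_NET REMOTE_NET -> prints the rules
ipsec_rules() {
    ext=$1; ips=$2; lan=$3; lan_net=$4; remote_net=$5
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: plaintext with a $remote_net source may only arrive on $ips.
# KLIPS re-injects decrypted packets on $ips, so the same source seen on $ext is
# forged or unencrypted; rp_filter on $ext was disabled by ipsec_setup, so this
# rule has to do that job explicitly.
iptables -A INPUT -i $ext -s $remote_net -j DROP
iptables -A FORWARD -i $ext -s $remote_net -j DROP
# IKE (UDP 500) and ESP between the two gateways on the outside interface.
iptables -A INPUT -i $ext -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext -p esp -j ACCEPT
# Decrypted tunnel traffic between the remote LAN and the local LAN.
iptables -A FORWARD -i $ips -o $lan -s $remote_net -d $lan_net -j ACCEPT
iptables -A FORWARD -i $lan -o $ips -s $lan_net -d $remote_net -j ACCEPT
EOF
}

# first_line_matching OUTPUT PATTERN -> line number of the first matching rule,
# used to confirm the DROP rules are ordered before the ACCEPT rules.
first_line_matching() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Constructed sample run: eth0 outside, eth1 LAN, local 192.168.1.0/24,
# remote site 10.0.0.0/24. Review the output, then "| sh" it on the firewall.
ipsec_rules eth0 ipsec0 eth1 192.168.1.0/24 10.0.0.0/24
```

One tunnel gives one pair of FORWARD rules; for the multi-tunnel box the HOWTO is about, call ipsec_rules once per remote subnet and keep the DROP rules for every remote subnet ahead of the ACCEPT rules.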