HOWTO - use KLIPS instead of the backport of NETKEY to enable ipsec0 adapter with openswan.
#
# HOWTO written by Kenneth Grande 6 oct 2006
#
# send comments/questions to kenneth (at) aspit (dot) no
#
# Scenario:
# When openswan runs on a box providing multiple VPN tunnels you want KLIPS
# support: KLIPS hands decrypted tunnel traffic to a virtual ipsec0 interface,
# so it can be firewalled per interface, which the NETKEY stack does not offer.
#
# Problem:
# Debian ships with a backport of NETKEY instead of KLIPS, we want to remove
NETKEY and enable KLIPS by building a custom kernel.
#
# Setup:
# a standard Debian 3.1r3 (sarge) installation with the 2.4 kernel that ships
# with the release.
# Openswan-2.4.6 (and the openswan-2.4.6.kernel-2.4-klips patch)
#
#######################################################################
Get the kernel source:
#######################################################################
fw-01:/# apt-get install kernel-source-2.4.27
#######################################################################
unpack the kernel in the /usr/src/ directory:
#######################################################################
fw-01:/# cd /usr/src/
fw-01:/# tar jxvf kernel-source-2.4.27.tar.bz2
#######################################################################
I make a symbolic link in the /usr/src/ directory
#######################################################################
fw-01:/# ln -s kernel-source-2.4.27 linux
This will result in the folder /usr/src/linux/
#######################################################################
download/unpack/copy the openswan patch
#######################################################################
fw-01:/# cd /home/
fw-01:/# wget
http://www.openswan.org/download/openswan-2.4.6.kernel-2.4-klips.patch.gz
fw-01:/# gunzip openswan-2.4.6.kernel-2.4-klips.patch.gz
fw-01:/# cp openswan-2.4.6.kernel-2.4-klips.patch /usr/src/linux
fw-01:/# cd /usr/src/linux
fw-01:/# patch -p1 < openswan-2.4.6.kernel-2.4-klips.patch
The patch arrives over plain HTTP, so verify it against the checksum or
signature the openswan project publishes before applying it. patch must
report every hunk as applied; if it leaves any *.rej files behind, stop and
sort those out before configuring the kernel.
#######################################################################
Configure the kernel:
#######################################################################
I will use make menuconfig; it needs libncurses5-dev, so install that first:
fw-01:/# apt-get install libncurses5-dev
fw-01:/# make menuconfig
What you include in your kernel depends on your needs. The most important
things to get right are your NICs and the network capabilities under
Networking options. I will only go into detail on the things you obviously
need; look at your own system and decide whether you have any special
requirements (depending on your hardware).
My box has six ethernet ports, 2 x e1000 and 4 x e100, so I enable support
for them first:
Network device support -->
Ethernet (10 or 100 Mbit) -->
<*> EtherExpressPro/100 support (e100, Alternate Intel driver)
Ethernet (1000 Mbit) -->
<*> Intel(R) PRO/1000 Gigabit Ethernet support
Networking options -->
NB! This is VERY important: the following option must be disabled:
< > PF_KEY sockets
This is the NETKEY key-management socket (CONFIG_NET_KEY). KLIPS brings its
own PF_KEY socket implementation, and two PF_KEY socket families cannot
coexist in one kernel, so NETKEY's has to go to make room for KLIPS :)
Here is the rest of my Networking options. This is a test box, so I haven't
been too picky about what I selected (but pay attention to the NB!!!
sections :).
If you plan to use an iptables front-end like Shorewall you MUST enable IP
tables support under IP: Netfilter Configuration (<*> IP tables support
(required for filtering/masq/NAT)); enable connection tracking there as well
if you want stateful rules on ipsec0. On a firewall you will probably also
want IP: TCP syncookie support, which this test config leaves off.
The AH/ESP/IPComp transformation entries and the IPsec user configuration
interface further down are parts of the NETKEY stack too; KLIPS does not use
them, so a KLIPS-only build can leave them out (this test box has them in and
works, as long as PF_KEY sockets stays off).
I have selected quite a few options here, so again make it suit your needs.
Spend some time in the menu to get familiar with the alternatives. If you
find out later that you are missing something you can always come back,
include it and rebuild.
<*> Packet socket
[ ] Packet socket: mmapped IO
< > Netlink device emulation
[*] Network packet filtering (replaces ipchains)
[*] Network packet filtering debugging
[*] Socket Filtering
<*> Unix domain sockets
< > PF_KEY sockets NB!!! - THIS IS IMPORTANT - NB!!!
[*] TCP/IP networking
[*] IP: multicasting
[*] IP: advanced router
[*] IP: policy routing (NEW)
[*] IP: use netfilter MARK value as routing key (NEW)
[*] IP: fast network address translation (NEW)
[*] IP: equal cost multipath (NEW)
[*] IP: use TOS value as routing key (NEW)
[*] IP: verbose route monitoring (NEW)
[ ] IP: kernel level autoconfiguration
< > IP: tunneling
< > IP: GRE tunnels over IP
[ ] IP: multicast routing
[ ] IP: TCP Explicit Congestion Notification support
[ ] IP: TCP syncookie support (disabled per default)
<*> IP: AH transformation
<*> IP: ESP transformation
<*> IP: IPComp transformation
IP: Netfilter Configuration ---> NB!!! - THIS IS IMPORTANT - NB!!!
IP: Virtual Server Configuration --->
<*> IP: IPsec user configuration interface
<*> 802.1Q VLAN Support
---
< > The IPX protocol
< > Appletalk protocol support
Appletalk devices --->
< > DECnet Support
< > 802.1d Ethernet Bridging
QoS and/or fair queueing --->
Network testing --->
<*> IP Security Protocol (Openswan IPSEC)
--- IPsec options (Openswan)
[*] IPsec: IP-in-IP encapsulation (tunnel mode)
[*] IPsec: Authentication Header
[*] IPsec: Encapsulating Security Payload
--- IPsec algorithms to include
[*] 3DES encryption algorithm
[*] AES encryption algorithm
fw-01:/# make dep
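Once menuconfig has saved .config it is worth checking mechanically that the NETKEY socket really is off and the KLIPS options are on, since a stray PF_KEY sockets entry only shows up later as a broken build or a missing ipsec0. The script below is an added example written for this HOWTO, not part of the original text and not openswan code. The config symbol names are my assumptions (CONFIG_NET_KEY for "PF_KEY sockets", CONFIG_KLIPS and CONFIG_KLIPS_* for the Openswan entries, CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES for the netfilter entries); confirm them against the help text in your menuconfig before relying on the result.

```sh
#!/bin/sh
# Added example for this HOWTO (not from the original, not openswan code):
# check a freshly saved 2.4 .config for the KLIPS-vs-NETKEY choices that
# matter before running make dep.
#
# Symbol names are assumptions; verify them against the menuconfig help text:
#   CONFIG_NET_KEY        "PF_KEY sockets"  (NETKEY key management, must be OFF)
#   CONFIG_KLIPS          "IP Security Protocol (Openswan IPSEC)"
#   CONFIG_KLIPS_IPIP/ESP "IP-in-IP encapsulation" / "Encapsulating Security Payload"
#   CONFIG_NETFILTER      "Network packet filtering"
#   CONFIG_IP_NF_IPTABLES "IP tables support"
#
# Usage: sh check-klips-config.sh /usr/src/linux/.config
#        sh check-klips-config.sh            (runs against two built-in samples)

# is_set CFGTEXT SYMBOL: true if SYMBOL=y or SYMBOL=m appears in the config text
is_set() {
    printf '%s\n' "$1" | grep -Eq "^$2=(y|m)\$"
}

# check_klips_config CFGTEXT: prints one FAIL line per problem, returns 0 if clean
check_klips_config() {
    cfg=$1
    rc=0
    # NETKEY's PF_KEY socket family collides with the one KLIPS registers itself
    if is_set "$cfg" CONFIG_NET_KEY; then
        echo "FAIL: CONFIG_NET_KEY (PF_KEY sockets) is enabled; KLIPS provides its own PF_KEY socket"
        rc=1
    fi
    for sym in CONFIG_KLIPS CONFIG_KLIPS_IPIP CONFIG_KLIPS_ESP \
               CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES; do
        if ! is_set "$cfg" "$sym"; then
            echo "FAIL: $sym is not enabled"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real .config files), used when no path is given.
SAMPLE_BAD='CONFIG_NET_KEY=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_KLIPS=y'

SAMPLE_GOOD='# CONFIG_NET_KEY is not set
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_KLIPS=y
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_ESP=y'

demo() {
    echo "== sample with PF_KEY sockets left on =="
    check_klips_config "$SAMPLE_BAD" || echo "(rejected, as expected)"
    echo "== sample with NETKEY off and KLIPS on =="
    check_klips_config "$SAMPLE_GOOD" && echo "OK"
}

if [ $# -gt 0 ]; then
    check_klips_config "$(cat "$1")"
else
    demo
fi
```

A non-zero exit means do not run make dep yet; go back into menuconfig and fix the listed entries. A module build (=m) counts as enabled, so a KLIPS built as a module passes too.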
#######################################################################
You will also need to install the kernel-package:
#######################################################################
fw-01:/# apt-get install kernel-package
#######################################################################
I will not go into detail on this:
#######################################################################
fw-01:/# make-kpkg --initrd --revision aspITKGv01 kernel_image
fw-01:/# dpkg -i kernel-image-2.4.27_aspITKGv01_i386.deb
fw-01:/# reboot
(NB!!! remember to select your new kernel in the boot menu :); it will not
be the default unless you edit /boot/grub/menu.lst.)
#######################################################################
I had some interface issues after the first boot, so I set eth0 up manually
and restarted networking. If you have network connectivity just ignore this.
#######################################################################
fw-01:/# cd /etc/network/
fw-01:/# pico interfaces
#######################################################################
Edit the file (to suit your environment):
#######################################################################
auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
#######################################################################
Restart networking:
#######################################################################
fw-01:/# /etc/init.d/networking restart
#######################################################################
Download and install openswan:
#######################################################################
fw-01:/# cd /home/
(yeah, I know I like the /home/ folder, but there's no place like 127.0.0.1 :)
fw-01:/# wget http://www.openswan.org/download/openswan-2.4.6.tar.gz
fw-01:/# gunzip openswan-2.4.6.tar.gz
fw-01:/# tar -xvf openswan-2.4.6.tar
fw-01:/# cd openswan-2.4.6
(you can "cat" or "pico" the INSTALL file for details)
#######################################################################
Needed during install:
#######################################################################
fw-01:/# apt-get install man2html
fw-01:/# apt-get install libgmp3-dev
#######################################################################
Building userland:
#######################################################################
fw-01:/# make programs install
#######################################################################
Building KLIPS kernel module on 2.4
#######################################################################
fw-01:/# make KERNELSRC=/usr/src/linux module minstall
#######################################################################
restart or start ipsec:
#######################################################################
fw-01:/# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.6...
ipsec_setup: WARNING: changing route filtering on eth0 (changing
/proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)
#######################################################################
Check for the ipsec0 interface:
#######################################################################
fw-01:/# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:81:42:39:B0
inet addr:xxxxx Bcast:xxxxxx Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9179 errors:0 dropped:0 overruns:0 frame:0
TX packets:7593 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10250068 (9.7 MiB) TX bytes:1040114 (1015.7 KiB)
Base address:0xb000 Memory:e9020000-e9040000
ipsec0 Link encap:Ethernet HWaddr 00:E0:81:42:39:B0
inet addr:xxxxxxx Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
Congratulations! You now have an ipsec0 adapter to use with your favorite
firewall.
NB! Remember to keep selecting the new kernel during boot, or edit
/boot/grub/menu.lst to make it the default.
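With KLIPS, decrypted tunnel traffic shows up on ipsec0 while the encrypted ESP and the IKE negotiation stay on the physical interface, so the firewall can tell the two apart by interface, which is the whole reason for this exercise. Note also the ipsec_setup warning above: KLIPS switches rp_filter off on eth0, so the kernel's reverse-path anti-spoofing is gone on that interface and the rule set has to do that job. The script below is an added example written for this HOWTO, not part of the original text and not openswan or Shorewall code. eth1 as the LAN side, the peer address 203.0.113.7 and the remote network 10.20.0.0/16 are assumptions for the demonstration (our LAN 192.168.1.0/24 is taken from the interfaces file above), and the stateful rules need connection tracking compiled into netfilter. Run without an argument it only prints the rules; with `apply` it executes them.

```sh
#!/bin/sh
# Added example for this HOWTO (not from the original, not openswan code):
# iptables rules for a KLIPS box. Cleartext tunnel traffic is only ever seen
# on ipsec0; ESP and IKE are only ever seen on the physical interface. The
# rules use that split so nothing reaches the LAN in the clear by merely
# claiming a remote-side source address on eth0.
#
# Assumed layout (change to suit): eth0 = internet side carrying ESP/IKE,
# eth1 = LAN side, 192.168.1.0/24 = our LAN (from the HOWTO's interfaces file),
# 203.0.113.7 = remote VPN gateway (assumed), 10.20.0.0/16 = network behind it (assumed).
# Needs iptables with connection tracking (CONFIG_IP_NF_CONNTRACK) on 2.4.
#
# Usage: sh klips-fw.sh          # print the rules
#        sh klips-fw.sh apply    # execute them (root, KLIPS loaded, ipsec0 up)

EXT=eth0
LANIF=eth1
IPSEC=ipsec0
LAN=192.168.1.0/24
PEER=203.0.113.7
REMOTE=10.20.0.0/16

# klips_rules: print one iptables command per line, in the order they must be loaded
klips_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# rp_filter is off on $EXT once KLIPS starts, so reject obviously spoofed sources by hand
iptables -A INPUT -i $EXT -s $LAN -j DROP
iptables -A INPUT -i $EXT -s $REMOTE -j DROP
iptables -A FORWARD -i $EXT -s $REMOTE -j DROP
# tunnel control and payload from the peer, only on $EXT: IKE (UDP/500) and ESP (protocol 50)
iptables -A INPUT -i $EXT -s $PEER -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $EXT -s $PEER -p esp -j ACCEPT
# decrypted packets enter on $IPSEC; let only the remote LAN reach our LAN
iptables -A FORWARD -i $IPSEC -o $LANIF -s $REMOTE -d $LAN -j ACCEPT
# our LAN's packets for the remote side are routed into $IPSEC for encryption
iptables -A FORWARD -i $LANIF -o $IPSEC -s $LAN -d $REMOTE -j ACCEPT
EOF
}

# accepts_cleartext_on_ext: true if any ACCEPT rule would admit remote-LAN
# traffic in the clear on the physical interface, which would be a policy bug
accepts_cleartext_on_ext() {
    klips_rules | grep -v '^#' | grep -- "-i $EXT" | grep -- "-s $REMOTE" | grep -q ACCEPT
}

case "${1:-}" in
    apply) klips_rules | grep -v '^#' | sh -e ;;
    *)     klips_rules ;;
esac
```

The drop rules for $LAN and $REMOTE sources on eth0 sit before every ACCEPT so that a packet claiming a tunnel-side address can never be admitted in the clear, and the only way for 10.20.0.0/16 to reach 192.168.1.0/24 is through ipsec0, i.e. after KLIPS has decrypted and authenticated it.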
I hope someone finds this howto useful.
Regards,
Kenneth Grande.