To make Openswan work with the Linux kernel's own IPsec stack, the kernel must be built with the NETKEY feature enabled, together with a number of other options that Openswan requires.
Kernel options that must be enabled:
| Option Name | Description |
|---|---|
| CONFIG_UNIX | Unix domain sockets. Openswan userland (Pluto) uses these. |
| CONFIG_PROC_FS | The /proc filesystem (needed by both KLIPS and NETKEY). |
| CONFIG_CRYPTO | CryptoAPI, pluggable crypto modules. Necessary for NETKEY; optional for KLIPS. |
| CONFIG_CRYPTO_* | Various crypto modules. HMAC, MD5, 3DES, AES, SHA1 are necessary for NETKEY; optional for KLIPS. Most of the other crypto modules should be treated with severe skepticism and probably not used at all. |
Kernel options that are strongly recommended:
| Option Name | Description |
|---|---|
| CONFIG_IP_ADVANCED_ROUTER | This gives far better routing control and is needed for some script features, such as _updown. |
| CONFIG_PACKET | Necessary for tcpdump, a debugging tool, as well as KLIPS and NETKEY. |
| CONFIG_NETFILTER | TCP/IP packet filter. You need this to make a firewall, or to support NAT. |
| CONFIG_IPSEC_NAT_TRAVERSAL (this option only appears after the kernel has been patched with the NAT-T patch) | This adds support for NAT traversal by encapsulating ESP packets in UDP packets. This is needed if you wish to connect from behind a NATed network to your Openswan server. Older versions of this code call this option CONFIG_ESPINUDP. These versions are broken and should not be used. |
Options for the NETKEY stack:
| Option Name | Description |
|---|---|
| CONFIG_NET_KEY | PF_KEYv2 (IPsec) sockets. |
| CONFIG_XFRM_USER | IPsec user configuration interface (Openswan userland uses this). |
| CONFIG_INET_AH | Authentication Header (AH) for IPv4. You probably don't need this. |
| CONFIG_INET_ESP | Encapsulating Security Payload (ESP) for IPv4. |
| CONFIG_INET_IPCOMP | Payload compression support. |
| CONFIG_INET_TUNNEL | Generic IP tunnel transformation, needed by ipcomp. |
| CONFIG_INET6_AH | Authentication Header (AH) for IPv6. You probably don't need this. |
| CONFIG_INET6_ESP | Encapsulating Security Payload (ESP) for IPv6. |
| CONFIG_INET6_IPCOMP | Compression mode for IPv6. |
If Microsoft's L2TP will be used, the following options also need to be enabled:
| Option Name | Description |
|---|---|
| CONFIG_UNIX98_PTYS | Unix PTYs. |
| CONFIG_PPP | PPP support. |
| CONFIG_PPP_SYNC_TTY | Synchronous PPP support. |
| CONFIG_PPP_DEFLATE | Deflate support. |
| CONFIG_PPP_BSDCOMP | BSD (de)compression support for IP headers. |
| CONFIG_LEGACY_PTYS (Linux 2.6) | Legacy PTYs (only needed when using certain older L2TP daemons). Note: This is disabled in the stock kernels for Fedora Core 2 and up. |
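Before building the kernel it is worth checking the .config against the lists above rather than discovering a missing option when `ipsec verify` fails later. The script below is an added example (not from the original post or the Openswan project): it reads a kernel .config and reports which required and recommended options are neither built in (y) nor modules (m). The concrete CONFIG_CRYPTO_* names (HMAC, MD5, DES for 3DES, AES, SHA1) are assumed from mainline Kconfig, and the sample .config is constructed so the script runs offline.

```shell
#!/bin/sh
# Check a kernel .config for the options Openswan needs with the NETKEY stack.
# On a real system point it at /boot/config-$(uname -r) or the output of zcat /proc/config.gz.

# Must-have options (CONFIG_CRYPTO_* names assumed from mainline Kconfig).
REQUIRED="CONFIG_UNIX CONFIG_PROC_FS CONFIG_CRYPTO CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MD5 \
CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA1 CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_INET_ESP"
# Strongly recommended options.
RECOMMENDED="CONFIG_IP_ADVANCED_ROUTER CONFIG_PACKET CONFIG_NETFILTER CONFIG_INET_IPCOMP CONFIG_INET_TUNNEL"

# option_state FILE OPTION: prints y (built in), m (module) or n (unset or absent).
# The "=" after the name keeps CONFIG_UNIX from matching CONFIG_UNIX98_PTYS.
option_state() {
    _state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    if [ -n "$_state" ]; then echo "$_state"; else echo n; fi
}

# missing_options FILE "OPT1 OPT2 ...": prints the options that are neither y nor m.
missing_options() {
    _missing=""
    for _opt in $2; do
        if [ "$(option_state "$1" "$_opt")" = n ]; then
            _missing="$_missing $_opt"
        fi
    done
    echo "${_missing# }"
}

# Constructed sample .config (not taken from a real kernel) so the script runs offline.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_UNIX=y
CONFIG_PROC_FS=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_SHA1=y
CONFIG_NET_KEY=y
CONFIG_XFRM_USER=y
# CONFIG_INET_ESP is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_PACKET=y
# CONFIG_NETFILTER is not set
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
EOF
echo "required but missing: $(missing_options "$SAMPLE_CONFIG" "$REQUIRED")"
echo "recommended but missing: $(missing_options "$SAMPLE_CONFIG" "$RECOMMENDED")"
```

With the sample config the script reports CONFIG_INET_ESP as the missing required option and CONFIG_NETFILTER as the missing recommended one.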
Now build Openswan.
Openswan does not use a GNU-style configure script to set build and install options; most of the user-configurable options live in Makefile.inc in the top-level directory. Edit Makefile.inc to suit your needs, keeping a backup of the original file so it can be restored.
Then run make programs to build, and make install to install.
Finally, verify ipsec:
-bash-3.00# ipsec --version
Linux Openswan U2.6.33/K2.6.26.5 (netkey)
See `ipsec --copyright' for copyright information.
This command shows the versions of the Openswan userland (U) and the kernel (K), and which Linux IPsec stack ipsec is working with (here netkey).
For a more thorough check, run ipsec verify, which reports in more detail:
-bash-3.00# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.33/K2.6.26.5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
Checking that pluto is running [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]