Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 25. Linux FreeS/WAN VPN
Now, we must return to the /usr/src/linux directory and execute the following commands to reconfigure the kernel with FreeS/WAN support enabled:
[root@deep ]/freeswan-1.3# cd /usr/src/linux
[root@deep ]/linux# make config
The difference from the make config command we used before is that a new section related to FreeS/WAN has now been included in the kernel configuration, so we must reconfigure the kernel to make the IPSec options part of it.
The first thing you need to do is ensure that your kernel has been built with FreeS/WAN support enabled. In the 2.2.14 kernel version, a new section related to FreeS/WAN VPN support, named IPSec options (FreeS/WAN), should appear in your kernel configuration after you have patched the kernel with the FreeS/WAN program as described above. You need to ensure that you have answered Y to the following questions under the new section, IPSec options (FreeS/WAN):
IPSec options (FreeS/WAN)
IP Security Protocol (FreeS/WAN IPSEC) (CONFIG_IPSEC) [Y/n/?]
IPSEC: IP-in-IP encapsulation (CONFIG_IPSEC_IPIP) [Y/n/?]
IPSEC: PF_KEYv2 kernel/user interface (CONFIG_IPSEC_PFKEYv2) [Y/n/?]
IPSEC: Enable ICMP PMTU messages (CONFIG_IPSEC_ICMP) [Y/n/?]
IPSEC: Authentication Header (CONFIG_IPSEC_AH) [Y/n/?]
HMAC-MD5 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_MD5) [Y/n/?]
HMAC-SHA1 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_SHA1) [Y/n/?]
IPSEC: Encapsulating Security Payload (CONFIG_IPSEC_ESP) [Y/n/?]
3DES encryption algorithm (CONFIG_IPSEC_ENC_3DES) [Y/n/?]
IPSEC Debugging Option (DEBUG_IPSEC) [Y/n/?]
All the customizations you made to your kernel the first time you ran the make config, make dep, and make clean commands will be preserved, so you don't need to reconfigure every part of your kernel; only the new section added by FreeS/WAN, named IPSec options (FreeS/WAN), needs to be configured, as shown above.
Some networking options will be turned on automatically, even if you previously turned them off, because IPSEC needs them. Whichever configuration program you are using, you should pay careful attention to a few issues. In particular, do not disable any of the following under the Networking Options of your kernel configuration:
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
Netlink device emulation (CONFIG_NETLINK_DEV) [Y/n/?]
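One way to confirm the answers above before building, as an added example that is not part of the book: the script below reports any option named on this page that is not set to y in the kernel's .config. The /usr/src/linux/.config path in the usage comment and the sample fragment are assumptions; the debugging option is not checked.

```shell
#!/bin/sh
# Added example, not from the book: list required options missing from a .config.
# Symbol names are the ones printed on this page; the debugging option is skipped.
REQUIRED_OPTS="CONFIG_IPSEC CONFIG_IPSEC_IPIP CONFIG_IPSEC_PFKEYv2
CONFIG_IPSEC_ICMP CONFIG_IPSEC_AH CONFIG_IPSEC_AUTH_HMAC_MD5
CONFIG_IPSEC_AUTH_HMAC_SHA1 CONFIG_IPSEC_ESP CONFIG_IPSEC_ENC_3DES
CONFIG_NETLINK CONFIG_NETLINK_DEV"

# missing_opts FILE: print every required option not set to "y" in FILE.
# Returns 0 if none are missing, 1 if any are, 2 if FILE cannot be read.
missing_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for opt in $REQUIRED_OPTS; do
        # Anchored match: CONFIG_IPSEC_AH=y must not satisfy CONFIG_IPSEC,
        # and "# CONFIG_X is not set" must not count as enabled.
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real build): two options were answered "n".
sample_config() {
    cat <<'EOF'
CONFIG_NETLINK=y
# CONFIG_NETLINK_DEV is not set
CONFIG_IPSEC=y
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_PFKEYv2=y
CONFIG_IPSEC_ICMP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
# CONFIG_IPSEC_AUTH_HMAC_SHA1 is not set
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
EOF
}

# Usage: sh check.sh /usr/src/linux/.config   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    missing_opts "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp"
    missing_opts "$tmp" || echo "fix the options listed above with make config"
    rm -f "$tmp"
fi
```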
Now that support for FreeS/WAN VPN has been included in the kernel, you need to compile and install the new kernel. Return to the /usr/src/linux directory and run the following commands again:
[root@deep ]/linux# make dep; make clean; make bzImage
After the commands above have run, follow the rest of the instructions in the Linux Kernel section of this book, Configuring and Building a secure, optimized Kernel, as normal to install the kernel. At this point, after you have copied and installed your new kernel image, System.map, or modules, if necessary, and set the lilo.conf file to load the new kernel, you must edit and customize the FreeS/WAN configuration files, ipsec.conf and ipsec.secrets, before rebooting your system.
Please don't forget to clean up later:
[root@deep] /# cd /usr/src
[root@deep ]/src# rm -rf freeswan-version/ freeswan-version.tar.gz