April 30, 2004

Freeswan on Debian    [ Software ]

I've been wrestling with a Debian box with FreeS/WAN patches applied as part of upgrading some end-of-life RedHat 8 systems.   IPSEC services start fine, somewhere between one third and one half of the tunnels come up, but it doesn't consistently work... then I found this page, which talks about getting FreeS/WAN to work with an older version of Debian, and most importantly, mentions that you have to turn OFF spoof protection in /etc/network/options.   Voilà!   It works, and I can stop worrying about having to restore the RedHat image over top of a perfectly good Debian install.

Some general notes on getting Debian -testing (sarge at the time; sid is unstable, and the sources.list below points at testing) + FreeS/WAN (yes, I know that's end-of-lifed as well) working on an HPaq DL380 G3:

* Install from a Debian 3.0r1 (woody) ISO image, use 'bf24' at the cdrom's initial prompt to boot using the 2.4.18 kernel instead of the old 2.2-series kernel
* Grumble and complain when I realize that the Tigon3 (tg3) driver isn't included with that kernel, go and hunt down a decent Intel EEPRO 100 card and drop it into the DL380
* Reconfig the network after installation by running /usr/sbin/base-config, manually edit /etc/network/interfaces
* Upgrade from -stable to -testing: take out duplicate entries for non-us.debian.org from /etc/apt/sources.list, 's/stable/testing/g' on /etc/apt/sources.list, then upgrade packages:

# apt-get update && apt-get dist-upgrade

* Upgrade to a shiny new 2.4-series kernel, 'apt-get install kernel-image-2.4.25-1-686', reboot
* Mess with /etc/kernel-pkg.conf, set CONCURRENCY_LEVEL=4 (equivalent of '-j4' passed to make), patch_the_kernel=YES (since I want to use Debian's kernel-patch-* packages and automatically patch the kernel sources), plus maintainer & email fields for myself
* Install kernel-related packages + freeswan userland utilities:

# apt-get install kernel-package kernel-source-2.4.25 kernel-patch-debian-2.4.25 kernel-patch-debianlogo kernel-patch-freeswan freeswan

* Extract kernel sources:

# cd /usr/src
# bunzip2 -cd kernel-source-2.4.25.tar.bz2 | tar xf -
# ln -s kernel-source-2.4.25 linux-2.4

* Copy existing 2.4.25 kernel config into source tree:

# cp /boot/config-2.4.25-1-686 /usr/src/linux-2.4/.config

* Add the 'cciss' and 'ext3' modules to /etc/mkinitrd/modules to make sure we can mount our root filesystem
* Build a custom kernel, since 'patch_the_kernel=YES' is set in /etc/kernel-pkg.conf, make-kpkg will prompt for new kernel options from patches:

# make-kpkg --revision=5:custom1.1+freeswan --initrd kernel_image

* Wait for the compilation to finish, then install the fresh new Debian package:

# dpkg -i ../kernel-image-2.4.25_custom1.1+freeswan_i386.deb

* Reboot to use the new kernel
* Copy over existing /etc/ipsec.conf, /etc/ipsec.secrets
* Set 'ipforwarding=yes' and 'spoofprotect=no' in /etc/network/options. spoofprotect=yes turns on reverse-path filtering (rp_filter) under /proc/sys/net/ipv4/conf/*/ for every interface, which is what was killing the tunnels here; spoofprotect=no clears it everywhere, so the kernel's anti-spoofing check on the outer interface goes away too. If you want that back, reject packets from your internal subnets arriving in the clear on the outer interface with iptables instead.
* '/etc/init.d/ipsec restart' and then 'ipsec eroute' to see which tunnels are up (one 'tun0x...' eroute per connected subnet pair; shunt eroutes like %trap are not tunnels)
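The last three steps are where the half-up tunnels showed themselves, so here is the post-reboot check I would script for them. This is an added example, not code from the original post or from the FreeS/WAN package: it confirms ip_forward is on and rp_filter is off on 'all', the outer interface and ipsec0, then diffs the tunnel eroutes reported by 'ipsec eroute' against a list of subnet pairs that should be up. The outer interface name (eth0), the expected-tunnels file (/etc/ipsec.d/expected-tunnels, one "src/mask dst/mask" pair per line), the SYSROOT and 'run' conventions, and the sample eroute output are all assumptions or constructed for the example.

```shell
#!/bin/sh
# freeswan-check.sh: post-reboot sanity checks for a FreeS/WAN (KLIPS) gateway.
# Added example, not part of the original post or of the FreeS/WAN package.
# Assumptions (not from the original notes): the outer interface is eth0, and the
# subnet pairs every tunnel should carry are listed in /etc/ipsec.d/expected-tunnels
# as "src/mask dst/mask" lines. SYSROOT lets the same checks run against a
# constructed copy of /proc for testing; leave it empty on the live box.
SYSROOT="${SYSROOT:-}"
OUTER_IF="${OUTER_IF:-eth0}"
EXPECTED_TUNNELS="${EXPECTED_TUNNELS:-/etc/ipsec.d/expected-tunnels}"

# read_sysctl net/ipv4/...: prints the value of a /proc/sys entry, or "missing".
read_sysctl() {
    f="$SYSROOT/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Succeeds only if IP forwarding is on (ipforwarding=yes in /etc/network/options).
check_forwarding() {
    [ "$(read_sysctl net/ipv4/ip_forward)" = "1" ]
}

# Succeeds only if reverse-path filtering is off on every interface named.
# spoofprotect=yes sets rp_filter=1 under /proc/sys/net/ipv4/conf/*/ and is what
# breaks the tunnels; spoofprotect=no clears it there, 'all' included.
check_rp_filter() {
    for i in "$@"; do
        v=$(read_sysctl "net/ipv4/conf/$i/rp_filter")
        [ "$v" = "0" ] || { echo "rp_filter on $i is $v, expected 0" >&2; return 1; }
    done
    return 0
}

# Reads 'ipsec eroute' output on stdin and prints each expected subnet pair that has
# no tunnel eroute (tun0x...). Returns 1 if any pair is missing, 2 if the expected
# list is empty or unreadable. Shunt eroutes (%trap, %hold, %pass, %drop) are not
# tunnels and are ignored; a trailing :port on a subnet (newer eroute layout) is
# stripped before matching.
missing_eroutes() {
    awk -v want_file="$1" '
        BEGIN {
            n = 0
            while ((getline line < want_file) > 0) {
                split(line, f, " ")
                if (f[1] != "" && f[2] != "") { want[f[1] " " f[2]] = 1; n++ }
            }
            if (n == 0) { print "no expected tunnels listed in " want_file > "/dev/stderr"; bad = 2; exit 2 }
        }
        $3 == "->" && $5 == "=>" && $6 ~ /^tun0x/ {
            src = $2; dst = $4
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            have[src " " dst] = 1
        }
        END {
            if (bad) exit bad
            rc = 0
            for (k in want) if (!(k in have)) { print "missing eroute: " k; rc = 1 }
            exit rc
        }
    '
}

# Constructed sample of 'ipsec eroute' output (FreeS/WAN 1.x layout) for trying the
# parser offline: two tunnels up, one %trap shunt, no eroute for a third subnet pair.
SAMPLE_EROUTE='0          10.1.1.0/24        -> 10.2.2.0/24        => tun0x1002@192.0.2.2
12         10.1.1.0/24        -> 10.3.3.0/24        => tun0x1004@192.0.2.3
0          10.1.1.0/24        -> 0.0.0.0/0          => %trap'

# Live checks: forwarding on, rp_filter off on all/outer/ipsec0, every expected tunnel routed.
run_checks() {
    rc=0
    check_forwarding || { echo "ip_forward is off: set ipforwarding=yes in /etc/network/options" >&2; rc=1; }
    check_rp_filter all "$OUTER_IF" ipsec0 || rc=1
    ipsec eroute | missing_eroutes "$EXPECTED_TUNNELS" || rc=1
    return $rc
}

# Run the live checks only when invoked as 'sh freeswan-check.sh run'; sourcing the
# file just defines the functions so they can be exercised against a constructed tree.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run 'sh freeswan-check.sh run' on the gateway after '/etc/init.d/ipsec restart'; exit status 0 means forwarding is on, rp_filter is clear, and every listed subnet pair has a tun0x eroute, while any missing pair is printed by name, which is the list you then chase in /var/log/auth.log and 'ipsec auto --status'. The rp_filter check covers 'all' as well as the two interfaces on purpose, since spoofprotect=yes writes to every entry under /proc/sys/net/ipv4/conf/.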

Posted by edobbs at April 30, 2004 04:37 PM