Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 3

Openswan Options

For almost everyone, the default options and features for Openswan should be fine. At present, all the binary and source RPM packages assume the build only needs to supply RPMs that use the standard options and features. This might not always be the case. Some of the options cannot be set from the spec file at this point, so to change options, you need to either write a patch against Makefile or Makefile.inc, or manually build and install Openswan outside the packaging system. Always check the spec file to see if options can be changed from there.

You can further change these compile-time options by changing the MODULE_DEF_INCLUDE variable to point to a file that differs from the supplied packaging/linus/config-all.h file.

Building the Openswan Userland from Source

Use of a package manager is not essential: Openswan can of course also be built without one. Though this method offers you greater control, there is less protection from unwise decisions. When building from source fails, it will be more difficult to figure out what went wrong and why.

This section covers the process of building Openswan from source for those who do choose this option, explaining some of the advanced options not previously discussed.

Downloading the Source Code

First, we download and verify the source:

# wget http://www.openswan.org/code/openswan-2.4.1.tar.gz
# wget http://www.openswan.org/code/openswan-2.4.1.tar.gz.asc
# gpg --verify openswan-2.4.1.tar.gz.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Fri 13 Aug 2004 12:34:30 AM CEST using RSA key ID B7E82DF8
gpg: Good signature from "Openswan Master Signing Key <build@openswan.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D450 193B D905 43FE D929 C9C5 0D58 2984 B7E8 2DF8

You should of course check the Openswan website to confirm the currently recommended version. Normally there are full releases, test releases meant only for developers ('dr'), and release candidates ('rc'), which can be tried by both developers and users.
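The gpg output above is easy to misread: "Good signature" only means the signature matches some key that happens to be in the keyring, and the "not certified" warning means gpg cannot vouch for that key being the real Openswan key. The check that actually matters is that the primary key fingerprint equals the one you confirmed out of band (the book prints D450 193B D905 43FE D929 C9C5 0D58 2984 B7E8 2DF8). The following script is an added example, not code from the book or from the Openswan project; it parses gpg's machine-readable status lines (--status-fd) rather than the human-readable text, and the sample status output embedded in it is constructed for the example (the fingerprint is the one the book prints, the other values are made up).

```sh
#!/bin/sh
# Added example (not from the book): make the gpg check fail closed by
# requiring the expected primary key fingerprint, not just "Good signature".

# fingerprint_ok STATUS_TEXT EXPECTED_FPR
# Succeeds only if a VALIDSIG status line names the expected fingerprint,
# either as the signing key (field 3) or as the primary key (last field).
# Spaces and letter case in EXPECTED_FPR are ignored so the fingerprint can
# be pasted as gpg prints it.
fingerprint_ok() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# verify_tarball TARBALL SIGFILE EXPECTED_FPR
# Runs gpg with status lines on stdout (human-readable output stays on
# stderr for the operator) and applies fingerprint_ok to the result.
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$2" "$1") || return 1
    fingerprint_ok "$status" "$3"
}

# Constructed sample of what gpg --status-fd 1 emits for a good signature
# from a key that is present but uncertified. Only the fingerprint is taken
# from the book; the timestamps and other fields are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0D582984B7E82DF8 Openswan Master Signing Key <build@openswan.org>
[GNUPG:] VALIDSIG D450193BD90543FED929C9C50D582984B7E82DF8 2004-08-13 1092350070 0 4 0 1 2 00 D450193BD90543FED929C9C50D582984B7E82DF8
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if fingerprint_ok "$SAMPLE_STATUS" "D450 193B D905 43FE D929 C9C5 0D58 2984 B7E8 2DF8"; then
    echo "sample: primary key fingerprint matches"
fi

# Real use, once the tarball and .asc are downloaded:
#   verify_tarball openswan-2.4.1.tar.gz openswan-2.4.1.tar.gz.asc \
#       "D450 193B D905 43FE D929 C9C5 0D58 2984 B7E8 2DF8" || exit 1
```

A TRUST_UNDEFINED line (the status-line form of the "not certified" warning) is expected here and is deliberately not treated as a failure: pinning the fingerprint replaces the web-of-trust check rather than depending on it. A BADSIG, NO_PUBKEY or a VALIDSIG for any other key makes the function fail.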

Configuring the Userland Tools

If you build Openswan from source, the default installation directory will be inside /usr/local. This is to distinguish a custom compile from the distribution software, which is typically installed in /usr. It is therefore important to remove any possible *swan package that is installed as part of the distribution. If you do not, older versions might get (partially) used because they appear in the $PATH before /usr/local/sbin. If using the default locations, the ipsec command is installed in /usr/local/sbin, and the sub-commands are installed in /usr/local/libexec/ipsec/*. Some helper applications are installed in /usr/local/lib/ipsec/. Finally, depending on the distribution, the daemon start-stop script (also called ipsec) is installed in /etc/init.d/.

Openswan does not use a GNU-style configure script. Instead, everything is controlled directly by the top level Makefile. Most of the user-configurable options are located in the file Makefile.inc: Makefile itself should not be changed, only Makefile.inc. Unfortunately, Makefile.inc does not just contain those options you can set, but lots of others too. In general, however, the options that are meant to be configurable use the following syntax:

VARIABLE?=value

This is make syntax. The ?= means that if the environment $VARIABLE has not been set, then create one with the specified value, otherwise leave the existing value untouched. This makes it easy to configure the build process without even editing Makefile.inc, as you only need to specify the right shell variables before you run make.
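To see the ?= rule in action without touching the real Makefile.inc, the following added example (not code from the book or from Openswan) writes a throwaway Makefile that sets INC_USRLOCAL, one of the options listed later in this chapter, with ?= and then runs make with and without that variable in the environment. The target name show and the values are ours.

```sh
#!/bin/sh
# Added example (not from the book): what "VARIABLE?=value" does in make.
# make imports its environment as make variables, so a value exported before
# make runs wins over a "?=" default in the Makefile.

# resolve_prefix [VAR=value ...]
# Runs make on a throwaway Makefile (a stand-in for Makefile.inc) with the
# given VAR=value pairs in make's environment, and prints the INC_USRLOCAL
# value make ends up using.
resolve_prefix() {
    mk=$(mktemp) || return 1
    # A recipe line must begin with a tab, hence the \t.
    printf 'INC_USRLOCAL?=/usr/local\n\nshow:\n\t@echo "$(INC_USRLOCAL)"\n' > "$mk"
    env "$@" make -s -f "$mk" show
    rc=$?
    rm -f "$mk"
    return $rc
}

if command -v make >/dev/null 2>&1; then
    echo "default:      $(resolve_prefix)"                    # /usr/local
    echo "environment:  $(resolve_prefix INC_USRLOCAL=/usr)"  # /usr
fi
```

The same mechanism is why a stray INC_USRLOCAL, KERNELSRC or similar variable left in the shell environment silently changes an Openswan build: check the environment (env | grep '^USE_\|^INC_\|^KERNELSRC') before building if the result is not what Makefile.inc suggests. Variables given on the make command line (make INC_USRLOCAL=/usr) override even plain = assignments in the Makefile, so they win as well.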

If you are building Openswan on the machine that needs to run it, and it is a full-blown Linux distribution, then you very likely do not need to set or change any of these options anyway.

Optional Features

The following options are supported in Makefile.inc or as shell environment variables:

USE_LWRES (true or false)
    Use the ISC BIND version 9 resolv library. This is necessary for various DNSSEC functions, but is not yet available for all Linux distributions. Enable this if your distribution has a version 9 BIND package.

USE_IPROUTE2 (true or false)
    Use the iproute2 package (and the kernel's advanced routing features). This should only be false for Linux 2.0 and early 2.2 kernels.

IPSEC_FIREWALLTYPE (iptables, ipchains, or ipfwadm)
    This should be set to the type of firewall commands that are to be used. On modern distributions this is iptables. On older kernels or distributions, this can be ipchains or ipfwadm.

USE_IKEPING (true or false)
    This option compiles a small test program called ikeping. This should only be disabled for small embedded devices.

USE_KEYRR (true or false)
    This option adds support for the DNS KEY record. See Chapter 6.

USE_KERNEL26 (true or false)
    Enables support for the 2.6 kernel. This should only be disabled on small embedded systems running a 2.4 (or older) kernel.

USE_VENDORID (true or false)
    This enables sending a vendor ID identifying the software as "Openswan". This is disabled by default for security reasons.

USE_XAUTH (true or false)
    Builds the userland with XAUTH support. See Chapter 9.

USE_XAUTHPAM (true or false)
    Add PAM support to XAUTH. With this you can use your system's user and password information for XAUTH.

USE_NAT_TRAVERSAL (true or false)
    Support NAT traversal. Strongly recommended in today's imperfect world.

USE_NAT_TRAVERSAL_TRANSPORT_MODE (true or false)
    Support NAT-T in Transport mode. This is a security problem and should be disabled. However, it is necessary if you wish to be compatible with Microsoft clients using L2TP over IPsec. See Chapter 8.

USE_LDAP (true or false)
    Support fetching Certificate Revocation Lists over LDAP. See Chapter 5.

USE_LIBCURL (true or false)
    Use libcurl instead of native code for fetching over LDAP.

USE_SMARTCARD (true or false)
    Add smartcard support. This requires openct and opensc.

USE_OE (true or false)
    Enable Opportunistic Encryption per default. See Chapter 6.

HAVE_THREADS (true or false)
    Include support for POSIX threads. This is necessary for XAUTHPAM and LDAP. It is recommended to disable this if you don't include support for PAM or LDAP.
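Several of these options depend on each other or carry a security note (threads are required for XAUTHPAM and LDAP, NAT-T transport mode and the vendor ID are flagged as security concerns). Since the options are usually set as environment variables before running make, a quick pre-build check of the environment catches a combination that the table rules out. The script below is an added example, not code from the book or from Openswan; it encodes only the constraints stated in the table above and treats an unset option as "not specified" rather than guessing Makefile.inc's default.

```sh
#!/bin/sh
# Added example (not from the book): check Openswan build options found in
# the environment against the constraints stated in the feature table.
# Prints one line per finding; returns 1 if a hard conflict was found.

check_build_options() {
    errors=0
    warnings=0

    # Hard conflict: the table says XAUTHPAM and LDAP need POSIX threads.
    if [ "${HAVE_THREADS:-}" = "false" ]; then
        for opt in USE_XAUTHPAM USE_LDAP; do
            eval "val=\${$opt:-}"
            if [ "$val" = "true" ]; then
                echo "error: $opt=true requires HAVE_THREADS=true"
                errors=$((errors + 1))
            fi
        done
    fi

    # Advisory: the table recommends disabling threads when neither PAM nor
    # LDAP support is built in.
    if [ "${HAVE_THREADS:-}" = "true" ] &&
       [ "${USE_XAUTHPAM:-}" != "true" ] && [ "${USE_LDAP:-}" != "true" ]; then
        echo "warning: HAVE_THREADS=true but neither USE_XAUTHPAM nor USE_LDAP is enabled"
        warnings=$((warnings + 1))
    fi

    # Security: NAT-T in transport mode is only needed for L2TP/IPsec
    # interoperability with Microsoft clients; otherwise keep it disabled.
    if [ "${USE_NAT_TRAVERSAL_TRANSPORT_MODE:-}" = "true" ]; then
        echo "warning: USE_NAT_TRAVERSAL_TRANSPORT_MODE=true (only needed for Microsoft L2TP/IPsec clients)"
        warnings=$((warnings + 1))
    fi

    # Security: the vendor ID announces the implementation to every peer and
    # is off by default for that reason.
    if [ "${USE_VENDORID:-}" = "true" ]; then
        echo "warning: USE_VENDORID=true advertises the software to peers"
        warnings=$((warnings + 1))
    fi

    echo "$errors error(s), $warnings warning(s)"
    [ "$errors" -eq 0 ]
}

# Checks whatever USE_*/HAVE_* variables are currently exported; run it
# just before "make programs" so the same environment is inspected.
check_build_options
```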

Compile Flags

The following are compile options:

KERNELSRC (for example: /usr/src/linux)
    The location of the Linux kernel source you wish to use. If not set, it will first try /usr/src/linux-2.6, then /usr/src/linux-2.4, then /usr/src/linux.

RH_KERNELSRC (for example: /usr/src/linux-2.6.8-1.520)
    The location of the Red Hat modified Linux kernel source tree. This option is only used for the make rpm target. See packaging/redhat/openswan.spec.

RH_KERNELSRC_POOL (for example: /vol/bigstorage/)
    The location of the Red Hat kernel source pool. This is used for automating the compilation of a large number of binary RPM packages for our official binary Red Hat releases. See packaging/redhat/openswan.spec for details.

USERCOMPILE (for example: -O3 or -g)
    The compiler flags for building the Openswan userland.

KLIPSCOMPILE (for example: -O3 or -g)
    The compiler flags for building the KLIPS kernel module.

Do not put -L, -I, or other cross-compile options in these compile flag variables. The above options are only meant for generic options such as -O3 for optimizing, or -g, which adds debug information into the binary object code.

File Path Options

The following options affect the paths used within the scripts and binaries:

DESTDIR (for example: /vol/bigspace/arm-port)
    This is the exact location where the files will be installed. If unset, it is ignored.

INC_USRLOCAL (for example: /usr/local or /usr)
    This is the exact location where the files consider themselves installed for the running system. Various scripts will have this path hard coded in them.

PUBDIR
    The location of the ipsec command. This should be within the $PATH of the root user. Note that some systems, such as Red Hat and Fedora, call the startup script ipsec as well. These are entirely different commands though!

FINALCONFFILE
    The location of ipsec.conf. Normally this is /etc/ipsec.conf, but Gentoo for instance uses /etc/ipsec/ipsec.conf.

INC_RCDIRS
    This contains a list of directories in decreasing preference for the daemon start-stop script. The first directory found on the system in this list is used. This option is mainly to recognize new distributions automatically. It is unlikely you'll need to change this.

There are a few more settings that fine-tune the paths where files are installed. See the comments in Makefile.inc for details. Usually, if compiling Openswan for the host system itself, these do not need to be changed.

Obscure Pluto Options

There are three more options hidden in Pluto's Makefile at programs/pluto/Makefile. It is very unlikely that you need to change these. These options haven't made it into Makefile.inc yet, but will probably move there in the future.
