Chapter 3
Identifying your Kernel's Abilities
By far the easiest way to find out what your kernel supports is by looking at the kernel configuration file on the build system. Since the Linux kernel has a GPL license, that build environment should always be available, no matter what vendor made the hardware. If it runs Linux, you should have access to the Linux kernel source code.
The kernel source is not always installed on the default system. For Red Hat or Debian, you will need to install the kernel-source package. The kernel build tree is normally installed in /usr/src/. The standard configuration file is created in the top level of the Linux kernel directory, and is called .config. If that file does not exist, the easiest way to create it is using the command:
# make oldconfig
Some distributions have the .config file in the module directory:
# more /lib/modules/`uname -r`/build/.config
As of Linux 2.6, there is also a way to bundle the .config file within the kernel image itself. The configuration file of your kernel is then available in the /proc/ filesystem:
# zmore /proc/config.gz
Most distribitions store a copy of the used .config file in /boot. For embedded systems, it is unlikely that this will have been added to the kernel, due to the space constraints previously mentioned.
Using Both KLIPS and NETKEY
If you want to test both stacks before making a final decision, you will have to compile both stacks as modules. By default, Openswan uses the stack that is already loaded when it starts. If it doesn't find any stack, it will first try to load NETKEY, and if that fails it will try to load KLIPS. In the future, there will probably be a configuration option in /etc/ipsec.conf to choose your stack.
Unfortunately, modules cannot easily detect other modules. Therefore, a module cannot detect whether its competitor is already loaded in the kernel. This means that you can actually manually load both stacks in the kernel. The results of this are completely unpredictable, and your kernel will likely blow up in your face. The Openswan userland will refuse to start when it detects that both modules are loaded.
The Kernel Build Options
Listed overleaf, are the required and recommended options. Note that regular options, like CPU or network card, are not listed, but only those options that a sane kernel might not have set, but which is required or desired by Openswan.
65
Building and Installing Openswan
Required Kernel Options
The following options must be enabled for a kernel that is to run Openswan:
Option name |
Description |
|
|
CONFIG_UNIX |
Unix domain sockets. Openswan userland (Pluto) uses these. |
CONFIG_PROC_FS |
The /proc filesystem (needed by both KLIPS and NETKEY). |
CONFIG_CRYPTO |
CryptoAPI, pluggable crypto modules. Necessary for NETKEY; optional |
|
for KLIPS. |
CONFIG_CRYPTO_* |
Various crypto modules. HMAC, MD5, 3DES, AES, SHA1 are |
|
necessary for NETKEY; optional for KLIPS. Most of the other crypto |
|
modules should be treated with severe skepticism and probably not |
|
used at all. |
|
|
Desired Options
The following kernel compile options are strongly recommended:
Option name |
Description |
|
|
CONFIG_IP_ADVANCED_ROUTER |
This gives far better routing control and is needed for some script |
|
features, such as _updown. |
CONFIG_PACKETT |
Necessary for tcpdump, a debugging tool, as well as KLIPS |
|
and NETKEY |
CONFIG_NETFILTER |
TCP/IP packet filter. You need this to make a firewall, or to |
|
support NAT. |
CONFIG_IPSEC_NAT_TRAVERSAL |
This adds support for NAT traversal by encapsulating ESP packets in |
This option only appears after the |
UDP packets. This is needed if you wish to connect from behind a |
kernel has been patched with the |
NATed network to your Openswan server. |
NAT-T patch |
Older versions of this code call this option CONFIG_ESPINUDP. These |
|
versions are broken and should not be used. |
|
|
NETKEY Stack Options
The following options are part of the NETKEY stack. These must be built as modules if you wish to be able to switch between the NETKEY stack and the KLIPS stack. If not, these features can be built into the kernel itself.
Option name |
Description |
|
|
CONFIG_NET_KEY |
PF_KEYv2 (IPsec) sockets. |
|
|
66
|
|
Chapter 3 |
|
|
|
|
Option name |
Description |
|
|
|
|
CONFIG_XFRM_USER |
IPsec user configuration interface (Openswan userland uses this). |
|
CONFIG_INET_AH |
Authentication Header (AH) for IPv4. You probably don't need this. |
|
CONFIG_INET_ESP |
Encapsulating Security Payload (ESP) for IPv4. |
|
CONFIG_INET_IPCOMP |
Payload compression support. |
|
CONFIG_INET_TUNNEL |
Generic IP tunnel transformation, needed by ipcomp. |
|
CONFIG_INET6_AH |
Authentication Header (AH) for IPv6. You probably don't need this. |
|
CONFIG_INET6_ESP |
Encapsulating Security Payload (ESP) for IPv6. |
|
CONFIG_INET6_IPCOMP |
Compression mode for IPv6. |
|
|
|
KLIPS Stack Options
The following options are part of the KLIPS stack. These must be built as modules if you want to alternate between NETKEY and KLIPS, otherwise these features can be built into the kernel itself. Older versions of Openswan, and all versions of FreeS/WAN, call these options
CONFIG_IPSEC_* instead of CONFIG_KLIPS_*.
The following table lists the KLIPS options that are available:
Configuration Option |
Description |
|
|
CONFIG_KLIPS |
Enables KLIPS as either a module or as part of the kernel. |
CONFIG_KLIPS_IPIP |
This enables tunnel mode. You will always want to support this, with |
|
the exception of building a dedicated Windows L2TP VPN server. But |
|
even then it makes sense to add support for this, unless space |
|
restrictions are an issue. |
CONFIG_KLIPS_AH |
AH mode is disabled by default, since it only authenticates, but does |
|
not encrypt packets and also cannot pass through a NAT. It is very |
|
unlikely that you will need this. |
CONFIG_KLIPS_ESP |
ESP mode, aka VPN. This enables authentication plus encryption. You |
|
must enable this option. |
CONFIG_KLIPS_ENC_3DES |
3DES cipher support. |
|
(1DES can come in through CryptoAPI only.) |
CONFIG_KLIPS_ENC_AES |
AES cipher support. |
CONFIG_KLIPS_AUTH_HMAC_MD5 |
HMAC-MD5 algorithm support. |
|
|
|
67 |
Building and Installing Openswan
Configuration Option |
Description |
|
|
CONFIG_KLIPS_AUTH_HMAC_SHA1 |
HMAC-SHA1 algorithm support. |
CONFIG_KLIPS_ALG |
IPsec Modular Extensions. Support for using ciphers and algorithms |
|
from the Linux CryptoAPI. This has the advantage that you can add |
|
other less standard ciphers (such as blowfish), but it is also often used |
|
to attach to hardware accelerator device drivers. |
CONFIG_KLIPS_IPCOMP |
Compression for IPsec. There have been some reports that |
|
compression isn't always working, though this is often because of |
|
misconfigured Racoon configurations. If you experience problems, you |
|
can try turning compression off. Note that the ipsec.conf option |
|
compress=no only changes whether Openswan advertises the ability. |
|
If the other end requests compression, it is still used if compression |
|
support was added to KLIPS even when compress=no is used. |
CONFIG_KLIPS_DEBUG |
IPsec Debugging. You should enable this unless you are severely |
|
limited in memory and disk space, as on an embedded device. |
IPSEC_CONFIG_REGRESS |
Regression testing support. This is additional support for the nightly |
|
regression testing system using UserModeLinux (UML) that Openswan |
|
uses. You probably want to disable this. |
|
|
L2TP Options
If you are going to use Microsoft's L2TP, then you also need the following options:
Option name |
Description |
|
|
CONFIG_UNIX98_PTYS |
Unix PTYs. |
CONFIG_PPP |
PPP support. |
CONFIG_PPP_SYNC_TTY |
Synchronous PPP support. |
CONFIG_PPP_DEFLATE |
Deflate support. |
CONFIG_PPP_BSDCOMP |
BSD (de)compression support for IP headers. |
|
|
And on 2.6 you have one further option:
Option name |
Description |
|
|
CONFIG_LEGACY_PTYS |
Legacy PTYs (only needed when using certain older L2TP daemons). |
|
Note: This is disabled in the stock kernels for Fedora Core 2 and up. |
|
|
68 |
|