This document will explain how to install Openswan. If your distribution comes with Openswan, we offer tips to get you started.
For Linux 2.0 or 2.2, use openswan-1.0.10.
For Linux kernels 2.4 and 2.6, use Openswan 2.4.x.
For FreeBSD, OpenBSD, NetBSD, and OSX, try openswan-2.5.x.
For the latest bleeding edge, try openswan-3.x.x.
There are two basic ways to get Openswan onto your system:
RPMs are available for most RPM-based distributions, such as Fedora, RHEL/CentOS and SUSE. ATRPMS also builds Openswan RPMs.
As root, unpack your Openswan source somewhere (e.g. /usr/src).
su
mv openswan-2.#.#.tar.gz /usr/src
cd /usr/src
tar -xzf openswan-2.#.#.tar.gz
Choose one of the methods below.
Change to your new Openswan directory, and make and install the Openswan userland tools.
cd /usr/src/openswan-2.#.#
make programs
make install
Now, start Openswan and test your install.
To make a modular version of KLIPS, along with other Openswan programs you'll need, use the command sequence below. This will change to your new Openswan directory, make the Openswan module (and other stuff), and install it all.
cd /usr/src/openswan-2.#.#
export KERNELSRC=/usr/src/kernels/linux-2.6.18/
make module
make module_install
If you want NAT-T support (NATTraversal), you need to patch your kernel and build a new bzImage. From the Openswan source directory:
(assumes kernel source is in /usr/src/linux-2.4)
make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
cd /usr/src/linux-2.4
make oldconfig    # answer yes to NAT-T
make dep          # linux < 2.6 only
make bzImage      # you must make a new kernel now
make modules modules_install
Update your bootloader if necessary.
Start Openswan and test your install.
To link KLIPS statically into your kernel (using your old kernel settings), and install other Openswan components, do:
cd /usr/src/openswan-2.#.#
patch -p1 -s < openswan-2.4.7-klips.patch
patch -p1 -s < openswan-2.4.7-natt.patch
make oldconfig    # answer Y to klips and nat-t options
make dep          # linux < 2.6 only
make bzImage
Reboot your system and test your install.
For other ways to compile KLIPS, see our Makefile.
Bring Openswan up with:
service ipsec start
This is not necessary if you've rebooted, as Openswan is added to runlevel 3 init scripts.
To check that you have a successful install, run:
ipsec verify
You should see at least:
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
If any of these first four checks fails, see our troubleshooting guide.
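The check above can be scripted. The following is an added example, not part of the Openswan documentation or tooling: a POSIX shell function that reads `ipsec verify` output on stdin and reports which of the four checks is missing or not [OK]. The function names and sample outputs are constructed for illustration, and it assumes the check labels appear exactly as shown above.

```shell
# Added example: read `ipsec verify` output on stdin and confirm the four
# checks listed in this document are present and end in [OK].
# Prints one line per problem; exit status is 0 only when all four pass.
check_verify_output() {
    awk '
        BEGIN {
            req[1] = "Version check and ipsec on-path"
            req[2] = "Checking for KLIPS support in kernel"
            req[3] = "Checking for RSA private key (/etc/ipsec.secrets)"
            req[4] = "Checking that pluto is running"
        }
        {
            for (i = 1; i <= 4; i++) {
                if (index($0, req[i]) > 0) {      # literal match, no regex escaping
                    seen[i] = 1
                    if ($0 ~ /\[OK\][ \t]*$/) ok[i] = 1
                }
            }
        }
        END {
            bad = 0
            for (i = 1; i <= 4; i++) {
                if (!seen[i])    { print "MISSING: " req[i]; bad = 1 }
                else if (!ok[i]) { print "FAILED:  " req[i]; bad = 1 }
            }
            exit bad
        }
    '
}

# Constructed sample: the four lines this document says to expect.
sample_ok() {
    cat <<'EOF'
Version check and ipsec on-path                        [OK]
Checking for KLIPS support in kernel                   [OK]
Checking for RSA private key (/etc/ipsec.secrets)      [OK]
Checking that pluto is running                         [OK]
EOF
}

# Constructed sample (not from a real host): KLIPS failed, later lines absent.
sample_failed() {
    cat <<'EOF'
Version check and ipsec on-path                        [OK]
Checking for KLIPS support in kernel                   [FAILED]
EOF
}
# On a real host: ipsec verify 2>&1 | check_verify_output
sample_failed | check_verify_output || echo "see the troubleshooting guide"
```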
There are at least a couple of things on your system that might interfere with Openswan, and now's a good time to check these:
You'll need to configure Openswan for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.