• Firewalling. You need to allow UDP 500 and ESP (protocol 50) through your firewall. For more information, see our firewalling document.

For Linux 2.0 or 2.2, use openswan-1.0.10 For Linux Kernels 2.4 and 2.6, use Openswan 2.4.x For FreeBSD, OpenBSD, NetBSD, and OSX, try openswan-2.5.x For the latest bleeding edge, try openswan-3.x.x

RPMs are available with for most rpm based distributions, such as Fedora, RHEL/Centos and Suse. ATRPMS also build openswan rpms.

KLIPS install for 2.0, 2.2, 2.4 or 2.6 kernels

    export KERNELSRC=/usr/src/kernels/linux-2.6.18/
    make module
    make module_install

        cd /usr/src/linux-2.4
        make oldconfig [answer yes to NAT-T]
        make dep [linux < 2.6 only] 
        make bzImage [you must make a new kernel now]
        make modules modules_install

        Update your bootloader if neccessary.

    patch -p1 -s < openswan-2.4.7-klips.patch
    patch -p1 -s < openswan-2.4.7-natt.patch
    make oldconfig [answer Y to klips and nat-t options]
    make dep [linux < 2.6 only]
    make bzImage

If you want NAT-T support (NATTraversal), you need to patch your kernel and build a new bzImage. From the Openswan source directory:

Userland-only Install for 2.6 kernels

KLIPS install for 2.0, 2.2, or 2.4 kernels

[@

[@

@]

[@

@]

[@

@]

[@

@]

[@

@]

[@

@]

RPMs are available here http://www.openswan.org/download/binaries/.

RPMs are available here ][http://www.openswan.org/download/binaries/]].

[@

@]

Installing Openswan

This document will explain how to install Openswan. If your distribution comes with Openswan, we offer tips to get you started.

Requirements

• Linux Kernel, either 2.0, 2.2, 2.4 or 2.6 based.
• If building from source, libgmp development libraries.

Choose your version:

For Linux Kernels 2.0, 2.2 and 2.4, you may use Openswan 1.x.x

For Linux Kernels 2.4 and 2.6, you may use Openswan 2.x.x

There are two basic ways to get Openswan onto your system:

• RPM install
• Install from source

RPM install

RPMs are available here [http://www.openswan.org/download/binaries/].

Install from Source

As root, unpack your Openswan source somewhere (eg: /usr/src).

<pre>

    su
    mv openswan-2.#.#.tar.gz /usr/src
    cd /usr/src
    tar -xzf openswan-2.#.#.tar.gz

</pre>

Choose one of the methods below.

Userland-only Install for 2.6 kernels

Change to your new Openswan directory, and make and install the Openswan userland tools.

<pre>

    cd /usr/src/openswan-2.#.#
    make programs
    make install

</pre>

Now, start Openswan and test your install.

KLIPS install for 2.0, 2.2, or 2.4 kernels

To make a modular version of KLIPS, along with other Openswan programs you'll need, use the command sequence below. This will change to your new Openswan directory, make the Openswan module (and other stuff), and install it all.

<pre>

    cd /usr/src/openswan-2.#.#
    make oldmod
    make minstall

</pre>

If you want NAT-T support ([NATTraversal]), you need to patch your kernel and build a new bzImage. From the Openswan source directory:

(assumes kernel source is in /usr/src/linux-2.4)

        make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)

        Note: Build and install kernel as normal, as you have modified
        the TCP/IP stack in the kernel, so it needs to be recompiled and
        installed.

        eg: cd /usr/src/linux && make dep bzImage install

Start Openswan and test your install.

To link KLIPS statically into your kernel (using your old kernel settings), and install other Openswan components, do:

<pre>

    cd /usr/src/openswan-2.#.#
    make oldmod
    make minstall

</pre>

Reboot your system and test your install.

For other ways to compile KLIPS, see our Makefile.

Start Openswan and test your install

Bring Openswan up with:

<pre>

    service ipsec start

</pre>

This is not necessary if you've rebooted, as Openswan is added to runlevel 3 init scripts.

Test your install

To check that you have a successful install, run:

<pre>

    ipsec verify

</pre>

You should see at least:

<pre>

    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path                             [OK]
    Checking for KLIPS support in kernel                        [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]

</pre>

If any of these first four checks fails, see our troubleshooting guide.

Making Openswan play well with others

There are at least a couple of things on your system that might interfere with Openswan, and now's a good time to check these:

• Firewalling. You need to allow UDP 500 and ESP (protocol 50) through your firewall. For more information, see our firewalling document.
• Network address translation. Do not NAT the packets you will be tunneling.

Configure for your needs

You'll need to configure Openswan for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.