Installing and Configuring a Linux VPN Server

The actual build of FreeS/WAN can take many forms. You can build it to load as a module, install directly from the source, and, as of version 1.93, you can even build your own RPMs if you choose. We’ll be installing from source, but building RPMs might be a worthwhile undertaking, especially if you plan to deploy a large number of gateways. The installation from source involves two major processes. The first reconfigures and recompiles the kernel to support IPSec, while the second actually installs the new kernel. There are a number of configuration options available if you’re interested in controlling the actual IPSec options, but by choosing the fully automated versions you’ll save time, and they work exceptionally well.

To reconfigure and recompile the kernel, issue the following from the /usr/src/freeswan-1.94 directory:

make oldgo

You should note that, depending on your hardware, this process might take a while. Since an RSA authentication key pair is also generated at this point, and relies heavily on the use of random data, you might consider providing input by moving the mouse or typing on the keyboard during the process. If that bores you to tears, consider using Alt+F2 to open a new terminal session and run du /usr > /dev/null to generate disk activity. If the very last line of make’s output is utils/errcheck out.kbuild, you’ll know the process completed successfully. If not, you will need to check the out.kpatch and out.kbuild files for details.

After the kernel has been recompiled, the updated kernel needs to be installed. This process has been automated as well. From the /usr/src/freeswan-1.94 directory enter the following:

make kinstall

The last line of the script should call another errcheck script signalling that the install was successful – utils/errcheck out.kinstall. Finally, check that your kernel configuration is correct in lilo.conf, and run lilo again. Now reboot into your newly compiled and installed kernel. If the installation has completed and is loading successfully, you should see the ipsec start-up message at boot time. You can also issue the following commands from the prompt to get more information, or view running processes using ps -ax|less and scroll through the list.

ipsec --version

ipsec whack --status
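The two make stages above can be gated on the errcheck marker the article describes, so a failed kernel build never reaches the install step. This is an added example, not part of the original article or the FreeS/WAN distribution; the function names, the log handling and the demo logs are assumptions. Checking lilo.conf, running lilo and rebooting remain manual steps.

```shell
#!/bin/sh
# Added example: gate each FreeS/WAN build stage on the errcheck marker.
# SRC_DIR defaults to the article's path; log handling is an assumption.
SRC_DIR=${SRC_DIR:-/usr/src/freeswan-1.94}

# Print the last non-blank line of a file, trailing whitespace removed.
last_line() {
    awk 'NF { line = $0 } END { sub(/[ \t\r]+$/, "", line); print line }' "$1"
}

# stage_ok LOG STAGE: true only if the log ends with "utils/errcheck out.STAGE",
# which is the article's criterion for a successful stage.
stage_ok() {
    [ "$(last_line "$1")" = "utils/errcheck out.$2" ]
}

# run_stage TARGET STAGE: run "make TARGET", keep the output, apply the check.
# mktemp avoids a predictable log name in /tmp while running as root.
run_stage() {
    log=$(mktemp "${TMPDIR:-/tmp}/freeswan-$1.XXXXXX") || return 1
    ( cd "$SRC_DIR" && make "$1" ) > "$log" 2>&1
    if stage_ok "$log" "$2"; then
        echo "make $1: completed, output kept in $log"
    else
        echo "make $1: FAILED, see $log and the out.* files in $SRC_DIR" >&2
        return 1
    fi
}

# demo: constructed logs (not real FreeS/WAN output) showing pass and fail.
demo() {
    d=$(mktemp -d) || return 1
    printf 'make[1]: Leaving directory\nutils/errcheck out.kbuild\n' > "$d/good"
    printf 'utils/errcheck out.kbuild\n(constructed error line)\n' > "$d/bad"
    stage_ok "$d/good" kbuild && ! stage_ok "$d/bad" kbuild
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    build) run_stage oldgo kbuild && run_stage kinstall kinstall ;;
    demo)  demo && echo "demo: checks behave as expected" ;;
esac
```

Run it with the argument build to perform both stages, or demo to exercise the check on the constructed logs without touching the kernel tree.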

Well, that does it for part one of this two-part mini-series. In the next article we’ll continue with a look at the actual configuration of FreeS/WAN, in order to ensure that traffic is properly encrypted between two or more locations.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.