Installing the IPsec software

Before IPsec can be deployed it is important to ensure that the systems which will be using it are correctly configured. This is a two-stage process: the required kernel configuration options must be set, and the user-space software must be installed.

Kernel configuration

The Linux kernel implementation of IPsec requires several options to be selected when the kernel is built in order to operate correctly. These options are located in two different sections of the kernel configuration menu. The required Networking options settings are shown below. As usual, only the options which must be either enabled or disabled are listed; all other options are left to the discretion of the user.

Networking options
  [*] Transformation user configuration interface    CONFIG_XFRM_USER
  [*] PF_KEY sockets                                 CONFIG_NET_KEY
  [ ]   PF_KEY MIGRATE (EXPERIMENTAL)                CONFIG_NET_KEY_MIGRATE
  [*] TCP/IP networking                              CONFIG_INET
  [*]   IP: verbose route monitoring                 CONFIG_IP_ROUTE_VERBOSE
  [*]   IP: AH transformation                        CONFIG_INET_AH
  [*]   IP: ESP transformation                       CONFIG_INET_ESP
  [*]   IP: IPComp transformation                    CONFIG_INET_IPCOMP
  [*]   IP: IPsec transport mode                     CONFIG_INET_XFRM_MODE_TRANSPORT
  [*]   IP: IPsec tunnel mode                        CONFIG_INET_XFRM_MODE_TUNNEL
  [ ]   IP: IPsec BEET mode                          CONFIG_INET_XFRM_MODE_BEET

To function correctly, the network-related components of the Linux kernel implementation of IPsec require some additional kernel components to be enabled. The required options can be found in the Cryptographic API section. As before, only the required settings are shown below.

Cryptographic API
  --- Cryptographic API                              CONFIG_CRYPTO
  [*]   Null algorithms                              CONFIG_CRYPTO_NULL
  [*]   HMAC support                                 CONFIG_CRYPTO_HMAC
  [*]   MD5 digest algorithm                         CONFIG_CRYPTO_MD5
  [*]   SHA1 digest algorithm                        CONFIG_CRYPTO_SHA1
  [*]   AES cipher algorithms                        CONFIG_CRYPTO_AES
  [*]   DES and Triple DES EDE cipher algorithms     CONFIG_CRYPTO_DES
  [*]   Deflate compression algorithm                CONFIG_CRYPTO_DEFLATE

Kernel configuration (IPv6 only)

If you intend to use IPsec with the IPv6 protocol then you will also need to enable the kernel features listed below. These are located beneath the Networking options screen in the kernel configuration menu.

The IPv6 protocol
  --- The IPv6 protocol                              CONFIG_IPV6
  [*]   IPv6: AH transformation                      CONFIG_INET6_AH
  [*]   IPv6: ESP transformation                     CONFIG_INET6_ESP
  [*]   IPv6: IPComp transformation                  CONFIG_INET6_IPCOMP
  [*]   IPv6: IPsec transport mode                   CONFIG_INET6_XFRM_MODE_TRANSPORT
  [*]   IPv6: IPsec tunnel mode                      CONFIG_INET6_XFRM_MODE_TUNNEL
  [ ]   IPv6: IPsec BEET mode                        CONFIG_INET6_XFRM_MODE_BEET
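A quick way to confirm that a kernel's configuration matches the three tables above is to check the .config file for the listed symbols. The script below is an added example, not part of the original guide; it assumes a plain-text .config (such as /usr/src/linux/.config), treats options built as modules (=m) as enabled, and the function names and the constructed sample configuration are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a kernel .config
# against the IPsec options listed in the three tables above.

# Options shown as [*] (or ---) that must be enabled (=y, or =m for modules).
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET CONFIG_IP_ROUTE_VERBOSE
CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL
CONFIG_CRYPTO CONFIG_CRYPTO_NULL CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_MD5
CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_AES CONFIG_CRYPTO_DES CONFIG_CRYPTO_DEFLATE"
# IPv6 options, only checked when CONFIG_IPV6 is enabled in the file.
REQUIRED_IPV6_OPTS="CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_MODE_TRANSPORT CONFIG_INET6_XFRM_MODE_TUNNEL"
# Options shown as [ ] that the guide leaves disabled.
UNSET_OPTS="CONFIG_NET_KEY_MIGRATE CONFIG_INET_XFRM_MODE_BEET CONFIG_INET6_XFRM_MODE_BEET"

# opt_state FILE SYMBOL: prints y, m or n (absent or "# ... is not set").
opt_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo n; fi
}

# check_ipsec_kconfig FILE: lists every deviation, returns 0 only if none.
check_ipsec_kconfig() {
    file=$1; bad=0; opts=$REQUIRED_OPTS
    if [ "$(opt_state "$file" CONFIG_IPV6)" != n ]; then
        opts="$opts $REQUIRED_IPV6_OPTS"
    fi
    for o in $opts; do
        if [ "$(opt_state "$file" "$o")" = n ]; then echo "missing: $o"; bad=1; fi
    done
    for o in $UNSET_OPTS; do
        if [ "$(opt_state "$file" "$o")" != n ]; then echo "should be disabled: $o"; bad=1; fi
    done
    return $bad
}

# write_sample_kconfig FILE: constructed sample config (not from a real kernel)
# that is complete except for IPComp and has the MIGRATE option turned on.
write_sample_kconfig() {
    for o in $REQUIRED_OPTS CONFIG_IPV6 $REQUIRED_IPV6_OPTS; do
        [ "$o" = CONFIG_INET_IPCOMP ] || echo "$o=y"
    done > "$1"
    echo "CONFIG_NET_KEY_MIGRATE=y" >> "$1"
    echo "# CONFIG_INET_XFRM_MODE_BEET is not set" >> "$1"
}
```

Run it as `check_ipsec_kconfig /usr/src/linux/.config`; for the running kernel, write the output of `zcat /proc/config.gz` to a file first (only available when the kernel was built with /proc/config.gz support).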

IPsec tools

Once a suitable kernel has been configured, built and installed on all the hosts which will be using IPsec, the user-space tools may be installed. The most common tools used to manage IPsec are provided by the net-firewall/ipsec-tools package.

Before installing any packages we should ensure that the correct use-flags are set, so that all required functionality is made available and unnecessary functionality is not included. The net-firewall/ipsec-tools package and its dependencies provide a variety of use-flags, only some of which will be discussed here. As usual, feel free to add and remove use-flags at will; the minimum set required to follow this guide in its entirety is shown below.

lisa # emerge -pv ipsec-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] net-firewall/ipsec-tools-0.8.1  USE="ipv6 ldap nat pam readline -hybrid -idea -kerberos -rc5 -stats"

The net-firewall/ipsec-tools package is currently masked on some architectures. If this is the case for your architecture, an entry can be added to your package.keywords file with the command shown below to permit installation of the masked versions of this package.

lisa # echo "net-firewall/ipsec-tools" >> /etc/portage/package.keywords

Once you are satisfied that the correct use-flags are set for the net-firewall/ipsec-tools package, and for any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.

lisa # emerge ipsec-tools

VPN tools

If you intend to use a configuration in which one of the participants has a dynamically assigned network address then some additional utilities will be required. These utilities are contained in the net-firewall/hacking-vpn-tools package, which is available from the Hacking Networked Solutions overlay for Gentoo Linux. Check the use-flags first with a pretend emerge, as before.

lisa # emerge -pv hacking-vpn-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] net-firewall/hacking-vpn-tools-0.1

Once you are satisfied that the correct use-flags are set for the net-firewall/hacking-vpn-tools package, and for any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.

lisa # emerge hacking-vpn-tools