Before IPsec can be deployed it is important to ensure that the systems which will be using it are correctly configured. This is a two-stage process: the required kernel configuration options must be set, and the user-space software must be installed.
The Linux kernel implementation of IPsec requires several options to be selected when the kernel is built in order to operate correctly. These options are located in two different sections of the kernel configuration menu. The required Networking options settings are shown below. As usual, we list only the options which must be enabled or disabled, leaving all other options to the discretion of the user.
To function correctly, the network-related components of the Linux kernel implementation of IPsec require some additional kernel components to be enabled. The required options can be found in the Cryptographic API section. As before, only the required settings are shown below.
If you intend to use IPsec with the IPv6 protocol then you will also need to enable the kernel features listed below. These are located beneath the Networking options screen in the kernel configuration menu.
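The three option lists above are easy to get wrong on a host that has been through several kernel upgrades, so it is worth checking the installed kernel's configuration before moving on to the user-space tools. The script below is an added example and is not part of the original guide; the option names it checks (CONFIG_XFRM_USER, CONFIG_NET_KEY, CONFIG_INET_AH, CONFIG_INET_ESP, CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_SHA256, CONFIG_CRYPTO_AES, and CONFIG_INET6_AH/CONFIG_INET6_ESP for IPv6) are my assumptions about what the guide's tables contain and should be edited to match them. The `.config` fragment it checks is constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a kernel
# configuration enables the options IPsec needs before installing the
# user-space tools. The option lists are assumptions standing in for the
# guide's tables; edit them to match the guide's own lists.

# Core IPsec options (Networking options + Cryptographic API), IPv4 only.
IPSEC_REQUIRED="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_AES"
# Extra options only needed when IPsec is used with IPv6.
IPSEC_IPV6_REQUIRED="CONFIG_INET6_AH CONFIG_INET6_ESP"

# option_enabled FILE OPTION: true if OPTION is built in (=y) or a module (=m).
# A "# CONFIG_FOO is not set" line or a missing line both count as disabled.
option_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# check_config FILE OPTION...: report each option that is not enabled.
# Returns 0 if all are present, 1 otherwise, so it works in if/&& chains.
check_config() {
    file=$1
    shift
    status=0
    for opt in "$@"; do
        if option_enabled "$file" "$opt"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt" >&2
            status=1
        fi
    done
    return $status
}

# running_config: write the running kernel's config to stdout, taken from
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or /boot/config-<release>.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Demo on a constructed .config fragment (not a real system's config):
# AH and AES are enabled, but ESP and the IPv6 transforms are absent.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
# CONFIG_INET_ESP is not set
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_AES=m
EOF

if check_config "$SAMPLE_CONFIG" $IPSEC_REQUIRED $IPSEC_IPV6_REQUIRED; then
    echo "kernel config is ready for IPsec"
else
    echo "kernel config is incomplete; fix the MISSING options before emerging ipsec-tools"
fi
rm -f "$SAMPLE_CONFIG"
```

On a live host, replace the constructed sample with `running_config > /tmp/kconfig && check_config /tmp/kconfig $IPSEC_REQUIRED`; drop `$IPSEC_IPV6_REQUIRED` if the host will only carry IPv4 traffic.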
Once a suitable kernel has been correctly configured, built and installed on all the hosts which will be using IPsec the user-space tools may be installed. The most common tools used to manage IPsec are provided by the net-firewall/ipsec-tools package.
Before we install any packages we should ensure that the correct use-flags are configured, so that all required functionality is made available and unnecessary functionality is not included. The net-firewall/ipsec-tools package and its dependencies provide a variety of use-flags, only some of which will be discussed further here. As usual, feel free to add and remove use-flags at will, although the minimum set required for using this guide in its entirety is shown below.
The net-firewall/ipsec-tools package is currently masked on some architectures. If this is the case for your architecture, a configuration entry can be added to your package.keywords file to enable the installation of masked versions of this package, using the command shown below.
Once you are satisfied that the correct use-flags are set for the net-firewall/ipsec-tools package, and any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.
If you intend to use a configuration where one of the participants will be using a dynamically assigned network address then some additional utilities will be required. These utilities are contained within the net-firewall/hacking-vpn-tools package which is available from the Hacking Networked Solutions overlay for Gentoo Linux.
Once you are satisfied that the correct use-flags are set for the net-firewall/hacking-vpn-tools package, and any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.