Securing-Optimizing-RH-Linux-1_2_299
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
[root@deep linux]# make config
NOTE: The difference from the make config command we ran before is that a new section related
to FreeS/WAN is now included in the kernel configuration. For this reason we must reconfigure
the kernel to customize the IPSec options so that they become part of your kernel.
The first thing you need to do is ensure that your kernel has been built with FreeS/WAN support
enabled. In the 2.2.14 kernel version, a new section related to FreeS/WAN VPN support named
IPSec options (FreeS/WAN) appears in your kernel configuration after you have patched
the kernel with the FreeS/WAN program as described above. You need to ensure that you have
answered Y to the following questions under the new section: IPSec options (FreeS/WAN).
IPSec options (FreeS/WAN)
IP Security Protocol (FreeS/WAN IPSEC) (CONFIG_IPSEC) [Y/n/?]
IPSEC: IP-in-IP encapsulation (CONFIG_IPSEC_IPIP) [Y/n/?]
IPSEC: PF_KEYv2 kernel/user interface (CONFIG_IPSEC_PFKEYv2) [Y/n/?]
IPSEC: Enable ICMP PMTU messages (CONFIG_IPSEC_ICMP) [Y/n/?]
IPSEC: Authentication Header (CONFIG_IPSEC_AH) [Y/n/?]
HMAC-MD5 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_MD5) [Y/n/?]
HMAC-SHA1 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_SHA1) [Y/n/?]
IPSEC: Encapsulating Security Payload (CONFIG_IPSEC_ESP) [Y/n/?]
3DES encryption algorithm (CONFIG_IPSEC_ENC_3DES) [Y/n/?]
IPSEC Debugging Option (DEBUG_IPSEC) [Y/n/?]
NOTE: All the customizations you made to your kernel the first time you ran the make
config, make dep, and make clean commands will be preserved. You don't need to
reconfigure every part of your kernel, only the new section added by FreeS/WAN named
IPSec options (FreeS/WAN), as shown above.
Some networking options will be turned on automatically even if you previously turned them
off, because IPSEC needs them. Whichever configuration program you are using, you
should pay careful attention to a few issues: in particular, do NOT disable any of the following
under the Networking Options of your kernel configuration:
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?]
Netlink device emulation (CONFIG_NETLINK_DEV) [Y/n/?]
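Before compiling, the answers listed above can be checked in the generated configuration file. The following shell function is an added example, not part of the original book or of FreeS/WAN; it assumes the answers are stored as CONFIG_...=y lines in the kernel .config file, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a kernel .config carries every option this
# section says must be answered Y. Option names are copied from the page.
# The debugging option is not checked: the page prints its symbol as
# DEBUG_IPSEC, without the CONFIG_ prefix used in .config.
REQUIRED_OPTS="CONFIG_IPSEC CONFIG_IPSEC_IPIP CONFIG_IPSEC_PFKEYv2
CONFIG_IPSEC_ICMP CONFIG_IPSEC_AH CONFIG_IPSEC_AUTH_HMAC_MD5
CONFIG_IPSEC_AUTH_HMAC_SHA1 CONFIG_IPSEC_ESP CONFIG_IPSEC_ENC_3DES
CONFIG_NETLINK CONFIG_NETLINK_DEV"

# missing_ipsec_opts FILE
# Prints one line per required option that is not set to "y" in FILE,
# showing how it appears instead ("# ... is not set", "=m", or absent).
# Returns 0 when nothing is missing, 1 otherwise, 2 if FILE is unreadable.
# Usage: missing_ipsec_opts /usr/src/linux/.config
missing_ipsec_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=0
    for opt in $REQUIRED_OPTS; do
        # Match the whole line so CONFIG_IPSEC does not match CONFIG_IPSEC_AH.
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            state=$(grep -E "^(# )?${opt}[= ]" "$cfg" | head -n 1)
            echo "${opt}: ${state:-absent}"
            missing=1
        fi
    done
    return $missing
}
```

An empty result with exit status 0 means every option named in this section is set to y.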
Compile and install the new kernel with FreeS/WAN
Now that support for FreeS/WAN VPN is included in the kernel configuration, we can compile and
install the new kernel.
· Return to the /usr/src/linux directory and run the following commands again:
[root@deep linux]# make dep; make clean; make bzImage
After the commands above complete, follow the rest of the instructions in the Linux Kernel
section of this book (Chapter 5 Configuring and Building a secure, optimized Kernels) as normal
to install the kernel. At this point, after you have copied and installed your new kernel image,
System.map, or modules (if necessary), and set the lilo.conf file to load the new kernel, you must
edit and customize the FreeS/WAN configuration files ipsec.conf and ipsec.secrets
before rebooting your system.
Cleanup after work
[root@deep /]# cd /usr/src
[root@deep src]# rm -rf freeswan-version/ freeswan-version_tar.gz