Kernel Configuration
After the initial Gateway installation, it may be necessary to enable kernel support for the IPsec protocols and for the firewall. This requires that a new kernel be compiled and installed. The steps differ depending on the operating system you have selected; the sections below give an overview of how to accomplish this on either a FreeBSD or a NetBSD host. The stock Fedora Core 6 kernel already contains all the kernel support we need, so compiling a custom kernel is not necessary there.
FreeBSD 6.2
This section describes the basic steps required to build a FreeBSD kernel with FAST IPsec and Packet Filter support. For more information on this topic, please read the FreeBSD Handbook chapter titled Building and Installing a Custom Kernel. The Handbook also contains a chapter titled VPN over IPsec that may be useful.
NAT Traversal Support Patch
As of FreeBSD 6.2-STABLE, NAT Traversal support is not yet available in the stock kernel sources. However, support for this feature is available in the form of a kernel patch maintained by a member of the IPsec-Tools development team. Applying this patch is not required, but it is highly recommended if you plan to support clients that connect from behind a NAT-enabled firewall. To obtain the kernel patch and apply it to the FreeBSD kernel sources, follow the prompts listed below using a root login:
cd /usr/src/sys
fetch http://ipsec-tools.sf.net/freebsd6-natt.diff
patch < freebsd6-natt.diff
Creating a Kernel Configuration File
The FreeBSD kernel build system requires a kernel configuration file as input. The file describes which options should be included when compiling a kernel. Instead of creating a configuration file from scratch, the GENERIC kernel configuration file should be copied and edited to add or remove support for specific kernel options. It is important to know which architecture your gateway host uses before beginning this procedure. In most instances, this will be either i386 or amd64. For the purpose of the example given below, we will assume a host using the i386 architecture. To create a new kernel configuration file named CUSTOM, follow the prompts below using a root login:
cd /usr/src/sys/i386/conf
cp GENERIC CUSTOM
Note: The i386 directory may need to be different depending on your architecture type.
Now that you have created a configuration file, a few modifications will need to be made. Open the file with a text editor and change the ident line to read CUSTOM instead of GENERIC:
machine    i386
cpu        I486_CPU
cpu        I586_CPU
cpu        I686_CPU
ident      CUSTOM
To complete the configuration file changes, add the following lines to the end and save the file:
# Packet Filter Support
device     pf
device     pflog
# FAST IPsec Support
device     crypto
device     enc
options    FAST_IPSEC
options    IPSEC_NAT_T
Note: The last option line is only valid if the NAT Traversal kernel patch was applied.
Compiling and Installing the Custom Kernel
Now that you have a custom kernel configuration file that includes support for FAST IPsec and Packet Filter, it can be used to compile and install a new kernel. To perform this procedure, follow the prompts below using a root login:
cd /usr/src
make buildkernel KERNCONF=CUSTOM
make installkernel KERNCONF=CUSTOM
After the new kernel has been installed, reboot the FreeBSD host to begin using the new features.
Compiling and Installing Userland Programs
If your kernel was patched to support NAT Traversal, the FreeBSD userland programs must be recompiled and installed. To perform this procedure, follow the prompts below using a root login:
cd /usr/src
make buildworld
make installworld
After the new userland programs have been installed, reboot the FreeBSD host to begin using the new features.
NetBSD 3.1
This section describes the basic steps required to build a NetBSD kernel with IPsec and IP Filter support. For more information on this topic, please read the NetBSD Documentation Kernel section titled How to build a kernel. NetBSD has also published a document entitled How to build a remote user access VPN that may be useful.
Installing the Kernel Sources
Before a kernel can be compiled, you need to ensure that the kernel sources are installed. This can be accomplished by downloading and extracting the archive into the appropriate directory. To download and extract the kernel sources, follow the prompts below using a root login:
ftp -a ftp.netbsd.org
ftp> bin
ftp> get pub/NetBSD/NetBSD-3.1/source/sets/syssrc.tgz /tmp/syssrc.tgz
ftp> exit
cd /
tar xvzpf /tmp/syssrc.tgz
Creating a Kernel Configuration File
The NetBSD kernel build system requires a kernel configuration file as input. The file describes which options should be included when compiling a kernel. Instead of creating a configuration file from scratch, the GENERIC kernel configuration file should be copied and edited to enable or disable support for specific kernel options. It is important to know which architecture your gateway host uses before beginning this procedure. In most instances, this will be either i386 or amd64. For the purpose of the example given below, we will assume a host using the i386 architecture. To create a new kernel configuration file named CUSTOM, follow the prompts below using a root login:
cd /usr/src/sys/arch/i386/conf
cp GENERIC CUSTOM
Note: The i386 directory may need to be different depending on your architecture type.
Now that you have created a configuration file, a few modifications will need to be made. Open the file with a text editor and make sure the following lines are uncommented, removing the leading # character if necessary:
options        GATEWAY        # packet forwarding
options        INET           # IP + ICMP + TCP + UDP
options        IPSEC          # IP security
options        IPSEC_ESP      # IP security (encryption part; define w/IPSEC)
options        IPSEC_NAT_T    # IPsec NAT traversal (NAT-T)
options        PFIL_HOOKS     # pfil(9) packet filter hooks
pseudo-device  ipfilter       # IP filter (firewall) and NAT
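The two configuration edits above (appending the options to the FreeBSD CUSTOM file, uncommenting them in the NetBSD one) as an added POSIX shell example that is not part of this page or of Shrew Soft's tooling: ensure_opt, has_opt, set_ident, freebsd_opts and netbsd_opts are hypothetical helpers, and the GENERIC fragment they are exercised against is constructed. ensure_opt uncomments a "#options FOO" line when one exists, appends the line when it is absent, and leaves an already active line unchanged, so running it twice is harmless.

```shell
# Hypothetical helpers (added example, not Shrew Soft's code). ensure_opt CONF "KEYWORD ARG"
# uncomments "#KEYWORD ARG" if present, appends it if absent, leaves an active line alone.
ensure_opt() {
    conf=$1
    kw=${2%% *}           # options / device / pseudo-device
    arg=${2#* }           # IPSEC / pf / ipfilter ...
    tmp=$(mktemp) || return 1
    awk -v kw="$kw" -v arg="$arg" '
        {
            stripped = $0
            sub(/^[ \t]*#?[ \t]*/, "", stripped)        # drop indent and a leading "#"
            n = split(stripped, f, /[ \t]+/)
            if (n >= 2 && f[1] == kw && f[2] == arg) {   # exact keyword + argument match
                print stripped; found = 1; next          # emit it active, comment kept
            }
            print
        }
        END { if (!found) print kw "\t" arg }            # missing: append a new line
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# has_opt CONF "KEYWORD ARG": succeed only if the option is active (not commented out)
has_opt() {
    awk -v kw="${2%% *}" -v arg="${2#* }" '
        /^[ \t]*#/ { next }
        $1 == kw && $2 == arg { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# set_ident CONF NAME: rewrite the ident line so the kernel identifies itself as NAME
set_ident() {
    tmp=$(mktemp) || return 1
    awk -v id="$2" '$1 == "ident" { print "ident\t" id; next } { print }' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# The option sets this page enables: appended on FreeBSD 6.2, uncommented on NetBSD 3.1
freebsd_opts() {
    for o in "device pf" "device pflog" "device crypto" "device enc" \
             "options FAST_IPSEC" "options IPSEC_NAT_T"; do
        ensure_opt "$1" "$o" || return 1
    done
}
netbsd_opts() {
    for o in "options GATEWAY" "options INET" "options IPSEC" "options IPSEC_ESP" \
             "options IPSEC_NAT_T" "options PFIL_HOOKS" "pseudo-device ipfilter"; do
        ensure_opt "$1" "$o" || return 1
    done
}
```

On the copied file, run set_ident CUSTOM CUSTOM followed by netbsd_opts CUSTOM (or freebsd_opts CUSTOM), then check each option with has_opt before running config or make buildkernel.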
Compiling and Installing the Custom Kernel
Now that you have a custom kernel configuration file that includes support for IPsec and IP Filter, you need to run the config program which verifies the option syntax and creates a new build directory. To perform this procedure, execute the following command from the directory that contains your new configuration file:
config CUSTOM
The new kernel configuration is now ready to be compiled and installed. To perform this procedure, follow the prompts below using a root login:
cd ../compile/CUSTOM/
make depend
make
make install
After the new kernel has been installed, reboot the NetBSD host to begin using the new features.
Copyright © 2010, Shrew Soft Inc