After many long hours and a lot of help from Tom I was able to get IPSEC
running on kernel 2.6, here's a step-by-step for getting policy match
working. Hope it helps.
Adding Policy Match Support to Kernel 2.6
JJ Truax
jtruax at optivel dot com
This is a step by step how-to for adding policy match support to a 2.6
kernel. For information on configuring IPSEC for the Kernel 2.6 see Tom
Eastep's How-to IPSEC using Linux Kernel 2.6
http://www.shorewall.net/IPSEC-2.6.html
Distro Info:
I'm using Debian Sarge and will be using some commands that may not be
available in other distros.
Versions
I'll be covering the following versions.
Download the following files to the noted locations.
kernel 2.6.11
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.11.tar.bz2 to /usr/src
iptables 1.3.1
http://www.netfilter.org/files/iptables-1.3.1.tar.bz2 to /usr/src
patch-o-matic-ng-20050504
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050504.tar.bz2
to /var/tmp
5 IPSEC patch files
http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11/ to /var/tmp (make
sure you don't have any other .diff files in /var/tmp)
Debian Kernel image 2.6.11
http://ftp.debian.org/debian/pool/main/k/kernel-image-2.6.11-i386/kernel-image-2.6.11-i386_2.6.11-3.tar.gz
Getting Started
1. Let's start by using apt-get to install some utilities we will need
during the process
>apt-get install bzip2 kernel-package libncurses5-dev
2. Extract the source files in /usr/src
>tar jxvf linux-2.6.11.tar.bz2
>tar jxvf iptables-1.3.1.tar.bz2
3. Extract the files in /var/tmp
>tar jxvf patch-o-matic-ng-20050504.tar.bz2
>tar zxvf kernel-image-2.6.11-i386_2.6.11-3.tar.gz
4. Move the 5 IPSEC patches to the kernel source folder
>mv /var/tmp/*.diff /usr/src/linux-2.6.11
5. Apply the patches to the kernel
>cd /usr/src/linux-2.6.11
>cat *.diff | patch -p1
6. Move the config file from the Debian kernel image to the kernel source
There are 5 files in /var/tmp/kernel-image-2.6.11-i386-2.6.11/config
386 686 686-smp default k7 k7-smp
Select the one that best matches the architecture of your hardware. I'll
be using 686-smp because I'm using a dual processor P4. This will be
used to load all of the default Debian modules for your kernel.
7. Apply the policy match patch via patch-o-matic-ng
>export KERNEL_DIR=/usr/src/linux-2.6.11
>export IPTABLES_DIR=/usr/src/iptables-1.3.1
>cd /var/tmp/patch-o-matic-ng-20050504/
>./runme extra
Select no to all patches except policy match (it's somewhere around the
48th one).
8. Compile the kernel
>cd /usr/src/linux-2.6.11
>make-kpkg --config menu --initrd configure
The Linux configuration menu will open.
First load the config file from step 6 (686-smp in my case)
Select load an Alternate Configuration File
Type the name of the file you moved in step 6
Now you need to add policy match support to your kernel. It's under:
Device Drivers->
Networking support ->
Networking Options->
Network packet filtering ->
IP: Netfilter Configuration ->
<>IPsec policy match support
press space to select it
Now exit out of the kernel configuration menu and save your changes.
>make-kpkg --config menu --initrd kernel-image
(this will take a while, 20-30 minutes)
9. Install the new kernel
Your new kernel package should be in /usr/src/
>dpkg --install /usr/src/kernel-image-2.6.11_10.00.Custom.deb
10. Reboot and load your new kernel. It's ready for you to use. Don't
forget to remove the default install of iptables and compile/install the
new version.
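
Sanity checks for the steps above, as an added example that is not part of the original how-to: it confirms that only the 5 IPSEC patches are in /var/tmp before step 4, that step 5 left no rejected hunks in the kernel tree, and that the saved .config enables policy match before the long compile. The function names are made up for this example, and the symbol CONFIG_IP_NF_MATCH_POLICY is an assumption about how the patch names the option; check it against your own .config.

```shell
#!/bin/sh
# Added example: sanity checks around steps 4, 5 and 8 of the how-to.
# Paths default to the ones used in the how-to; function names are made up.

# Count the *.diff files sitting directly in a directory.
count_diffs() {
    n=0
    for f in "$1"/*.diff; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Before step 4: "mv /var/tmp/*.diff" and "cat *.diff | patch" pick up every
# .diff present, so refuse to continue unless exactly the 5 IPSEC patches exist.
check_patch_set() {
    expected=${2:-5}
    found=$(count_diffs "$1")
    if [ "$found" -ne "$expected" ]; then
        echo "expected $expected .diff files in $1, found $found" >&2
        return 1
    fi
}

# After step 5: patch leaves a *.rej file for each file with hunks it could not apply.
count_rejects() {
    find "$1" -type f -name '*.rej' | wc -l | tr -d ' '
}

# After saving the config in step 8: the option must be built in (y) or a module (m).
# ASSUMPTION: the symbol is CONFIG_IP_NF_MATCH_POLICY; pass another name as $2.
policy_match_enabled() {
    grep -Eq "^${2:-CONFIG_IP_NF_MATCH_POLICY}=[ym]\$" "$1"
}

# Command-line use: sh <this file> patches|rejects|config
src=${KERNEL_DIR:-/usr/src/linux-2.6.11}
case "${1:-}" in
    patches) check_patch_set /var/tmp ;;
    rejects) [ "$(count_rejects "$src")" -eq 0 ] || { echo "rejected hunks in $src" >&2; exit 1; } ;;
    config)  policy_match_enabled "$src/.config" || { echo "policy match not enabled" >&2; exit 1; } ;;
esac
```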