IPsec modules and packages for SuSE Linux distributions
On this page, you can find FreeS/WAN packages, sources and kernel modules
with various add-on features, compiled for a variety of SuSE Linux distributions.
All SuSE packages include the X.509 patches from StrongSec.
Other features are listed below. Version numbers have the form X.XX_Y.Y.Y,
where X.XX denotes the FreeS/WAN release and Y.Y.Y the release of the X.509 patch.
FreeS/WAN packages
| Distribution | Userspace RPM | Sig | km package | Sig | Source RPM | Sig | Modules | Sigs |
| SL 8.0 i386 | 1.95_0.9.8 | sig | 1.95_0.9.8 | sig | 1.95_0.9.8 | sig | | |
| SL 8.0 i386 | 1.98b_0.9.13 | sig | 1.98b_0.9.13 | sig | 1.98b_0.9.13 | sig | | |
| SL 8.0 i386 | 1.98b_0.9.15 (1) | | 1.98b_0.9.15 | | 1.98b_0.9.15 (1) | | | |
| SL 8.1 i586 SLES8 | 1.98b_0.9.15 (1) | | 1.98b_0.9.15 | | 1.98b_0.9.15 (1) | | | |
| SL 8.1 i586 SLES8 | 1.99_0.9.23 (1,2,3) | | 1.99_0.9.23 | | 1.99_0.9.23 (1,2,3) | | | |
| SL 8.1 i586 SLES8 | 1.99_0.9.34 (1,2,3,4,5) | | 1.99_0.9.34 | | 1.99_0.9.34 (1,2,3,4,5) | | | |
| SL 8.1 x86-64 SLES8 | 1.99_0.9.34 (1,2,3,4,5) | | 1.99_0.9.34 | | 1.99_0.9.34 (1,2,3,4,5) | | | |
| SL 8.1 AXP | 1.99_0.9.34 (1,2,3,4,5) | | 1.99_0.9.34 | | 1.99_0.9.34 (1,2,3,4,5) | | | |
| SL 8.1 i586 CGL SLES8SP2/3 | 1.98b_0.9.14 | | NN | | 1.98b_0.9.14 | | | |
| SL 8.1 i586 CGL SLES8SP2/3 | 1.99_0.9.34 (1,4,5) | | NN | | 1.99_0.9.34 (1,4,5) | | | |
| SL 8.1 x86_64 CGL SLES8SP2/3 | 1.99_0.9.34 (1,4,5) | | NN | | 1.99_0.9.34 (1,4,5) | | | |
| SL 8.2 i586 | 1.99_0.9.34 (1,2,3,4,5) | | 1.99_0.9.34 | | 1.99_0.9.34 (1,2,3,4,5) | | | |
| SL 8.2 x86-64 | 1.99_0.9.34 (1,2,3,4,5) | | 1.99_0.9.34 | | 1.99_0.9.34 (1,2,3,4,5) | | | |
| SL 9.0 i586 (CGL) | 1.99_0.9.34 (1,4,5) | | | | 1.99_0.9.34 (1,4,5) | | | |
| SL 9.0 x86-64 (CGL) | 1.99_0.9.34 (1,4,5) | | | | 1.99_0.9.34 (1,4,5) | | | |
| SL 9.0 i386 (2.6) | 2.04_1.5.4 (1,2,4,5) | | | | 2.04_1.5.4 (1,2,4,5) | | | |
| SL 9.0 x86-64 (2.6) | 2.04_1.5.4 (1,2,4,5) | | | | 2.04_1.5.4 (1,2,4,5) | | | |
| SL 9.1 i386 | 2.04_1.5.4 (1,2,4,5) | | | | 2.04_1.5.4 (1,2,4,5) | | | |
| SL 9.1 x86-64 | 2.04_1.5.4 (1,2,4,5) | | | | 2.04_1.5.4 (1,2,4,5) | | | |
Legend:
- All packages contain the X.509 patch
- (1) Includes Delete-Notifier Patch
- (2) Includes NAT-Traversal Patch
- (3) Includes the Alg patches
- (4) Includes Dead Peer Detection Patch
- (5) Includes workaround for MS2LT client
For FreeS/WAN-2.04 with kernel 2.6, you need the ipsec-tools package as well.
For SL9.0, packages are available here.
The 9.0 and 9.1 packages, although they do not include the Alg patches, do negotiate
the AES cipher for encryption and decryption of the ESP packets in the kernel.
OpenS/WAN packages
| Distribution | Userspace RPM | Source RPM |
| SL 9.1 i386 | 2.2.0 | 2.2.0 |
| SL 9.1 x86-64 | 2.2.0 | 2.2.0 |
All OpenS/WAN packages include the NAT-Traversal, Delete-Notification, Alg and Dead Peer Detection
patches. XAUTH support is also included (don't use it, it's insecure).
I've also added the MS2LT client patches.
About the packages
- Modules:
  To install a module, copy it to the right place, e.g.
  /lib/modules/2.2.19/ipv4/ipsec.o (2.2.19 kernel) or
  /lib/modules/2.4.4-4GB/kernel/net/ipv4/ipsec.o (2.4.4-4GB kernel).
- Userspace RPMs:
  Just install using rpm -U. Note: the userspace RPM and the kernel module (KLIPS)
  should match (this does not apply to 2.6 or to 2.4 CGL kernels, which
  have in-kernel IPsec support).
- Source RPMs:
  If you are using an architecture other than i386 and x86_64, or
  you want to compile the RPMs for a distribution other than the ones
  provided here, download the source RPM and rpm --recompile it.
  After a successful build, the binary RPMs will be found below
  /usr/src/packages/RPMS/<arch>/ and can be installed from there.
- km RPMs:
  To build kernel modules, SuSE uses so-called km packages.
  Note that the CGL kernels have IPsec integrated and do not need an
  extra module built. The same is true for 2.6 kernels.
  To use a km package, you need a properly configured kernel source tree
  under /usr/src/linux/. Then:
  - Install the km_freeswan RPM with rpm -i.
    The module sources will be under /usr/src/kernel-modules/zz_freeswan/.
  - If you are using a 2.2.19 kernel, you probably need to copy the
    net.Config.in file over
    /usr/src/kernel-modules/zz_freeswan/klips/patches/net.Config.in.
  - cd /usr/src/kernel-modules/zz_freeswan
  - make -f Makefile.module
  - make -f Makefile.module install
- Signatures:
  Please check the GnuPG signatures. I created detached signatures
  for all modules and signed them with my key. My (public) key can be found on
  keyservers or here.
  Verify the signatures using the gpg --verify command.
  The latest packages do not have detached signatures; instead the RPMs
  themselves are signed, either with my key or with the SuSE Package Signing Key.
  Use rpm -v --checksig to verify.
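The trap with rpm --checksig is that it also prints OK for a package that carries no signature at all, because the digests it computes still match; and when the signer's key has not been imported into the rpm keyring (rpm --import) a signed package shows up as NOT OK (MISSING KEYS). The following is an added example, not code from this page or from FreeS/WAN: a small Python helper that classifies rpm --checksig result lines so that only packages with a verified signature get installed, plus thin wrappers around the real rpm and gpg commands for the detached .sig files of the modules. It assumes the output formats of rpm 4.x ("(sha1) dsa sha1 md5 gpg OK", "... (GPG) NOT OK (MISSING KEYS: ...)") and of newer rpm ("digests signatures OK"); the package names and key ID in the sample lines are constructed placeholders.

```python
"""Classify 'rpm --checksig' results and verify detached GnuPG signatures.

Added example, not part of this page or of FreeS/WAN. Output formats handled:
rpm 4.x   "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"
          "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)"
          "pkg.rpm: sha1 md5 OK"                 <- unsigned, still says OK
newer rpm "pkg.rpm: digests signatures OK", "pkg.rpm: digests OK"
"""
import re
import subprocess
from typing import List, Optional, Tuple

# A signature was checked and is good only if the signature token itself
# reports OK. "sha1 md5 OK" alone means: digests match, nobody signed it.
_SIG_OK = re.compile(r"\b(?:gpg|pgp|signatures)\s+OK\s*$", re.IGNORECASE)
_ANY_OK = re.compile(r"\bOK\s*$", re.IGNORECASE)


def checksig_status(line: str) -> str:
    """Classify one 'rpm --checksig' (rpm -K) result line.

    "verified"    signature present and good against an imported key
    "missing-key" signed, but the signer's key is not in the rpm keyring
    "bad"         digest or signature mismatch: do not install
    "unsigned"    digests OK but no signature: rpm prints OK here, which is the trap
    "unknown"     anything else
    """
    text = line.strip()
    if "MISSING KEYS" in text.upper():
        return "missing-key"
    if re.search(r"\bNOT OK\b", text, re.IGNORECASE):
        return "bad"
    if _SIG_OK.search(text):
        return "verified"
    if _ANY_OK.search(text):
        return "unsigned"
    return "unknown"


def installable(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split checksig output into package names safe to install and ones to reject."""
    ok, rejected = [], []
    for line in lines:
        name = line.split(":", 1)[0].strip()
        (ok if checksig_status(line) == "verified" else rejected).append(name)
    return ok, rejected


def rpm_checksig(paths: List[str]) -> List[str]:
    """Run the real 'rpm --checksig' and return its result lines.
    rpm exits non-zero if any check fails, so stdout is read regardless."""
    proc = subprocess.run(["rpm", "--checksig"] + paths, capture_output=True, text=True)
    return proc.stdout.splitlines()


def gpg_verify_detached(module_path: str, sig_path: Optional[str] = None) -> bool:
    """Verify a detached signature (e.g. ipsec.o.sig over ipsec.o) with gpg.
    gpg exits 0 only for a good signature from a key in the keyring."""
    sig_path = sig_path or module_path + ".sig"
    proc = subprocess.run(["gpg", "--verify", sig_path, module_path], capture_output=True)
    return proc.returncode == 0


# Constructed sample output (placeholder package names and key ID), not real rpm output.
SAMPLE_CHECKSIG_OUTPUT = [
    "freeswan-1.99_0.9.34-1.i586.rpm: (sha1) dsa sha1 md5 gpg OK",
    "km_freeswan-1.99_0.9.34-1.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)",
    "rebuilt-unsigned-1.99-1.i586.rpm: sha1 md5 OK",
    "tampered-1.99-1.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK",
]

if __name__ == "__main__":
    good, rejected = installable(SAMPLE_CHECKSIG_OUTPUT)
    print("install:", good)
    print("reject: ", rejected)
```

Run installable(rpm_checksig(paths)) on the downloaded RPMs and feed only the first list to rpm -U; a "missing-key" result is the cue to fetch the signer's key from a keyserver and rpm --import it, not to skip the check.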
Notes about SuSE Linux distributions
When I started this page, I wanted to offer an easy way to get working
FreeS/WAN packages for SuSE Linux 7.2. Unfortunately, the version 1.9
shipped with SuSE Linux 7.2 had many problems, so I offered
1.91, which solved the trouble.
Nowadays, I use the page to offer newer packages or experimental features
for interested users.
SuSE integrated the USAGI patches into service pack 2 of SuSE Linux
Enterprise Server 8 (SuSE's enterprise product). Update kernels
for SuSE Linux 8.1 since June 2003 also include the USAGI patches.
These provide superior IPv6 support to fulfill the CGL criteria,
including IPsec for IPv6.
Changes:
- The kernel module is part of the kernel now (patched in)
and not produced via an external package (km_freeswan) any more.
- AES is supported in addition to 3DES
- Rudimentary IPv6 support in Pluto
- pfkey utility to manage keys and configure Security Policies or
Associations
- Some /proc files are gone, most notably eroute
- Opportunistic encryption has not been tested and may be broken
- IP Compression is not supported and needs to be switched off
The new IPsec kernel module unfortunately breaks
FreeS/WAN, due to a different pfkey protocol.
Keys for connections can be managed by the pfkey utility,
but we've also created adapted FreeS/WAN packages.
These won't work on normal kernels, nor will
normal FreeS/WAN packages work on a USAGI/CGL kernel.
Kernels with the USAGI patches are denoted as CGL.
Before the USAGI patches were merged, we had a patch that caused
trouble for people trying to compile FreeS/WAN on
their own: we dropped the inet peer cache. This changes the
ip_select_ident() interface. You need to apply this
patch
to compile the KLIPS kernel module.
Another note: the CGL/USAGI versions of FreeS/WAN and the corresponding
kernels will display the error message
Checking for KLIPS support in kernel [FAILED]
when you run ipsec verify. This is normal and does not indicate a
problem. There is no KLIPS module, as we have the USAGI IPsec code
in the kernel, similar to the in-kernel code in 2.6 (but unfortunately
not similar enough to be usable without userspace modifications).
Notes about features
- All packages include the
X.509 patches from Andreas Steffen. These allow the use of
certificates instead of raw RSA keys. This makes it possible to control
the allowed connections from a central instance, the Certification
Authority (CA): keys are signed by the CA and wrapped in certificates,
and a valid CA signature is enough authentication to allow a peer to
connect even without prior knowledge of its public key.
The versions from 0.9.16 on contain the port selectors patch
(Stephen Bevan), which allows choosing connections based on ports.
- The ISAKMP daemon (pluto in FreeS/WAN) exchanges messages to negotiate
the security parameters (keys, ciphers, ...). Besides the
messages needed to implement this, there are informational
messages that the peer may choose to make use of or ignore.
One of the more useful message types tells the other side
that a connection is going down, so the other side can clean up
the resources associated with it. The so-called
Delete Notifier Patch
from Mathieu Lafon implements this.
- When sitting behind a machine that does network address translation
(NAT), IPsec is difficult to do. If the router doing NAT
supports IPsec pass-through, one can designate one machine that
the IPsec packets get forwarded to, and things are fine (ESP carries
no port numbers, so a NAT cannot tell more than one inside host apart).
Otherwise the rewriting of the sender and receiver addresses breaks IPsec:
the packets don't match the connection any more.
To overcome this, there is a draft proposal to encapsulate ESP
packets in UDP packets. The addresses of the UDP packets may be
rewritten; the ESP packets inside stay valid. This technique is called
NAT-Traversal. There are
patches (also from Mathieu Lafon) that implement
NAT-Traversal in FreeS/WAN.
Unfortunately, they require a
kernel patch, which has not been applied to the
official SuSE kernel sources, so you need to apply it and
recompile your kernel if you want to make use of NAT-Traversal.
Update: the update kernels for SUSE Linux 8.2 contain the
patch since 2004-04-14 (2.4.20-109), so you no longer need to compile a
kernel of your own to use NAT-T. All 2.6 kernels that
we shipped (SL9.1 and later) also contain support for NAT-T.
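To make the encapsulation concrete, here is an added example (not code from the page or from the NAT-T patches) of what a receiver on the NAT-T port has to do with each UDP datagram, and why a NAT in the middle does not disturb the ESP packet inside. It assumes the final encoding of the NAT-T draft (RFC 3948/3947): on UDP port 4500 a datagram is ESP if its first four bytes are the ESP SPI (never zero), IKE if it starts with a four-byte zero "non-ESP marker" in front of the ISAKMP header, and a NAT keepalive if it is a single 0xFF byte. The sample ESP and ISAKMP bytes are constructed, not captured traffic, and the NAT is simulated as a plain address/port rewrite.

```python
"""Demultiplex UDP-encapsulated IPsec (NAT-Traversal) and simulate a NAT in the path.

Added example, not FreeS/WAN or NAT-T patch code. Assumes the RFC 3948/3947
framing on UDP/4500: ESP carried as-is (SPI first, SPI 0 is reserved), IKE
behind a 4-byte zero non-ESP marker, keepalive = one 0xFF byte.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # cannot be ESP: SPI 0 is reserved
NAT_KEEPALIVE = b"\xff"                # 1-byte payload keeping the NAT mapping alive
ESP_HEADER = struct.Struct("!II")      # SPI, sequence number (first 8 bytes of ESP)
ISAKMP_HEADER_LEN = 28


@dataclass
class NatTPacket:
    kind: str                          # "esp", "ike" or "keepalive"
    spi: Optional[int] = None          # ESP SPI (esp only)
    seq: Optional[int] = None          # ESP sequence number (esp only)
    inner: bytes = b""                 # ESP or ISAKMP bytes with the NAT-T framing removed


def classify_nat_t_payload(udp_payload: bytes) -> NatTPacket:
    """Decide what a datagram received on UDP/4500 carries."""
    if udp_payload == NAT_KEEPALIVE:
        return NatTPacket("keepalive")
    if len(udp_payload) < ESP_HEADER.size:
        raise ValueError("too short for ESP or for IKE with non-ESP marker")
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            raise ValueError("non-ESP marker followed by a truncated ISAKMP header")
        return NatTPacket("ike", inner=ike)
    spi, seq = ESP_HEADER.unpack_from(udp_payload)
    return NatTPacket("esp", spi=spi, seq=seq, inner=udp_payload)


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP payload for an ESP packet: the ESP packet itself, no marker."""
    (spi,) = struct.unpack_from("!I", esp_packet)
    if spi == 0:
        raise ValueError("SPI 0 would be mistaken for the non-ESP marker")
    return esp_packet


def encapsulate_ike(isakmp_message: bytes) -> bytes:
    """UDP payload for an IKE message on port 4500: prepend the non-ESP marker."""
    return NON_ESP_MARKER + isakmp_message


# (src ip, src port, dst ip, dst port, UDP payload); the outer IP/UDP header a NAT rewrites
Datagram = Tuple[str, int, str, int, bytes]


def nat_rewrite(dgram: Datagram, public_ip: str, public_port: int) -> Datagram:
    """What a NAT does on the way out: new source address and port, payload untouched."""
    _, _, dst_ip, dst_port, payload = dgram
    return (public_ip, public_port, dst_ip, dst_port, payload)


# Constructed samples: 16 filler bytes stand in for ESP ciphertext/ICV; ISAKMP header with
# initiator cookie, zero responder cookie, next payload 1, version 1.0, exchange type 2.
SAMPLE_ESP = ESP_HEADER.pack(0x0BADCAFE, 7) + b"\xa5" * 16
SAMPLE_IKE = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN)


def nat_transit_demo() -> Tuple[NatTPacket, NatTPacket]:
    """Send an encapsulated ESP packet through a simulated NAT; classify before and after."""
    inside = ("192.168.1.10", NAT_T_PORT, "203.0.113.5", NAT_T_PORT, encapsulate_esp(SAMPLE_ESP))
    outside = nat_rewrite(inside, "198.51.100.1", 61000)
    return classify_nat_t_payload(inside[4]), classify_nat_t_payload(outside[4])


if __name__ == "__main__":
    before, after = nat_transit_demo()
    print("ESP SPI before NAT: %08x, after NAT: %08x" % (before.spi, after.spi))
    print(classify_nat_t_payload(encapsulate_ike(SAMPLE_IKE)).kind,
          classify_nat_t_payload(NAT_KEEPALIVE).kind)
```

The SPI check in encapsulate_esp is the reason the non-ESP marker works at all: because SPI 0 is reserved, four zero bytes can never be a real ESP packet, so one UDP port suffices for both IKE and ESP.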
- 3DES is considered a secure symmetric cipher, but is comparatively slow
in software. Newer algorithms such as Rijndael (AES) or
Schneier's Blowfish and Twofish are considered at least as
secure, but can be implemented much more efficiently (about a factor of 4) in
software. Thus using AES128 or Blowfish can save you three quarters
of the CPU time needed to encrypt or decrypt the IPsec packets (if
you are bound by the CPU, it will increase the throughput by a
factor of four).
The
Alg patches from Juan Jose Ciarlante add the ciphers
AES, Blowfish and Twofish to 3DES.
Some performance data:
IPsec cipher performance (MB/s)
| CPU | 3DES | AES128 | Blowfish | Twofish |
| 21164A 600 | 3.0 | 12.3 | 18.4 | 14.4 |
| iPIII (Cop) 500 | 4.1 | 19.3 | 18.5 | 15.1 |
| K7 700 | 6.3 | 27.5 | 30.8 | 7.4 |
| iP4 1700 | 11.7 | 60.9 | 44.9 | 28.9 |
- The CGL kernel supports AES128 encryption and decryption for ESP.
Unfortunately, the freeswan userspace as contained in
SLES8SP2/3 and in SL90 did not advertise this ability,
so it was neither set up nor used. The packages offered
for download here fix this.
- Informational messages can also be used to check whether the other
side is still alive. This is called Dead Peer Detection (DPD)
and is also specified by an Internet draft.
There is an implementation based on patches by SnapGear, improved
by Paweł Krawczyk and Ken Bantoft (SuperFreeS/WAN). I have extracted two patches, the
original one from Paweł and the
diffs to the version in SuperFreeS/WAN,
and applied them to our packages.
Note that SuperFreeS/WAN still has a few more patches, e.g. the
Aggressive Mode patch. For SL91, there are OpenS/WAN (successor to
SuperFreeS/WAN) packages available, see above. SL92 ships with
OpenS/WAN, thus there are no updates on this page for SL92.
Links
Trademarks are registered trademarks of their owners.
Note: This page has been redesigned. The old page is here.
(w) Kurt Garloff, 2004-11-13.