IPsec modules and packages for SuSE Linux 7.2
The 2.4 kernel module for the ipsec (FreeS/WAN) support does not work as
expected. Problem seems to be that I had to patch FreeS/WAN-1.9 to get the
module compiled under 2.4.4 (2.4.5pre). Most probably I did miss some things.
Sorry about that!
I used FreeS/WAN-1.91 to fix this.
All ipsec modules were built for Pentium kernels with FreeS/WAN 1.91 code.
In case you're running FreeS/WAN-1.9 you need to upgrade userspace (the
FreeS/WAN package) as well. See below ...
- 2.2.19: Std, SMP, 2GB, 2GB-SMP
- 2.4.4: Std, 4GB, SMP, 4GB-SMP, 64GB-SMP
- 2.4.7: Std, SMP, 4GB, 4GB-SMP, 64GB, 64GB-SMP
- 2.4.16: Std, SMP, 4GB, 4GB-SMP, 64GB-SMP
To install the module, copy it to the right place. This is e.g.
/lib/modules/2.2.19/ipv4/ipsec.o (2.2.19 kernel) or
/lib/modules/2.4.4-4GB/kernel/net/ipv4/ipsec.o (2.4.4-4GB kernel).
RPMs
Updated RPMs with FreeS/WAN-1.91 are available here. They were built for SuSE
Linux 7.x (i386). They are not (yet) official SuSE packages, because I did
not yet properly test them. Note that you still need the kernel modules
(they are NOT part of the RPM), unless you use the km_freeswan to build a
module yourself. Here you will find RPMs for FreeS/WAN with the X.509 patch
in both versions, 0.8.5 and 0.9.2.
Download:
- SuSE Linux 7.3 (i386), FreeS/WAN 1.91, X.509 0.9.2
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - kernel module source package
- SuSE Linux 7.2 (i386), FreeS/WAN 1.91, X.509 0.9.2
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - kernel module source package
- SuSE Linux 7.2 (i386), FreeS/WAN 1.91, X.509 0.8.5
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - kernel module source package
- SuSE Linux 7.1 (i386), FreeS/WAN 1.91, X.509 0.9
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - Use the 7.2 km_freeswan package to build a module yourself if necessary. You may need to copy this file to klips/patches/net.Config.in.
- SuSE Linux 7.1 (i386), FreeS/WAN 1.91, X.509 0.8.5
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - Use the 7.2 km_freeswan package to build a module yourself if necessary. You may need to copy this file to klips/patches2.3/net.Config.in.
- SuSE Linux 7.0 (i386), FreeS/WAN 1.91, X.509 0.9
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - Use the 7.2 km_freeswan package to build a module yourself if necessary.
- SuSE Linux 7.0 (i386), FreeS/WAN 1.91, X.509 0.8.5
  - FreeS/WAN 1.91 Source RPM
  - FreeS/WAN 1.91 i386 RPM
  - Use the 7.2 km_freeswan package to build a module yourself if necessary.
Note that I also put detached GnuPG signatures (using my personal key) for
each of the files in the directories, so you might want to get those from
the modules, the 7.3 RPMs, 7.2 RPMs, 7.1 RPMs, or the 7.0 RPMs directories.
Building the kernel module
Note: If you use SuSE kernels, it should never be necessary to build a
module yourself. Instead use the ones above. Otherwise
you may want to compile them yourself.
Preconditions: You have the kernel source tree correctly configured and
installed in /usr/src/linux. It should be the same kernel you are running
(or want to run after the next boot). If you run an unmodified SuSE Linux
kernel, the easiest way is to install the kernel-sources package and run
cd /usr/src/linux; zcat /proc/config.gz > .config; make oldconfig
to get a configured kernel source tree.
- Get the km_freeswan RPM. It looks like a binary RPM but in reality it's not.
- Install it with rpm -i. The module sources will be under /usr/src/kernel-modules/zz_freeswan/
- If you are using a 2.2.19 kernel, you probably need to copy the net.Config.in file over /usr/src/kernel-modules/zz_freeswan/klips/patches/net.Config.in.
- cd /usr/src/kernel-modules/zz_freeswan
- make -f Makefile.module
- make -f Makefile.module install
Note that I put up this page to help people having difficulties with
installing FreeS/WAN, partly due to the fact that the FreeS/WAN-1.9 modules
on SuSE Linux 7.2 for 2.4.4 did not work correctly. This is NOT an official
SuSE update and you should refrain from contacting SuSE support about it.
Please report problems to me.
FreeS/WAN 1.95-0.9.8 packages to test for SuSE Linux 7.3 and 7.2
FreeS/WAN on SuSE Linux 7.3 works.
Anyway, development goes on and features are added and bugs fixed.
If you have problems with masquerading in your IPsec gateway, you may want
to give FreeS/WAN-1.95 a try, for example. I integrated the X.509 patch
version 0.9.8 into the package.
Here's what you need:
FreeS/WAN 1.98b-0.9.13 packages to test for SuSE Linux 8.0 and 7.3
Here are RPMs for SuSE Linux 7.3 and 8.0 to test FreeS/WAN-1.98b with the
X.509 patch 0.9.13:
FreeS/WAN 1.98b-0.9.15 with Mathieu Lafon's delete notifier patch from Arkoon: packages to test for SuSE Linux 8.1 and 8.0
Note: The NAT-Traversal patch has not been integrated (yet?).
It requires kernel changes and also needs some review before I can offer it.
- The userspace package: 8.0 RPM (SuSE Linux 8.0, ix86), 8.1 RPM (SuSE Linux 8.1, i586).
- You need to compile your own kernel module by using the km_freeswan package as described above.
- The source RPM is also available.
FreeS/WAN-1.98b-0.9.14 packages for the CGL kernels
For service pack 2 of SuSE Linux Enterprise Server powered by UnitedLinux,
the features of the CGL spec 1.1 have been added to the kernel. This meant
massive changes in the IPv6 area (USAGI patches plus many fixes). IPsecv6
is also supported in that kernel. The changes in the IPsec area are:
- The kernel module is part of the kernel now (patched in) and not produced via an external package (km_freeswan) any more.
- AES is supported in addition to 3DES
- Rudimentary IPv6 support in Pluto
- pfkey utility to manage keys and configure Security Policies or Associations
- Some /proc files are gone, most notably eroute
- Opportunistic encryption has not been tested and may be broken
- IP Compression is not supported and needs to be switched off
Consequently, the FreeS/WAN packages needed some changes. Find here
the userspace packages for SLES8-SP2:
Note: The latest update kernel for SuSE Linux 8.1 with the security
fixes includes the CGL changes and thus needs this FreeS/WAN userspace
package.
FreeS/WAN 1.99-0.9.23 packages with Mathieu Lafon's delete notifier and the NAT-Traversal patches from Arkoon, and with the alg patch from Juan Jose Ciarlante, to test for SuSE Linux 8.1
Note: The NAT-Traversal patch has been integrated, but the kernel
(on the server side) needs this patch.
- The userspace package: 8.1 RPM (SuSE Linux 8.1, i586).
- You need to compile your own kernel module by using the km_freeswan package as described above.
- The source RPM is also available.
Security: Please check the GnuPG signatures. I created detached signatures
for all modules and signed them with my key. My (public) key can be found on
keyservers or here.
For checking whether your browser corrupted the files during download,
you may want to have a look at the MD5SUMS.
The latest packages do not have detached signatures, but instead the RPMs are
signed.
Please don't ask me how to check the integrity with GnuPG or md5sum. Read
the manpages! It's a very good idea to get some of the very basic knowledge
before doing something like setting up an IPsec tunnel.
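The two checks described above, as an added shell example (not the author's script): MD5SUMS only catches transfer corruption, so the detached signature is what establishes that a file came from the key holder. The directory layout, the <file>.asc / <file>.sig naming and the overridable GPG variable are assumptions.

```shell
#!/bin/sh
# Added example: integrity and authenticity checks for a download directory.
# Assumed layout (not from the page): DIR/MD5SUMS plus one detached
# signature per file, named <file>.asc or <file>.sig.
GPG=${GPG:-gpg}   # overridable so the logic can be exercised without a keyring

# check_md5sums DIR -> 0 if every file listed in DIR/MD5SUMS matches.
# This only detects corruption: whoever can replace a file on the server
# can replace MD5SUMS as well.
check_md5sums() {
    ( cd "$1" && md5sum -c MD5SUMS >/dev/null 2>&1 )
}

# check_signatures DIR -> 0 only if every payload file has a detached
# signature that verifies. A missing signature counts as a failure, so a
# file dropped in without one cannot slip through.
check_signatures() {
    sig_rc=0
    for f in "$1"/*; do
        case "$f" in
            *.asc|*.sig|*/MD5SUMS) continue ;;   # not payload files
        esac
        [ -f "$f" ] || continue
        sig=
        for cand in "$f.asc" "$f.sig"; do
            if [ -f "$cand" ]; then sig=$cand; fi
        done
        if [ -z "$sig" ]; then
            echo "UNSIGNED $f" >&2; sig_rc=1
        elif ! $GPG --verify "$sig" "$f" >/dev/null 2>&1; then
            echo "BAD SIG  $f" >&2; sig_rc=1
        fi
    done
    return $sig_rc
}

# verify_dir DIR -> 0 only if both checks pass.
verify_dir() {
    check_md5sums "$1" || { echo "MD5 mismatch in $1" >&2; return 1; }
    check_signatures "$1"
}

if [ $# -gt 0 ]; then verify_dir "$1"; fi
```

gpg --verify succeeds for a good signature from any key in the keyring, so import only the author's key and compare its fingerprint through a second channel first. For the later packages that ship as signed RPMs, rpm --checksig on the package takes the place of the detached-signature step.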
Links
(w) Kurt Garloff, 2003-03-05.