2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / INSTALL

If you are a non-expert, you should not be working from this file.
Instead, you should work from the HTML documentation, starting with
the Introduction (see README).  The rest of this file is FOR EXPERTS ONLY.

doc/impl.notes discusses some expert-only side issues; doc/kernel.notes
is some (old) notes on kernel-building fine points.

If you have used an earlier version, read the CHANGES and BUGS files.

0. You must configure and build your own Linux kernel first, and you
preferably should boot it to confirm that it works.  Also, if humanly
possible, configure and test your network(s) without IPsec first, to make
sure packets really can get from one end to the other.  Also, your system
now needs to have the GMP library, including any "GMP development" package
as well as GMP itself; this is part of normal Linux distributions but
often isn't installed unless you ask for it.  (Note, there is also a GPM
library, which is completely unrelated to GMP despite the similar names.)

1. Do ONE of the following commands, depending on how you configure your
kernel.  (This configures, builds, and installs IPsec, except it does not
install the new kernel.  The kernel build includes "make dep clean".)

        # pick one; does more than just configure!
        make menugo             # use menuconfig
        make xgo                # use xconfig
        make ogo                # use config
        make oldgo              # use oldconfig

Experimentally, you can substitute (e.g.) "menumod" and have only the
kernel modules, not the whole kernel, rebuilt.  You must configure IPsec
as a module for this to work.

2. IPsec-related configuration settings are under "Networking options". 
Most relevant things are now right by default.  Some seemingly-unrelated
options get turned on automatically because IPsec needs them.  Beware that
the 2.2.xx "advanced router" causes problems:  its "rp_filter" subsystem
often must be turned off for IPsec to work, and just leaving the whole
thing disabled is the simplest approach unless you know what you're doing.
Turning "IPSEC Debugging Option" off may look attractive but is unwise.

3. Save the new configuration settings, even if you have made no changes;
KLIPS will not be part of your kernel configuration without such a save.

4. Wait.  The compile and kernel build take a while, perhaps 15min on a
200MHz PCI machine with 32MB and good disks.  No interaction is needed
after the configuration save.  A report on kernel patching is left in the
file out.kpatch; the kernel build output is left in out.kbuild.  Proper
error checking is done at every step:  the make WILL STOP if something
goes wrong (even in the Linux kernel Makefiles, which are careless about
this themselves -- their output is caught and checked). 

5. Most of the user-level utilities are now in /usr/local/lib/ipsec, with
the "ipsec" command in /usr/local/sbin to provide easy access to the rest. 
(Our procedures generally assume that /usr/local/sbin is in your shell's
search path.)  The manual pages are in /usr/local/man/man[1-8], mostly
under names starting with "ipsec_".  The new kernel is built but not yet
installed.  At boot time, KLIPS and Pluto will start automatically. 

6. Install the new kernel.  *IF* kernel install on your system uses the
kernel's own "make install" (and perhaps "make modules_install"), then as
a convenience, you can do it from our top-level directory by: 

        make kinstall           # only if using kernel "make install" etc.

This is properly error-checked, and the output is left in out.kinstall. 

7. Edit the /etc/ipsec.conf and /etc/ipsec.secrets configuration files as
necessary (see doc/intro.html or the manpages).  The Makefile will not
overwrite them if run again. 

8. Reboot.

This file is RCSID $Id: INSTALL,v 1.107 2001/05/30 12:57:13 henry Exp $