3 <meta http-equiv="Content-Type" content="text/html">
4 <title>FreeS/WAN installation</title>
6 content="Linux, IPsec, VPN, security, FreeSWAN, installation, kernel">
9 Written by Sandy Harris for the Linux FreeS/WAN project
10 Freely distributable under the GNU General Public License
12 More information at www.freeswan.org
13 Feedback to users@lists.freeswan.org
16 RCS ID: $Id: install.html,v 1.37 2002/03/24 18:47:35 sandy Exp $
17 Last changed: $Date: 2002/03/24 18:47:35 $
18 Revision number: $Revision: 1.37 $
20 CVS revision numbers do not correspond to FreeS/WAN release numbers.
25 <h1><a name="install">Installing FreeS/WAN from source</a></h1>
27 <h2><a name="who.install">Not everyone needs to install from source</a></h2>
29 <p>Some Linux distributions, <a href="intro.html#distwith">listed in the
30 introduction</a>, ship with FreeS/WAN included. If you are using one of them,
31 you need not perform a FreeS/WAN installation. That should all be done for
32 you already. All you have to do is:</p>
34 <li>include FreeS/WAN in your installation choices, or add it to your
35 configuration later</li>
36 <li>if you install kernel source, be sure to use a version which includes
37 the FreeS/WAN patches. This should be available from your CDs or from the
38 web site for your distribution.</li>
41 <p>For other distributions, you may be able to find pre-packaged RPMs and use
42 the <a href="quickstart.html">simple installation</a> we describe in our
quickstart document.</p>
45 <p>If either of those methods works for you, we recommend you use it. Once
46 that is done, continue at <a href="quickstart.html#enable">enabling
47 FreeS/WAN</a> in our quickstart document.</p>
49 <h2>Some people do need to install from source</h2>
51 <p>Unfortunately, due to <a href="politics.html#exlaw">export laws</a>
52 restricting distribution of strong cryptography, not all distributions
53 include FreeS/WAN. Moreover, the standard kernel does not include the kernel
54 parts of FreeS/WAN.</p>
56 <p>Also, if you need to add patches to the FreeS/WAN code (see <a
57 href="web.html#patch">this list</a>), you need to do that and then install
58 FreeS/WAN from the patched source.</p>
60 <p>Many people will need to install FreeS/WAN from source, including patching
61 and rebuilding their kernel.</p>
63 <p>Information on <a href="#not-install">re-installing or un-installing</a>
64 is provided near the end of this document.</p>
66 <h2><a name="before">Before starting the install</a></h2>
68 <p>Configure, compile, install, and test a Linux kernel, without
71 <p>If you have not done this before, you will need to read the <a
72 href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel HowTo</a>.
73 You might also look at this <a
74 href="http://www.techtv.com/screensavers/print/0,23102,2433297,00.html">magazine
77 <h3><a name="choosek">Choosing a kernel</a></h3>
<p>The general rule is to choose a current release of a production kernel -- the
latest 2.2 or 2.4.</p>
82 <p>For specific information on which kernels a FreeS/WAN release supports,
83 see the <a href="../README">README</a> file in that release.</p>
85 <h4><a name="2.2">2.2.x for many users</a></h4>
87 <p>Many users can continue to run kernels from the 2.2 series of Linux
88 production <a href="glossary.html#kernel">kernels</a>.</p>
90 <p>We recommend using the latest release in that series. At time of writing
91 (Feb 2002), that is 2.2.20.</p>
93 <p>If you need to use an older 2.2.x kernel for some reason, be warned that
94 recent versions of FreeS/WAN will not compile out-of-the-box on a kernel
95 earlier than 2.2.19. A workaround is described in the FreeS/WAN 1.91 section
96 of our <a href="../CHANGES">CHANGES</a> file. See the <a
97 href="mail.html">mailing list archives</a>, around June 2001, for more
98 details if needed.</p>
100 <h4><a name="2.4">2.4.x is possible</a></h4>
101 The 2.4 series of kernels are currently (Feb 2002) at 2.4.18.
<p>2.4 has new firewalling code called <a
href="http://www.netfilter.org">netfilter</a>. This may provide good reasons
to move to 2.4, especially for gateway machines.</p>
107 <p><strong>Do not use 2.4.15</strong>; it has a bug that causes file system
110 <h4><a name="2.0">2.0.x may still work</a></h4>
112 <p>If you must use the older 2.0.x kernel series -- for example because you
113 need some driver that has not been ported to later kernels -- you may be in
114 luck. When last tested, FreeS/WAN worked fine on 2.0.39.</p>
116 <p>On the other hand, you may have problems in the future. Recent versions of
117 FreeS/WAN are not heavily tested on 2.0 kernels -- most of both the
118 development team and the user community are on 2.2, or even 2.4, by now --
119 and <strong>we are almost certain to drop 2.0 support</strong> whenever some
120 problem crops up that would mean retaining it required significant work from
123 <h4><a name="devkernel">Development kernels</a></h4>
124 Development kernels are a separate series, work-in-progress versions for use
125 by kernel developers. By convention, production kernels have an even second
126 digit in the version number (2.0, 2.2, 2.4) and development kernels have an
127 odd digit there (2.1, 2.3, 2.5).
129 <p><strong>Development kernels are not intended for production use</strong>.
130 They change often and include new code which has not yet been thoroughly
131 tested. <strong>These changes often break things, including
132 FreeS/WAN</strong>. The FreeS/WAN team does not have the resources to chase
133 the moving target; our priority is developing FreeS/WAN on stable kernels. If
134 you encounter a problem on a development kernel, please solve it (you are a
135 developer, aren't you?) and send us a patch. Of course, we will happily
136 discuss problems and solutions on the <a href="mail.html">mailing list</a>,
137 but we are unlikely to do much work on actually implementing a solution.</p>
139 <p>Fortunately we have a user who regularly fixes problems with FreeS/WAN on
140 development kernels (merci, Marc), and we do fix some ourselves. FreeS/WAN
141 often works just fine on a development kernel; it's just that there's no
144 <p>If you are going to test FreeS/WAN with a development kernel, we recommend
145 you <strong>use our latest snapshot</strong>. This is the FreeS/WAN version
146 most likely to have the patches required to work on a recent development
147 kernel. The released version of FreeS/WAN is likely to be out of date for
150 <h3><a name="getkernel">Things you must have installed</a></h3>
152 <p>If you have a CD distribution of Linux, it should include everything you
<h4><a name="tool.lib">Tools and libraries</a></h4>
157 Use your distribution's tools to load:
161 <li>a GNU C compiler (gcc or egcs)</li>
162 <li>assembler and linker for your architecture (the bin86 package on
164 <li>miscellaneous development tools such as make(1) and patch(1)</li>
167 <li>libraries, both headers and object modules
169 <li>standard compiler libraries such as glibc</li>
170 <li>the GMP (<strong>G</strong>NU
171 <strong>M</strong>ulti-<strong>P</strong>recision) library, required
172 for Pluto's public key calculations.</li>
173 <li>ncurses library if you want to use menuconfig (recommended)</li>
178 <p>There are some <strong>common slips</strong> worth avoiding here:</p>
180 <li>not installing the GMP library. Pluto will not compile without it. See
181 the FreeS/WAN FAQ for <a href="faq.html#gmp.h_missing">more detail</a> if
183 <li>not installing patch(1). Our scripts need it to apply our patches to
187 <h4><a name="kernel.">Kernel source code</a></h4>
189 You need the source code for the kernel because you must patch and re-compile
190 it to install FreeS/WAN. There are several places you can get this:
192 <li>off your distribution CDs</li>
<li>from your distribution vendor's website</li>
194 <li>from kernel.org</li>
197 <h5><a name="kernel.cd">Kernel from CD</a></h5>
198 You can install the kernel from your distribution CD. It may be in two
201 <li>kernel source</li>
202 <li>kernel headers</li>
204 However, if your CD is not recent, it may have an older kernel, in which case
205 we suggest getting more recent kernel source from the net.
207 <h5>Vendor kernels</h5>
209 <p>All the major distribution vendors provide kernel source. See for
212 <li>Red Hat's list of <a href="http://www.redhat.com/mirrors.html">mirror
215 href="http://www.suse.com/us/support/download/index.html">download
219 <p>Using a kernel from your distribution vendor may save you some annoyance
222 <p>Different distributions put the kernel in different places (/vmlinuz,
223 /boot/vmlinuz, /boot/vmlinuz-2.2.15 ...) and set lilo (the
224 <strong>Li</strong>nux <strong>lo</strong>ader) up differently. With a kernel
225 from your distribution vendor, everything should work right. With other
226 combinations, a newly compiled kernel may be installed in one place while
227 lilo is looking in another. You can of course adjust the kernel Makefile
228 and/or /etc/lilo.conf to solve this problem, but we suggest just avoiding
<p>Also, distribution vendors may include patches or drivers which are not
232 part of the standard kernel. If you install a standard kernel, you must
233 either do without those features or download those patches and add them
236 <h5>Kernels from kernel.org</h5>
237 For kernels direct from Linus, without any distribution vendor's
238 modifications, see the <a
239 href="http://www.kernel.org/mirrors/">kernel.org</a> mirror list, or go
directly to <nobr><var>ftp.&lt;country&gt;.kernel.org</var>,</nobr> with the
241 appropriate two-letter country code inserted.
243 <h4>Once you've found a kernel</h4>
245 <p>Once you have found suitable kernel source, choose a mirror that is close
246 to you and bookmark it.</p>
248 <p>Kernel source normally resides in <var>/usr/src/linux</var>, whether you
249 load it from a distribution CD or download a tar file into
250 <var>/usr/src</var> and untar it there. Unless you both have unusual
251 requirements and know exactly what you're doing, we recommend you put it
254 <p><strong>Note:</strong> Some recent distributions (certainly Redhat 7.2 and
255 Mandrake 8.1, perhaps others) put kernel source code in a directory named
256 <var>linux-2.4</var> while FreeS/WAN expects to find it in <var>linux</var>,
257 which is where all distributions used to put it and the kernel.org kernels
258 still do. If your distribution uses <var>linux-2.4</var>, then <strong>you
259 must create a symbolic link to <var>linux</var></strong> before proceeding
260 with your FreeS/WAN install. See the man page for ln(1) for details of how to
261 do this if required.</p>
263 <h3>Getting FreeS/WAN</h3>
265 <p>You can download FreeS/WAN from our <a
266 href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">primary site</a> or one of
267 our <a href="intro.html#sites">mirrors</a>.</p>
269 <p>Put the tarfile under <var>/usr/src</var> and untar it there. The command
272 <li>tar -xzf freeswan*.gz</li>
275 <p>This will give you a directory
<var>/usr/src/freeswan&lt;version&gt;</var>.</p>
278 <p>Note that <strong>these methods don't work:</strong></p>
280 <li>putting freeswan under <var>/usr/src/linux</var>. The links become
282 <li>untarring in one place, then using <var>cp -R</var> to move it where
283 you want it. Some necessary symbolic links are not copied.</li>
286 <h3><a name="kconfig">Kernel configuration</a></h3>
288 <p>The gateway kernel must be configured before FreeS/WAN is added because
289 some of our utilities rely on the results of configuration.</p>
291 <p><strong>Note for Redhat 7.1 users</strong>: If you are using the
292 Redhat-supplied kernel, then you <strong>must do a <nobr><var>make
293 mrproper</var></nobr></strong> command before starting the kernel
294 configuration. This prevents some unpleasant interactions between Redhat's
295 config and our patches.</p>
297 <p>On some distributions, you can get the configuration files for the
298 vendor's standard kernel(s) off the CD, and use that. This allows you to skip
299 this step; you need not configure the kernel if the vendor has <em>and you
300 have the vendor's config file installed</em>. Here is a mailing list message
301 describing the procedure for Redhat:</p>
<pre>Subject: Re: [Users] Do I need to recompile kernel 2.2.17-14?
Date: Wed, 6 Jun 2001 08:38:38 -0500
From: "Corey J. Steele" &lt;csteele@mtron.com&gt;

if you install the corresponding kernel-source-*.rpm, you can actually find
the config file used to build that kernel in /usr/src/linux/Configs, just
copy the one you want to use (based solely on architecture) to
/usr/src/linux/.config, and proceed! It should work.</pre>
310 If you have ever configured the kernel yourself on this machine, you can also
313 <p>If the kernel has not been configured, do that now. This is done by giving
314 one of the following commands in <var>/usr/src/linux</var>:</p>
317 <dd>command-line interface</dd>
318 <dt>make menuconfig</dt>
319 <dd>text menus (requires curses(3) libraries)</dd>
320 <dt>make xconfig</dt>
321 <dd>using the X window system (requires X, not recommended for
<p>Any of these will do the job. If you have no established preference, we
326 suggest trying <var>menuconfig</var>.</p>
328 <p>For more information on configuring your kernel, see our <a
329 href="kernel.html">section</a> on that topic.</p>
331 <h3><a name="inst-test">Install and test a kernel before adding
334 <p>You should compile, install and test the kernels as you have configured
335 them, so that you have a known stable starting point. The series of commands
336 involved is usually something like:</p>
338 <dt>make menuconfig</dt>
339 <dd>choose kernel options, set up a kernel for your machine</dd>
341 <dd>find <strong>dep</strong>endencies between files</dd>
342 <dt>make bzImage</dt>
343 <dd>build a loadable kernel image, compressed with bzip(1)</dd>
344 <dt>make install</dt>
346 <dt>make modules</dt>
347 <dd>build modules which can be added to a running kernel</dd>
348 <dt>make modules_install</dt>
349 <dd>install them</dd>
351 <dd>ensure that the boot loader sees your changes</dd>
354 <p>Doing this first means that if there is a problem after you add FreeS/WAN,
355 tracking it down is <em>much</em> simpler.</p>
357 <p>If you need advice on this process, or general Linux background
358 information, try our <a href="web.html#linux.link">Linux web references</a>.
359 The most directly relevant document is the <a
360 href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
363 <h2><a name="building">Building and installing the software</a></h2>
365 <p>There are several ways to build and install the software. All require that
366 you have kernel source, correctly configured for your machine, as a starting
367 point. If you don't have that yet, see the <a href="#before">previous
370 <p>Whatever method you choose, it will do all of the following:</p>
372 <li>add FreeS/WAN code to the kernel
374 <li>insert patches into standard kernel code to provide an
376 <li>add additional files which use that interface</li>
379 <li>re-configure and re-compile the kernel to activate that code</li>
380 <li>install the new kernel</li>
381 <li>build the non-kernel FreeS/WAN programs and install them
383 <li><a href="manpage.d/ipsec.8.html">ipsec(8)</a> in
384 <var>/usr/local/sbin</var></li>
385 <li>others in <var>/usr/local/lib/ipsec</var></li>
388 <li>install FreeS/WAN <a href="manpages.html">man pages</a> under
389 <var>/usr/local/man</var></li>
390 <li>create the configuration file <a
391 href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>. Editing this file
392 to configure your IPsec gateway is described in the <a
393 href="config.html">next section</a>.</li>
394 <li>create an RSA public/private key pair for your system and place it in
395 <a href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></li>
396 <li>install the initialisation script <var>/etc/rc.d/init.d/ipsec</var></li>
397 <li>create links to that script from the <var>/etc/rc.d/rc[0-6].d</var>
398 directories so that each run level starts or stops IPsec. (If the
399 previous sentence makes no sense to you, try the <a
400 href="http://www.linuxdoc.org/HOWTO/From-PowerUp-To-Bash-Prompt-HOWTO.html">From
401 Power-up to Bash Prompt HowTo</a>).</li>
404 <p>You can do the whole install with two commands (recommended in most cases)
405 or get into as much of the detail as you like.</p>
407 <h3><a name="build.rpm">Building RPMs</a></h3>
As of version 1.93, we provide a facility to build FreeS/WAN RPMs.
410 <p>Go to the FreeS/WAN directory and do whichever of the following commands
414 <dd>uses command-line kernel configuration</dd>
415 <dt>make menurpm</dt>
416 <dd>uses menu kernel configuration (requires ncurses library)</dd>
418 <dd>use X Window kernel configuration (requires X)</dd>
421 <p>After the Makefile does the software and kernel build, it will make some
422 RPMs and leave them in the <var>rpms</var> directory. The RPMs are:</p>
425 <dd>the userland utilities</dd>
426 <dt>freeswan-module</dt>
427 <dd>the ipsec.o kernel module, built only if your kernel configuration
428 sets klips as a module</dd>
429 <dt>freeswan-kernel</dt>
430 <dd>the Linux kernel and its modules</dd>
431 <dt>freeswan-userkernel</dt>
432 <dd>all of the above</dd>
435 <p>Once you have the RPMs, you can install FreeS/WAN from them with <var>rpm
436 -i</var> commands. For a more detailed procedure, go to our <a
437 href="quickstart.html">quickstart document</a>.</p>
439 <p>This makes it much easier to build FreeS/WAN on one system for
440 installation on another.</p>
442 <p>This facility is based on work by Paul Lahaie at <a
443 href="http://www.steamballoon.com">Steamballoon</a>.</p>
445 <h3><a name="build.module">Building IPsec as a module</a></h3>
447 <p>With the full procedure described in the <a href="#non-rpm">next
448 section</a>, you can either build the kernel parts of FreeS/WAN into your
449 kernel or build them as a kernel module, depending on how you set the kernel
450 configuration options.</p>
452 <p>Since 1.91, we also provide an option to build only the FreeS/WAN module,
453 without re-compiling the rest of your kernel.</p>
455 <p>Note, however, that this requires:</p>
457 <li>kernel source in <var>/usr/src/linux</var></li>
458 <li>kernel has been configured</li>
459 <li>source matches the kernel you are actually running</li>
462 <p>To do the module install, give two commands in the FreeS/WAN directory:</p>
464 <li>one of <var>make omod</var>, <var>make menumod</var> or <var>make
466 <li><var>make minstall</var></li>
469 <p>This is relatively new code and not yet tested on a wide range of systems.
470 If it does not work for you, please report the problem. In the meanwhile,
fall back to the older procedure described next.</p>
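<p>The three requirements listed above can be checked before running
<var>make omod</var>. The shell functions below are an added example, not
part of the FreeS/WAN scripts; their names and messages are hypothetical, and
they assume the 2.x kernel Makefile layout (VERSION, PATCHLEVEL, SUBLEVEL and
EXTRAVERSION assigned at the top) and that a configured kernel leaves a
non-empty <var>.config</var>.</p>

```shell
#!/bin/sh
# Added example: pre-flight check for the module-only build.
# Function names and messages are illustrative, not part of FreeS/WAN.

# Print the release string encoded at the top of a 2.x kernel Makefile
# (VERSION, PATCHLEVEL, SUBLEVEL, EXTRAVERSION), e.g. 2.4.18.
kernel_src_version() {
    awk -F= '
        # take only the first assignment of each variable
        /^VERSION[ \t]*=/      && !nv++ { gsub(/[ \t]/, "", $2); v = $2 }
        /^PATCHLEVEL[ \t]*=/   && !np++ { gsub(/[ \t]/, "", $2); p = $2 }
        /^SUBLEVEL[ \t]*=/     && !ns++ { gsub(/[ \t]/, "", $2); s = $2 }
        /^EXTRAVERSION[ \t]*=/ && !ne++ { gsub(/[ \t]/, "", $2); e = $2 }
        END {
            if (v == "" || p == "" || s == "") exit 1
            printf "%s.%s.%s%s\n", v, p, s, e
        }
    ' "$1/Makefile" 2>/dev/null
}

# check_module_prereqs [SRC_DIR] [RUNNING_RELEASE]
# Defaults: /usr/src/linux and the output of uname -r.
# Returns 0 if all three requirements hold, 1 otherwise (reasons on stderr).
check_module_prereqs() {
    src=${1:-/usr/src/linux}
    running=${2:-$(uname -r)}
    ok=0

    # Requirement 1: kernel source in /usr/src/linux. -f follows symlinks,
    # so a linux -> linux-2.4 link passes.
    if [ ! -f "$src/Makefile" ]; then
        echo "FAIL: no kernel source found in $src" >&2
        return 1
    fi

    # Requirement 2: the kernel has been configured.
    if [ ! -s "$src/.config" ]; then
        echo "FAIL: $src/.config missing or empty; configure the kernel first" >&2
        ok=1
    fi

    # Requirement 3: the source matches the kernel actually running.
    srcver=$(kernel_src_version "$src") || srcver=
    if [ "$srcver" != "$running" ]; then
        echo "FAIL: source is '${srcver:-unknown}' but running kernel is '$running'" >&2
        ok=1
    fi
    return "$ok"
}

# Constructed demo: a throw-away tree standing in for /usr/src/linux.
demo=$(mktemp -d)
printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 18\nEXTRAVERSION =\n' > "$demo/Makefile"
echo 'CONFIG_MODULES=y' > "$demo/.config"
check_module_prereqs "$demo" 2.4.18 && echo "ready for the module build"
rm -rf "$demo"
```

<p>On a real system, call <var>check_module_prereqs</var> with no arguments
to test <var>/usr/src/linux</var> against the running kernel.</p>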
473 <h3><a name="non-rpm">Installing directly from source</a></h3>
474 You can also install FreeS/WAN directly from the source, without building
475 RPMs as an intermediate step.
477 <p>There are two steps here. First you do everything else, then you install
478 the new FreeS/WAN-enabled kernel.</p>
480 <h4><a name="allbut">Everything but kernel installation</a></h4>
482 <p>To do everything except install the new kernel, <var>cd</var> into the
483 freeswan directory and become root. Give <strong>any one</strong> of the
484 following commands:</p>
487 <dd>Uses FreeS/WAN's default settings for some kernel configuration
488 options. Leaves all other options unchanged from your last kernel
491 <dd>Invokes <var>config</var> so you can configure the kernel from the
494 <dd>Invokes <var>menuconfig</var> so you can configure the kernel with
495 text-mode menus.</dd>
497 <dd>Invokes <var>xconfig</var> so you can configure the kernel in an X
501 <p>You must <strong>save the new configuration even if you make no
502 changes</strong>. This ensures that the FreeS/WAN changes are actually seen
505 <p>There are few options in the FreeS/WAN part of kernel configuration. For
506 most of them, we recommend that you make no changes.</p>
508 <li>In particular, <strong>please do not disable FreeS/WAN debugging during
509 kernel configuration</strong>. This code has no effect unless you turn it
510 on with <var>klipsdebug</var> in your <a
511 href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file, and therefore
512 no cost other than a modest increase in kernel size. However, if you
513 disable it and then run into problems, we may not be able to help
515 <li>One thing you can change is whether KLIPS is compiled into the kernel
or as a module. The FreeS/WAN initialisation scripts work with either
517 configuration, automatically loading the module if required, so it is
521 Our scripts save the output of <var>make</var> commands they call in files
522 with names like <var>out.kbuild</var> or <var>out.kinstall</var>. The last
523 command of each script checks the appropriate <var>out.*</var> file for error
526 <li>If the last output you see is <var>make</var> saying it is calling our
527 <var>errcheck</var> script, then all is well. There were no errors.</li>
528 <li>If not, an error has occurred. Check the appropriate <var>out.*</var>
529 file for details.</li>
532 <p>For the above commands, the error files are <var>out.kpatch</var> and
533 <var>out.kbuild</var>.</p>
535 <p>These scripts automatically build an <a href="glossary.html#RSA">RSA</a>
536 authentication key pair (a public key and the matching private key) for you,
537 and put the result in <var>/etc/ipsec.secrets</var>. For information on using
538 RSA authentication, see our <a href="config.html">configuration section</a>.
539 Here, we need only note that generating the key uses random(4) quite heavily
540 and if random(4) runs out of randomness, <strong>it will block until it has
541 enough input</strong>. You may need to provide input by moving the mouse
542 around a lot, or going to another window and typing random characters, or
543 using some command such as <var>du -s /usr</var> to generate disk
546 <h4><a name="newk">Installing the new kernel</a></h4>
548 <p>To install the kernel the easy way, just give this command in the
549 FreeS/WAN directory:</p>
551 <dt>make kinstall</dt>
552 <dd>Installs the new kernel and, if required, the modules to go with it.
553 Errors, if any, are reported in <var>out.kinstall</var></dd>
556 <p>Using <var>make kinstall</var> from the FreeS/WAN directory is equivalent
557 to giving the following sequence of commands in <var>/usr/src/linux</var>:</p>
560 <li>make install</li>
561 <li>make modules</li>
562 <li>make modules_install</li>
565 <p>If you prefer that sequence, use it instead.</p>
567 <p>If you have some unusual setup such that the above sequence of commands
568 won't work on your system, then our <var>make kinstall</var> will not work
569 either. Use whatever method does work on your system. See our <a
570 href="impl.notes">implementation notes</a> file for additional information
571 that may help in such situations.</p>
573 <h2>Where to go from here</h2>
<p>At this point, you have finished the install. Go to the quickstart document
576 section on <a href="quickstart.html#enable">enabling FreeS/WAN</a> and
577 continue from there.</p>
579 <p>Alternately, you might want to look at background material on the <a
580 href="ipsec.html">protocols used</a> before trying configuration.</p>
582 <h2><a name="not-install">Re-install or un-install</a></h2>
584 If you have FreeS/WAN installed from source on this machine, and need to
585 install a newer version or un-install FreeS/WAN, this section is for you.
587 <p>If you have FreeS/WAN installed from RPMs, use <var>rpm -e</var> or
<var>rpm -U</var> to uninstall or upgrade.</p>
590 <h3><a name="re-install">Re-install</a></h3>
592 <p>The scripts are designed so that a re-install -- to upgrade to a later
593 FreeS/WAN version or to a later kernel version -- can be done in exactly the
594 same way as an original install.</p>
596 <p>The scripts know enough, for example, not to apply the same kernel patch
597 twice and not to overwrite your <var>ipsec.conf</var> or
598 <var>ipsec.secrets</var> files. However, they will overwrite the _updown
599 script. If you have modified that, save your version under another name
600 before doing the install.</p>
602 <p>Also, they may not always work exactly as designed. Check the <a
603 href="../BUGS">BUGS</a> file for any caveats in the current version.</p>
605 <dt>to install a new version of FreeS/WAN, with your current kernel</dt>
606 <dd>Download and untar the new FreeS/WAN. Since kernel source has already
607 been installed and configured, you can skip a few steps in the
608 procedure below. Go to <a href="#building">Building FreeS/WAN</a>, and
609 follow normal install-from-source procedures from there.</dd>
610 <dt>to install a new kernel, on a machine which already has FreeS/WAN
612 <dd>Download and untar the new kernel source. Since this kernel is not
yet configured, that is the next thing to do. Go to <a
614 href="#kconfig">Kernel configuration</a>, and follow normal procedures
616 <dt>to upgrade both kernel and FreeS/WAN</dt>
617 <dd>You need both new kernel source and new FreeS/WAN source. Follow the
618 full FreeS/WAN install procedure. See <a href="#before">above</a>.</dd>
621 <h3><a name="un-install">Un-install</a></h3>
623 <h4><a name="disable">Disabling FreeS/WAN</a></h4>
625 <p>In many Linux distributions, you can easily disable FreeS/WAN with the
<pre> chkconfig --del ipsec</pre>
629 <p>This removes the symlinks in <var>/etc/rc.d/rc?.d</var> which cause
630 <var>ipsec(8)</var> to be called at boot time or when switching run levels.
631 If the kernel part of IPsec, <a href="glossary.html#KLIPS">KLIPS</a>, has
632 been compiled as a module, then this also prevents loading that module, so
633 IPsec is completely disabled.</p>
635 <p>Other distributions may use another version of <var>init(8)</var>, or may
636 not provide the <var>chkconfig(8)</var> command. For these, you will have to
637 use other tools, or manually edit the init scripts, to achieve the same
640 <h4><a name="remove.files">Removing FreeS/WAN files</a></h4>
<p>If you installed FreeS/WAN from RPMs, then just use <var>rpm -e</var> to
643 uninstall it. This section is for those who have installed from source.</p>
645 <p>To entirely remove the user-level FreeS/WAN components from your system,
646 go to the FreeS/WAN install directory and give the command:</p>
<pre> make uninstall_freeswan</pre>
649 <p>If that doesn't work for you -- for example, if FreeS/WAN was built on
650 another system and copied here -- then you can do it manually. First disable
651 FreeS/WAN as described above (to avoid problems with symlinks pointing to
652 things you are about to remove), and then use these commands:</p>
<pre> rm -f /etc/ipsec.* /usr/local/sbin/ipsec /etc/rc.d/init.d/ipsec
 rm -rf /usr/local/lib/ipsec
 rm -f /usr/local/man/man?/ipsec[._]*</pre>
657 You may need to vary the commands slightly if you, or whoever packaged your
658 distribution, changed the install directories when building FreeS/WAN.
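<p>Before running the <var>rm</var> commands as root, it helps to see exactly
what they will match, and to confirm afterwards that nothing (in particular
the private key in <var>ipsec.secrets</var>) is left behind. The function
below is an added example, not part of FreeS/WAN; its name, the optional root
prefix and the <var>[SK]NNipsec</var> link-name pattern are assumptions.</p>

```shell
#!/bin/sh
# Added example: list what the manual removal commands would delete, plus
# any boot-time links that "chkconfig --del ipsec" should have removed.
# ROOT is a hypothetical prefix so the check can be run against a mounted
# image or a test tree; it defaults to the live system.
freeswan_leftovers() {
    root=${1:-}
    for path in \
        "$root"/etc/ipsec.* \
        "$root"/usr/local/sbin/ipsec \
        "$root"/etc/rc.d/init.d/ipsec \
        "$root"/usr/local/lib/ipsec \
        "$root"/usr/local/man/man?/ipsec[._]* \
        "$root"/etc/rc.d/rc?.d/[SK][0-9][0-9]ipsec
    do
        # An unmatched glob stays literal, so test for existence;
        # -L also catches dangling symlinks.
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Read-only: prints one path per line, nothing if the system is clean.
freeswan_leftovers "$@"
```

<p>Adjust the paths in the same way as the <var>rm</var> commands if the
install directories were changed when FreeS/WAN was built.</p>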
660 <h4><a name="remove.kernel">Removing FreeS/WAN from the kernel</a></h4>
662 <p>If you compiled <a href="glossary.html#KLIPS">KLIPS</a> as a module, then
663 just disabling FreeS/WAN as described <a href="#disable">above</a> prevents
664 loading the module.</p>
666 <p>If <a href="glossary.html#KLIPS">KLIPS</a> is compiled into your kernel,
667 then you can disable it by turning off IPsec in your kernel configuration (or
668 by making it a module) and recompiling.</p>
670 <p>You can remove the FreeS/WAN patches from your kernel source by going to
671 the FreeS/WAN install directory and giving the command:</p>
<pre> make unpatch</pre>
674 <p>This does not remove all FreeS/WAN changes; some are not done with
675 patch(1) and cannot be reversed in this way.</p>
677 <p>To remove all trace of IPsec in your kernel, you should revert to an
678 unpatched version, or download fresh kernel source.</p>