Kernel Configuration

After the initial Gateway installation, it may be necessary to enable kernel support for the IPsec protocols and for firewalling. This requires that a new kernel be compiled and installed. The steps differ depending on the operating system you have selected. The sections below give an overview of how to accomplish this on either a FreeBSD or NetBSD host. The stock Fedora Core 6 kernel already contains all the kernel support we need, so compiling a custom kernel is not necessary there.



FreeBSD 6.2



This section describes the basic steps required to build a FreeBSD kernel with FAST IPsec and Packet Filter support. For more information on this topic, please read the FreeBSD Handbook chapter titled Building and Installing a Custom Kernel. The Handbook also contains a chapter titled VPN over IPsec that may be useful.


NAT Traversal Support Patch


As of FreeBSD 6.2 stable, NAT Traversal support is not yet available in the stock kernel sources. However, support for this feature is available in the form of a kernel patch maintained by a member of the IPsec-Tools development team. Applying this patch is not required, but it is highly recommended if you plan to support clients that connect from behind a NAT-enabled firewall. To obtain the kernel patch and apply it to the FreeBSD kernel sources, follow the prompts listed below using a root login:


cd /usr/src/sys
fetch http://ipsec-tools.sf.net/freebsd6-natt.diff
patch < freebsd6-natt.diff


Creating a Kernel Configuration File


The FreeBSD kernel build system requires a kernel configuration file as input. The file describes what options should be included when compiling a kernel. Instead of creating a configuration file from scratch, the generic kernel configuration file should be copied and edited to add or remove support for specific kernel options. It is important to know what architecture your gateway host supports before beginning this procedure. In most instances, this will be either i386 or amd64. For the purpose of the example given below, we will assume a host using the i386 architecture. To create a new kernel configuration file named CUSTOM, follow the prompts below using a root login:


cd /usr/src/sys/i386/conf
cp GENERIC CUSTOM

Note: The i386 directory may need to be different depending on your architecture type.


Now that you have created a configuration file, a few modifications will need to be made. Open the file with a text editor and change the ident line to read CUSTOM instead of GENERIC:


machine         i386
cpu             I486_CPU
cpu             I586_CPU
cpu             I686_CPU
ident           CUSTOM


To complete the configuration file changes, add the following lines to the end and save the file:


# Packet Filter Support
device          pf
device          pflog

# FAST IPsec Support
device          crypto
device          enc
options         FAST_IPSEC
options         IPSEC_NAT_T

Note: Kernel option names are case sensitive and must be written in upper case as shown. The last options line is only valid if the NAT Traversal kernel patch was applied.


Compiling and Installing the Custom Kernel


Now that you have a custom kernel configuration file that includes support for FAST IPsec and Packet Filter, it can be used to compile and install a new kernel. To perform this procedure, follow the prompts below using a root login:


cd /usr/src
make buildkernel KERNCONF=CUSTOM
make installkernel KERNCONF=CUSTOM


After the new kernel has been installed, reboot the FreeBSD host to begin using the new features.


Compiling and Installing Userland Programs


If your kernel was patched to support NAT Traversal, the FreeBSD userland programs must be recompiled and installed. To perform this procedure, follow the prompts below using a root login:


cd /usr/src
make buildworld
make installworld


After the new userland programs have been installed, reboot the FreeBSD host to begin using the new features.



NetBSD 3.1



This section describes the basic steps required to build a NetBSD kernel with IPsec and IP Filter support. For more information on this topic, please read the NetBSD Documentation Kernel section titled How to build a kernel. NetBSD has also published a document entitled How to build a remote user access VPN that may be useful.


Installing the Kernel Sources


Before a kernel can be compiled, you need to ensure that the kernel sources are installed. This can be accomplished by downloading and extracting the archive into the appropriate directory. To download and extract the kernel sources, follow the prompts below using a root login:


ftp -a ftp.netbsd.org
ftp> bin
ftp> get pub/NetBSD/NetBSD-3.1/source/sets/syssrc.tgz /tmp/syssrc.tgz
ftp> exit
cd /
tar xvzpf /tmp/syssrc.tgz


Creating a Kernel Configuration File


The NetBSD kernel build system requires a kernel configuration file as input. The file describes what options should be included when compiling a kernel. Instead of creating a configuration file from scratch, the generic kernel configuration file should be copied and edited to enable or disable support for specific kernel options. It is important to know what architecture your gateway host supports before beginning this procedure. In most instances, this will be either i386 or amd64. For the purpose of the example given below, we will assume a host using the i386 architecture. To create a new kernel configuration file named CUSTOM, follow the prompts below using a root login:


cd /usr/src/sys/arch/i386/conf
cp GENERIC CUSTOM

Note: The i386 directory may need to be different depending on your architecture type.


Now that you have created a configuration file, a few modifications will need to be made. Open the file with a text editor and make sure the following lines are uncommented by removing the leading # character where necessary:


options         GATEWAY         # packet forwarding
options         INET            # IP + ICMP + TCP + UDP
options         IPSEC           # IP security
options         IPSEC_ESP       # IP security (encryption part; define w/IPSEC)
options         IPSEC_NAT_T     # IPsec NAT traversal (NAT-T)
options         PFIL_HOOKS      # pfil(9) packet filter hooks

pseudo-device   ipfilter        # IP filter (firewall) and NAT
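A copied GENERIC file is easy to get wrong: the ident line is left unchanged, or a required option is still commented out. The following POSIX shell script is an added pre-flight check, not part of this document or of FreeBSD or NetBSD; it applies to both the FreeBSD CUSTOM file above and the NetBSD file just described. The function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a copied BSD kernel configuration file.
# Confirms the ident line was changed and that every required entry
# ("options NAME", "device NAME" or "pseudo-device NAME") is present and
# not commented out. Function names are hypothetical, not from any BSD tool.

# Succeed if FILE ($1) has an uncommented line whose first two fields
# are the keyword ($2) and the name ($3); a leading # hides the line.
has_entry() {
    awk -v kw="$2" -v name="$3" '
        /^[ \t]*#/ { next }
        $1 == kw && $2 == name { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_kernconf FILE IDENT ENTRY...  Prints each problem; returns 1 if any.
check_kernconf() {
    file=$1; ident=$2; shift 2
    rc=0
    if ! has_entry "$file" ident "$ident"; then
        echo "ident is not $ident (file still identifies as GENERIC?)"
        rc=1
    fi
    for entry in "$@"; do
        kw=${entry%% *}; name=${entry#* }
        if ! has_entry "$file" "$kw" "$name"; then
            echo "missing or commented out: $entry"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in NetBSD GENERIC style, with the NAT-T option
# still commented out, the mistake the check is meant to catch.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ident           CUSTOM
options         GATEWAY         # packet forwarding
options         IPSEC           # IP security
options         IPSEC_ESP       # IP security (encryption part; define w/IPSEC)
#options        IPSEC_NAT_T     # IPsec NAT traversal (NAT-T)
options         PFIL_HOOKS      # pfil(9) packet filter hooks
pseudo-device   ipfilter        # IP filter (firewall) and NAT
EOF

check_kernconf "$SAMPLE" CUSTOM "options IPSEC" "options IPSEC_ESP" \
    "options IPSEC_NAT_T" "pseudo-device ipfilter" \
    || echo "fix $SAMPLE before running config or make"
```

Run it against your own file with the entry list for your platform before starting the build, since a misspelled or commented-out option only surfaces later as a config or compile error.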


Compiling and Installing the Custom Kernel


Now that you have a custom kernel configuration file that includes support for IPsec and IP Filter, you need to run the config program, which verifies the option syntax and creates a new build directory. To perform this procedure, execute the following command from the directory that contains your new configuration file:


config CUSTOM


The new kernel configuration is now ready to be compiled and installed. To perform this procedure, follow the prompts below using a root login:


cd ../compile/CUSTOM/
make depend
make
make install


After the new kernel has been installed, reboot the NetBSD host to begin using the new features.

Copyright 2010, Shrew Soft Inc