Installing Openswan
How To - Openswan
Written by Christian Foronda   
Monday, 14 December 2009 13:49

Requirements

  • Linux Kernel, either 2.0, 2.2, 2.4 or 2.6 based.
  • If building from source, libgmp development libraries.

Choose your version:

  • For Linux 2.0 or 2.2, use openswan-1.0.10.
  • For Linux kernels 2.4 and 2.6, use Openswan 2.4.x.
  • For FreeBSD, OpenBSD, NetBSD, and OSX, try openswan-2.5.x.
  • For the latest bleeding edge, try openswan-3.x.x.

There are two basic ways to get Openswan onto your system:

  • RPM install
  • Install from source

RPM install

RPMs are available for most RPM-based distributions, such as Fedora, RHEL/CentOS and SUSE. ATRPMS also builds Openswan RPMs.

Install from Source

As root, unpack your Openswan source somewhere (eg: /usr/src).

    su
    mv openswan-2.#.#.tar.gz /usr/src
    cd /usr/src
    tar -xzf openswan-2.#.#.tar.gz

Choose one of the methods below.

Userland-only Install for 2.6 kernels

Change to your new Openswan directory, and make and install the Openswan userland tools.

    cd /usr/src/openswan-2.#.#
    make programs
    make install

Now, start Openswan and test your install.

KLIPS install for 2.0, 2.2, 2.4 or 2.6 kernels

To make a modular version of KLIPS, along with other Openswan programs you'll need, use the command sequence below. This will change to your new Openswan directory, make the Openswan module (and other stuff), and install it all.

    cd /usr/src/openswan-2.#.#
    export KERNELSRC=/usr/src/kernels/linux-2.6.18/
    make module
    make module_install

If you want NAT-T (NAT Traversal) support, you need to patch your kernel and build a new bzImage. From the Openswan source directory:

(assumes kernel source is in /usr/src/linux-2.4)

    make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
    cd /usr/src/linux-2.4
    make oldconfig    # answer yes to NAT-T
    make dep          # linux < 2.6 only
    make bzImage      # you must make a new kernel now
    make modules modules_install

Update your bootloader if necessary.

Start Openswan and test your install.

To link KLIPS statically into your kernel (using your old kernel settings), and install other Openswan components, do:

    cd /usr/src/openswan-2.#.#
    patch -p1 -s < openswan-2.4.7-klips.patch
    patch -p1 -s < openswan-2.4.7-natt.patch
    make oldconfig    # answer Y to klips and nat-t options
    make dep          # linux < 2.6 only
    make bzImage

Reboot your system and test your install.

For other ways to compile KLIPS, see our Makefile.

Start Openswan and test your install

Bring Openswan up with:

    service ipsec start

This is not necessary if you've rebooted, as Openswan is added to runlevel 3 init scripts.

Test your install

To check that you have a successful install, run:

    ipsec verify

You should see at least:

    Checking your system to see if IPsec got installed and started correctly
    Version check and ipsec on-path [OK]
    Checking for KLIPS support in kernel [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [OK]

If any of these first four checks fails, see our troubleshooting guide.
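
The four-check test above can be scripted so a failed install is caught automatically. This is an added example, not part of the original guide or the Openswan project: it assumes the check labels read exactly as in the expected output above, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh

# Labels copied from the expected output shown on this page.
REQUIRED_CHECKS='Version check and ipsec on-path
Checking for KLIPS support in kernel
Checking for RSA private key (/etc/ipsec.secrets)
Checking that pluto is running'

# Reads `ipsec verify` output on stdin. Prints one line for every required
# check that is absent or not [OK]; returns 0 only when all four passed.
check_verify_output() {
    output=$(cat)
    failed=0
    while IFS= read -r label; do
        # Fixed-string match so "(" and "." in the label are literal.
        line=$(printf '%s\n' "$output" | grep -F -- "$label" | head -n 1)
        case "$line" in
            '')       echo "MISSING: $label"; failed=1 ;;
            *'[OK]'*) ;;
            *)        echo "FAILED: $line"; failed=1 ;;
        esac
    done <<EOF
$REQUIRED_CHECKS
EOF
    return "$failed"
}

# Constructed sample: all four checks pass.
sample_ok() {
    cat <<'EOF'
Version check and ipsec on-path                 [OK]
Checking for KLIPS support in kernel            [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running                  [OK]
EOF
}

# Constructed sample: KLIPS check failed, pluto line absent.
sample_failed() {
    cat <<'EOF'
Version check and ipsec on-path                 [OK]
Checking for KLIPS support in kernel            [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
EOF
}

# On a real host: ipsec verify 2>&1 | check_verify_output
sample_failed | check_verify_output || echo "install needs attention"
```

A missing line is treated the same as a failed one, so a truncated or aborted `ipsec verify` run does not pass silently.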

Making Openswan play well with others

There are at least a couple of things on your system that might interfere with Openswan, and now's a good time to check these:

  • Firewalling. You need to allow UDP 500 and ESP (protocol 50) through your firewall. For more information, see our firewalling document.
  • Network address translation. Do not NAT the packets you will be tunneling.

Configure for your needs

You'll need to configure Openswan for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.


Reference:
http://wiki.openswan.org/index.php/Openswan/Install





Last Updated on Saturday, 16 January 2010 12:03