IPsec modules and packages for SuSE Linux distributions

On this page, you can find FreeS/WAN packages, sources and kernel modules with various add-on features compiled for a variety of SuSE Linux distributions. All SuSE pacakges include the X.509 patches from StrongSec. Other features are listed below. The version numbers are composed by X.XX_Y.Y.Y, wherei X.XX denotes the FreeS/WAN release and Y.Y.Y the release of the X.509 patch.
FreeS/WAN packages
Distribution Userspace RPMSig km packageSig Source RPMSig modulesSigs
SL 8.0 i386 1.95_0.9.8 sig 1.95_0.9.8 sig 1.95_0.9.8 sig
SL 8.0 i386 1.98b_0.9.13 sig 1.98b_0.9.13 sig 1.98b_0.9.13 sig
SL 8.0 i386 1.98b_0.9.15 (1) 1.98b_0.9.15 1.98b_0.9.15 (1)
SL 8.1 i586
SLES8
1.98b_0.9.15 (1) 1.98b_0.9.15 1.98b_0.9.15 (1)
SL 8.1 i586
SLES8
1.99_0.9.23 (1,2,3) 1.99_0.9.23 1.99_0.9.23 (1,2,3)
SL 8.1 i586
SLES8
1.99_0.9.34 (1,2,3,4,5) 1.99_0.9.34 1.99_0.9.34 (1,2,3,4,5)
SL 8.1 x86-64
SLES8
1.99_0.9.34 (1,2,3,4,5) 1.99_0.9.34 1.99_0.9.34 (1,2,3,4,5)
SL 8.1 AXP 1.99_0.9.34 (1,2,3,4,5) 1.99_0.9.34 1.99_0.9.34 (1,2,3,4,5)
SL 8.1 i586 CGL
SLES8SP2/3
1.98b_0.9.14 NN 1.98b_0.9.14
SL 8.1 i586 CGL
SLES8SP2/3
1.99_0.9.34 (1,4,5) NN 1.99_0.9.34 (1,4,5)
SL 8.1 x86_64 CGL
SLES8SP2/3
1.99_0.9.34 (1,4,5) NN 1.99_0.9.34 (1,4,5)
SL 8.2 i586 1.99_0.9.34 (1,2,3,4,5) 1.99_0.9.34 1.99_0.9.34 (1,2,3,4,5)
SL 8.2 x86-64 1.99_0.9.34 (1,2,3,4,5) 1.99_0.9.34 1.99_0.9.34 (1,2,3,4,5)
SL 9.0 i586 (CGL) 1.99_0.9.34 (1,4,5) 1.99_0.9.34 (1,4,5)
SL 9.0 x86-64 (CGL) 1.99_0.9.34 (1,4,5) 1.99_0.9.34 (1,4,5)
SL 9.0 i386 (2.6) 2.04_1.5.4 (1,2,4,5) 2.04_1.5.4 (1,2,4,5)
SL 9.0 x86-64 (2.6) 2.04_1.5.4 (1,2,4,5) 2.04_1.5.4 (1,2,4,5)
SL 9.1 i386 2.04_1.5.4 (1,2,4,5) 2.04_1.5.4 (1,2,4,5)
SL 9.1 x86-64 2.04_1.5.4 (1,2,4,5) 2.04_1.5.4 (1,2,4,5)
Legend: For FreeS/WAN-2.04 with kernel 2.6, you need the ipsec-tools package as well. For SL9.0, packages are available here.
The 9.0 and 9.1 packages, despite not including the Alg patches, do negotiate the AES cipher for the en/decryption of the ESP packets in the kernel.
OpenS/WAN packages
Distribution Userspace RPM Source RPM Distribution Userspace RPM Source RPM
SL 9.1 i386 2.2.0 2.2.0 SL 9.1 x86-64 2.2.0 2.2.0
All OpenS/WAN packages include NAT-Traversal, Delete-Notification, Alg, and Dead-Peer Detection patches. Also XAUTH support is included (don't use, it's insecure). I've also added the MS2LT client patches.

About the packages

Modules
To install a module, copy it to the right place. This is e.g. /lib/modules/2.2.19/ipv4/ipsec.o (2.2.19 kernel) or /lib/modules/2.4.4-4GB/kernel/net/ipv4/ipsec.o (2.4.4-4GB kernel).
Userspace RPMs
Just install using rpm -U. Note: Userspace RPM and kernel module (KLIPS) should match (this does not apply to 2.6 nor to 2.4 CGL kernels which have in-kernel IPsec support).
Source RPMs
If you're using an architecture different from i386 and x86_64 or you want to compile the RPMs for a different distribution than the ones provided here, download the source RPM and rpm --recompile it. After a successful build, the binary RPMs will be found below /usr/src/packages/RPMS/<arch>/. These can be installed.
km RPMs
To build kernel modules, SuSE uses so-called km packages. Note that the CGL kernel have IPsec integrated and do not need an extra module built. The same is true for 2.6 kernels.
In order to use them, you need a kernel source tree and properly configured under /usr/src/linux/. Install the km RPMs and
Signatures
Please check the GnuPG signatures. I created detached signatures for all modules and signed them with my key. My (public) key can be found on keyservers or here.
Verify the signatures using the gpg --verify command. The latest packages do not have detached signatures, but instead the RPMs are signed. They either have my signature or the SuSE Package Signing Key. Use rpm -v --checksig to verify.

Notes about SuSE Linux distributions

When I started this page, I wanted to offer an easy way to get working FreeS/WAN packages for SuSE Linux 7.2. Unfortunatley, the version 1.9 shipped with SuSE Linux 7.2 did have many problems, thus I offered 1.91 which solved the trouble.

Nowadays, I use the page to offer newer packages or experimental features for interested users.

SuSE integrated the USAGI patches into the service pack 2 of SuSE Linux Enterprise Server 8 (the enterprise product of SuSE). Update kernels to SuSE Linux 8.1 since June 2003 also include the USAGI patches. These provide superior IPv6 support to fulfill the CGL criteria, including IPsecV6.
Changes:

The new IPsec kernel module unfortunately breaks FreeS/WAN, due to a different pfkey protocol. Keys for connections can be managed by the pfkey utility, but we've also created adapted FreeS/WAN packages. These won't work on normal kernels, nor will normal FreeS/WAN packages work on a USAGI/CGL kernel.
Kernels with the USAGI patches are denoted as CGL.

Before the USAGI patches were merged, we had a patch that caused some trouble to some people trying to compile FreeS/WAN on their own: we dropped the inet peer cache. This changes the ip_select_ident() interface. You need to apply this patch to compile the KLIPS kernel module.

Another note: The CGL/USAGI versions of FreeS/WAN and the corresponding kernels will display an error message
Checking for KLIPS support in kernel [FAILED]
upon ipsec verify. This is normal and does not indicate a problem. There is no KLIPS module, as we have the USAGI ipsec code in the kernel similar to the in-kernel code in 2.6 (but unfortunately not similar enough to be usable without userspace modifications).

Notes about features

Note that SuperFreeS/WAN still has a few more patches, such as e.g. the Aggressive Mode patch. For SL91, there's OpenSWAN (successor to SuperFreeS/WAN) packages available, see above. SL92 ships with OpenSWAN, thus no updates on this page for SL92.

Links


Trademarks are registered trademarks of their owners.
Note: This page has been redesigned. The old page is here.
(w) Kurt Garloff, 2004-11-13.