IPsec with Linux 2.6.9 & Shorewall

My previous post promised some information about how firewall rules interact with IPsec under Linux 2.6; well, here it is.

The Shoreline Firewall has full support for declaratively defining IPsec tunnels and hosts under the new IPsec support. To do this, however, you will need the policy match netfilter extension from the Patch-o-Matic NG and also 4 other patches:

  • ipsec-01-output-hooks.patch
  • ipsec-02-input-hooks.patch
  • ipsec-03-policy-lookup.patch
  • ipsec-04-policy-checks.patch

While these patches are in the POM-NG, they will not cleanly apply to Linux 2.6.9. Ronald Moesbergen was nice enough to port the patches, which are available from the list archive.

To apply the patches, simply run patch -p1 < ipsec-* from the top of your kernel source tree. Also copy the policy match extension’s files from the POM-NG directory into your kernel tree and insert the contents of the two .ladd files into the relevant Makefile and Kconfig file. Then reconfigure, enabling the policy match, and rebuild. Then follow the documentation.
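The patching and .ladd steps above as a small script, added here and not taken from the original post or from Shorewall/POM-NG. It applies the patches one at a time in order (a redirect from a glob only works for a single file) with a dry run before each, and it assumes GNU patch and the Patch-o-Matic .ladd convention as I know it: the first line of a .ladd file is an existing line of the target file and the remaining lines are inserted after it; patch and .ladd paths are passed as arguments rather than assuming where POM-NG keeps them.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes GNU patch (-d, --dry-run)
# and the assumed .ladd layout: line 1 = anchor line already in the target,
# lines 2..n = lines to insert directly after that anchor.

# apply_patch_series <kernel-tree> <patch>...
# Patches are checked and applied strictly in order because a later patch may
# depend on an earlier one; a rejected hunk stops the series before it touches
# the tree, so you never end up with a half-applied patch and .rej files.
apply_patch_series() {
    tree=$1; shift
    for p in "$@"; do
        if ! patch -d "$tree" -p1 -s --dry-run < "$p"; then
            echo "refusing to apply $p: hunks would be rejected" >&2
            return 1
        fi
        patch -d "$tree" -p1 -s < "$p" || return 1
    done
}

# insert_ladd <target-file> <ladd-file>
# Splices a .ladd fragment into a Makefile/Kconfig. It is safe to re-run: if the
# first inserted line is already present the file is left alone, so the policy
# match is not listed twice after a second pass over the tree.
insert_ladd() {
    target=$1; ladd=$2
    anchor=$(head -n 1 "$ladd")
    first_added=$(sed -n '2p' "$ladd")
    if grep -qF -- "$first_added" "$target"; then
        return 0
    fi
    if ! grep -qF -- "$anchor" "$target"; then
        echo "anchor line not found in $target: $anchor" >&2
        return 1
    fi
    body=$(mktemp)
    tail -n +2 "$ladd" > "$body"
    # Copy the target, emitting the .ladd body after the first anchor match.
    # index() is a plain substring test, so Makefile characters such as $( are
    # not interpreted as a regular expression.
    awk -v anchor="$anchor" -v body="$body" '
        { print }
        !done && index($0, anchor) {
            while ((getline line < body) > 0) print line
            done = 1
        }
    ' "$target" > "$target.new" && mv "$target.new" "$target"
    rm -f "$body"
}
```

Usage from the top of the kernel tree would be `apply_patch_series . ipsec-01-output-hooks.patch ipsec-02-input-hooks.patch ipsec-03-policy-lookup.patch ipsec-04-policy-checks.patch` followed by `insert_ladd net/ipv4/netfilter/Makefile /path/to/Makefile.ladd` and the same for Kconfig.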

If I have time, I’ll try and add some more information here.

