I’ve been trying to install the Shrew VPN client from source for quite some time now, until I found that it’s available as a package for openSUSE.
This is what I did to make it work, and I want to share it with you so everyone can use the Shrew VPN software without compiling etc.
I’ll try to be as detailed as I can. OK, here goes:
Install Shrew
If you want your plan to come together you must:
Add an additional software repository.
Install Shrew (IKE)
Create init.d start & stop scripts (optional)
Create a launcher on your desktop (optional)
Add a Repository
Start Yast2
Go to: Software
Click on Software Repositories
Click on Add.
Choose Specify URL… and click Next
Name the repo, e.g.: security
The URL is: http://download.opensuse.org/reposit...openSUSE_11.x/
Click on Next.
Read the GnuPG key message. If you agree, click Import. (If you don’t get this message, just go ahead.)
Next click on OK and close the Repository management.
Install Shrew
Start Yast2
Go to: Software
Choose Software Management
Use the filter Luke and search for “ike”
From the available list of packages select “ike”
Click on Apply and wait for completion
Close Yast2.
Init script
To make use of the Shrew VPN client, the IKE daemon must be started by root. You can do this manually, or you can make an init script to start it for you on the next boot:
To run it manually, run the following command as root:
/usr/sbin/iked
To create an init script, copy the content of the script below and save it to /etc/init.d/iked
This is the script source:
Code:
#! /bin/sh
# Copyright (c) 2011 Harald van Bree
# All rights reserved.
#
# Author: Harald van Bree, 2011
#
# /etc/init.d/iked
# and its symbolic link
# /sbin/rciked
### BEGIN INIT INFO
# Provides: iked
# Required-Start: $network $local_fs
# Required-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: ike - The Shrew Soft VPN Client
# Description: The Shrew Soft VPN Client for Unix is a free IPsec Client for FreeBSD, NetBSD and Linux based operating systems.
# It was originally developed to provide secure communications between mobile Windows hosts and open source VPN
# gateways that utilize standards compliant software such as ipsec-tools, OpenSWAN, FreeSWAN, StrongSWAN, isakmpd.
# It now offers many of the advanced features only found in expensive commercial software solutions and provides
# compatibility for VPN appliances produced by vendors such as Cisco, Juniper, Checkpoint, Fortinet, Netgear,
# Linksys, Zywall and many others. It supports most of the features available in the Windows VPN Client version
# with the exception of those which are not cross platform compatible.
### END INIT INFO
# Check for missing binaries
IKED_BIN=/usr/sbin/iked
test -x $IKED_BIN || { echo "$IKED_BIN not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }
# Check for existence of needed config file and read it
#BAR_CONFIG=/etc/bar.cfg
#test -r $BAR_CONFIG || { echo "$BAR_CONFIG not existing";
#    if [ "$1" = "stop" ]; then exit 0;
#    else exit 6; fi; }
# Read config
#. $BAR_CONFIG
# Load the rc.status script for this service.
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
    start)
        echo -n "Starting IKE daemon "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $IKED_BIN
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down IKE daemon "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.
        killproc -TERM $IKED_BIN
        # Remember status and be verbose
        rc_status -v
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start
        # Remember status and be quiet
        rc_status
        ;;
    reload)
        # If it supports signaling:
        echo -n "Reload service IKED "
        killproc -HUP $IKED_BIN
        #touch /var/run/iked.pid
        rc_status -v
        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service IKED "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.
        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/ pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        # NOTE: checkproc returns LSB compliant status values.
        checkproc $IKED_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    *)
        ## If no parameters are given, print which are available.
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
        ;;
esac
# Exit with the status remembered by rc_status
rc_exit
Save this to /etc/init.d/iked
Then do “chmod 744 /etc/init.d/iked”
and then do: “ln -s /etc/init.d/iked /sbin/rciked” to create a symbolic link to the script.
Now you can use the “rciked” command to start, stop and check the status of the IKE daemon (as in rciked start | rciked stop etc.).
To make sure the IKE daemon is started on the next boot, execute the following command (as root):
“chkconfig -a iked”
Now start the daemon with “rciked start” (you don’t have to reboot for this just now).
Launcher
The final step is to create a launcher on your desktop to start the GUI.
Right click on your desktop and choose “Create Launcher…”
Fill in the fields as described below
Type: Application
Name: Shrew
Command: /usr/bin/ikea
Comment: Shrew VPN client
Tadaa…
If you followed the steps outlined above you are able to set up a tunnel, but no traffic will pass. This has to do with the route verification (reverse path filter) setting of the Linux kernel. To resolve this, edit the file /etc/sysctl.conf as root and make sure the following is in this file. The value 0 switches route verification off, even though the comment line above it still says "enable":
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 0
Just restart your machine at this point and you're good to go. Happy tunneling!
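
A check for the sysctl change above, as an added example that is not part of the original post: the kernel validates sources on each interface using the higher of conf/all/rp_filter and conf/<interface>/rp_filter (0 = off, 1 = strict, 2 = loose), so this script reports the effective mode per interface. The function names and the CONF_ROOT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective
# reverse-path filter mode per interface. The kernel uses the higher of
# conf/all/rp_filter and conf/<iface>/rp_filter for source validation.
# CONF_ROOT is a hypothetical override so the check can run on a test tree.

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter <iface> [conf_root] -> prints 0, 1 or 2
effective_rp_filter() {
    root="${2:-${CONF_ROOT:-/proc/sys/net/ipv4/conf}}"
    all=$(cat "$root/all/rp_filter" 2>/dev/null) || return 1
    own=$(cat "$root/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# audit_rp_filter [conf_root] -> one "iface=mode" line per interface
audit_rp_filter() {
    root="${1:-${CONF_ROOT:-/proc/sys/net/ipv4/conf}}"
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are settings templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface" "$root") || continue
        echo "$iface=$(rp_mode_name "$eff")"
    done
}

# Run the audit only when the script is called with the "audit" argument.
if [ "${1:-}" = "audit" ]; then audit_rp_filter; fi
```

Run it as root or as a normal user with the argument audit after the reboot; an interface that still shows strict has its own rp_filter set to 1, which the "all" setting does not override.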