In addition to the HIPL userspace software, you need a Linux system with BEET IPsec support. You can get BEET IPsec support in one of the following ways:
Install kernel version 2.6.27 or higher, which already includes BEET support. For example, Fedora 9 and Ubuntu Intrepid and their later versions already have BEET support. Check your running kernel version with "uname -a".
If you have installed the prebuilt binaries, you can modify /etc/init.d/hipfw to contain the -i option (e.g. OPTIONS="-bklpFi"). Alternatively, you can run "hipfw" with the same options from the command line.
Patch your kernel by installing the binary kernel images (Debian- and Red Hat-based distributions) from here: http://infrahip.hiit.fi/index.php?index=download. The binary kernel images are based on the vanilla kernel and therefore do not include any proprietary drivers or firmware images. As a result, you may have to install the software for your WLAN interface manually. The HIPL sources also contain a number of patches for older kernel sources in the patches/kernel directory.
The HIPL library and header dependencies are not listed here. Read the INSTALL file to see what software you need to install before compilation of HIPL.
Make sure that the end-host firewall does not block HIP and ESP traffic (check with "iptables -L"), or you will not get any traffic through. As a workaround, you can try enabling the NAT mode at the end-host.
Make sure that a middlebox is not blocking HIP traffic. If there is a firewall between the machines, it might have been configured to block HIP or ESP traffic. If there is a NAT between the machines, it might also be blocking the traffic. Either make sure that the middlebox allows HIP and ESP traffic, or try enabling the NAT mode at the end-host.
You should also allow HIP-related traffic in your firewall. For example:
# HIP control traffic (IP protocol 139)
iptables -A INPUT -p 139 -j ACCEPT
iptables -A OUTPUT -p 139 -j ACCEPT
# HIP encapsulated in UDP (NAT traversal, port 10500)
iptables -A INPUT -p udp --sport 10500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 10500 -j ACCEPT
# ESP data traffic (IP protocol 50)
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A INPUT -p 58 -j ACCEPT
iptables -A OUTPUT -p 58 -j ACCEPT
iptables -A INPUT -s 184.108.40.206/8 -d 220.127.116.11/8 -j ACCEPT
iptables -A OUTPUT -s 18.104.22.168/8 -d 22.214.171.124/8 -j ACCEPT
# Traffic between HITs (the ORCHID prefix)
ip6tables -A INPUT -s 2001:0010::/28 -d 2001:0010::/28 -j ACCEPT
ip6tables -A OUTPUT -s 2001:0010::/28 -d 2001:0010::/28 -j ACCEPT
The last two rules allow the whole ORCHID namespace, i.e. all HITs. You can set up more specific rules for individual HITs, or use hipfw to filter traffic (as explained in a later section).
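As an added check (example code written for this page, not part of HIPL), the following Python parses the output of "iptables -S" and reports which of the traffic classes above have no ACCEPT rule in INPUT or OUTPUT; the sample ruleset is constructed, not captured from a real host.

```python
# Added example for this page, not HIPL code; the sample ruleset below is constructed.
# iptables -S may print protocol names from /etc/protocols instead of numbers.
PROTO_ALIASES = {"hip": "139", "esp": "50"}

# Traffic classes HIPL needs through the end-host firewall (see the rules above).
REQUIRED = {
    "HIP (proto 139)": lambda r: r["proto"] == "139",
    "ESP (proto 50)": lambda r: r["proto"] == "50",
    "HIP over UDP 10500": lambda r: r["proto"] == "udp" and "10500" in (r["sport"], r["dport"]),
}

def parse_rule(line):
    """Options we care about from one `-A CHAIN ... -j TARGET` line, else None."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts = dict(zip(toks, toks[1:]))  # each option -> the token that follows it
    proto = opts.get("-p")
    return {"chain": toks[1], "proto": PROTO_ALIASES.get(proto, proto),
            "sport": opts.get("--sport"), "dport": opts.get("--dport"),
            "target": opts.get("-j")}

def check_hip_rules(ruleset):
    """{class: {chain: bool}} for INPUT and OUTPUT.  True means an explicit ACCEPT
    rule matches or the chain policy is ACCEPT; an earlier DROP/REJECT rule would
    still win, so read True as 'not obviously blocked', not as proof."""
    policies, accepts = {}, []
    for line in ruleset.splitlines():
        toks = line.split()
        if len(toks) == 3 and toks[0] == "-P":
            policies[toks[1]] = toks[2]
        rule = parse_rule(line)
        if rule and rule["target"] == "ACCEPT":
            accepts.append(rule)
    def ok(chain, pred):
        return policies.get(chain) == "ACCEPT" or any(r["chain"] == chain and pred(r) for r in accepts)
    return {label: {c: ok(c, pred) for c in ("INPUT", "OUTPUT")} for label, pred in REQUIRED.items()}

def missing_hip_rules(ruleset):
    """Sorted 'class in CHAIN' entries that the ruleset does not allow."""
    return sorted(f"{label} in {chain}" for label, chains in check_hip_rules(ruleset).items()
                  for chain, ok in chains.items() if not ok)

# Constructed sample: HIP is allowed both ways, ESP and HIP-over-UDP only inbound.
SAMPLE_RULESET = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -p hip -j ACCEPT
-A OUTPUT -p 139 -j ACCEPT
-A INPUT -p udp -m udp --sport 10500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
"""
```

Feed it the real output of "iptables -S" (for example via subprocess) to get the list of gaps on your own host; a non-empty result for HIP or ESP explains the "no traffic through" symptom described above.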
SELinux should be disabled for HIPL in /etc/selinux/config (you have to reboot the machine after this). We do not yet have instructions for configuring SELinux with HIPL; contributions are welcome.