---------------------------
strongSwan - Installation
---------------------------


Contents
--------

1. Overview
2. Required packages
3. Optional packages
    3.1 libcurl
    3.2 OpenLDAP
    3.3 PKCS#11 smartcard library modules
4. Kernel configuration

1. Overview
-----------

The strongSwan 4.x branch introduces a new build environment based on
GNU autotools, which simplifies both the build process and package
maintenance.

First check that the required packages are available on your system
(section 2). You may also want to include support for additional
features, which require further packages to be installed (section 3).

To compile an extracted tarball, run the ./configure script first:

    ./configure

You may want to pass some of the arguments listed in section 3, or list
all available options of the script with "./configure --help".

After a successful run of the script, run

    make

followed by

    make install

in the usual manner.

To check whether your kernel fulfills the requirements, see section 4.

Next, add your connections to "/etc/ipsec.conf" and your secrets to
"/etc/ipsec.secrets". Connections that are to be negotiated by the new
IKEv2 charon keying daemon must be designated with "keyexchange=ikev2";
those handled by the IKEv1 pluto keying daemon use either
"keyexchange=ikev1" or the default "keyexchange=ike". Note that a
connection without an explicit keyexchange setting therefore goes to
pluto (IKEv1), not to charon. Since "/etc/ipsec.secrets" holds your
private key references and pre-shared keys, it must be readable by root
only.

Finally, start strongSwan with

    ipsec start


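The configuration step above, as an added example written for this page (it is not part of the strongSwan distribution): a script that writes a minimal ipsec.conf with one connection for charon and one for pluto, writes ipsec.secrets with owner-only permissions, and reports which daemon will negotiate a given connection. The host names moon/sun, the RFC 5737 addresses, the subnets, the certificate and key file names, and the helper function names are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not strongSwan's own code. Generates a constructed
# ipsec.conf / ipsec.secrets pair into a directory of your choice.
set -e

# write_ipsec_conf DIR : writes DIR/ipsec.conf (all names/addresses constructed)
write_ipsec_conf() {
    dir=$1
    cat > "$dir/ipsec.conf" <<'EOF'
# ipsec.conf - strongSwan IPsec configuration file (constructed example)

config setup
        charonstart=yes
        plutostart=yes

conn %default
        keyingtries=1
        authby=rsasig
        leftcert=moonCert.pem

# negotiated by the IKEv2 charon daemon: must be marked explicitly
conn net-net-ikev2
        keyexchange=ikev2
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftid=@moon.example.org
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        rightid=@sun.example.org
        auto=add

# negotiated by the IKEv1 pluto daemon: keyexchange=ikev1, or the default "ike"
conn rw-ikev1
        keyexchange=ikev1
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftid=@moon.example.org
        right=%any
        auto=add
EOF
}

# write_ipsec_secrets DIR : writes DIR/ipsec.secrets readable by the owner only.
# The file references the private key, so umask 077 makes it mode 0600 from
# the moment it is created instead of chmod-ing it afterwards.
write_ipsec_secrets() {
    dir=$1
    ( umask 077
      cat > "$dir/ipsec.secrets" <<'EOF'
# ipsec.secrets (constructed example): RSA private key of this host
: RSA moonKey.pem
EOF
    )
}

# secrets_mode_ok FILE : succeeds only if FILE has no group/other permissions
secrets_mode_ok() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# conn_daemon CONFIG NAME : prints which daemon negotiates connection NAME,
# following the rule in section 1: ikev2 -> charon, ikev1 or ike -> pluto.
# A conn without a keyexchange line gets the default "ike", i.e. pluto.
conn_daemon() {
    kx=$(awk -v name="$2" '
        $1 == "conn" { cur = $2; next }
        cur == name && $1 ~ /^keyexchange=/ { sub(/^keyexchange=/, "", $1); print $1; exit }
    ' "$1")
    case "${kx:-ike}" in
        ikev2)     echo charon ;;
        ikev1|ike) echo pluto ;;
        *)         echo "unknown keyexchange '$kx'" >&2; return 1 ;;
    esac
}

# usage: sh this_script.sh /tmp/swan ; then copy the files to /etc as root
if [ -n "$1" ]; then
    write_ipsec_conf "$1"
    write_ipsec_secrets "$1"
    conn_daemon "$1/ipsec.conf" net-net-ikev2
fi
```

Run it against a scratch directory first and inspect the output; the generated secrets file is deliberately created with umask 077 so that it never exists in a group- or world-readable state, which is what you want for the copy under /etc as well.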
2. Required packages
--------------------

In order to build strongSwan you need the GNU Multiple Precision
Arithmetic Library (GMP), available from http://www.swox.com/gmp/. At
least version 4.1.5 of libgmp is required.

The libgmp library and the corresponding header file gmp.h are usually
included in the form of one or two packages in the major Linux
distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).


3. Optional packages
--------------------

3.1 libcurl
-----------

If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server, or alternatively want to use the Online Certificate
Status Protocol (OCSP), then you will need the libcurl library available
from http://curl.haxx.se/.

In order to keep the library as compact as possible for use with strongSwan
you can build libcurl from the sources with the reduced set of options

    ./configure --prefix=<dir> --without-ssl \
                --disable-ldap --disable-telnet \
                --disable-dict --disable-gopher \
                --disable-debug \
                --enable-nonblocking --enable-thread

Note that "--without-ssl" limits the fetches to plain http:// URLs. This
is acceptable for CRLs and OCSP responses, which are signed by the CA or
the OCSP responder and verified by strongSwan, so their integrity does
not depend on the transport.

As an alternative you can use the ready-made packages included with your
favorite Linux distribution (SuSE: curl, curl-devel).

In order to activate the use of the libcurl library in strongSwan you must
enable the ./configure switch:

    ./configure [...] --enable-http


3.2 OpenLDAP
------------

If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
from http://www.openldap.org/.

OpenLDAP is usually included with your Linux distribution. You will need
both the run-time and development environments (SuSE: openldap2,
openldap2-devel).

In order to activate the use of the libldap library in strongSwan you must
enable the ./configure switch:

    ./configure [...] --enable-ldap

LDAP protocol version 2 is no longer supported; with --enable-ldap,
strongSwan always uses version 3 of the LDAP protocol.


3.3 PKCS#11 smartcard library modules
-------------------------------------

If you want to securely store your X.509 certificates and private RSA keys
on a smart card or a USB crypto token then you will need a PKCS#11 library
for the smart card of your choice. The OpenSC PKCS#11 library (use
versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
directory structure be present on the smart card. In principle any other
PKCS#11 library could be used, since the PKCS#11 API hides the internal
data representation on the card.

For USB crypto token support you must add the OpenCT driver library
(version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
readers you'll need the pcsc-lite library and the matching driver from the
M.U.S.C.L.E. project, http://www.linuxnet.com/.

In order to activate the PKCS#11-based smartcard support in strongSwan
you must enable the smartcard ./configure switch:

    ./configure [...] --enable-smartcard

No external smart card libraries need to be present at compile time:
strongSwan directly references a copy of the standard RSAREF pkcs11.h
header files stored in the pluto/rsaref sub directory. At compile time
the pathname of a default PKCS#11 dynamic library can be specified with
a ./configure flag:

    ./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so

This default path, normally pointing to the easily obtainable OpenSC
library module, can be overridden at run time by specifying an
alternative path in ipsec.conf pointing to any dynamic PKCS#11 library
of your choice:

    config setup
            pkcs11module="/usr/lib/xyz-pkcs11.so"

Since this module is loaded into the pluto daemon and handles your
private key, make sure it is a trusted library installed in a directory
writable by root only.


4. Kernel configuration
-----------------------

The strongSwan 4.x series currently supports only 2.6 kernels and their
native IPsec stack. Please make sure that the following IPsec kernel
modules are available:

    o af_key
    o ah4
    o esp4
    o ipcomp
    o xfrm_user
    o xfrm4_tunnel

These may be built into the kernel or as modules. Modules get loaded
automatically at strongSwan startup.

The kernel CryptoAPI modules for the selected encryption and hash
algorithms must also be available.
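The kernel check described in this section, as an added example written for this page (not strongSwan's own code): a script that tests whether each required IPsec module is built into the running kernel or can be loaded, without actually loading anything. The module list is the one given above; the helper function names and the dry-run probing strategy (modules.builtin plus "modprobe -n") are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the strongSwan distribution.
set -e

# The IPsec kernel modules listed in section 4 of this file.
REQUIRED_MODULES="af_key ah4 esp4 ipcomp xfrm_user xfrm4_tunnel"

# missing_modules AVAILABLE : prints every required module that does not
# appear in the whitespace-separated list AVAILABLE, one per line.
missing_modules() {
    for m in $REQUIRED_MODULES; do
        found=no
        for a in $1; do
            if [ "$a" = "$m" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            echo "$m"
        fi
    done
}

# available_modules : lists the required modules the running kernel can
# provide, either built in (listed in modules.builtin) or loadable
# ("modprobe -n" is a dry run, so nothing is loaded by this probe).
available_modules() {
    rel=$(uname -r)
    for m in $REQUIRED_MODULES; do
        if grep -qs "/$m\.ko" "/lib/modules/$rel/modules.builtin"; then
            echo "$m"
        elif modprobe -n -q "$m" 2>/dev/null; then
            echo "$m"
        fi
    done
}

# check_kernel : exit status 0 if every required module is available,
# 1 otherwise, naming the missing ones on stderr.
check_kernel() {
    missing=$(missing_modules "$(available_modules)")
    if [ -n "$missing" ]; then
        echo "missing IPsec kernel modules:" $missing >&2
        return 1
    fi
    echo "all required IPsec kernel modules are available"
}

# usage: sh this_script.sh check   (run before "ipsec start")
if [ "$1" = check ]; then
    check_kernel
fi
```

Run the check before "ipsec start"; a missing module means the xfrm or PF_KEY interface the daemons rely on will not be there, and the failure at startup is much less obvious than this report.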