Commit | Line | Data |
---|---|---|
53f8ac3d TB |
1 | ------------------------- |
2 | strongSwan - Installation | |
3 | ------------------------- | |
997358a6 MW |
4 | |
5 | ||
6 | Contents | |
7 | -------- | |
8 | ||
53f8ac3d TB |
9 | 1. Overview |
10 | 2. Required packages | |
11 | 3. Optional packages | |
12 | 3.1 HTTP fetcher | |
13 | 3.2 LDAP | |
14 | 3.3 Other pluggable modules | |
15 | 4. Kernel configuration | |
c0d63ac9 MW |
16 | |
17 | 1. Overview | |
18 | -------- | |
997358a6 | 19 | |
2015c469 TB |
20 | Since version 4.x strongSwan uses the GNU build system (Autotools). |
21 | This simplifies the build process and package maintenance. First, check for | |
22 | the availability of required packages on your system (section 2.). You may | |
23 | want to include support for additional features, which require other | |
24 | packages to be installed (section 3.). | |
25 | ||
c0d63ac9 | 26 | To compile an extracted tarball, run the ./configure script first: |
997358a6 | 27 | |
c0d63ac9 | 28 | ./configure |
997358a6 | 29 | |
c0d63ac9 MW |
30 | You may want to specify some arguments listed in section 3., or see the |
31 | available options of the script using "./configure --help". | |
997358a6 | 32 | |
c0d63ac9 | 33 | After a successful run of the script, run |
997358a6 | 34 | |
c0d63ac9 | 35 | make |
997358a6 | 36 | |
c0d63ac9 | 37 | followed by |
997358a6 | 38 | |
c0d63ac9 | 39 | make install |
997358a6 | 40 | |
c0d63ac9 | 41 | in the usual manner. |
997358a6 | 42 | |
2015c469 | 43 | To check if your kernel fulfills the requirements, see section 4. |
997358a6 | 44 | |
5ed3e3a7 | 45 | Next add your connections to "/etc/ipsec.conf" and your secrets to |
2015c469 | 46 | "/etc/ipsec.secrets". |
997358a6 | 47 | |
c0d63ac9 | 48 | Finally, start strongSwan with
997358a6 | 49 | |
c0d63ac9 | 50 | ipsec start |
997358a6 | 51 | |
997358a6 | 52 | |
c0d63ac9 MW |
53 | 2. Required packages |
54 | ----------------- | |
997358a6 | 55 | |
2015c469 TB |
56 | In order to be able to build strongSwan you'll need one of the following |
57 | cryptographic libraries: | |
58 | ||
59 | * The GNU Multiprecision Arithmetic Library (GMP, libgmp) | |
60 | http://www.gmplib.org | |
61 | * The OpenSSL cryptographic library (libcrypto) | |
62 | http://www.openssl.org | |
63 | * The GNU cryptographic library (libgcrypt) | |
64 | http://www.gnupg.org | |
65 | ||
66 | If no other options are passed to ./configure, libgmp will be used. | |
997358a6 | 67 | |
2015c469 TB |
68 | The libraries and the corresponding header files are usually included in |
69 | the form of one or two packages in the major Linux distributions (for GMP on | |
70 | Debian: libgmp3 and libgmp3-dev). | |
997358a6 | 71 | |
997358a6 | 72 | |
c0d63ac9 MW |
73 | 3. Optional packages |
74 | ----------------- | |
997358a6 | 75 | |
2015c469 TB |
76 | 3.1 HTTP Fetcher |
77 | ------------ | |
c0d63ac9 MW |
78 | |
79 | If you intend to dynamically fetch Certificate Revocation Lists (CRLs) | |
80 | from an HTTP server or as an alternative want to use the Online | |
2015c469 TB |
81 | Certificate Status Protocol (OCSP) then you will need either of the
82 | following libraries: | |
c0d63ac9 | 83 | |
2015c469 TB |
84 | * The cURL library (libcurl) |
85 | http://curl.haxx.se/libcurl/ | |
86 | * The LibSoup library (libsoup) | |
87 | https://live.gnome.org/LibSoup | |
997358a6 | 88 | |
2015c469 TB |
89 | In order to activate the use of either of these libraries in strongSwan you |
90 | must enable the appropriate ./configure switch. | |
c0d63ac9 | 91 | |
997358a6 | 92 | |
2015c469 TB |
93 | 3.2 LDAP |
94 | ---- | |
997358a6 | 95 | |
c0d63ac9 MW |
96 | If you intend to dynamically fetch Certificate Revocation Lists (CRLs) |
97 | from an LDAP server then you will need the libldap library available | |
98 | from http://www.openldap.org/. | |
997358a6 | 99 | |
c0d63ac9 MW |
100 | OpenLDAP is usually included with your Linux distribution. You will need |
101 | both the run-time and development environments (SuSE: openldap2, | |
102 | openldap2-devel). | |
997358a6 | 103 | |
c0d63ac9 MW |
104 | In order to activate the use of the libldap library in strongSwan you must |
105 | enable the ./configure switch: | |
997358a6 | 106 | |
53f8ac3d | 107 | ./configure [...] --enable-ldap |
997358a6 | 108 | |
2015c469 | 109 | LDAP protocol version 2 is no longer supported; --enable-ldap always uses
c0d63ac9 | 110 | version 3 of the LDAP protocol.
997358a6 | 111 | |
997358a6 | 112 | |
2015c469 TB |
113 | 3.3 Other pluggable modules |
114 | ----------------------- | |
997358a6 | 115 | |
2015c469 TB |
116 | There are many other optional plugins that, for instance, provide support |
117 | for PKCS#11 or SQL databases. | |
118 | For a more detailed description of these refer to our wiki: | |
997358a6 | 119 | |
2015c469 | 120 | * http://wiki.strongswan.org |
997358a6 | 121 | |
997358a6 | 122 | |
c0d63ac9 MW |
123 | 4. Kernel configuration |
124 | -------------------- | |
997358a6 | 125 | |
2015c469 TB |
126 | Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and their
127 | native NETKEY IPsec stack. Please make sure that the following IPsec kernel | |
c0d63ac9 | 128 | modules are available: |
9820c0e2 | 129 | |
2015c469 TB |
130 | * af_key |
131 | * ah4 | |
132 | * esp4 | |
133 | * ipcomp | |
134 | * xfrm_user | |
135 | * xfrm4_tunnel | |
997358a6 | 136 | |
8b4f4452 | 137 | These may be built into the kernel or built as modules. Modules get loaded
c0d63ac9 | 138 | automatically at strongSwan startup. |
997358a6 | 139 | |
c0d63ac9 MW |
140 | Also the built-in kernel Cryptoapi modules with selected encryption and |
141 | hash algorithms should be available. | |
997358a6 | 142 | |
2015c469 TB |
143 | Support for multiple routing tables is also recommended. |
144 | ||
145 | For a more up-to-date list of recommended modules refer to: | |
146 | ||
53f8ac3d | 147 | * http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules |
2015c469 | 148 |
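
One way to verify the section 4 requirement before starting strongSwan, as an added example that is not part of the strongSwan sources: the script classifies each listed module as built in, loadable or missing from the `modules.builtin` and `modules.dep` files of a kernel module directory. The function names and the sample index entries are constructed for this illustration.

```shell
# Added example (not strongSwan code): classify the kernel modules named in
# section 4 using modules.builtin and modules.dep of a kernel module directory.
REQUIRED_MODULES="af_key ah4 esp4 ipcomp xfrm_user xfrm4_tunnel"

# module_status NAME MODDIR -> prints builtin | module | missing
module_status() {
    # Module file names may spell "_" as "-", so accept both.
    name=$(printf '%s' "$1" | sed 's/_/[_-]/g')
    # modules.builtin: one path per line, always ending in .ko
    if grep -Eqs "(^|/)${name}\.ko\$" "$2/modules.builtin"; then
        echo builtin
    # modules.dep: "path.ko[.xz]: deps..."; match only the entry before the
    # colon so a module that is merely named as a dependency does not count.
    elif grep -Eqs "^([^:]*/)?${name}\.ko(\.[a-z0-9]+)?:" "$2/modules.dep"; then
        echo module
    else
        echo missing
    fi
}

# check_ipsec_modules MODDIR -> "name: status" lines; returns 1 if any is missing
check_ipsec_modules() {
    rc=0
    for m in $REQUIRED_MODULES; do
        s=$(module_status "$m" "$1")
        echo "$m: $s"
        if [ "$s" = missing ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample index files, so the example runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'kernel/net/xfrm/xfrm_user.ko' > "$d/modules.builtin"
    printf '%s\n' \
        'kernel/net/key/af_key.ko.xz:' \
        'kernel/net/ipv4/ah4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz' \
        'kernel/net/ipv4/esp4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz' \
        'kernel/net/xfrm/xfrm_ipcomp.ko.xz:' \
        'kernel/net/ipv4/ipcomp.ko.xz: kernel/net/xfrm/xfrm_ipcomp.ko.xz' \
        'kernel/example/other.ko.xz: kernel/net/ipv4/xfrm4_tunnel.ko.xz' \
        > "$d/modules.dep"
    echo "$d"
}

sample=$(make_sample_dir)
check_ipsec_modules "$sample" || echo "some required modules are missing"
rm -rf "$sample"
```

On a real host, call `check_ipsec_modules "/lib/modules/$(uname -r)"` instead of the sample directory.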