-------------------------
strongSwan - Installation
-------------------------


Contents
--------

 1. Overview
 2. Required packages
 3. Optional packages
  3.1 HTTP fetcher
  3.2 LDAP
  3.3 Other pluggable modules
 4. Kernel configuration

1. Overview
   --------

Since version 4.x strongSwan uses the GNU build system (Autotools).
This simplifies the build process and package maintenance. First, check for
the availability of required packages on your system (section 2.). You may
want to include support for additional features, which require other
packages to be installed (section 3.).

To compile an extracted tarball, run the ./configure script first:

    ./configure

You may want to specify some arguments listed in section 3., or see the
available options of the script using "./configure --help".

After a successful run of the script, run

    make

followed by

    make install

in the usual manner.

To check if your kernel fulfills the requirements, see section 4.

Next, add your connections to "/etc/ipsec.conf" and your secrets to
"/etc/ipsec.secrets".

Finally, start strongSwan with

    ipsec start


2. Required packages
   -----------------

In order to be able to build strongSwan you'll need one of the following
cryptographic libraries:

 * The GNU Multiprecision Arithmetic Library (GMP, libgmp)
   http://www.gmplib.org
 * The OpenSSL cryptographic library (libcrypto)
   http://www.openssl.org
 * The GNU cryptographic library (libgcrypt)
   http://www.gnupg.org

If no other options are specified during ./configure, libgmp will be used.

The libraries and the corresponding header files are usually included in
the form of one or two packages in the major Linux distributions (for GMP on
Debian: libgmp3 and libgmp3-dev).


3. Optional packages
   -----------------

3.1 HTTP Fetcher
    ------------

If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server, or as an alternative want to use the Online
Certificate Status Protocol (OCSP), then you will need either of the
following libraries:

 * The cURL library (libcurl)
   http://curl.haxx.se/libcurl/
 * The LibSoup library (libsoup)
   https://live.gnome.org/LibSoup

In order to activate the use of either of these libraries in strongSwan you
must enable the appropriate ./configure switch.


3.2 LDAP
    ----

If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
from http://www.openldap.org/.

OpenLDAP is usually included with your Linux distribution. You will need
both the run-time and development environments (SuSE: openldap2,
openldap2-devel).

In order to activate the use of the libldap library in strongSwan you must
enable the ./configure switch:

    ./configure [...] --enable-ldap

LDAP protocol version 2 is no longer supported; --enable-ldap always uses
version 3 of the LDAP protocol.


3.3 Other pluggable modules
    -----------------------

There are many other optional plugins that, for instance, provide support
for PKCS#11 or SQL databases.
For a more detailed description of these refer to our wiki:

 * http://wiki.strongswan.org


4. Kernel configuration
   --------------------

Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and their
native NETKEY IPsec stack. Please make sure that the following IPsec kernel
modules are available:

 * af_key
 * ah4
 * esp4
 * ipcomp
 * xfrm_user
 * xfrm4_tunnel

These may be built into the kernel or built as modules. Modules get loaded
automatically at strongSwan startup.

Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.

Support for multiple routing tables is also recommended.

For a more up-to-date list of recommended modules refer to:

 * http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
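
One way to check the module list in section 4 before starting strongSwan, as an added example that is not part of the strongSwan sources. It assumes the usual depmod layout (modules.builtin and modules.dep under /lib/modules/<release>); the function names and the sample tree are made up for illustration.

```sh
# Added example: list which of the IPsec modules named in section 4 are
# neither built into the kernel nor installed as loadable modules.
# Assumption: the module tree has depmod's modules.builtin and modules.dep.
REQUIRED_MODULES="af_key ah4 esp4 ipcomp xfrm_user xfrm4_tunnel"

# module_names FILE: print one module name per line of a modules.builtin or
# modules.dep file (an unreadable file simply contributes nothing).
module_names() {
    [ -r "$1" ] || return 0
    # Keep the path before ":", drop directories and the .ko[.xz|.gz|.zst]
    # suffix, and map "-" to "_" because module loading treats them alike.
    sed -e 's/:.*$//' -e 's|.*/||' \
        -e 's/\.ko\(\.[a-z0-9]*\)\{0,1\}$//' -e 'y/-/_/' "$1"
}

# missing_ipsec_modules MODDIR: print the required modules found in neither
# file, space separated; return 0 only if nothing is missing.
missing_ipsec_modules() {
    available=$(module_names "$1/modules.builtin"; module_names "$1/modules.dep")
    missing=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$available" | grep -qxF "$m" || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# make_sample_tree DIR: constructed sample data, not taken from a real kernel.
# af_key is built in, four modules are loadable, xfrm4_tunnel is absent.
make_sample_tree() {
    mkdir -p "$1"
    printf '%s\n' 'kernel/net/key/af_key.ko' > "$1/modules.builtin"
    printf '%s\n' \
        'kernel/net/ipv4/ah4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz' \
        'kernel/net/ipv4/esp4.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz' \
        'kernel/net/xfrm/xfrm_ipcomp.ko.xz:' \
        'kernel/net/ipv4/ipcomp.ko.xz: kernel/net/xfrm/xfrm_ipcomp.ko.xz' \
        'kernel/net/xfrm/xfrm-user.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz' \
        > "$1/modules.dep"
}

# Check the running kernel, or the module directory given as $1.
if missing=$(missing_ipsec_modules "${1:-/lib/modules/$(uname -r)}"); then
    echo "all required IPsec modules are available"
else
    echo "not found: $missing"
fi
```

Names are matched as whole lines, so a helper module such as xfrm_ipcomp does not count as ipcomp.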