---------------------------
strongSwan - Installation
---------------------------
2.3 PKCS#11 smartcard library modules
3. Building strongSwan with a Linux 2.4 kernel
4. Updating strongSwan with a Linux 2.4 kernel
5. Building strongSwan with a Linux 2.6 kernel
In order to be able to build strongSwan you'll need the GNU Multiprecision
Arithmetic Library (GMP) available from http://www.swox.com/gmp/.

The libgmp library and the corresponding header file gmp.h are usually
included in the form of one or two packages in the major Linux
distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server or as an alternative want to use the Online
Certificate Status Protocol (OCSP) then you will need the libcurl library
available from http://curl.haxx.se/.

In order to keep the library as compact as possible for use with strongSwan
you can build libcurl from the sources with the optimized options

    ./configure --prefix=<dir> --without-ssl \
                --disable-ldap --disable-telnet \
                --disable-dict --disable-gopher \
                --enable-nonblocking --enable-thread
As an alternative you can use the ready-made packages included with your
favorite Linux distribution (SuSE: curl, curl-devel).

In order to activate the use of the libcurl library in strongSwan you must
set the USE_LIBCURL option in "Makefile.inc":

    # include libcurl support (CRL fetching, OCSP and SCEP)

Under Gentoo emerge strongSwan with

    USE="curl -ssl" emerge strongswan
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
from http://www.openldap.org/.

OpenLDAP is usually included with your Linux distribution. You will need
both the run-time and development environments (SuSE: openldap2,
In order to activate the use of the libldap library in strongSwan you must
set the USE_LDAP option in "Makefile.inc":

    # include LDAP support (CRL fetching)

Depending upon whether your LDAP server understands the V3 (preferred) or
V2 LDAP protocol, uncomment one of the two following lines:

    # Uncomment to enable dynamic CRL fetching using LDAP V3

    # Uncomment to enable dynamic CRL fetching using LDAP V2

The latest OpenLDAP releases use the LDAP V3 protocol, whereas older
versions require LDAP V2.

Under Gentoo emerge strongSwan with

    USE="ldap -ssl" emerge strongswan
2.3 PKCS#11 smartcard library modules
-------------------------------------
If you want to securely store your X.509 certificates and private RSA keys
on a smart card or a USB crypto token then you will need a PKCS #11 library
for the smart card of your choice. The OpenSC PKCS#11 library (use
versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
directory structure be present on the smart card. In principle, however,
any other PKCS#11 library could be used, since the PKCS#11 API hides the
internal data representation on the card.
For USB crypto token support you must add the OpenCT driver library
(version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
readers you'll need the pcsc-lite library and the matching driver from the
M.U.S.C.L.E project http://www.linuxnet.com/.
In order to activate the PKCS#11-based smartcard support in strongSwan
you must set the USE_SMARTCARD option in "Makefile.inc":

    # include PKCS11-based smartcard support
No external smart card libraries need to be present during compilation:
strongSwan directly references a copy of the standard RSAREF pkcs11.h
header file stored in the pluto/rsaref sub directory. At compile time a
pathname to a default PKCS#11 dynamic library can be specified

    # Uncomment this line if using OpenSC <= 0.9.6
    PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
    # Uncomment this line if using OpenSC >= 0.10.0
    #PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"
This default path to the easily-obtainable OpenSC library module can be
simply overridden at run-time by specifying an alternative path in
ipsec.conf pointing to any dynamic PKCS#11 library of your choice:

    pkcs11module="/usr/lib/xyz-pkcs11.so"
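As an added example (not from the strongSwan INSTALL file or source tree), the following POSIX shell script resolves the module pluto will actually load, applying the ipsec.conf pkcs11module= override over the Makefile.inc PKCS11_DEFAULT_LIB default described above, and refuses a relative, missing, or group/world-writable module file before it would be dlopen()ed as root. The option names come from the text above; the sample Makefile.inc, ipsec.conf and the empty stand-in module files are constructed.

```shell
#!/bin/sh
# Added example, not from the strongSwan INSTALL file or source tree. It
# resolves the PKCS#11 module pluto will dlopen() (pkcs11module= in
# ipsec.conf overrides PKCS11_DEFAULT_LIB in Makefile.inc) and rejects a
# relative, missing, or group/world-writable module: pluto loads the
# module as root, so anyone who can write that file can run code as root.

# write_sample_configs DIR: constructed Makefile.inc, ipsec.conf and two
# empty stand-in module files (0644 default, 0666 override) for the demo
write_sample_configs() {
    printf '# include PKCS11-based smartcard support\nUSE_SMARTCARD=true\n' \
        > "$1/Makefile.inc"
    printf '#PKCS11_DEFAULT_LIB=\\"/usr/lib/pkcs11/opensc-pkcs11.so\\"\n' \
        >> "$1/Makefile.inc"
    printf 'PKCS11_DEFAULT_LIB=\\"%s/opensc-pkcs11.so\\"\n' "$1" >> "$1/Makefile.inc"
    printf 'config setup\n\tpkcs11module="%s/xyz-pkcs11.so"\n' "$1" > "$1/ipsec.conf"
    : > "$1/opensc-pkcs11.so"; chmod 644 "$1/opensc-pkcs11.so"
    : > "$1/xyz-pkcs11.so";    chmod 666 "$1/xyz-pkcs11.so"
}

# effective_pkcs11_module MAKEFILE_INC IPSEC_CONF: prints the module path
effective_pkcs11_module() {
    # ipsec.conf value wins; strip the quotes and surrounding whitespace
    m=$(grep '^[[:space:]]*pkcs11module=' "$2" | tail -n 1 |
        cut -d= -f2- | tr -d '"[:space:]')
    if [ -z "$m" ]; then
        # Makefile.inc writes the value as \"...\"; '^' skips commented lines
        m=$(grep '^PKCS11_DEFAULT_LIB=' "$1" | tail -n 1 |
            cut -d= -f2- | tr -d '\\"[:space:]')
    fi
    printf '%s\n' "$m"
}

# check_pkcs11_module PATH: 0 if safe to load, 1 with the reason on stderr
check_pkcs11_module() {
    case $1 in
        /*) ;;
        *)  echo "pkcs11: '$1' is not an absolute path" >&2; return 1 ;;
    esac
    [ -f "$1" ] || { echo "pkcs11: $1 is not a regular file" >&2; return 1; }
    # ls -l mode string: character 6 is the group write bit, 9 the other write bit
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w*|????????w*) echo "pkcs11: $1 is group/world-writable" >&2; return 1 ;;
    esac
}

# Demo on the constructed files: the ipsec.conf override selects the 0666 file
d=$(mktemp -d); write_sample_configs "$d"
mod=$(effective_pkcs11_module "$d/Makefile.inc" "$d/ipsec.conf")
check_pkcs11_module "$mod" && echo "OK: $mod" || echo "REJECTED: $mod"
rm -rf "$d"
```

Run it as a pre-flight check before `ipsec start`; the same checks apply to any module path you put in pkcs11module=.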
Under Gentoo emerge strongSwan with

    USE="smartcard usb -pam -X" emerge strongswan


3. Building strongSwan with a Linux 2.4 kernel
----------------------------------------------
* Building strongSwan with a Linux 2.4 kernel requires the presence of the
  matching kernel sources referenced via the symbolic link /usr/src/linux.
  The use of the vanilla kernel sources from ftp.kernel.org is strongly

  Before building strongSwan you must have compiled the kernel sources at

      make menuconfig; make dep; make bzImage; make modules
* Now change into the strongswan-2.x.x source directory.

  First uncomment any desired compile options in "programs/pluto/Makefile"
  (see section 2. Optional packages).

  Then in the top source directory type

  This command applies an ESP_IN_UDP encapsulation patch, which is required
  for NAT-Traversal, to the kernel sources.

  In the "Networking options" menu set

      <M> IP Security Protocol (strongSwan IPsec)

  in order to build KLIPS as a loadable kernel module "ipsec.o". Do not
  forget to save the modified configuration file when leaving "menumod".

  The strongSwan userland programs are now automatically built and
  installed, whereas the ipsec.o kernel module and the crypto modules
  are only built and must be installed with the command

* If you intend to use the NAT-Traversal feature then you must compile the
  patched kernel sources again by executing

  and then install and boot the modified kernel.

* Next add your connections to "/etc/ipsec.conf" and start strongSwan with
4. Updating strongSwan with a Linux 2.4 kernel
----------------------------------------------

* If you have already successfully installed strongSwan and want to update
  to a newer version then the following shortcut can be taken:

  First uncomment any desired compile options in "programs/pluto/Makefile"
  (see section 2. Optional packages).

  Then in the strongswan-2.x.x top directory type

      make programs; make install

      make module; make minstall

* You can then start the updated strongSwan version with
5. Building strongSwan with a Linux 2.6 kernel
----------------------------------------------

* Because the Linux 2.6 kernel comes with a built-in native IPsec stack,
  you won't need to build the strongSwan kernel modules. Please make sure
  that the following Linux 2.6 IPsec kernel modules are available:

  Also the built-in kernel Cryptoapi modules with selected encryption and
  hash algorithms should be available.

* First uncomment any desired compile options in "programs/pluto/Makefile"
  (see section 2. Optional packages).

  Then in the strongswan-2.x.x top directory type

* Next add your connections to "/etc/ipsec.conf" and start strongSwan with
-----------------------------------------------------------------------------

This file is RCSID $Id: INSTALL,v 1.8 2006/01/22 16:22:23 as Exp $