- ---------------------------
- strongSwan - Installation
- ---------------------------
+ -------------------------
+ strongSwan - Installation
+ -------------------------
Contents
--------
- 1. Overview
- 2. Required packages
- 3. Optional packages
- 3.1 libcurl
- 3.2 OpenLDAP
- 3.3 PKCS#11 smartcard library modules
- 4. Kernel configuration
+ 1. Overview
+ 2. Required packages
+ 3. Optional packages
+ 3.1 HTTP fetcher
+ 3.2 LDAP
+ 3.3 Other pluggable modules
+ 4. Kernel configuration
1. Overview
--------
- The strongSwan 4.x branch introduces a new build environment featuring
- GNU autotools. This should simplify the build process and package
- maintenance.
- First check for the availability of required packages on your system
- (section 2.). You may want to include support for additional features, which
- require other packages to be installed (section 3.).
+ Since version 4.x strongSwan uses the GNU build system (Autotools).
+ This simplifies the build process and package maintenance. First, check for
+ the availability of required packages on your system (section 2.). You may
+ want to include support for additional features, which require other
+ packages to be installed (section 3.).
+
To compile an extracted tarball, run the ./configure script first:
./configure
in the usual manner.
- To check if your kernel fullfills the requirements, see section 4.
+ To check if your kernel fulfills the requirements, see section 4.
Next add your connections to "/etc/ipsec.conf" and your secrets to
- "/etc/ipsec.secrets". Connections that are to be negotiated by the new
- IKEv2 charon keying daemon should be designated by "keyexchange=ikev2" and
- those by the IKEv1 pluto keying daemon either by "keyexchange=ikev1" or
- the default "keyexchange=ike".
+ "/etc/ipsec.secrets".
At last start strongSwan with
2. Required packages
-----------------
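Review bot: dropping the keyexchange guidance (the removed lines after "/etc/ipsec.secrets") leaves readers with no pointer to where the IKE version of a connection is selected, and the following context line "At last start strongSwan with" now reads as an unfinished sentence with no command after it. Suggest keeping a one-line reference such as "see ipsec.conf(5) for the keyexchange option" and completing the start-up sentence with the actual command.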
- In order to be able to build strongSwan you'll need the GNU Multiprecision
- Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least
- version 4.1.5 of libgmp is required.
+ In order to be able to build strongSwan you'll need one of the following
+ cryptographic libraries:
+
+ * The GNU Multiprecision Arithmetic Library (GMP, libgmp)
+ http://www.gmplib.org
+ * The OpenSSL cryptographic library (libcrypto)
+ http://www.openssl.org
+ * The GNU cryptographic library (libgcrypt)
+ http://www.gnupg.org
+
+ If no other options are specified during ./configure libgmp will be used.
- The libgmp library and the corresponding header file gmp.h are usually
- included in the form of one or two packages in the major Linux
- distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
+ The libraries and the corresponding header files are usually included in
+ the form of one or two packages in the major Linux distributions (for GMP on
+ Debian: libgmp3 and libgmp3-dev).
3. Optional packages
-----------------
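Review bot: the new library list loses the minimum version requirement that the removed text stated for GMP ("At least version 4.1.5 of libgmp is required") and states no minimum for libcrypto or libgcrypt either; a build-from-source reader needs those floors, so restore them for all three. The list also does not say which ./configure switch selects OpenSSL or libgcrypt, while the sentence "If no other options are specified during ./configure libgmp will be used" implies such options exist; naming them next to each bullet (e.g. --enable-openssl, --enable-gcrypt) would make the section self-contained.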
-3.1 libcurl
- -------
+3.1 HTTP Fetcher
+ ------------
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server or as an alternative want to use the Online
- Certificate Status Protocol (OCSP) then you will need the libcurl library
- available from http://curl.haxx.se/.
+ Certificate Status Protocol (OCSP) then you will need the either of the
+ following libraries:
- In order to keep the library as compact as possible for use with strongSwan
- you can build libcurl from the sources with the optimized options
+ * The cURL library (libcurl)
+ http://curl.haxx.se/libcurl/
+ * The LibSoup library (libsoup)
+ https://live.gnome.org/LibSoup
- ./configure --prefix=<dir> --without-ssl \
- --disable-ldap --disable-telnet \
- --disable-dict --disable-gopher \
- --disable-debug \
- --enable-nonblocking --enable-thread
+ In order to activate the use of either of these libraries in strongSwan you
+ must enable the appropriate ./configure switch.
- As an alternative you can use the ready-made packages included with your
- favorite Linux distribution (SuSE: curl, curl-devel).
-
- In order to activate the use of the libcurl library in strongSwan you must
- enable the ./configure switch:
- ./configure [...] --enable-http
-
-
-3.2 OpenLDAP
- --------
+3.2 LDAP
+ ----
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
In order to activate the use of the libldap library in strongSwan you must
enable the ./configure switch:
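Review bot: typo in the added HTTP fetcher text, "you will need the either of the following libraries" should read "you will need either of the following libraries". The closing sentence "you must enable the appropriate ./configure switch" also drops the concrete switch that the removed text gave ("./configure [...] --enable-http") without naming its replacements; list the switch beside each library (e.g. --enable-curl for libcurl, --enable-soup for libsoup) so the reader does not have to grep configure --help.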
- ./configure [...] --enable-ldap
+ ./configure [...] --enable-ldap
- LDAP Protocl version 2 is not supported anymore, --enable-ldap uses always
+ LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
version 3 of the LDAP protocol
-3.3 PKCS#11 smartcard library modules
- ---------------------------------
-
- If you want to securely store your X.509 certificates and private RSA keys
- on a smart card or a USB crypto token then you will need a PKCS #11 library
- for the smart card of your choice. The OpenSC PKCS#11 library (use
- versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
- selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
- Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
- directory structure be present on the smart card. But in principle
- any other PKCS#11 library could be used since the PKCS#11 API hides the
- internal data representation on the card.
+3.3 Other pluggable modules
+ -----------------------
- For USB crypto token support you must add the OpenCT driver library
- (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
- readers you'll need the pcsc-lite library and the matching driver from the
- M.U.S.C.L.E project http://www.linuxnet.com/ .
+ There are many other optional plugins that, for instance, provide support
+ for PKCS#11 or SQL databases.
+ For a more detailed description of these refer to our wiki:
- In order to activate the PKCS#11-based smartcard support in strongSwan
- you must enable the smartcard ./configure switch:
-
- ./configure [...] --enable-smartcard
-
- During compilation no externel smart card libraries must be present.
- strongSwan directly references a copy of the standard RSAREF pkcs11.h
- header files stored in the pluto/rsaref sub directory. During compile
- time a pathname to a default PKCS#11 dynamical library can be specified
- with a ./configure flag:
-
- ./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so
-
- This default path to the easily-obtainable OpenSC library module can be
- simply overridden during run-time by specifying an alternative path in
- ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
-
- config setup
- pkcs11module="/usr/lib/xyz-pkcs11.so"
+ * http://wiki.strongswan.org
4. Kernel configuration
--------------------
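Review bot: replacing the whole PKCS#11 section with a bare "http://wiki.strongswan.org" bullet loses two operationally relevant facts that the removed lines documented: that the default PKCS#11 module path is fixed at compile time via --with-default-pkcs11, and that it can be overridden at run time with "pkcs11module=" in ipsec.conf, which loads an arbitrary dynamic library chosen by the configuration. If this now lives on the wiki, link the specific wiki page (as section 4 does with ".../wiki/KernelModules") rather than the wiki root, and keep a one-line summary of the compile-time/run-time distinction here.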
- The strongSwan 4.x series currently support only 2.6 kernels and its
- native IPsec stack. Please make sure that the following IPsec kernel
+ Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
+ native NETKEY IPsec stack. Please make sure that the following IPsec kernel
modules are available:
- o af_key
- o ah4
- o esp4
- o ipcomp
- o xfrm_user
- o xfrm4_tunnel
+ * af_key
+ * ah4
+ * esp4
+ * ipcomp
+ * xfrm_user
+ * xfrm4_tunnel
These may be built into the kernel or as modules. Modules get loaded
automatically at strongSwan startup.
Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.
+ Support for multiple routing tables is also recommended.
+
+ For a more up-to-date list of recommended modules refer to:
+
+ * http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
+
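Review bot: "Support for multiple routing tables is also recommended" should name the kernel option it refers to (CONFIG_IP_MULTIPLE_TABLES, under CONFIG_IP_ADVANCED_ROUTER) so it can be checked against a .config like the module list above; the added bullet list also omits any trailing context and the final "+" adds a blank line at end of file, which should be dropped.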