[people/ms/strongswan.git] / INSTALL

                 ---------------------------
                  strongSwan - Installation
                 ---------------------------


Contents
--------

   1.   Overview
   2.   Required packages
   3.   Optional packages
   3.1   HTTP fetcher
   3.2   LDAP
   3.3   Other pluggable modules
   4.   Kernel configuration

1.  Overview
    --------

    Since version 4.x strongSwan uses the GNU build system (Autotools).
    This simplifies the build process and package maintenance. First, check for
    the availability of required packages on your system (section 2.). You may
    want to include support for additional features, which require other
    packages to be installed (section 3.).

    To compile an extracted tarball, run the ./configure script first:

      ./configure

    You may want to specify some arguments listed in section 3., or see the
    available options of the script using "./configure --help".

    After a successful run of the script, run

      make

    followed by

      make install

    in the usual manner.

    To check if your kernel fulfills the requirements, see section 4.

    Next add your connections to "/etc/ipsec.conf" and your secrets to
    "/etc/ipsec.secrets".

    At last start strongSwan with

      ipsec start


2.  Required packages
    -----------------

    In order to be able to build strongSwan you'll need one of the following
    cryptographic libraries:

      * The GNU Multiprecision Arithmetic Library (GMP, libgmp)
        http://www.gmplib.org
      * The OpenSSL cryptographic library (libcrypto)
        http://www.openssl.org
      * The GNU cryptographic library (libgcrypt)
        http://www.gnupg.org

    If no other options are specified during ./configure libgmp will be used.

    The libraries and the corresponding header files are usually included in
    the form of one or two packages in the major Linux distributions (for GMP on
    Debian: libgmp3 and libgmp3-dev).


3.  Optional packages
    -----------------

3.1 HTTP Fetcher
    ------------

    If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
    from an HTTP server or as an alternative want to use the Online
    Certificate Status Protocol (OCSP) then you will need the either of the
    following libraries:

      * The cURL library (libcurl)
        http://curl.haxx.se/libcurl/
      * The LibSoup library (libsoup)
        https://live.gnome.org/LibSoup

    In order to activate the use of either of these libraries in strongSwan you
    must enable the appropriate ./configure switch.


3.2 LDAP
    ----

    If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
    from an LDAP server then you will need the libldap library available
    from http://www.openldap.org/.

    OpenLDAP is usually included  with your Linux distribution. You will need
    both the run-time and development environments (SuSE: openldap2,
    openldap2-devel).

    In order to activate the use of the libldap library in strongSwan you must
    enable the ./configure switch:

       ./configure [...] --enable-ldap

    LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
    version 3 of the LDAP protocol


3.3 Other pluggable modules
    -----------------------

    There are many other optional plugins that, for instance, provide support
    for PKCS#11 or SQL databases.
    For a more detailed description of these refer to our wiki:

      * http://wiki.strongswan.org


4.  Kernel configuration
    --------------------

    Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
    native NETKEY IPsec stack. Please make sure that the following IPsec kernel
    modules are available:

      * af_key
      * ah4
      * esp4
      * ipcomp
      * xfrm_user
      * xfrm4_tunnel

    These may be built into the kernel or as modules. Modules get loaded
    automatically at strongSwan startup.

    Also the built-in kernel Cryptoapi modules with selected encryption and
    hash algorithms should be available.

    Support for multiple routing tables is also recommended.

    For a more up-to-date list of recommended modules refer to:

     * http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
Commit	Line	Data
997358a6	1	---------------------------
9820c0e2	2	strongSwan - Installation
997358a6 MW	3	---------------------------
	4
	5
	6	Contents
	7	--------
	8
c0d63ac9 MW	9	1. Overview
	10	2. Required packages
	11	3. Optional packages
2015c469 TB	12	3.1 HTTP fetcher
	13	3.2 LDAP
	14	3.3 Other pluggable modules
c0d63ac9 MW	15	4. Kernel configuration
	16
	17	1. Overview
	18	--------
997358a6	19
2015c469 TB	20	Since version 4.x strongSwan uses the GNU build system (Autotools).
	21	This simplifies the build process and package maintenance. First, check for
	22	the availability of required packages on your system (section 2.). You may
	23	want to include support for additional features, which require other
	24	packages to be installed (section 3.).
	25
c0d63ac9	26	To compile an extracted tarball, run the ./configure script first:
997358a6	27
c0d63ac9	28	./configure
997358a6	29
c0d63ac9 MW	30	You may want to specify some arguments listed in section 3., or see the
c0d63ac9 MW	31	available options of the script using "./configure --help".
997358a6	32
c0d63ac9	33	After a successful run of the script, run
997358a6	34
c0d63ac9	35	make
997358a6	36
c0d63ac9	37	followed by
997358a6	38
c0d63ac9	39	make install
997358a6	40
c0d63ac9	41	in the usual manner.
997358a6	42
2015c469	43	To check if your kernel fulfills the requirements, see section 4.
997358a6	44
5ed3e3a7	45	Next add your connections to "/etc/ipsec.conf" and your secrets to
2015c469	46	"/etc/ipsec.secrets".
997358a6	47
c0d63ac9	48	At last start strongSwan with
997358a6	49
c0d63ac9	50	ipsec start
997358a6	51
997358a6	52
c0d63ac9 MW	53	2. Required packages
c0d63ac9 MW	54	-----------------
997358a6	55
2015c469 TB	56	In order to be able to build strongSwan you'll need one of the following
	57	cryptographic libraries:
	58
	59	* The GNU Multiprecision Arithmetic Library (GMP, libgmp)
	60	http://www.gmplib.org
	61	* The OpenSSL cryptographic library (libcrypto)
	62	http://www.openssl.org
	63	* The GNU cryptographic library (libgcrypt)
	64	http://www.gnupg.org
	65
	66	If no other options are specified during ./configure libgmp will be used.
997358a6	67
2015c469 TB	68	The libraries and the corresponding header files are usually included in
	69	the form of one or two packages in the major Linux distributions (for GMP on
	70	Debian: libgmp3 and libgmp3-dev).
997358a6	71
997358a6	72
c0d63ac9 MW	73	3. Optional packages
c0d63ac9 MW	74	-----------------
997358a6	75
2015c469 TB	76	3.1 HTTP Fetcher
2015c469 TB	77	------------
c0d63ac9 MW	78
	79	If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
	80	from an HTTP server or as an alternative want to use the Online
2015c469 TB	81	Certificate Status Protocol (OCSP) then you will need the either of the
2015c469 TB	82	following libraries:
c0d63ac9	83
2015c469 TB	84	* The cURL library (libcurl)
	85	http://curl.haxx.se/libcurl/
	86	* The LibSoup library (libsoup)
	87	https://live.gnome.org/LibSoup
997358a6	88
2015c469 TB	89	In order to activate the use of either of these libraries in strongSwan you
2015c469 TB	90	must enable the appropriate ./configure switch.
c0d63ac9	91
997358a6	92
2015c469 TB	93	3.2 LDAP
2015c469 TB	94	----
997358a6	95
c0d63ac9 MW	96	If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
	97	from an LDAP server then you will need the libldap library available
	98	from http://www.openldap.org/.
997358a6	99
c0d63ac9 MW	100	OpenLDAP is usually included with your Linux distribution. You will need
	101	both the run-time and development environments (SuSE: openldap2,
	102	openldap2-devel).
997358a6	103
c0d63ac9 MW	104	In order to activate the use of the libldap library in strongSwan you must
c0d63ac9 MW	105	enable the ./configure switch:
997358a6	106
c0d63ac9	107	./configure [...] --enable-ldap
997358a6	108
2015c469	109	LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
c0d63ac9	110	version 3 of the LDAP protocol
997358a6	111
997358a6	112
2015c469 TB	113	3.3 Other pluggable modules
2015c469 TB	114	-----------------------
997358a6	115
2015c469 TB	116	There are many other optional plugins that, for instance, provide support
	117	for PKCS#11 or SQL databases.
	118	For a more detailed description of these refer to our wiki:
997358a6	119
2015c469	120	* http://wiki.strongswan.org
997358a6	121
997358a6	122
c0d63ac9 MW	123	4. Kernel configuration
c0d63ac9 MW	124	--------------------
997358a6	125
2015c469 TB	126	Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
2015c469 TB	127	native NETKEY IPsec stack. Please make sure that the following IPsec kernel
c0d63ac9	128	modules are available:
9820c0e2	129
2015c469 TB	130	* af_key
	131	* ah4
	132	* esp4
	133	* ipcomp
	134	* xfrm_user
	135	* xfrm4_tunnel
997358a6	136
8b4f4452	137	These may be built into the kernel or as modules. Modules get loaded
c0d63ac9	138	automatically at strongSwan startup.
997358a6	139
c0d63ac9 MW	140	Also the built-in kernel Cryptoapi modules with selected encryption and
c0d63ac9 MW	141	hash algorithms should be available.
997358a6	142
2015c469 TB	143	Support for multiple routing tables is also recommended.
	144
	145	For a more up-to-date list of recommended modules refer to:
	146
	147	* http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
	148