[thirdparty/strongswan.git] / INSTALL

                -------------------------
                strongSwan - Installation
                -------------------------


Contents
--------

    1.   Overview
    2.   Required packages
    3.   Optional packages
    3.1   HTTP fetcher
    3.2   LDAP
    3.3   Other pluggable modules
    4.   Kernel configuration

1.  Overview
    --------

    Since version 4.x strongSwan uses the GNU build system (Autotools).
    This simplifies the build process and package maintenance. First, check for
    the availability of required packages on your system (section 2.). You may
    want to include support for additional features, which require other
    packages to be installed (section 3.).

    To compile an extracted tarball, run the ./configure script first:

      ./configure

    You may want to specify some arguments listed in section 3., or see the
    available options of the script using "./configure --help".

    After a successful run of the script, run

      make

    followed by

      make install

    in the usual manner.

    To check if your kernel fulfills the requirements, see section 4.

    Refer to README for configuration examples.


2.  Required packages
    -----------------

    In order to be able to build strongSwan you'll need one of the following
    cryptographic libraries:

      * The OpenSSL Cryptographic Library (libcrypto)
        https://www.openssl.org
      * The wolfSSL Embedded TLS Library (libwolfssl)
        https://www.wolfssl.com
      * The Botan Crypto Library (libbotan)
        https://botan.randombit.net
      * The GNU Multiprecision Arithmetic Library (GMP, libgmp)
        https://gmplib.org
      * The GNU Cryptographic Library (libgcrypt)
        https://www.gnupg.org

    If no other options are specified during ./configure libgmp will be used.

    The libraries and the corresponding header files are usually included in
    the form of one or two packages in the major Linux distributions (for GMP on
    Debian: libgmp3 and libgmp3-dev).


3.  Optional packages
    -----------------

3.1 HTTP Fetcher
    ------------

    If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
    from an HTTP server or as an alternative want to use the Online
    Certificate Status Protocol (OCSP) then you will need the either of the
    following libraries:

      * The cURL library (libcurl)
        https://curl.se/libcurl/
      * The LibSoup library (libsoup)
        https://live.gnome.org/LibSoup

    In order to activate the use of either of these libraries in strongSwan you
    must enable the appropriate ./configure switch.


3.2 LDAP
    ----

    If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
    from an LDAP server then you will need the libldap library available
    from https://www.openldap.org/.

    OpenLDAP is usually included  with your Linux distribution. You will need
    both the run-time and development environments (SuSE: openldap2,
    openldap2-devel).

    In order to activate the use of the libldap library in strongSwan you must
    enable the ./configure switch:

      ./configure [...] --enable-ldap

    LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
    version 3 of the LDAP protocol


3.3 Other pluggable modules
    -----------------------

    There are many other optional plugins that, for instance, provide support
    for PKCS#11 or SQL databases.
    For a more detailed description of these refer to our documentation:

      * https://docs.strongswan.org


4.  Kernel configuration
    --------------------

    Please make sure that the following IPsec-related Linux kernel modules are
    available:

      * esp4
      * esp6
      * xfrm_user

    And for older kernels, mode-specific modules such as:

      * xfrm4_tunnel
      * xfrm4_mode_tunnel

    These may be built into the kernel or as modules. Modules should get loaded
    automatically if necessary.

    The built-in kernel Cryptoapi modules with selected encryption and
    hash algorithms should also be available.

    Support for multiple routing tables is also recommended.

    For a more up-to-date list of recommended modules refer to:

      * https://docs.strongswan.org/docs/5.9/install/kernelModules.html
Commit	Line	Data
53f8ac3d TB	1	-------------------------
	2	strongSwan - Installation
	3	-------------------------
997358a6 MW	4
	5
	6	Contents
	7	--------
	8
53f8ac3d TB	9	1. Overview
	10	2. Required packages
	11	3. Optional packages
	12	3.1 HTTP fetcher
	13	3.2 LDAP
	14	3.3 Other pluggable modules
	15	4. Kernel configuration
c0d63ac9 MW	16
	17	1. Overview
	18	--------
997358a6	19
2015c469 TB	20	Since version 4.x strongSwan uses the GNU build system (Autotools).
	21	This simplifies the build process and package maintenance. First, check for
	22	the availability of required packages on your system (section 2.). You may
	23	want to include support for additional features, which require other
	24	packages to be installed (section 3.).
	25
c0d63ac9	26	To compile an extracted tarball, run the ./configure script first:
997358a6	27
c0d63ac9	28	./configure
997358a6	29
c0d63ac9 MW	30	You may want to specify some arguments listed in section 3., or see the
c0d63ac9 MW	31	available options of the script using "./configure --help".
997358a6	32
c0d63ac9	33	After a successful run of the script, run
997358a6	34
c0d63ac9	35	make
997358a6	36
c0d63ac9	37	followed by
997358a6	38
c0d63ac9	39	make install
997358a6	40
c0d63ac9	41	in the usual manner.
997358a6	42
2015c469	43	To check if your kernel fulfills the requirements, see section 4.
997358a6	44
df18934d	45	Refer to README for configuration examples.
997358a6	46
997358a6	47
c0d63ac9 MW	48	2. Required packages
c0d63ac9 MW	49	-----------------
997358a6	50
2015c469 TB	51	In order to be able to build strongSwan you'll need one of the following
	52	cryptographic libraries:
	53
df18934d TB	54	* The OpenSSL Cryptographic Library (libcrypto)
	55	https://www.openssl.org
	56	* The wolfSSL Embedded TLS Library (libwolfssl)
	57	https://www.wolfssl.com
	58	* The Botan Crypto Library (libbotan)
	59	https://botan.randombit.net
2015c469	60	* The GNU Multiprecision Arithmetic Library (GMP, libgmp)
df18934d TB	61	https://gmplib.org
	62	* The GNU Cryptographic Library (libgcrypt)
	63	https://www.gnupg.org
2015c469 TB	64
2015c469 TB	65	If no other options are specified during ./configure libgmp will be used.
997358a6	66
2015c469 TB	67	The libraries and the corresponding header files are usually included in
	68	the form of one or two packages in the major Linux distributions (for GMP on
	69	Debian: libgmp3 and libgmp3-dev).
997358a6	70
997358a6	71
c0d63ac9 MW	72	3. Optional packages
c0d63ac9 MW	73	-----------------
997358a6	74
2015c469 TB	75	3.1 HTTP Fetcher
2015c469 TB	76	------------
c0d63ac9 MW	77
	78	If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
	79	from an HTTP server or as an alternative want to use the Online
2015c469 TB	80	Certificate Status Protocol (OCSP) then you will need the either of the
2015c469 TB	81	following libraries:
c0d63ac9	82
2015c469	83	* The cURL library (libcurl)
df18934d	84	https://curl.se/libcurl/
2015c469 TB	85	* The LibSoup library (libsoup)
2015c469 TB	86	https://live.gnome.org/LibSoup
997358a6	87
2015c469 TB	88	In order to activate the use of either of these libraries in strongSwan you
2015c469 TB	89	must enable the appropriate ./configure switch.
c0d63ac9	90
997358a6	91
2015c469 TB	92	3.2 LDAP
2015c469 TB	93	----
997358a6	94
c0d63ac9 MW	95	If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
c0d63ac9 MW	96	from an LDAP server then you will need the libldap library available
df18934d	97	from https://www.openldap.org/.
997358a6	98
c0d63ac9 MW	99	OpenLDAP is usually included with your Linux distribution. You will need
	100	both the run-time and development environments (SuSE: openldap2,
	101	openldap2-devel).
997358a6	102
c0d63ac9 MW	103	In order to activate the use of the libldap library in strongSwan you must
c0d63ac9 MW	104	enable the ./configure switch:
997358a6	105
53f8ac3d	106	./configure [...] --enable-ldap
997358a6	107
2015c469	108	LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
c0d63ac9	109	version 3 of the LDAP protocol
997358a6	110
997358a6	111
2015c469 TB	112	3.3 Other pluggable modules
2015c469 TB	113	-----------------------
997358a6	114
2015c469 TB	115	There are many other optional plugins that, for instance, provide support
2015c469 TB	116	for PKCS#11 or SQL databases.
df18934d	117	For a more detailed description of these refer to our documentation:
997358a6	118
df18934d	119	* https://docs.strongswan.org
997358a6	120
997358a6	121
c0d63ac9 MW	122	4. Kernel configuration
c0d63ac9 MW	123	--------------------
997358a6	124
df18934d TB	125	Please make sure that the following IPsec-related Linux kernel modules are
df18934d TB	126	available:
9820c0e2	127
2015c469	128	* esp4
df18934d	129	* esp6
2015c469	130	* xfrm_user
df18934d TB	131
	132	And for older kernels, mode-specific modules such as:
	133
2015c469	134	* xfrm4_tunnel
df18934d	135	* xfrm4_mode_tunnel
997358a6	136
df18934d TB	137	These may be built into the kernel or as modules. Modules should get loaded
df18934d TB	138	automatically if necessary.
997358a6	139
df18934d TB	140	The built-in kernel Cryptoapi modules with selected encryption and
df18934d TB	141	hash algorithms should also be available.
997358a6	142
2015c469 TB	143	Support for multiple routing tables is also recommended.
	144
	145	For a more up-to-date list of recommended modules refer to:
	146
df18934d	147	* https://docs.strongswan.org/docs/5.9/install/kernelModules.html