forked from mestery/strongswan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
INSTALL
148 lines (98 loc) · 4.15 KB
/
INSTALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
-------------------------
strongSwan - Installation
-------------------------
Contents
--------
1. Overview
2. Required packages
3. Optional packages
3.1 HTTP fetcher
3.2 LDAP
3.3 Other pluggable modules
4. Kernel configuration
1. Overview
--------
Since version 4.x strongSwan uses the GNU build system (Autotools).
This simplifies the build process and package maintenance. First, check for
the availability of required packages on your system (section 2.). You may
want to include support for additional features, which require other
packages to be installed (section 3.).
To compile an extracted tarball, run the ./configure script first:
./configure
You may want to specify some arguments listed in section 3., or see the
available options of the script using "./configure --help".
After a successful run of the script, run
make
followed by
make install
in the usual manner.
To check if your kernel fulfills the requirements, see section 4.
Next add your connections to "/etc/ipsec.conf" and your secrets to
"/etc/ipsec.secrets".
At last start strongSwan with
ipsec start
2. Required packages
-----------------
In order to be able to build strongSwan you'll need one of the following
cryptographic libraries:
* The GNU Multiprecision Arithmetic Library (GMP, libgmp)
http://www.gmplib.org
* The OpenSSL cryptographic library (libcrypto)
http://www.openssl.org
* The GNU cryptographic library (libgcrypt)
http://www.gnupg.org
If no other options are specified during ./configure libgmp will be used.
The libraries and the corresponding header files are usually included in
the form of one or two packages in the major Linux distributions (for GMP on
Debian: libgmp3 and libgmp3-dev).
3. Optional packages
-----------------
3.1 HTTP Fetcher
------------
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server or as an alternative want to use the Online
Certificate Status Protocol (OCSP) then you will need the either of the
following libraries:
* The cURL library (libcurl)
http://curl.haxx.se/libcurl/
* The LibSoup library (libsoup)
https://live.gnome.org/LibSoup
In order to activate the use of either of these libraries in strongSwan you
must enable the appropriate ./configure switch.
3.2 LDAP
----
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
from http://www.openldap.org/.
OpenLDAP is usually included with your Linux distribution. You will need
both the run-time and development environments (SuSE: openldap2,
openldap2-devel).
In order to activate the use of the libldap library in strongSwan you must
enable the ./configure switch:
./configure [...] --enable-ldap
LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
version 3 of the LDAP protocol
3.3 Other pluggable modules
-----------------------
There are many other optional plugins that, for instance, provide support
for PKCS#11 or SQL databases.
For a more detailed description of these refer to our wiki:
* http://wiki.strongswan.org
4. Kernel configuration
--------------------
Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
native NETKEY IPsec stack. Please make sure that the following IPsec kernel
modules are available:
* af_key
* ah4
* esp4
* ipcomp
* xfrm_user
* xfrm4_tunnel
These may be built into the kernel or as modules. Modules get loaded
automatically at strongSwan startup.
Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.
Support for multiple routing tables is also recommended.
For a more up-to-date list of recommended modules refer to:
* http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules