strongSwan 2.8 - Installation

Contents

  1. Required packages
    1. libgmp
  2. Optional packages
    1. libcurl
    2. OpenLDAP
    3. PKCS#11 smart card library modules
  3. Building strongSwan with a Linux 2.4 kernel
  4. Updating strongSwan with a Linux 2.4 kernel
  5. Building strongSwan with a Linux 2.6 kernel

1. Required packages

1.1 libgmp

In order to be able to build strongSwan you'll need the GNU Multiprecision Arithmetic Library (GMP) available from http://www.swox.com/gmp/. The libgmp library and the corresponding header file gmp.h are usually included in the form of one or two packages in the major Linux distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev; Gentoo: gmp).

2. Optional packages

2.1 libcurl

If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an HTTP server or as an alternative want to use the Online Certificate Status Protocol (OCSP) then you will need the libcurl library available from http://curl.haxx.se/.

In order to keep the library as compact as possible for use with strongSwan you can build libcurl from the sources with the optimized options

./configure --prefix=<dir> --without-ssl \
            --disable-ldap --disable-telnet \
            --disable-dict --disable-gopher \
            --disable-debug \
            --enable-nonblocking --enable-thread

As an alternative you can use the ready-made packages included with your favorite Linux distribution (SuSE: curl, curl-devel).

In order to activate the use of the libcurl library in strongSwan you must set the USE_LIBCURL option in Makefile.inc:

# include libcurl support (CRL fetching, OCSP and SCEP)
USE_LIBCURL?=true

Under Gentoo emerge strongSwan with

USE="curl -ssl" emerge strongswan

2.2 OpenLDAP

If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an LDAP server then you will need the libldap library available from http://www.openldap.org/.

OpenLDAP is usually included with your Linux distribution. You will need both the run-time and development environments (SuSE: openldap2, openldap2-devel).

In order to activate the use of the libldap library in strongSwan you must set the USE_LDAP option in Makefile.inc:

# include LDAP support (CRL fetching)
USE_LDAP?=true

Depending upon whether your LDAP server understands the V3 (preferred) or V2 LDAP protocol, uncomment one of the two following lines:

# Uncomment to enable dynamic CRL fetching using LDAP V3
LDAP_VERSION=3
# Uncomment to enable dynamic CRL fetching using LDAP V2
#LDAP_VERSION=2

The latest OpenLDAP releases use the LDAP V3 protocol, whereas older versions require LDAP V2.

Under Gentoo emerge strongSwan with

USE="ldap -ssl" emerge strongswan

2.3 PKCS#11 smart card library modules

If you want to securely store your X.509 certificates and private RSA keys on a smart card or a USB crypto token then you will need a PKCS #11 library for the smart card of your choice. The OpenSC PKCS#11 library (version >= 0.9.4) available from http://www.opensc-project.org/ supports quite a selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15 directory structure be present on the smart card. But in principle any other PKCS#11 library could be used since the PKCS#11 API hides the internal data representation on the card.

For USB crypto token support you must add the OpenCT driver library (version >= 0.6.2) from the OpenSC site, whereas for serial smart card readers you'll need the pcsc-lite library and the matching driver from the M.U.S.C.L.E project http://www.linuxnet.com/.

In order to activate the use of the libopensc library in strongSwan you must set the USE_SMARTCARD option in Makefile.inc:

# include PKCS11-based smartcard support
USE_SMARTCARD?=true

During compilation no external smart card libraries need to be present. strongSwan directly references a copy of the standard RSAREF pkcs11.h header files stored in the pluto/rsaref subdirectory. At compile time a pathname to a default PKCS#11 dynamic library can be specified in Makefile.inc:

# Uncomment this line if using OpenSC <= 0.9.6
PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
# Uncomment this line if using OpenSC >= 0.10.0
#PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"

This default path to the easily obtainable OpenSC library module can simply be overridden at run-time by specifying an alternative path in ipsec.conf pointing to any dynamic PKCS#11 library of your choice:

config setup
     pkcs11module="/usr/lib/xyz-pkcs11.so"
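
Since pluto loads whatever shared object pkcs11module points at, the file and its directory should be root-owned and not writable by anyone else. The following added example (not part of the strongSwan docs) extracts that path from an ipsec.conf and reports such problems; it assumes GNU stat and the "config setup" syntax shown above, and the sample ipsec.conf and dummy module it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the strongSwan 2.8 docs: check the PKCS#11 module
# path configured in ipsec.conf before pluto loads it. pluto dlopen()s that
# library as root, so the file and its directory should be root-owned and not
# writable by group or others. Assumes GNU stat and the "config setup" syntax
# from section 2.3.
#
# pkcs11module_path CONF       prints the configured path, quotes stripped
# pkcs11module_findings CONF   prints one finding per line; returns 1 if any
pkcs11module_path() {
    sed -n 's/^[[:space:]]*pkcs11module[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

pkcs11module_findings() {
    lib=$(pkcs11module_path "$1")
    n=0
    if [ -z "$lib" ]; then
        echo "no pkcs11module set; pluto will use the compiled-in PKCS11_DEFAULT_LIB"
        return 1
    fi
    if [ ! -f "$lib" ]; then
        echo "$lib: not a regular file"
        return 1
    fi
    for p in "$lib" "$(dirname "$lib")"; do
        # -prune keeps find from descending into the directory
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "$p: writable by group or others"
            n=$((n + 1))
        fi
        if [ "$(stat -c %u "$p")" != 0 ]; then
            echo "$p: not owned by root"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: an ipsec.conf pointing at a world-writable dummy module.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
: > "$SAMPLE_DIR/xyz-pkcs11.so"
chmod 0666 "$SAMPLE_DIR/xyz-pkcs11.so"
cat > "$SAMPLE_DIR/ipsec.conf" <<EOF
config setup
     pkcs11module="$SAMPLE_DIR/xyz-pkcs11.so"
EOF

pkcs11module_findings "$SAMPLE_DIR/ipsec.conf" || echo "fix the findings above before ipsec start"
```

On a real host, pass /etc/ipsec.conf instead of the constructed sample.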

Under Gentoo emerge strongSwan with

USE="smartcard usb -pam -X" emerge strongswan

3. Building strongSwan with a Linux 2.4 kernel

  • Building strongSwan with a Linux 2.4 kernel requires the presence of the matching kernel sources referenced via the symbolic link /usr/src/linux. The use of the vanilla kernel sources from ftp.kernel.org is strongly recommended.

    Before building strongSwan you must have compiled the kernel sources at least once:

make menuconfig; make dep; make bzImage; make modules

  • Now change into the strongswan-2.x.x source directory.

    First uncomment any desired compile options in "programs/pluto/Makefile"
    (see section 2. Optional packages).

    Then in the top source directory type

    make menumod

    This command applies an ESP_IN_UDP encapsulation patch, which is required for NAT-Traversal, to the kernel sources.

    In the "Networking options" menu set

    <M> IP Security Protocol (strongSwan IPsec)

    in order to build KLIPS as a loadable kernel module "ipsec.o". Do not forget to save the modified configuration file when leaving "menumod".

    The strongSwan userland programs are now automatically built and installed, whereas the ipsec.o kernel module and the crypto modules are only built and must be installed with the command

    make minstall

  • If you intend to use the NAT-Traversal feature then you must compile the patched kernel sources again by executing

    make bzImage

    and then install and boot the modified kernel.

  • Next add your connections to "/etc/ipsec.conf" and start strongSwan with

    ipsec start

4. Updating strongSwan with a Linux 2.4 kernel

  • If you have already successfully installed strongSwan and want to update to a newer version then the following shortcut can be taken:

    First uncomment any desired compile options in "programs/pluto/Makefile"
    (see section 2. Optional packages).

    Then in the strongswan-2.x.x top directory type

make programs; make install

followed by

make module; make minstall

  • You can then start the updated strongSwan version with

    ipsec restart

5. Building strongSwan with a Linux 2.6 kernel

  • Because the Linux 2.6 kernel comes with a built-in native IPsec stack, you won't need to build the strongSwan kernel modules. Please make sure that the following Linux 2.6 IPsec kernel modules are available:

    • af_key
    • ah4
    • esp4
    • ipcomp
    • xfrm_user

    Also the built-in kernel Cryptoapi modules with selected encryption and hash algorithms should be available.
  • First uncomment any desired compile options in "programs/pluto/Makefile"
    (see section 2. Optional packages).

    Then in the strongswan-2.x.x top directory type

make programs

followed by

make install

  • Next add your connections to "/etc/ipsec.conf" and start strongSwan with

    ipsec start
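
The availability check from the first step of this section can be scripted. The following added example (not part of the strongSwan docs) reports which of the five modules are neither loaded nor compiled into the kernel; it assumes awk and grep, and the /proc/modules and modules.builtin contents it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the strongSwan 2.8 docs: verify that the five
# IPsec modules from section 5 are available before running "ipsec start".
# A module counts as available if it is loaded (/proc/modules) or compiled
# into the kernel (modules.builtin). Assumes awk and grep.
#
# missing_ipsec_modules MODULES_FILE BUILTIN_FILE
#   prints every module that is in neither file; returns 1 if any is missing.
missing_ipsec_modules() {
    mods="$1"
    builtin="$2"
    missing=0
    for m in af_key ah4 esp4 ipcomp xfrm_user; do
        # /proc/modules: "name size refcount deps state address"
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$mods"; then
            continue
        fi
        # modules.builtin lists paths such as kernel/net/key/af_key.ko
        if grep -q "/$m\.ko\$" "$builtin" 2>/dev/null; then
            continue
        fi
        echo "$m"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample input standing in for /proc/modules and
# /lib/modules/$(uname -r)/modules.builtin; ipcomp is deliberately absent.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/modules" <<'EOF'
esp4 12345 0 - Live 0xffffffffa0000000
xfrm_user 23456 1 - Live 0xffffffffa0010000
EOF
cat > "$SAMPLE_DIR/builtin" <<'EOF'
kernel/net/key/af_key.ko
kernel/net/ipv4/ah4.ko
EOF

if missing_ipsec_modules "$SAMPLE_DIR/modules" "$SAMPLE_DIR/builtin"; then
    echo "all IPsec kernel modules available"
else
    echo "modprobe the modules listed above before starting strongSwan"
fi
```

On a live system call the function with /proc/modules and /lib/modules/$(uname -r)/modules.builtin instead of the sample files.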


22.03.2007  info@strongsec.net  Docs