strongSwan 4.2 - Installation

Contents

  1. Overview
  2. Required packages
    1. libgmp
  3. Optional packages
    1. libcurl
    2. OpenLDAP
    3. PKCS#11 smart card library modules
  4. Kernel configuration

1. Overview

The strongSwan 4.x branch introduces a new build environment based on the GNU autotools. This should simplify the build process and package maintenance. First check for the availability of the required packages on your system (chapter 2). You may want to include support for additional features, which require other packages to be installed (chapter 3).

To compile an extracted tarball, run the ./configure script first:

./configure --prefix=/usr --sysconfdir=/etc

In this example everything is installed under the /usr directory with the exception of the configuration files which are placed under /etc.

You may want to specify some of the arguments listed in chapter 3 , or study all available options by typing ./configure --help.

After the successful run of the ./configure script, type

make

followed by

make install

in the usual manner.

2. Required packages

2.1 libgmp

In order to be able to build strongSwan you'll need the GNU Multiprecision Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least version 4.1.5 of libgmp is required. The libgmp library and the corresponding header file gmp.h are usually included in the form of one or two packages in the major Linux distributions (SuSE: gmp; Debian unstable:  libgmp3, libgmp3-dev; Gentoo: gmp).

3. Optional packages

3.1 libcurl

If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an HTTP server or as an alternative want to use the Online Certificate Status Protocol (OCSP) then you will need the  libcurl library available from http://curl.haxx.se/.

In order to keep the library as compact as possible for use with strongSwan you can build libcurl from the sources with the optimized options

./configure --prefix=<dir> --without-ssl \
            --disable-ldap --disable-telnet \
            --disable-dict --disable-gopher \
            --disable-debug \
            --enable-nonblocking --enable-thread

As an alternative you can use the ready-made packages included with your favorite Linux distribution (SuSE: curl, curl-devel).

In order to activate the use of the libcurl library in strongSwan you must set the option

./configure [...] --enable-curl

3.2 OpenLDAP

If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an LDAP server  then you will need the libldap library available from http://www.openldap.org/.

OpenLDAP is usually included  with your Linux distribution. You will need both the run-time and development environments (SuSE: openldap2, openldap2-devel).

In order to activate the use of the libldap library in strongSwan you must set option

./configure [...] --enable-ldap

LDAPv2 is not supported anymore. --enable-ldap always uses version 3 of the LDAP protocol.

3.3 PKCS#11 smart card library modules

If you want to securely store your X.509 certificates and private RSA keys on a smart card or a USB crypto token then you will need a PKCS #11 library for the smart card of your choice. The OpenSC PKCS#11 library (version >= 0.9.4) available from http://www.opensc-project.org/  supports quite a selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15 directory structure be present on the smart card. But in principle any other PKCS#11 library could be used since the PKCS#11 API hides the internal data representation on the card.

For USB crypto token support you must add the OpenCT driver library (version >= 0.6.2) from the OpenSC site, whereas for serial smart card readers you'll need the pcsc-lite library and the matching driver from the M.U.S.C.L.E project http://www.linuxnet.com/.

In order to activate the PKCS#11-based smartcard support in strongSwan you must set the option:

./configure [...] --enable-smartcard

During compilation no external smart card libraries need to be present. strongSwan directly references a copy of the standard RSAREF pkcs11.h header files stored in the pluto/rsaref sub directory. During compile time a pathname to a default PKCS#11 dynamical library can be specified with the following flag

./configure --enable-smartcard \
          --with-default-pkcs11=/usr/lib/opensc-pkcs11.so

This default path to the easily-obtainable OpenSC library module can be simply overridden during run-time by specifying an alternative path in ipsec.conf pointing to any dynamic PKCS#11 library of your choice.

config setup
     pkcs11module="/usr/lib/xyz-pkcs11.so"

4. Kernel configuration

The strongSwan 4.x branch currently runs only on Linux 2.6 kernels and depents on its native NETKEY IPsec stack. Please make sure that the following IPsec kernel modules are available:

  • af_key
  • ah4
  • esp4
  • ipcomp
  • xfrm_user
  • xfrm4_tunnel

These may be built right into the kernel or as externally as modules. Modules are loaded automatically during strongSwan startup.
Also the built-in kernel Cryptoapi modules with selected encryption and hash algorithms should be available.

21.05.2008  info@strongswan.org  Docs