strongSwan 4.2 - Installation
The strongSwan 4.x branch introduces a new build environment based on the GNU autotools. This should simplify the build process and package maintenance. First check for the availability of the required packages on your system (chapter 2). You may want to include support for additional features, which require other packages to be installed (chapter 3).
To compile an extracted tarball, run the ./configure script first:
In this example everything is installed under the /usr directory with the exception of the configuration files which are placed under /etc.
You may want to specify some of the arguments listed in chapter 3 , or study all available options by typing ./configure --help.
After the successful run of the ./configure script, type
in the usual manner.
In order to be able to build strongSwan you'll need the GNU Multiprecision Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least version 4.1.5 of libgmp is required. The libgmp library and the corresponding header file gmp.h are usually included in the form of one or two packages in the major Linux distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev; Gentoo: gmp).
If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an HTTP server or as an alternative want to use the Online Certificate Status Protocol (OCSP) then you will need the libcurl library available from http://curl.haxx.se/.
In order to keep the library as compact as possible for use with
strongSwan you can build libcurl from the
sources with the optimized options
As an alternative you can use the ready-made packages included with your favorite Linux distribution (SuSE: curl, curl-devel).
In order to activate the use of the libcurl library in strongSwan you must set the option
If you intend to dynamically fetch Certificate Revocation Lists (CRLs) from an LDAP server then you will need the libldap library available from http://www.openldap.org/.
OpenLDAP is usually included with your Linux distribution. You will need both the run-time and development environments (SuSE: openldap2, openldap2-devel).
In order to activate the use of the libldap library in strongSwan you must set option
LDAPv2 is not supported anymore. --enable-ldap always uses version 3 of the LDAP protocol.
If you want to securely store your X.509 certificates and private RSA keys on a smart card or a USB crypto token then you will need a PKCS #11 library for the smart card of your choice. The OpenSC PKCS#11 library (version >= 0.9.4) available from http://www.opensc-project.org/ supports quite a selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15 directory structure be present on the smart card. But in principle any other PKCS#11 library could be used since the PKCS#11 API hides the internal data representation on the card.
For USB crypto token support you must add the OpenCT driver library (version >= 0.6.2) from the OpenSC site, whereas for serial smart card readers you'll need the pcsc-lite library and the matching driver from the M.U.S.C.L.E project http://www.linuxnet.com/.
In order to activate the PKCS#11-based smartcard support in strongSwan you must set the option:
During compilation no external smart card libraries need to be present. strongSwan directly references a copy of the standard RSAREF pkcs11.h header files stored in the pluto/rsaref sub directory. During compile time a pathname to a default PKCS#11 dynamical library can be specified with the following flag
This default path to the easily-obtainable OpenSC library module can be simply overridden during run-time by specifying an alternative path in ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
The strongSwan 4.x branch currently runs only on Linux 2.6 kernels and depents on its native NETKEY IPsec stack. Please make sure that the following IPsec kernel modules are available:
These may be built right into the kernel or as externally as modules.
Modules are loaded automatically during strongSwan startup.