strongSwan

h1. strongSwan on FreeBSD

{{>toc}}

Since [[4.3.4|strongSwan 4.3.4]] the IKE daemon charon runs on "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]] but

it has since been tested by several users (even with an adapted version of our "test framework":http://www.strongswan.org/uml-testing.html).

Please note that releases before [[5.0.0]] don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.

h2. Prepare FreeBSD

Starting from FreeBSD 11, IPsec is now default in the kernel. If you need NAT Traversal you will have to add

the following line to the kernel config.

<pre>

options IPSEC_NAT_T

</pre>

In older versions then FreeBSD 11.0 generic kernel does not come with IPsec support. So you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don't

have to apply any patches yourself, if you need that feature.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>

options   IPSEC

device    crypto

</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of ipsec specific kernel state.

<pre>

/sbin/sysctl -a | grep ipsec

</pre>

If you need NAT Traversal, add the following option to your kernel config:

<pre>

options   IPSEC_NAT_T

</pre>

h2. Install FreeBSD Port / Package

The easiest way to install strongSwan on FreeBSD is to use the "security/strongswan":http://www.freshports.org/security/strongswan port

<pre>

cd /usr/ports/security/strongswan/ && make install clean

</pre>

or to install the binary package with

<pre>

pkg install strongswan

</pre>

or in earlier FreeBSD releases with

<pre>

pkg_add -r strongswan

</pre>

h2. Manual Installation

h3. Install Packages

Our test-system was installed using the Developer and Kern-Developer distributions in sysinstall. So there are maybe additional packages required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)

* openssl (optional, depending on configuration)

Notes:

* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore (check the history of this wiki page for details).

h3. Building strongSwan

Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required).

For details refer to [[InstallationDocumentation]].

<pre>

./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \

            --disable-scripts --with-group=wheel

</pre>

Notes:

* For releases before [[5.0.0]] you also need to add @--disable-pluto@.

h2. Limitations

* Before [[5.1.0]] virtual IPs could not be used on clients due to the lack of policy based routing. Since [[5.1.0]] TUN devices are created to implement this, so that FreeBSD can be used as client in road-warrior setups.

* Before [[5.1.0]] the kernel-pfroute interface lacked several features to properly support MOBIKE.

* Because there is currently no way to change the IP addresses of an installed IPsec SA in the FreeBSD kernel IPsec SAs are rekeyed when a client's IP address changes. "This discussion":http://forums.freebsd.org/showthread.php?p=226838 on the FreeBSD forums has more on this.

h2. Known Problems

* Before [[4.6.0|strongSwan 4.6.0]] [[IpsecStarter|starter]] did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:

<pre>

Starting strongSwan 4.x.x IPsec [starter]...

no netkey IPsec stack detected

no KLIPS IPsec stack detected

no known IPsec stack detected, ignoring!

</pre> Fortunately, this detection is not really needed on FreeBSD so simply ignore this message.