Autoconf options for the most current strongSwan release

Please note: This page documents the ./configure options for the most current release. Always run ./configure --help to check which options are actually available in the release you are building.

--dir options

Some installation directories can be configured through --with options.

--prefix=PREFIX

where to put installation [ /usr/local ]. Most Linux distributions use "/usr".

--libexecdir=LIBEXECDIR

program executables [ PREFIX/libexec ]

--libdir=LIBDIR

shared libraries [ PREFIX/lib ]

--sysconfdir=SYSCONFDIR

where to put configuration files [ PREFIX/etc ]. We strongly recommend "/etc".

--enable options

The plugin list provides more information on specific plugins.

--enable-acert

enable X.509 attribute certificate checking plugin [ no ]. Since 5.1.3.

--enable-addrblock

enable RFC 3779 address block constraint support plugin [ no ].

--enable-aesni

enable Intel AES-NI crypto plugin [ no ]. Since 5.3.1.

--enable-af-alg

enable AF_ALG crypto interface to Linux Crypto API [ no ].

--enable-agent

enable the ssh-agent signing plugin [ no ].

--enable-aikgen

enable AIK generator for TPM 1.2 [ no ]. Since 5.2.0.

--enable-all

enable all optional plugins and features (they can be disabled with their respective --disable options) [ no ]. Mainly intended for testing. Since 5.1.3.

--enable-android

enable Android specific plugin [ no ].

--enable-android-log

enable Android specific logger plugin [ no ].

--enable-attr-sql

enable the SQL based configuration attribute plugin [ no ].
This is a plugin for VPN gateways only, serving virtual IP addresses.

--enable-bfd-backtraces

use binutil's libbfd to resolve backtraces for memory leaks and segfaults [ no ]. Since 5.0.1.

--enable-bliss

enable Bimodal Lattice Signature Scheme (BLISS) software implementation plugin [ no ]. Since 5.2.2.

--enable-blowfish

enable Blowfish software implementation plugin [ no ].

--enable-botan

enable the Botan crypto plugin [ no ]. Requires Botan 2.8.0 or newer. Since 5.7.0.

--enable-bypass-lan

enable plugin to automatically install bypass policies for local subnets [ no ]. Since 5.5.2.

--enable-ccm

enable the CCM AEAD wrapper crypto plugin [ no ].

--enable-chapoly

enable the ChaCha20/Poly1305 AEAD plugin [ no ]. Since 5.3.3.

--enable-certexpire

enable CSV export of expiration dates of used certificates [ no ].

--enable-cmd

enable the command line IKE client charon-cmd [ no ]. Since 5.1.0.

--enable-conftest

enable the IKE conformance test framework [ no ].

--enable-connmark

enable connmark plugin, which enables conntrack based marks to select return path SA [ no ]. Since 5.3.0.

--enable-counters

enable plugin that collects several performance counters [ no ]. Since 5.6.1.

--enable-coupling

enable IKEv2 plugin to couple peer certificates permanently to authentication [ no ].

--enable-coverage

enable lcov coverage report generation [ no ]. Since 5.1.0.
Note: This disables all compiler optimization, so it should not be enabled when building production releases.

--enable-ctr

enable the counter mode wrapper crypto plugin [ no ].

--enable-curl

enable plugin to fetch files (CRL/OCSP) via libcurl [ no ]. Requires libcurl.

--enable-dbghelp-backtraces

use dbghelp.dll on Windows to create and print backtraces for memory leaks and segfaults [ no ]. Since 5.2.0.

--enable-dhcp

enable DHCP based attribute provider plugin [ no ].

--enable-dnscert

enable plugin that authenticates peers based on CERT resource records in the DNS protected by DNSSEC [ no ]. Since 5.1.1.

--enable-duplicheck

enable advanced duplicate checking plugin using liveness checks [ no ].

--enable-eap-aka

build EAP AKA authentication module [ no ].

--enable-eap-aka-3gpp

build EAP AKA backend module implementing 3GPP MILENAGE algorithms in software [ no ]. Since 5.6.0.

--enable-eap-aka-3gpp2

build EAP AKA backend module implementing 3GPP2 algorithms in software [ no ]. Requires libgmp.

--enable-eap-dynamic

build dynamic EAP proxy module [ no ].

--enable-eap-gtc

build EAP GTC authentication module [ no ].

--enable-eap-identity

build EAP module providing EAP-Identity helper [ no ].

--enable-eap-md5

build EAP MD5 (CHAP) authentication module [ no ].

--enable-eap-mschapv2

enable EAP MS-CHAPv2 authentication module [ no ].

--enable-eap-peap

enable EAP PEAP authentication plugin [ no ].

--enable-eap-radius

enable RADIUS proxy authentication module for EAP [ no ].

--enable-eap-sim

enable EAP-SIM authentication module [ no ].

--enable-eap-sim-file

enable EAP-SIM back end based on a triplets file [ no ].

--enable-eap-sim-pcsc

enable EAP-SIM back end based on a smartcard reader [ no ]. Requires libpcsclite.

--enable-eap-simaka-pseudonym

enable EAP-SIM/AKA pseudonym storage [ no ].

--enable-eap-simaka-reauth

enable EAP-SIM/AKA reauthentication data storage [ no ].

--enable-eap-simaka-sql

enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database [ no ].

--enable-eap-tls

enable EAP TLS authentication plugin [ no ].

--enable-eap-tnc

enable EAP TNC trusted network connect plugin [ no ].

--enable-eap-ttls

enable EAP TTLS authentication plugin [ no ].

--enable-error-notify

enable error notification plugin [ no ].

--enable-ext-auth

enable plugin calling an external authorization script [ no ]. Since 5.2.1.

--enable-farp

enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers [ no ].

--enable-fast

build libfast (FastCGI Application Server w/ templates) [ no ]. See libfast.

--enable-files

enable simple file:// URI fetcher [ no ]. Since 5.3.0.

--enable-forecast

enable forecast plugin, which forwards broadcast/multicast messages [ no ]. Since 5.3.0.

--enable-fuzzing

enable fuzzing scripts (found in directory fuzz and intended for use on the OSS-Fuzz infrastructure) [ no ]. Since 5.5.3.

--enable-gcm

enable the GCM AEAD wrapper crypto plugin [ no ].

--enable-gcrypt

enable the libgcrypt plugin [ no ]. Requires the GNU Libgcrypt library.

--enable-ha

enable the high availability cluster plugin [ no ].

--enable-imc-attestation

enable IMC attestation module [ no ].

--enable-imc-hcd

enable IMC hcd module [ no ]. Since 5.3.3.

--enable-imc-os

enable IMC operating system module [ no ].

--enable-imc-scanner

enable IMC port scanner module [ no ].

--enable-imc-swima

enable IMC swima module [ no ]. Since 5.6.0.

--enable-imc-test

enable IMC test module [ no ].

--enable-imv-attestation

enable IMV attestation module [ no ].

--enable-imv-hcd

enable IMV hcd module [ no ]. Since 5.3.3.

--enable-imv-os

enable IMV operating system module [ no ].

--enable-imv-scanner

enable IMV port scanner module [ no ].

--enable-imv-swima

enable IMV swima module [ no ]. Since 5.6.0.

--enable-imv-test

enable IMV test module [ no ].

--enable-integrity-test

enable integrity testing of the daemon, libraries and loaded plugins [ no ].

--enable-ipseckey

enable IPSECKEY authentication plugin, which authenticates peers based on IPSECKEY resource records in the DNS protected by DNSSEC [ no ]. Since 5.0.3.

--enable-kernel-iph

enable the Windows IP Helper based networking backend [ no ]. Since 5.2.0.

--enable-kernel-libipsec

enable the libipsec-based user-space "kernel" interface [ no ]. Since 5.1.0.

--enable-kernel-pfkey

enable the PF_KEYv2 NETKEY kernel interface [ no ].

--enable-kernel-pfroute

enable the PF_ROUTE kernel interface [ no ]. Required for FreeBSD and Mac OS X.

--enable-kernel-wfp

enable the Windows Filtering Platform IPsec backend [ no ]. Since 5.2.0.

--enable-keychain

enable Mac OS X Keychain Services credential set [ no ]. Since 5.1.0.

--enable-libipsec

enable user space IPsec implementation [ no ].

--enable-ldap

enable LDAP fetcher to fetch files (CRLs) from an LDAP server [ no ]. Requires OpenLDAP.

--enable-leak-detective

enable malloc hooks to find memory leaks [ no ].

--enable-led

enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem [ no ].

--enable-load-tester

enable load testing plugin for IKEv2 daemon [ no ].

--enable-lock-profiler

enable lock/mutex profiling code [ no ].

--enable-log-thread-ids

use thread ID, if available, instead of an incremented value starting from 1, to identify threads [ no ]. Since 5.4.0.

--enable-lookip

enable fast virtual IP lookup and notification plugin [ no ].

--enable-manager

build the strongSwan manager web application [ no ]. See Manager.

--enable-md4

enable MD4 software implementation plugin. Required for eap-mschapv2 plugin [ no ].

--enable-medcli

enable mediation client web front end and daemon plugin [ no ].

--enable-mediation

enable IKEv2 Mediation Extension [ no ].

--enable-medsrv

enable mediation server web front end and daemon plugin [ no ].

--enable-mgf1

enable the MGF1 software implementation plugin [ no ]. Since 5.5.1.

--enable-monolithic

build monolithic versions of libstrongswan, libhydra, and libcharon that include all enabled plugins [ no ].

--enable-mysql

enable MySQL database support [ no ]. Requires libmysqlclient_r.

--enable-newhope

enable the NewHope post-quantum key exchange plugin [ no ]. Since 5.5.1.

--enable-nm

enable the NetworkManager backend [ no ].

--enable-ntru

enable the NTRUEncrypt key exchange plugin [ no ]. Since 5.1.2.

--enable-openssl

enable the OpenSSL crypto plugin [ no ]. Requires libcrypto.so.0.9.8.

--enable-osx-attr

enable Mac OS X SystemConfiguration attribute handler [ no ]. Since 5.1.0.

--enable-p-cscf

enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651) [ no ]. Since 5.4.0.

--enable-padlock

enable the padlock crypto plugin [ no ]. Requires a VIA Padlock crypto engine.

--enable-perl-cpan

enable build of provided perl CPAN modules (such as that for the vici protocol) [ no ]. Since 5.4.0.

--enable-perl-cpan-install

enable installation of provided CPAN modules [ no ]. Since 5.4.0.

--enable-pkcs11

enable the PKCS#11 crypto token support plugin [ no ].

--enable-python-eggs

enable build of provided python eggs (such as that for the vici protocol) [ no ]. Since 5.3.0.

--enable-python-eggs-install

enable local installation of provided python eggs [ no ]. Since 5.3.1.

--enable-rdrand

enable the Intel RDRAND random generator plugin [ no ].

--enable-ruby-gems

enable build of provided ruby gems (such as that for the vici protocol) [ no ]. Since 5.2.1.

--enable-ruby-gems-install

enable local installation of provided ruby gems [ no ]. Since 5.3.1.

--enable-save-keys

enable development/debugging plugin that saves IKE and ESP keys in Wireshark format [ no ]. Since 5.6.2.

--enable-sha3

enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin [ no ]. Since 5.3.4.

--enable-smp

enable XML configuration and control interface [ no ]. Requires libxml. See SMP.

--enable-socket-dynamic

enable dynamic socket implementation for charon [ no ].

--enable-socket-win

enable Winsock2 based socket implementation for charon [ no ]. Since 5.2.0.

--enable-soup

enable soup fetcher plugin to fetch from HTTP URIs [ no ]. Requires libsoup.

--enable-sql

enable SQL database configuration backend [ no ]. See SQL.

--enable-sqlite

enable SQLite database support [ no ]. Requires libsqlite3.

--enable-svc

enable charon Windows service [ no ]. Since 5.2.0.

--enable-systemd

enable systemd specific IKE daemon charon-systemd [ no ]. Since 5.2.1.

--enable-systime-fix

enable plugin to handle cert lifetimes with invalid system time gracefully [ no ]. See SystimeFixPlugin. Since 5.0.3.

--enable-test-vectors

enable crypto test vectors plugin [ no ].

--enable-tkm

enable charon-tkm, an IKEv2 daemon that is backed by a Trusted Key Manager (TKM) [ no ]. More information can be found at http://www.codelabs.ch/tkm/. Since 5.0.3.

--enable-tnccs-11

enable TNCCS 1.1 protocol module [ no ]. Requires libxml2.

--enable-tnccs-20

enable TNCCS 2.0 protocol module [ no ].

--enable-tnccs-dynamic

enable dynamic TNCCS protocol discovery module [ no ].

--enable-tnc-ifmap

enable TNC IF-MAP module [ no ].

--enable-tnc-imc

enable TNC IMC integrity measurement collector module [ no ].

--enable-tnc-imv

enable TNC IMV integrity measurement verifier module [ no ].

--enable-tpm

enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 [ no ]. Since 5.5.2.

--enable-tss-trousers

enable TPM 1.2 TrouSerS library support [ no ]. Requires the libtspi library. Since 5.5.0.

--enable-tss-tss2

enable TPM 2.0 TSS2 library support [ no ]. Requires the libtss2 library. Since 5.5.0.

--enable-uci

enable the OpenWRT UCI configuration plugin [ no ].

--enable-unbound

enable DNSSEC-enabled resolver plugin based on libunbound [ no ].

--enable-unity

enable Cisco Unity extension plugin [ no ].

--enable-unwind-backtraces

use libunwind to create backtraces for memory leaks and segfaults [ no ]. Since 5.1.0.

--enable-whitelist

enable peer identity whitelisting plugin [ no ].

--enable-winhttp

enable WinHTTP based HTTP/HTTPS fetching plugin [ no ]. Since 5.2.0.

--enable-xauth-eap

enable XAuth backend using EAP methods to verify password [ no ].

--enable-xauth-noauth

enable XAuth pseudo-backend that does not actually verify or even request any credentials [ no ]. Since 5.0.3.

--enable-xauth-pam

enable XAuth backend using PAM to verify passwords [ no ].

--disable options

The plugin list provides more information on specific plugins.

--disable-aes

disable default AES software implementation plugin [ no ].

--disable-attr

disable strongswan.conf based configuration of DNS and WINS server attributes [ no ].
This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information.

--disable-charon

disable the build of the IKEv1/IKEv2 keying daemon charon [ no ].

--disable-cmac

disable CMAC crypto implementation plugin [ no ].

--disable-constraints

disable advanced X.509 constraint checking plugin [ no ].

--disable-curve25519

disable plugin providing X25519 DH group and Ed25519 public key authentication [ no ]. Since 5.5.2.

--disable-defaults

disable all features that are enabled by default [ no ]. This is equivalent to passing all the options listed in this section. Since 5.0.3.

--disable-des

disable default DES/3DES software implementation plugin [ no ].

--disable-dnskey

disable DNS RR key decoding plugin [ no ].

--disable-fips-prf

disable default FIPS PRF software implementation plugin [ no ].

--disable-gmp

disable default GNU Multi Precision (libgmp) based public key cryptography implementation plugin [ no ].

--disable-hmac

disable default HMAC crypto implementation plugin [ no ].

--disable-ikev1

disable IKEv1 protocol support in charon [ no ].

--disable-ikev2

disable IKEv2 protocol support in charon [ no ].

--disable-kernel-netlink

disable default Netlink kernel interface [ no ].

--disable-load-warning

disable the charon plugin load option warning in starter [ no ].

--disable-md5

disable default MD5 software implementation plugin [ no ].

--disable-nonce

disable nonce generation plugin [ no ].

--disable-pem

disable PEM decoding plugin [ no ].

--disable-pgp

disable PGP key decoding plugin [ no ].

--disable-pkcs1

disable PKCS#1 key decoding plugin [ no ].

--disable-pkcs7

disable PKCS#7 container support plugin [ no ].

--disable-pkcs8

disable PKCS#8 private key decoding plugin [ no ].

--disable-pkcs12

disable PKCS#12 container support plugin [ no ]. Since 5.1.0.

--disable-pki

disable pki certificate utility [ no ]. Separate option since 5.2.0, was included in --disable-tools before.

--disable-pubkey

disable default RAW public key support plugin [ no ].

--disable-random

disable default RNG implementation using the raw /dev/(u)random devices [ no ].

--disable-rc2

disable RC2 software implementation plugin [ no ]. Since 5.1.0.

--disable-resolve

disable writing DNS information received via configuration payload to /etc/resolv.conf [ no ].
This is a plugin for VPN clients only.

--disable-revocation

disable X.509 CRL/OCSP revocation check plugin [ no ].

--disable-scepclient

disable SCEP client tool [ no ]. Separate option since 5.2.0, was included in --disable-tools before.

--disable-scripts

disable the build of additional utilities (found in directory scripts) [ no ].

--disable-sha1

disable default SHA-1 software implementation plugin [ no ].

--disable-sha2

disable default SHA-256/SHA-384/SHA-512 software implementation plugin [ no ].

--disable-socket-default

disable default socket implementation for charon [ no ].

--disable-sshkey

disable SSH key decoding plugin [ no ]. Since 5.1.0.

--disable-stroke

disable charon's stroke configuration backend [ no ].

--disable-swanctl

disable swanctl configuration and control tool [ no ]. Since 5.2.0, enabled by default since 5.4.0.

--disable-updown

disable updown firewall script plugin [ no ].

--disable-vici

disable the Versatile IKE Configuration Interface plugin [ no ]. Since 5.2.0, enabled by default since 5.4.0.

--disable-x509

disable default X.509 certificate implementation plugin [ no ].

--disable-xauth-generic

disable generic XAuth backend [ no ].

--disable-xcbc

disable default XCBC crypto implementation plugin [ no ].

--with options

--with-capabilities=LIBCAP

set capability dropping library. Currently supported values are libcap and native [ no ].

--with-charon-udp-port=PORT

UDP port used by charon locally. Set to 0 to allocate randomly [ 500 ].

--with-charon-natt-port=PORT

UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port). Set to 0 to allocate randomly [ 4500 ].

--with-dev-headers=DIR

install strongSwan development headers to DIR [ no ].

--with-fips-mode=MODE

set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2) [ 0 ].

--with-libfuzzer=FILE

path to libFuzzer.a [ ]. Since 5.5.3.

--with-group=GROUP

change group of the daemons to GROUP after startup [ root ].

--with-imcvdir=IMCVDIR

set the installation path of IMC and IMV dynamic libraries [ IPSECLIBDIR/imcvs ].

--with-ipsecdir=IPSECDIR

installation path for ipsec tools [ LIBEXECDIR/ipsec ].

--with-ipseclibdir=IPSECLIBDIR

installation path for ipsec libraries (libstrongswan, libhydra, libcharon etc.) [ LIBDIR/ipsec ].

--with-ipsec-script=SCRIPTNAME

change the name of the ipsec script [ ipsec ].

--with-linux-headers=DIR

linux header files to be used [ ../include ].

--with-mpz_powm_sec=YES|NO

use the more side-channel resistant mpz_powm_sec in libgmp, if available [ yes ].

--with-nm-ca-dir=NMCADIR

directory the NM backend uses to look up trusted root certificates [ /usr/share/ca-certificates ].

--with-piddir=DIR

path for PID and UNIX socket files [ /var/run ].

--with-plugindir=PLUGINDIR

installation path for plugins [ IPSECLIBDIR/plugins ].

--with-printf-hooks=IMPL

force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr) [ auto ]. Since 5.1.3.

--with-pythoneggdir=arg

path to install python eggs to [ site-packages directory ]. Since 5.3.0.

--with-random-device=DEV

set the device for true random data [ /dev/random ].

--with-resolv-conf=FILE

set the file to store DNS server information [ SYSCONFDIR/resolv.conf ].

--with-routing-table=NUM

routing table for IPsec source routes (set to 0 to use default routing table) [ 220 ].

--with-routing-table-prio=PRIO

priority for IPsec routing table [ 220 ].

--with-rubygemdir=arg

path to install ruby gems to [ gem environment gemdir ]. Since 5.2.1.

--with-strongswan-conf=FILE

set the strongswan.conf file location [ SYSCONFDIR/strongswan.conf ].

--with-systemdsystemunitdir=arg

directory for systemd service files [ $systemdsystemunitdir_default ].

--with-swanctldir=arg

base directory for swanctl configuration files and credentials [ SYSCONFDIR/swanctl ]. Since 5.2.0.

--with-urandom-device=DEV

set the device for pseudo random data [ /dev/urandom ].

--with-user=USER

change user of the daemons to USER after startup [ root ].