Autoconf options for the most current strongSwan release
Please note: This page documents the ./configure options for the most current release. Therefore, you should always use ./configure --help to check which options are actually available for the release you are using.
--dir options
Some installation directories can be configured through the following options.
--prefix=PREFIX
where to put installation [ /usr/local ]. Most Linux distributions use "/usr".
--libexecdir=LIBEXECDIR
program executables [ PREFIX/libexec ]
--libdir=LIBDIR
shared libraries [ PREFIX/lib ]
--sysconfdir=SYSCONFDIR
where to put configuration files [ PREFIX/etc ]. We strongly recommend "/etc".
--enable options
The plugin list provides more information on specific plugins.
--enable-acert
enable X.509 attribute certificate checking plugin [ no ]. Since 5.1.3.
--enable-addrblock
enable RFC 3779 address block constraint support plugin [ no ].
--enable-aesni
enable Intel AES-NI crypto plugin [ no ]. Since 5.3.1.
--enable-af-alg
enable AF_ALG crypto interface to Linux Crypto API [ no ].
--enable-agent
enable the ssh-agent signing plugin [ no ].
--enable-aikgen
enable AIK generator for TPM 1.2 [ no ]. Since 5.2.0.
--enable-all
enable all optional plugins and features (they can be disabled with their respective --disable options) [ no ]. Mainly intended for testing. Since 5.1.3.
--enable-android
enable Android specific plugin [ no ].
--enable-android-log
enable Android specific logger plugin [ no ].
--enable-attr-sql
enable the SQL based configuration attribute plugin [ no ].
This is a plugin for VPN gateways only, serving virtual IP addresses.
--enable-bfd-backtraces
use the libbfd library from binutils to resolve backtraces for memory leaks and segfaults [ no ]. Since 5.0.1.
--enable-bliss
enable Bimodal Lattice Signature Scheme (BLISS) software implementation plugin [ no ]. Since 5.2.2.
--enable-blowfish
enable Blowfish software implementation plugin [ no ].
--enable-botan
enable the Botan crypto plugin [ no ]. Requires Botan 2.8.0 or newer. Since 5.7.0.
--enable-bypass-lan
enable plugin to automatically install bypass policies for local subnets [ no ]. Since 5.5.2.
--enable-ccm
enable the CCM AEAD wrapper crypto plugin [ no ].
--enable-chapoly
enable the ChaCha20/Poly1305 AEAD plugin [ no ]. Since 5.3.3.
--enable-certexpire
enable CSV export of expiration dates of used certificates [ no ].
--enable-cmd
enable the command line IKE client charon-cmd [ no ]. Since 5.1.0.
--enable-conftest
enable the IKE conformance test framework [ no ].
--enable-connmark
enable connmark plugin, which enables conntrack based marks to select return path SA [ no ]. Since 5.3.0.
--enable-counters
enable plugin that collects several performance counters [ no ]. Since 5.6.1.
--enable-coupling
enable IKEv2 plugin to couple peer certificates permanently to authentication [ no ].
--enable-coverage
enable lcov coverage report generation [ no ]. Since 5.1.0.
Note: This disables any optimization, so it shouldn't be enabled when building production releases.
--enable-ctr
enable the counter mode wrapper crypto plugin [ no ].
--enable-curl
enable plugin to fetch files (CRL/OCSP) via libcurl [ no ]. Requires libcurl.
--enable-dbghelp-backtraces
use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults [ no ]. Since 5.2.0.
--enable-dhcp
enable DHCP based attribute provider plugin [ no ].
--enable-dnscert
enable plugin that authenticates peers based on CERT resource records in the DNS protected by DNSSEC [ no ]. Since 5.1.1.
--enable-duplicheck
enable advanced duplicate checking plugin using liveness checks [ no ].
--enable-eap-aka
build EAP AKA authentication module [ no ].
--enable-eap-aka-3gpp
build EAP AKA backend module implementing 3GPP MILENAGE algorithms in software [ no ]. Since 5.6.0.
--enable-eap-aka-3gpp2
build EAP AKA backend module implementing 3GPP2 algorithms in software [ no ]. Requires libgmp.
--enable-eap-dynamic
build dynamic EAP proxy module [ no ].
--enable-eap-gtc
build EAP GTC authentication module [ no ].
--enable-eap-identity
build EAP module providing EAP-Identity helper [ no ].
--enable-eap-md5
build EAP MD5 (CHAP) authentication module [ no ].
--enable-eap-mschapv2
enable EAP MS-CHAPv2 authentication module [ no ].
--enable-eap-peap
enable EAP PEAP authentication plugin [ no ].
--enable-eap-radius
enable RADIUS proxy authentication module for EAP [ no ].
--enable-eap-sim
enable EAP-SIM authentication module [ no ].
--enable-eap-sim-file
enable EAP-SIM back end based on a triplets file [ no ].
--enable-eap-sim-pcsc
enable EAP-SIM back end based on a smartcard reader [ no ]. Requires libpcsclite.
--enable-eap-simaka-pseudonym
enable EAP-SIM/AKA pseudonym storage [ no ].
--enable-eap-simaka-reauth
enable EAP-SIM/AKA reauthentication data storage [ no ].
--enable-eap-simaka-sql
enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database [ no ].
--enable-eap-tls
enable EAP TLS authentication plugin [ no ].
--enable-eap-tnc
enable EAP TNC trusted network connect plugin [ no ].
--enable-eap-ttls
enable EAP TTLS authentication plugin [ no ].
--enable-error-notify
enable error notification plugin [ no ].
--enable-ext-auth
enable plugin calling an external authorization script [ no ]. Since 5.2.1.
--enable-farp
enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers [ no ].
--enable-fast
build libfast (FastCGI Application Server w/ templates) [ no ]. See libfast.
--enable-files
enable simple file:// URI fetcher [ no ]. Since 5.3.0.
--enable-forecast
enable forecast plugin, which forwards broadcast/multicast messages [ no ]. Since 5.3.0.
--enable-fuzzing
enable fuzzing scripts (found in directory fuzz and intended for use on the OSS-Fuzz infrastructure) [ no ]. Since 5.5.3.
--enable-gcm
enable the GCM AEAD wrapper crypto plugin [ no ].
--enable-gcrypt
enable the libgcrypt plugin [ no ]. Requires the GNU Libgcrypt library.
--enable-ha
enable the high availability cluster plugin [ no ].
--enable-imc-attestation
enable IMC attestation module [ no ].
--enable-imc-hcd
enable IMC hcd module [ no ]. Since 5.3.3.
--enable-imc-os
enable IMC operating system module [ no ].
--enable-imc-scanner
enable IMC port scanner module [ no ].
--enable-imc-swima
enable IMC swima module [ no ]. Since 5.6.0.
--enable-imc-test
enable IMC test module [ no ].
--enable-imv-attestation
enable IMV attestation module [ no ].
--enable-imv-hcd
enable IMV hcd module [ no ]. Since 5.3.3.
--enable-imv-os
enable IMV operating system module [ no ].
--enable-imv-scanner
enable IMV port scanner module [ no ].
--enable-imv-swima
enable IMV swima module [ no ]. Since 5.6.0.
--enable-imv-test
enable IMV test module [ no ].
--enable-integrity-test
enable integrity testing of the daemon, libraries and loaded plugins [ no ].
--enable-ipseckey
enable IPSECKEY authentication plugin, which authenticates peers based on IPSECKEY resource records in the DNS protected by DNSSEC [ no ]. Since 5.0.3.
--enable-kernel-iph
enable the Windows IP Helper based networking backend [ no ]. Since 5.2.0.
--enable-kernel-libipsec
enable the libipsec-based user-space "kernel" interface [ no ]. Since 5.1.0.
--enable-kernel-pfkey
enable the PF_KEYv2 NETKEY kernel interface [ no ].
--enable-kernel-pfroute
enable the PF_ROUTE kernel interface [ no ]. Required for FreeBSD and Mac OS X.
--enable-kernel-wfp
enable the Windows Filtering Platform IPsec backend [ no ]. Since 5.2.0.
--enable-keychain
enable Mac OS X Keychain Services credential set [ no ]. Since 5.1.0.
--enable-libipsec
enable user space IPsec implementation [ no ].
--enable-ldap
enable LDAP fetcher to fetch files (CRLs) from an LDAP server [ no ]. Requires OpenLDAP.
--enable-leak-detective
enable malloc hooks to find memory leaks [ no ].
--enable-led
enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem [ no ].
--enable-load-tester
enable load testing plugin for IKEv2 daemon [ no ].
--enable-lock-profiler
enable lock/mutex profiling code [ no ].
--enable-log-thread-ids
use thread ID, if available, instead of an incremented value starting from 1, to identify threads [ no ]. Since 5.4.0.
--enable-lookip
enable fast virtual IP lookup and notification plugin [ no ].
--enable-manager
build the strongSwan manager web application [ no ]. See Manager.
--enable-md4
enable MD4 software implementation plugin [ no ]. Required for the eap-mschapv2 plugin.
--enable-medcli
enable mediation client web front end and daemon plugin [ no ].
--enable-mediation
enable IKEv2 Mediation Extension [ no ].
--enable-medsrv
enable mediation server web front end and daemon plugin [ no ].
--enable-mgf1
enable the MGF1 software implementation plugin [ no ]. Since 5.5.1.
--enable-monolithic
build monolithic versions of libstrongswan, libhydra, and libcharon that include all enabled plugins [ no ].
--enable-mysql
enable MySQL database support [ no ]. Requires libmysqlclient_r.
--enable-newhope
enable the NewHope post-quantum key exchange plugin [ no ]. Since 5.5.1.
--enable-nm
enable the NetworkManager backend [ no ].
--enable-ntru
enable the NTRUEncrypt key exchange plugin [ no ]. Since 5.1.2.
--enable-openssl
enable the OpenSSL crypto plugin [ no ]. Requires libcrypto.so.0.9.8.
--enable-osx-attr
enable Mac OS X SystemConfiguration attribute handler [ no ]. Since 5.1.0.
--enable-p-cscf
enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651) [ no ]. Since 5.4.0.
--enable-padlock
enable the padlock crypto plugin [ no ]. Requires a VIA Padlock crypto engine.
--enable-perl-cpan
enable build of provided perl CPAN modules (such as that for the vici protocol) [ no ]. Since 5.4.0.
--enable-perl-cpan-install
enable installation of provided CPAN modules [ no ]. Since 5.4.0.
--enable-pkcs11
enable the PKCS#11 crypto token support plugin [ no ].
--enable-python-eggs
enable build of provided python eggs (such as that for the vici protocol) [ no ]. Since 5.3.0.
--enable-python-eggs-install
enable local installation of provided python eggs [ no ]. Since 5.3.1.
--enable-rdrand
enable the Intel RDRAND random generator plugin [ no ].
--enable-ruby-gems
enable build of provided ruby gems (such as that for the vici protocol) [ no ]. Since 5.2.1.
--enable-ruby-gems-install
enable local installation of provided ruby gems [ no ]. Since 5.3.1.
--enable-save-keys
enable development/debugging plugin that saves IKE and ESP keys in Wireshark format [ no ]. Since 5.6.2.
--enable-sha3
enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin [ no ]. Since 5.3.4.
--enable-smp
enable XML configuration and control interface [ no ]. Requires libxml. See SMP.
--enable-socket-dynamic
enable dynamic socket implementation for charon [ no ].
--enable-socket-win
enable Winsock2 based socket implementation for charon [ no ]. Since 5.2.0.
--enable-soup
enable soup fetcher plugin to fetch from HTTP URIs [ no ]. Requires libsoup.
--enable-sql
enable SQL database configuration backend [ no ]. See SQL.
--enable-sqlite
enable SQLite database support [ no ]. Requires libsqlite3.
--enable-svc
enable charon Windows service [ no ]. Since 5.2.0.
--enable-systemd
enable systemd specific IKE daemon charon-systemd [ no ]. Since 5.2.1.
--enable-systime-fix
enable plugin to handle cert lifetimes with invalid system time gracefully [ no ]. See SystimeFixPlugin. Since 5.0.3.
--enable-test-vectors
enable crypto test vectors plugin [ no ].
--enable-tkm
enable charon-tkm, an IKEv2 daemon that is backed by a Trusted Key Manager (TKM) [ no ]. More information can be found on http://www.codelabs.ch/tkm/. Since 5.0.3.
--enable-tnccs-11
enable TNCCS 1.1 protocol module [ no ]. Requires libxml2.
--enable-tnccs-20
enable TNCCS 2.0 protocol module [ no ].
--enable-tnccs-dynamic
enable dynamic TNCCS protocol discovery module [ no ].
--enable-tnc-ifmap
enable TNC IF-MAP module [ no ].
--enable-tnc-imc
enable TNC IMC integrity measurement collector module [ no ].
--enable-tnc-imv
enable TNC IMV integrity measurement verifier module [ no ].
--enable-tpm
enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 [ no ]. Since 5.5.2.
--enable-tss-trousers
enable the TPM 1.2 TrouSerS library [ no ]. Requires the libtspi library. Since 5.5.0.
--enable-tss-tss2
enable the TPM 2.0 TSS2 library [ no ]. Requires the libtss2 library. Since 5.5.0.
--enable-uci
enable the OpenWRT UCI configuration plugin [ no ].
--enable-unbound
enable DNSSEC-enabled resolver plugin based on libunbound [ no ].
--enable-unity
enable Cisco Unity extension plugin [ no ].
--enable-unwind-backtraces
use libunwind to create backtraces for memory leaks and segfaults [ no ]. Since 5.1.0.
--enable-whitelist
enable peer identity whitelisting plugin [ no ].
--enable-winhttp
enable WinHTTP based HTTP/HTTPS fetching plugin [ no ]. Since 5.2.0.
--enable-wolfssl
enable the wolfSSL crypto plugin [ no ]. Requires wolfSSL. Since 5.8.0.
--enable-xauth-eap
enable XAuth backend using EAP methods to verify password [ no ].
--enable-xauth-noauth
enable XAuth pseudo-backend that does not actually verify or even request any credentials [ no ]. Since 5.0.3.
--enable-xauth-pam
enable XAuth backend using PAM to verify passwords [ no ].
--disable options
The plugin list provides more information on specific plugins.
--disable-aes
disable default AES software implementation plugin [ no ].
--disable-attr
disable strongswan.conf based configuration of DNS and WINS server attributes [ no ].
This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information.
--disable-charon
disable the build of the IKEv1/IKEv2 keying daemon charon [ no ].
--disable-cmac
disable CMAC crypto implementation plugin [ no ].
--disable-constraints
disable advanced X.509 constraint checking plugin [ no ].
--disable-curve25519
disable plugin providing X25519 DH group and Ed25519 public key authentication [ no ]. Since 5.5.2.
--disable-defaults
disable all features that are enabled by default [ no ]. It is shorthand for passing all options listed in this section. Since 5.0.3.
--disable-des
disable default DES/3DES software implementation plugin [ no ].
--disable-dnskey
disable DNS RR key decoding plugin [ no ].
--disable-drbg
disable the NIST Deterministic Random Bit Generator plugin [ no ].
--disable-fips-prf
disable default FIPS PRF software implementation plugin [ no ].
--disable-gmp
disable default GNU Multi Precision (libgmp) based public key cryptography implementation plugin [ no ].
--disable-hmac
disable default HMAC crypto implementation plugin [ no ].
--disable-ikev1
disable IKEv1 protocol support in charon [ no ].
--disable-ikev2
disable IKEv2 protocol support in charon [ no ].
--disable-kernel-netlink
disable default Netlink kernel interface [ no ].
--disable-load-warning
disable the charon plugin load option warning in starter [ no ].
--disable-md5
disable default MD5 software implementation plugin [ no ].
--disable-nonce
disable nonce generation plugin [ no ].
--disable-pem
disable PEM decoding plugin [ no ].
--disable-pgp
disable PGP key decoding plugin [ no ].
--disable-pkcs1
disable PKCS#1 key decoding plugin [ no ].
--disable-pkcs7
disable PKCS#7 container support plugin [ no ].
--disable-pkcs8
disable PKCS#8 private key decoding plugin [ no ].
--disable-pkcs12
disable PKCS#12 container support plugin [ no ]. Since 5.1.0.
--disable-pki
disable pki certificate utility [ no ]. Separate option since 5.2.0, was included in --disable-tools before.
--disable-pubkey
disable default RAW public key support plugin [ no ].
--disable-random
disable default RNG implementation using the raw /dev/(u)random devices [ no ].
--disable-rc2
disable RC2 software implementation plugin [ no ]. Since 5.1.0.
--disable-resolve
disable writing DNS information received via configuration payload to /etc/resolv.conf [ no ].
This is a plugin for VPN clients only.
--disable-revocation
disable X.509 CRL/OCSP revocation check plugin [ no ].
--disable-scepclient
disable SCEP client tool [ no ]. Separate option since 5.2.0, was included in --disable-tools before.
--disable-scripts
disable the build of additional utilities (found in directory scripts) [ no ].
--disable-sha1
disable default SHA-1 software implementation plugin [ no ].
--disable-sha2
disable default SHA-256/SHA-384/SHA-512 software implementation plugin [ no ].
--disable-socket-default
disable default socket implementation for charon [ no ].
--disable-sshkey
disable SSH key decoding plugin [ no ]. Since 5.1.0.
--disable-stroke
disable charon's stroke configuration backend [ no ].
--disable-swanctl
disable swanctl configuration and control tool [ no ]. Since 5.2.0, enabled by default since 5.4.0.
--disable-updown
disable updown firewall script plugin [ no ].
--disable-vici
disable the Versatile IKE Configuration Interface plugin [ no ]. Since 5.2.0, enabled by default since 5.4.0.
--disable-x509
disable default X.509 certificate implementation plugin [ no ].
--disable-xauth-generic
disable generic XAuth backend [ no ].
--disable-xcbc
disable default XCBC crypto implementation plugin [ no ].
--with options
--with-capabilities=LIBCAP
set capability dropping library. Currently supported values are libcap and native [ no ].
--with-charon-udp-port=PORT
UDP port used by charon locally. Set to 0 to allocate randomly [ 500 ].
--with-charon-natt-port=PORT
UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port). Set to 0 to allocate randomly [ 4500 ].
--with-dev-headers=DIR
install strongSwan development headers to DIR [ no ].
--with-fips-mode=MODE
set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2) [ 0 ].
--with-libfuzzer=FILE
-fsanitize=fuzzer or path to libFuzzer.a; a local driver is used if not specified [ ]. Since 5.5.3; -fsanitize=fuzzer is supported since 5.8.1.
--with-group=GROUP
change group of the daemons to GROUP after startup [ root ].
--with-imcvdir=IMCVDIR
set the installation path of IMC and IMV dynamic libraries [ IPSECLIBDIR/imcvs ].
--with-ipsecdir=IPSECDIR
installation path for ipsec tools [ LIBEXECDIR/ipsec ].
--with-ipseclibdir=IPSECLIBDIR
installation path for ipsec libraries (libstrongswan, libhydra, libcharon etc.) [ LIBDIR/ipsec ].
--with-ipsec-script=SCRIPTNAME
change the name of the ipsec script [ ipsec ].
--with-linux-headers=DIR
linux header files to be used [ ../include ].
--with-mpz_powm_sec=YES|NO
use the more side-channel resistant mpz_powm_sec in libgmp, if available [ yes ].
--with-nm-ca-dir=NMCADIR
directory the NM backend uses to look up trusted root certificates [ /usr/share/ca-certificates ].
--with-piddir=DIR
path for PID and UNIX socket files [ /var/run ].
--with-plugindir=PLUGINDIR
installation path for plugins [ IPSECLIBDIR/plugins ].
--with-printf-hooks=IMPL
force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr) [ auto ]. Since 5.1.3.
--with-pythoneggdir=arg
path to install python eggs to [ site-packages directory ]. Since 5.3.0.
--with-random-device=DEV
set the device for true random data [ /dev/random ].
--with-resolv-conf=FILE
set the file to store DNS server information [ SYSCONFDIR/resolv.conf ].
--with-routing-table=NUM
routing table for IPsec source routes (set to 0 to use default routing table) [ 220 ].
--with-routing-table-prio=PRIO
priority for IPsec routing table [ 220 ].
--with-rubygemdir=arg
path to install ruby gems to [ gem environment gemdir ]. Since 5.2.1.
--with-strongswan-conf=FILE
set the strongswan.conf file location [ SYSCONFDIR/strongswan.conf ].
--with-systemdsystemunitdir=arg
directory for systemd service files [ $systemdsystemunitdir_default ].
--with-swanctldir=arg
base directory for swanctl configuration files and credentials [ SYSCONFDIR/swanctl ]. Since 5.2.0.
--with-urandom-device=DEV
set the device for pseudo random data [ /dev/urandom ].
--with-user=USER
change user of the daemons to USER after startup [ root ].