Autoconf options for strongSwan 4.5 releases¶

• Table of contents
• Autoconf options for strongSwan 4.5 releases
  • --dir options
  • --enable options
  • --disable options
  • --with options

strongSwan can be built with the following ./configure options:

--dir options¶

--prefix=PREFIX

where to put installation [ /usr/local ]. Most Linux distributions use "/usr".

--libexecdir=LIBEXECDIR

program executables [ PREFIX/libexec ]

--sysconfdir=SYSCONFDIR

where to put configuration files [ PREFIX/etc ]. We strongly recommend "/etc".

--enable options¶

--enable-addrblock

enable RFC 3779 address block constraint support plugin.

--enable-af-alg

enable AF_ALG crypto interface to Linux Crypto API [ no ].

--enable-agent

enable the ssh-agent signing plugin [ no ].

--enable-android

enable the Android specific plugin [ no ].

--enable-attr-sql

enable the SQL based configuration attribute plugin [ no ].
This is a plugin for VPN gateways only, serving virtual IP addresses

--enable-blowfish

enable Blowfish software implementation plugin [ no ].

--enable-ccm

enable the CCM AEAD wrapper crypto plugin [ no ].

--enable-cisco-quirks

enable support of Cisco VPN client [ no ].

--enable-conftest

enforce Suite B conformance test framework [ no ].

--enable-coupling

enable plugin coupling peer certificates [ no ].

--enable-curl

enable plugin to fetch files (CRL/OCSP) via libcurl [ no ]. Requires libcurl.

--enable-ctr

enable the counter mode wrapper crypto plugin [ no ].

--enable-dhcp

enable DHCP-based attribute provider plugin. [ no ].

--enable-dumm

build the new UML test framework [ no ]. See DUMM.

--enable-duplicheck

enable advanced duplicate checking plugin using liveness [ no ].

--enable-eap-aka

build AKA authentication module for EAP [ no ].

--enable-eap-aka-3gpp2

build EAP AKA backend module implementing 3GPP2 algorithm in software [ no ]. Requires libgmp.

--enable-eap-gtc

build PAM-based GTC authentication module for EAP [ no ]

--enable-eap-identity

build EAP module providing EAP-Identity helper [ no ].

--enable-eap-md5

build MD5 (CHAP) authentication module for EAP [ no ].

--enable-eap-mschapv2

build Microsoft CHAP version 2 authentication module for EAP [ no ].

--enable-eap-peap

enable EAP PEAP authentication plugin [ no ].

--enable-eap-radius

build RADIUS proxy authentication module for EAP [ no ].

--enable-eap-sim

build SIM authentication module for EAP [ no ].

--enable-eap-sim-file

build EAP-SIM back end based on a triplets file [ no ]

---enable-eap-sim-pcsc

build EAP-SIM back end based on a smartcard reader [ no ]. Requires libpcsclite

-enable-eap-simaka

enable EAP-SIM/AKA backend [ no ].

--enable-eap-simaka-pseudonym

enable EAP-SIM/AKA pseudonym storage [ no ].

--enable-eap-simaka-reauth

enable EAP-SIM/AKA reauthentication data storage [ no ].

--enable-eap-simaka-sql

enable EAP-SIM/AKA backend based on a database [ no ].

--enable-eap-tls

enable EAP TLS authentication plugin [ no ].

--enable-eap-tnc

enable EAP TNC trusted network connect plugin [ no ].

--enable-eap-ttls

enable EAP TTLS authentication plugin [ no ].

--enable-farp

enable ARP-faking plugin that responds to ARP requests [ no ].

--enable-fast

build libfast (FastCGI Application Server w/ templates [ no ]. See libfast.

--enable-gcm

enable the GCM AEAD wrapper crypto plugin [ no ].

--enable-gcrypt

enable the libgcrypt plugin [ no ]. Requires the GNU Libgcrypt library.

--enable-ha

enable the high availability cluster plugin [ no ].

--enable-integrity-test

enable integrity testing of the daemon, libstrongswan and loaded plugins [ no ].

--enable-kernel-klips

enable the PFKEYv2 KLIPS kernel interface [ no ].

--enable-kernel-pfkey

enable the PFKEYv2 NETKEY kernel interface [ no ].

--enable-kernel-pfroute

enable the PF ROUTE kernel interface [ no ]. Required for FreeBSD and Mac OS X.

--enable-ldap

enable LDAP fetcher to fetch files (CRLs) from an LDAP server [ no ]. Requires OpenLDAP.

--enable-leak-detective

enable malloc hooks to find memory leaks [ no ].

--enable-led

enable plugin to control LEDs on IKEv2 activity [ no ].

--enable-load-tester

enable load testing plugin for IKEv2 daemon [ no ].

--enable-lock-profiler

enable lock/mutex profiling code [ no ].

--enable-manager

build the strongSwan manager web application [ no ]. See Manager.

--enable-medcli

enable mediation client web front end and daemon plugin [ no ].

--enable-mediation

enable IKEv2 Mediation Extension [ no ].

--enable-medsrv

enable mediation server web front end and daemon plugin [ no ].

--enable-md4

enable MD4 software implementation plugin. Required for eap-mschapv2 plugin [ no ].

--enable-monolithic

build monolithic version of libstrongswan, libhydra, and libcharon that includes all plugins [ no ].

--enable-mysql

enable MySQL database support [ no ]. Requires libmysqlclient_r.

--enable-nat-transport

enable NAT traversal with IPsec transport mode [ no ].

--enable-nm

enable the NetworkManager plugin [ no ].

--enable-openssl

enable the OpenSSL crypto plugin [ no ]. Requires libcrypto.so.0.9.8.

--enable-padlock

enable the padlock crypto plugin [ no ]. Requires a VIA Padlock crypto engine.

--enable-pkcs11

enable the PKCS11 crypto token support plugin [ no ].

--enable-smartcard

enable smartcard support [ no ].

--enable-smp

enable XML configuration and control interface [ no ]. Requires libxml. See SMP.

--enable-sql

enable SQL database configuration backend [ no ]. See SQL.

--enable-sqlite

enable SQLite database support [ no ]. Requires libsqlite3.

--enable-socket-dynamic

enable dynamic socket implementation for charon [ no ].

--enable-socket-raw

enable raw socket implementation for charon, enforced if pluto is enabled [ no ].

--enable-soup

enable soup fetcher plugin to fetch from HTTP URIs. [ no ]. Requires libsoup.

--enable-test-vectors

enable crypto test vectors plugin [ no ].

--enable-tnccs-11

enable TNCCS 1.1 protocol module [ no ]. Requires libxml2.

--enable-tnccs-20

enable TNCCS 2.0 protocol module [ no ].

--enable-tnccs-dynamic

enable dynamic TNCCS protocol discovery module [ no ].

--enable-tnc-imc

enable TNC IMC integrity measurement collector module [ no ].

-enable-tnc-imv

enable TNC IMV integrity measurement verifier module [ no ].

--enable-uci

enable the OpenWRT UCI configuration plugin [ no ].

--enable-unit-tests

enable unit tests on IKEv2 daemon startup [ no ].

--enable-vstr

enable the use of the Vstr string library to replace glibc-like printf hooks [ no ].

--enable-whitelist

enable peer identity whitelisting plugin [ no ].

--disable options¶

--disable-aes

disable default AES software implementation plugin [ no ].

--disable-attr

disable strongswan.conf based configuration of DNS and WINS server attributes [ no ].
This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information.

--disable-charon

disable the build of the IKEv2 keying daemon charon [ no ].

--disable-constraints

disable advanced X.509 constraint checking plugin [ no ].

--disable-des

disable default DES/3DES software implementation plugin [ no ].

--disable-dnskey

disable DNS RR key decoding plugin [ no ].

--disable-fips-prf

disable default FIPS PRF software implementation plugin [ no ].

--disable-gmp

disable default GNU Multi Precision (libgmp) based public key cryptography implementation plugin [ no ].

--disable-hmac

disable default HMAC crypto implementation plugin [ no ].

--disable-load-warning

disable the charon/pluto plugin load option warning in starter [ no ]

--disable-md5

disable default MD5 software implementation plugin [ no ].

--disable-pem

disable PEM decoding plugin [ no ].

--disable-pgp

disable PGP key decoding plugin [ no ].

--disable-pkcs1

disable PKCS1 key decoding plugin [ no ].

--disable-pluto

disable the build of the IKEv1 keying daemon pluto [ no ].
The IKEv2 keying daemon charon does not use a RAW socket, as only one daemon is running.

--disable-pubkey

disable default RAW public key support plugin [ no ].

--disable-random

disable default RNG implementation using the raw /dev/(u)random devices [ no ].

--disable-resolve

disable writing DNS information received via configuration payload to /etc/resolv.conf [ no ].
This is a plugin for VPN clients only.

--disable-revocation

disable X.509 CRL/OCSP revocation check plugin [ no ].

--disable-scripts

disable the build of additional utilities (found in directory scripts) [ no ].

--disable-sha1

disable default SHA-1 software implementation plugin [ no ].

--disable-sha2

disable default SHA-2 software implementation plugin [ no ].

--disable-stroke

disable charons stroke (pluto compatibility) configuration backend [ no ].

--disable-tools

disable the build of additional ipsec utilites (currently scepclient and openac) [ no ].

--disable-updown

disable the installation of the updown firewall scripts [ no ].

--disable-vendor-id

disable the sending of the strongSwan vendor ID [ no ].

--disable-xauth-vid

disable the sending of the XAUTH vendor ID [ no ].

--disable-x509

disable default X.509 certificate implementation plugin [ no ].

--disable-xcbc

disable default XCBC crypto implementation plugin [ no ].

--with options¶

--with-backenddir=DIR

path for pluggable configuration backend modules [ PLUGINDIR/backends ]

--with-capabilities=LIBCAP

capability dropping using libcap. Currently only the value libcap is supported [ no ].

--with-default-pkcs11=LIB

set the default PKCS11 library [ /usr/lib/opensc-pkcs11.so ].

--with-eapdir=DIR

path for pluggable EAP modules [ PLUGINDIR/eap ].

--with-group=GROUP

change group of the daemons to GROUP after startup [ root ].

--with-interfacedir=DIR

path for pluggable control interface modules [ PLUGINDIR/interfaces ].

--with-ipsecdir=IPSECDIR

installation path for ipsec tools [ LIBEXECDIR/ipsec ].

--with-linux-headers=DIR

linux header files to be used [ ../include ].

--with-piddir=DIR

path for PID and UNIX socket files [ /var/run ].

--with-plugindir=PLUGINDIR

installation path for plugins [ IPSECDIR/plugins ].

--with-random-device=DEV

set the device for true random data [ /dev/random ].

--with-resolv-conf=FILE

set the file to store DNS server information [ SYSCONFDIR/resolv.conf ].

--with-routing-table=NUM

routing table for IPsec source routes [ 220 ].

--with-routing-table-prio=PRIO

priority for IPsec routing table [ 220 ].

--with-sim-reader=LIB

library containing the sim_run_alg()/sim_get_triplet() function for EAP-SIM [].

--with-user=USER

change user of the daemons to USER after startup [ root ].

--with-urandom-device=DEV

set the device for pseudo random data [ /dev/urandom ].

--with-xauth-module=LIB

set the path to the XAUTH module [].