Autoconf options for the most current strongSwan release » History » Version 40

Version 39 (Tobias Brunner, 25.03.2015 11:37) → Version 40/60 (Tobias Brunner, 27.05.2015 13:11)

h1. Autoconf options for the most current strongSwan release

{{>toc}}

bq. *Please note:* This page documents the _./configure_ options for the most current release. Therefore, you should always use _./configure --help_ to check which options are actually available for the release you are using.

h2. --dir options

*Some directories can be configured through [[Autoconf#--with-options|--with options]].*

--prefix=PREFIX

p((. where to put installation [ _/usr/local_ ]. Most Linux distributions use _"/usr"_.

--libexecdir=LIBEXECDIR

p((. program executables [ _PREFIX/libexec_ ]

--libdir=LIBDIR

p((. shared libraries [ _PREFIX/lib_ ]

--sysconfdir=SYSCONFDIR

p((. where to put configuration files [ _PREFIX/etc_ ]. We strongly recommend _"/etc"_.

h2. --enable options

*The [[pluginlist|plugin list]] provides more information on specific plugins.*

--enable-acert

p((. enable X.509 attribute certificate checking plugin [ _no_ ]. Since [[5.1.3]].

--enable-addrblock

p((. enable RFC 3779 address block constraint support plugin [ _no_ ].

--enable-aesni

p((. enable Intel AES-NI crypto plugin [ _no_ ]. Since version:5.3.1.

--enable-af-alg

p((. enable AF_ALG crypto interface to Linux Crypto API [ _no_ ].

--enable-agent

p((. enable the ssh-agent signing plugin [ _no_ ].

--enable-aikgen

p((. enable AIK generator [ _no_ ]. Since [[5.2.0]].

--enable-all

p((. enable all optional plugins and features (they can be disabled with their respective --disable options) [ _no_ ]. Mainly intended for testing. Since [[5.1.3]].

--enable-android

p((. enable Android specific plugin [ _no_ ].

--enable-android-log

p((. enable Android specific logger plugin [ _no_ ].

--enable-attr-sql

p((. enable the SQL based configuration attribute plugin [ _no_ ].
This is a plugin for VPN gateways only, serving virtual IP addresses

--enable-bfd-backtraces

p((. use binutils' libbfd to resolve backtraces for memory leaks and segfaults [ _no_ ]. Since [[5.0.1]].

--enable-bliss

p((. enable Bimodal Lattice Signature Scheme (BLISS) software implementation plugin [ _no_ ]. Since version:5.2.2.

--enable-blowfish

p((. enable Blowfish software implementation plugin [ _no_ ].

--enable-ccm

p((. enable the CCM AEAD wrapper crypto plugin [ _no_ ].

--enable-certexpire

p((. enable CSV export of expiration dates of used certificates [ _no_ ].

--enable-cmd

p((. enable the command line IKE client charon-cmd [ _no_ ]. Since [[5.1.0]].

--enable-conftest

p((. enable the [[IpsecConftest|IKE conformance test framework]] [ _no_ ].

--enable-connmark

p((. enable [[connmark]] plugin, which enables conntrack based marks to select return path SA [ _no_ ]. Since version:5.3.0.

--enable-coupling

p((. enable IKEv2 plugin to couple peer certificates permanently to authentication [ _no_ ].

--enable-coverage

p((. enable lcov coverage report generation [ _no_ ]. Since [[5.1.0]].
*Note:* This disables any optimization, so it shouldn't be enabled when building production releases.

--enable-ctr

p((. enable the counter mode wrapper crypto plugin [ _no_ ].

--enable-curl

p((. enable plugin to fetch files (CRL/OCSP) via libcurl [ _no_ ]. Requires libcurl.

--enable-dbghelp-backtraces

p((. use dbghelp.dll on Windows to create and print backtraces for memory leaks and segfaults [ _no_ ]. Since [[5.2.0]].

--enable-dhcp

p((. enable DHCP based attribute provider plugin [ _no_ ].

--enable-dnscert

p((. enable plugin that authenticates peers based on CERT resource records in the DNS protected by DNSSEC [ _no_ ]. Since [[5.1.1]].

--enable-dumm

p((. build the new UML test framework [ _no_ ]. See [[DynamicUmlMeshModeler|DUMM]].

--enable-duplicheck

p((. enable advanced duplicate checking plugin using liveness checks [ _no_ ].

--enable-eap-aka

p((. build EAP AKA authentication module [ _no_ ].

--enable-eap-aka-3gpp2

p((. build EAP AKA backend module implementing 3GPP2 algorithm in software [ _no_ ]. Requires libgmp.

--enable-eap-dynamic

p((. build dynamic EAP proxy module [ _no_ ].

--enable-eap-gtc

p((. build [[EapGtc|EAP GTC]] authentication module [ _no_ ].

--enable-eap-identity

p((. build EAP module providing EAP-Identity helper [ _no_ ].

--enable-eap-md5

p((. build EAP MD5 (CHAP) authentication module [ _no_ ].

--enable-eap-mschapv2

p((. enable EAP MS-CHAPv2 authentication module [ _no_ ].

--enable-eap-peap

p((. enable EAP PEAP authentication plugin [ _no_ ].

--enable-eap-radius

p((. enable [[EapRadius|RADIUS]] proxy authentication module for EAP [ _no_ ].

--enable-eap-sim

p((. enable EAP-SIM authentication module [ _no_ ].

--enable-eap-sim-file

p((. enable EAP-SIM back end based on a triplets file [ _no_ ].

--enable-eap-sim-pcsc

p((. enable EAP-SIM back end based on a smartcard reader [ _no_ ]. Requires libpcsclite.

--enable-eap-simaka-pseudonym

p((. enable EAP-SIM/AKA pseudonym storage [ _no_ ].

--enable-eap-simaka-reauth

p((. enable EAP-SIM/AKA reauthentication data storage [ _no_ ].

--enable-eap-simaka-sql

p((. enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database [ _no_ ].

--enable-eap-tls

p((. enable EAP TLS authentication plugin [ _no_ ].

--enable-eap-tnc

p((. enable EAP TNC trusted network connect plugin [ _no_ ].

--enable-eap-ttls

p((. enable EAP TTLS authentication plugin [ _no_ ].

--enable-error-notify

p((. enable [[ErrorNotifyPlugin|error notification plugin]] [ _no_ ].

--enable-ext-auth

p((. enable plugin calling an external authorization script [ _no_ ]. Since version:5.2.1.

--enable-farp

p((. enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers [ _no_ ].

--enable-fast

p((. build libfast (FastCGI Application Server w/ templates) [ _no_ ]. See [[libfast]].

--enable-files

p((. enable simple file:// URI fetcher [ _no_ ]. Since version:5.3.0.

--enable-forecast

p((. enable [[forecast]] plugin, which forwards broadcast/multicast messages [ _no_ ]. Since version:5.3.0.

--enable-gcm

p((. enable the GCM AEAD wrapper crypto plugin [ _no_ ].

--enable-gcrypt

p((. enable the libgcrypt plugin [ _no_ ]. Requires the GNU Libgcrypt library.

--enable-ha

p((. enable the [[HighAvailability|high availability]] cluster plugin [ _no_ ].

--enable-imc-attestation

p((. enable IMC attestation module [ _no_ ].

--enable-imc-os

p((. enable IMC operating system module [ _no_ ].

--enable-imc-scanner

p((. enable IMC port scanner module [ _no_ ].

--enable-imc-swid

p((. enable IMC swid module [ _no_ ]. Since [[5.1.1]].

--enable-imc-test

p((. enable IMC test module [ _no_ ].

--enable-imv-attestation

p((. enable IMV attestation module [ _no_ ].

--enable-imv-os

p((. enable IMV operating system module [ _no_ ].

--enable-imv-scanner

p((. enable IMV port scanner module [ _no_ ].

--enable-imv-swid

p((. enable IMV swid module [ _no_ ]. Since [[5.1.1]].

--enable-imv-test

p((. enable IMV test module [ _no_ ].

--enable-integrity-test

p((. enable [[IntegrityTest|integrity testing]] of the daemon, libraries and loaded plugins [ _no_ ].

--enable-ipseckey

p((. enable IPSECKEY authentication plugin, which authenticates peers based on IPSECKEY resource records in the DNS protected by DNSSEC [ _no_ ]. Since [[5.0.3]].

--enable-kernel-iph

p((. enable the [[Kernel-iph|Windows IP Helper based networking backend]] [ _no_ ]. Since [[5.2.0]].

--enable-kernel-libipsec

p((. enable the [[kernel-libipsec|libipsec-based user-space "kernel" interface]] [ _no_ ]. Since [[5.1.0]].

--enable-kernel-pfkey

p((. enable the PF_KEYv2 NETKEY kernel interface [ _no_ ].

--enable-kernel-pfroute

p((. enable the PF_ROUTE kernel interface [ _no_ ]. Required for FreeBSD and Mac OS X.

--enable-kernel-wfp

p((. enable the [[Kernel-wfp|Windows Filtering Platform IPsec backend]] [ _no_ ]. Since [[5.2.0]].

--enable-keychain

p((. enable Mac OS X Keychain Services credential set [ _no_ ]. Since [[5.1.0]].

--enable-libipsec

p((. enable user space IPsec implementation [ _no_ ].

--enable-ldap

p((. enable LDAP fetcher to fetch files (CRLs) from an LDAP server [ _no_ ]. Requires OpenLDAP.

--enable-leak-detective

p((. enable malloc hooks to find memory leaks [ _no_ ].

--enable-led

p((. enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem [ _no_ ].

--enable-load-tester

p((. enable load testing plugin for IKEv2 daemon [ _no_ ].

--enable-lock-profiler

p((. enable lock/mutex profiling code [ _no_ ].

--enable-lookip

p((. enable fast virtual IP [[lookip|lookup and notification plugin]] [ _no_ ].

--enable-maemo

p((. enable the Maemo specific plugin [ _no_ ].

--enable-manager

p((. build the strongSwan manager web application [ _no_ ]. See [[Manager]].

--enable-md4

p((. enable MD4 software implementation plugin [ _no_ ]. Required for eap-mschapv2 plugin.

--enable-medcli

p((. enable mediation client web front end and daemon plugin [ _no_ ].

--enable-mediation

p((. enable IKEv2 Mediation Extension [ _no_ ].

--enable-medsrv

p((. enable mediation server web front end and daemon plugin [ _no_ ].

--enable-monolithic

p((. build monolithic versions of libstrongswan, libhydra, and libcharon that include all enabled plugins [ _no_ ].

--enable-mysql

p((. enable MySQL database support [ _no_ ]. Requires libmysqlclient_r.

--enable-nm

p((. enable the [[NetworkManager]] backend [ _no_ ].

--enable-ntru

p((. enable the NTRUEncrypt key exchange plugin [ _no_ ]. Since [[5.1.2]].

--enable-openssl

p((. enable the OpenSSL crypto plugin [ _no_ ]. Requires libcrypto.so.0.9.8.

--enable-osx-attr

p((. enable Mac OS X SystemConfiguration attribute handler [ _no_ ]. Since [[5.1.0]].

--enable-padlock

p((. enable the padlock crypto plugin [ _no_ ]. Requires a VIA Padlock crypto engine.

--enable-pkcs11

p((. enable the [[SmartcardsIKEv2|PKCS#11 crypto token]] support plugin [ _no_ ].

--enable-python-eggs

p((. enable build installation of provided python eggs (such as that for the [[vici]] protocol) [ _no_ ]. Since version:5.3.0.

--enable-python-eggs-install

p((. enable local installation of provided python eggs [ _no_ ]. Since version:5.3.1.

--enable-rdrand

p((. enable the Intel RDRAND random generator plugin [ _no_ ].

--enable-ruby-gems

p((. enable build installation of provided ruby gems (such as that for the [[vici]] protocol) [ _no_ ]. Since version:5.2.1.

--enable-ruby-gems-install

p((. enable local installation of provided ruby gems [ _no_ ]. Since version:5.3.1.


--enable-smp

p((. enable XML configuration and control interface [ _no_ ]. Requires libxml. See [[SMP]].

--enable-socket-dynamic

p((. enable dynamic socket implementation for charon [ _no_ ].

--enable-socket-win

p((. enable [[Socket-win|Winsock2 based socket implementation]] for charon [ _no_ ]. Since [[5.2.0]].

--enable-soup

p((. enable soup fetcher plugin to fetch from HTTP URIs [ _no_ ]. Requires libsoup.

--enable-sql

p((. enable SQL database configuration backend [ _no_ ]. See [[SQL]].

--enable-sqlite

p((. enable SQLite database support [ _no_ ]. Requires libsqlite3.

--enable-svc

p((. enable [[Charon-svc|charon Windows service]] [ _no_ ]. Since [[5.2.0]].

--enable-swanctl

p((. enable [[swanctl]] configuration and control tool [ _no_ ]. Since [[5.2.0]].

--enable-systemd

p((. enable systemd specific IKE daemon charon-systemd [ _no_ ]. Since version:5.2.1.

--enable-systime-fix

p((. enable plugin to handle cert lifetimes with invalid system time gracefully [ _no_ ]. See [[SystimeFixPlugin]]. Since [[5.0.3]].

--enable-test-vectors

p((. enable [[CryptoTest|crypto test]] vectors plugin [ _no_ ].

--enable-tkm

p((. enable _charon-tkm_, an IKEv2 daemon that is backed by a Trusted Key Manager (TKM) [ _no_ ]. More information can be found on http://www.codelabs.ch/tkm/. Since [[5.0.3]].

--enable-tnccs-11

p((. enable TNCCS 1.1 protocol module [ _no_ ]. Requires libxml2.

--enable-tnccs-20

p((. enable TNCCS 2.0 protocol module [ _no_ ].

--enable-tnccs-dynamic

p((. enable dynamic TNCCS protocol discovery module [ _no_ ].

--enable-tnc-ifmap

p((. enable TNC IF-MAP module [ _no_ ].

--enable-tnc-imc

p((. enable TNC IMC integrity measurement collector module [ _no_ ].

--enable-tnc-imv

p((. enable TNC IMV integrity measurement verifier module [ _no_ ].

--enable-uci

p((. enable the OpenWRT UCI configuration plugin [ _no_ ].

--enable-unbound

p((. enable DNSSEC-enabled resolver plugin based on libunbound [ _no_ ].

--enable-unity

p((. enable Cisco Unity extension plugin [ _no_ ].

--enable-unwind-backtraces

p((. use libunwind to create backtraces for memory leaks and segfaults [ _no_ ]. Since [[5.1.0]].

--enable-vici

p((. enable the [[Vici|Versatile IKE Configuration Interface]] plugin [ _no_ ]. Since [[5.2.0]].

--enable-whitelist

p((. enable peer identity whitelisting plugin [ _no_ ].

--enable-winhttp

p((. enable [[Winhttp|WinHTTP based HTTP/HTTPS fetching plugin]] [ _no_ ]. Since [[5.2.0]].

--enable-xauth-eap

p((. enable XAuth backend using EAP methods to verify password [ _no_ ].

--enable-xauth-noauth

p((. enable XAuth pseudo-backend that does not actually verify or even request any credentials [ _no_ ]. Since [[5.0.3]].

--enable-xauth-pam

p((. enable [[XAuthPam|XAuth backend using PAM]] to verify passwords [ _no_ ].

h2. --disable options

*The [[pluginlist|plugin list]] provides more information on specific plugins.*

--disable-aes

p((. disable default AES software implementation plugin [ _no_ ].

--disable-attr

p((. disable strongswan.conf based configuration of DNS and WINS server attributes [ _no_ ].
This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information.

--disable-charon

p((. disable the build of the IKEv1/IKEv2 keying daemon charon [ _no_ ].

--disable-cmac

p((. disable CMAC crypto implementation plugin [ _no_ ].

--disable-constraints

p((. disable advanced X.509 constraint checking plugin [ _no_ ].

--disable-defaults

p((. disable all features that are enabled by default [ _no_ ]. Basically it's short for adding all options listed in this section. Since [[5.0.3]].

--disable-des

p((. disable default DES/3DES software implementation plugin [ _no_ ].

--disable-dnskey

p((. disable DNS RR key decoding plugin [ _no_ ].

--disable-fips-prf

p((. disable default FIPS PRF software implementation plugin [ _no_ ].

--disable-gmp

p((. disable default GNU Multi Precision (libgmp) based public key cryptography implementation plugin [ _no_ ].

--disable-hmac

p((. disable default HMAC crypto implementation plugin [ _no_ ].

--disable-ikev1

p((. disable IKEv1 protocol support in charon [ _no_ ].

--disable-ikev2

p((. disable IKEv2 protocol support in charon [ _no_ ].

--disable-kernel-netlink

p((. disable default Netlink kernel interface [ _no_ ].

--disable-load-warning

p((. disable the charon plugin load option warning in starter [ _no_ ]

--disable-md5

p((. disable default MD5 software implementation plugin [ _no_ ].

--disable-nonce

p((. disable nonce generation plugin [ _no_ ].

--disable-pem

p((. disable PEM decoding plugin [ _no_ ].

--disable-pgp

p((. disable PGP key decoding plugin [ _no_ ].

--disable-pkcs1

p((. disable PKCS#1 key decoding plugin [ _no_ ].

--disable-pkcs7

p((. disable PKCS#7 container support plugin [ _no_ ].

--disable-pkcs8

p((. disable PKCS#8 private key decoding plugin [ _no_ ].

--disable-pkcs12

p((. disable PKCS#12 container support plugin [ _no_ ]. Since [[5.1.0]].

--disable-pki

p((. disable [[ipsecpki|pki]] certificate utility [ _no_ ]. Separate option since [[5.2.0]], was included in _--disable-tools_ before.

--disable-pubkey

p((. disable default RAW public key support plugin [ _no_ ].

--disable-random

p((. disable default RNG implementation using the raw /dev/(u)random devices [ _no_ ].

--disable-rc2

p((. disable RC2 software implementation plugin [ _no_ ]. Since [[5.1.0]].

--disable-resolve

p((. disable writing DNS information received via configuration payload to /etc/resolv.conf [ _no_ ].
This is a plugin for VPN clients only.

--disable-revocation

p((. disable X.509 CRL/OCSP revocation check plugin [ _no_ ].

--disable-scepclient

p((. disable [[ScepClient|SCEP client]] tool [ _no_ ]. Separate option since [[5.2.0]], was included in _--disable-tools_ before.

--disable-scripts

p((. disable the build of additional utilities (found in directory scripts) [ _no_ ].

--disable-sha1

p((. disable default SHA-1 software implementation plugin [ _no_ ].

--disable-sha2

p((. disable default SHA-256/SHA-384/SHA-512 software implementation plugin [ _no_ ].

--disable-socket-default

p((. disable default socket implementation for charon [ _no_ ].

--disable-sshkey

p((. disable SSH key decoding plugin [ _no_ ]. Since [[5.1.0]].

--disable-stroke

p((. disable charon's stroke configuration backend [ _no_ ].

--disable-updown

p((. disable updown firewall script plugin [ _no_ ].

--disable-x509

p((. disable default X.509 certificate implementation plugin [ _no_ ].

--disable-xauth-generic

p((. disable generic XAuth backend [ _no_ ].

--disable-xcbc

p((. disable default XCBC crypto implementation plugin [ _no_ ].

h2. --with options

--with-capabilities=LIBCAP

p((. set capability dropping library. Currently supported values are _libcap_ and _native_ [ _no_ ].

--with-charon-udp-port=PORT

p((. UDP port used by charon locally. Set to 0 to allocate randomly. [ _500_ ]

--with-charon-natt-port=PORT

p((. UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port). Set to 0 to allocate randomly. [ _4500_ ]

--with-dev-headers=DIR

p((. install strongSwan development headers to DIR [ _no_ ].

--with-fips-mode=MODE

p((. set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2) [ _0_ ].

--with-group=GROUP

p((. [[ReducedPrivileges|change group]] of the daemons to GROUP after startup [ _root_ ].

--with-imcvdir=IMCVDIR

p((. set the installation path of IMC and IMV dynamic libraries [ _IPSECLIBDIR/imcvs_ ].

--with-ipsecdir=IPSECDIR

p((. installation path for ipsec tools [ _LIBEXECDIR/ipsec_ ].

--with-ipseclibdir=IPSECLIBDIR

p((. installation path for ipsec libraries (libstrongswan, libhydra, libcharon etc.) [ _LIBDIR/ipsec_ ].

--with-ipsec-script=SCRIPTNAME

p((. change the name of the ipsec script [ _ipsec_ ].

--with-linux-headers=DIR

p((. linux header files to be used [ _../include_ ].

--with-mpz_powm_sec=YES|NO

p((. use the more side-channel resistant mpz_powm_sec in libgmp, if available [ _yes_ ].

--with-nm-ca-dir=NMCADIR

p((. directory the NM backend uses to look up trusted root certificates [ _/usr/share/ca-certificates_ ].

--with-piddir=DIR

p((. path for PID and UNIX socket files [ _/var/run_ ].

--with-plugindir=PLUGINDIR

p((. installation path for plugins [ _IPSECLIBDIR/plugins_ ].

--with-printf-hooks=IMPL

p((. force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr) [ _auto_ ]. Since [[5.1.3]].

--with-pythoneggdir=arg

p((. path to install python eggs to [ _site-packages directory_ ]. Since version:5.3.0.

--with-random-device=DEV

p((. set the device for true random data [ _/dev/random_ ].

--with-resolv-conf=FILE

p((. set the file to store DNS server information [ _SYSCONFDIR/resolv.conf_ ].

--with-routing-table=NUM

p((. routing table for IPsec source routes (set to 0 to use default routing table) [ _220_ ].

--with-routing-table-prio=PRIO

p((. priority for IPsec routing table [ _220_ ].

--with-rubygemdir=arg

p((. path to install ruby gems to [ _gem environment gemdir_ ]. Since version:5.2.1.

--with-strongswan-conf=FILE

p((. set the strongswan.conf file location [ _SYSCONFDIR/strongswan.conf_ ].

--with-systemdsystemunitdir=arg

p((. directory for systemd service files [ _$systemdsystemunitdir_default_ ].

--with-swanctldir=arg

p((. base directory for [[swanctl]] configuration files and credentials [ _SYSCONFDIR/swanctl_ ]. Since [[5.2.0]].

--with-tss=TSS

p((. set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers".

--with-urandom-device=DEV

p((. set the device for pseudo random data [ _/dev/urandom_ ].

--with-user=USER

p((. [[nonRoot|change user]] of the daemons to USER after startup [ _root_ ].