Project

General

Profile

strongSwan on FreeBSD » History » Version 1

Version 1/21 - Next » - Current version
Tobias Brunner, 14.07.2009 15:20
Started How-To for FreeBSD


strongSwan on FreeBSD

The IKEv2 daemon charon has recently been ported to FreeBSD. There are some limitations and it is not thoroughly tested.

This document describes how to install strongSwan on FreeBSD 7.2.

Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support. So you will have to compile your own kernel.
Also, the kernel sources do not include NAT traversal. If you need that, you'll have to apply a patch.
Then you will also need some additional packages to compile strongSwan.

The Kernel

Basic information on how to build a custom kernel can be found in the FreeBSD Handbook.

You'll need to add the following options to your kernel configuration files:

options   IPSEC
device    crypto

If you need NAT Traversal, apply one of the patches provided by Yvan Vanhullebus.

Install Packages

Our test-system was installed using the Developer and Kern-Developer distributions in sysinstall. So there are maybe additional packages required on your system.

The packages required to build strongSwan are as follows:

  • Build system:
    • automake110
    • automake-wrapper
    • autoconf262
    • autoconf-wrapper
    • libtool
    • bison
  • Libraries
    • vstr
    • libgmp
    • libgcrypt
Notes:
  • bison is required because our parsers are not fully YACC compatible.
  • Although FreeBSD supports the GNU specific register_printf_function function, the implementation in the C library contains a bug that prevents this from working in a multi-thread program. Therefore the vstr string library is required.
  • libgcrypt is required because our configure script depends on some M4 macros provided by it.

Building strongSwan

Get the latest tarball and configure strongSwan as follows:

./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --enable-vstr --disable-tools --disable-pluto --with-lib-prefix=/usr/local

Limitations

  • Due to the lack of policy based routes, virtual IPs can not be used (client-side).
  • The kernel interface misses some last