strongSwan on FreeBSD » History » Version 10

Version 9 (Tobias Brunner, 20.09.2011 16:04) → Version 10/21 (Tobias Brunner, 05.03.2012 10:29)

h1. strongSwan on FreeBSD

With strongSwan 4.3.4 the IKEv2 daemon charon was ported to FreeBSD. There are still some [[FreeBSD#Limitations|limitations]], but it has since been tested by several users (even with an adapted version of our UML test framework).

This document describes how to install strongSwan on FreeBSD 8.2 (see older revisions of this page for instructions for previous releases).

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to build your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so if you need that feature you don't have to apply any patches yourself.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the FreeBSD Handbook.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>
options IPSEC
device crypto
</pre>

You can verify that your kernel has IPsec support with the following command, which should print the IPsec-specific kernel state (sysctl variables):

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, add the following option to your kernel config:

<pre>
options IPSEC_NAT_T
</pre>
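As an added example (not part of this wiki page), a small POSIX sh check that scans a kernel configuration file for the options listed above before you rebuild; a commented-out line such as @#options IPSEC@ does not count as enabled. The two sample configuration files it writes are constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not from the strongSwan wiki: verify that a FreeBSD kernel
# configuration file contains the options needed for IPsec (and NAT-T).

# has_opt FILE KEYWORD NAME: true if an uncommented line "KEYWORD NAME" exists.
# Comments are stripped first; tabs and extra spaces are tolerated, and the
# name must end the token, so "IPSEC_NAT_T" never satisfies a check for "IPSEC".
has_opt() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3"'([[:space:]]|$)'
}

# check_ipsec_conf FILE: reports missing options; returns 0 only when the
# mandatory ones (options IPSEC, device crypto) are present. NAT-T is optional.
check_ipsec_conf() {
    conf=$1; missing=0
    has_opt "$conf" options IPSEC  || { echo "missing: options IPSEC"; missing=1; }
    has_opt "$conf" device  crypto || { echo "missing: device crypto"; missing=1; }
    if has_opt "$conf" options IPSEC_NAT_T; then
        echo "NAT Traversal: enabled"
    else
        echo "NAT Traversal: not enabled (optional, only needed behind NAT)"
    fi
    return $missing
}

# Constructed sample kernel configs (not real files from the page or a system).
good=$(mktemp); bad=$(mktemp)
printf 'include GENERIC\nident IPSECKERN\noptions\tIPSEC\ndevice\tcrypto\noptions IPSEC_NAT_T\n' > "$good"
printf 'include GENERIC\n#options IPSEC\ndevice crypto\n' > "$bad"

check_ipsec_conf "$good"                                  # complete, exit status 0
check_ipsec_conf "$bad" || echo "kernel config incomplete"  # IPSEC only commented out
rm -f "$good" "$bad"
```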

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)

The printf bug in earlier FreeBSD releases has been fixed and backported to FreeBSD 8, so the *vstr* string library is no longer required.

h2. Building strongSwan

Get the latest tarball and configure strongSwan as follows (this builds the GMP plugin, so libgmp is required). For details refer to [[InstallationDocumentation]].

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-tools --disable-scripts --disable-pluto --with-group=wheel
</pre>

h2. Limitations

* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.

h2. Known Problems

* Before [[4.6.0|strongSwan 4.6.0]], [[IpsecStarter|starter]] did not yet use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:
<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre>
Fortunately, this detection is not really needed on FreeBSD, so this message can simply be ignored.