strongSwan on FreeBSD » History » Version 11
strongSwan on FreeBSD
Please note that releases before 5.0.0 don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.
The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don't have to apply any patches yourself if you need that feature.
Build the Kernel
Basic documentation on how to build a custom kernel can be found in the FreeBSD Handbook.
To enable IPsec you'll need to add the following options to your kernel configuration file:
options IPSEC
device crypto
You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state.
/sbin/sysctl -a | grep ipsec
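As an added example (not part of the original wiki page or of strongSwan), the following sh script checks a kernel configuration file for the two lines above, ignoring commented-out entries, and applies the same grep to sysctl output. The function names and the sample config lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks for the kernel requirements listed above.

# has_kernel_line FILE KEYWORD VALUE
# Succeeds when FILE has an active (not commented-out) "KEYWORD VALUE" line.
has_kernel_line() {
    awk -v kw="$2" -v val="$3" '
        { sub(/#.*/, "") }                 # strip whole-line and trailing comments
        $1 == kw && $2 == val { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_ipsec_options FILE
# Prints each line required by the page that FILE lacks; prints nothing if complete.
missing_ipsec_options() {
    has_kernel_line "$1" options IPSEC || echo "options IPSEC"
    has_kernel_line "$1" device crypto || echo "device crypto"
}

# running_kernel_has_ipsec
# Reads `sysctl -a` output on stdin; succeeds if any ipsec state is listed.
running_kernel_has_ipsec() {
    grep -q ipsec
}

conf=${1:-}
sample=0
if [ -z "$conf" ]; then
    # No file given: use a constructed sample config with IPSEC commented out.
    conf=$(mktemp /tmp/kernconf.XXXXXX)
    printf '%s\n' 'include GENERIC' 'ident SAMPLE' \
        '#options IPSEC' 'device crypto   # crypto framework' > "$conf"
    sample=1
fi
missing=$(missing_ipsec_options "$conf")
if [ -n "$missing" ]; then
    printf 'Missing from kernel config:\n%s\n' "$missing"
else
    echo "Kernel config contains the IPsec lines"
fi
if [ "$sample" -eq 1 ]; then rm -f "$conf"; fi
```

Run it with the path to your kernel configuration file as the only argument; without an argument it checks the constructed sample. On the rebuilt system, `/sbin/sysctl -a | running_kernel_has_ipsec` performs the runtime check.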
If you need NAT Traversal, add the following option to your kernel config:
Install FreeBSD Port / Package
The easiest way to install strongSwan on FreeBSD is to use the security/strongswan port
cd /usr/ports/security/strongswan/ && make install clean
or to install the binary package
pkg_add -r strongswan
Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.
The packages required to build strongSwan are as follows:
- libgmp (optional, depending on configuration)
- openssl (optional, depending on configuration)
- The printf-Bug in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the vstr string library is not required anymore (check the history of this wiki page for details).
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
    --disable-tools --disable-scripts --with-group=wheel
Notes:
- For strongSwan before 5.0.0 you also need to add
- Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
- The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.
- Before strongSwan 4.6.0 starter did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
Fortunately, this detection is not really needed on FreeBSD so simply ignore this message.