Project

General

Profile

strongSwan on FreeBSD » History » Version 11

« Previous - Version 11/21 (diff) - Next » - Current version
Tobias Brunner, 24.02.2013 17:15


strongSwan on FreeBSD

Since strongSwan 4.3.4 the IKE daemon charon runs on FreeBSD. There are still some limitations but
it has since been tested by several users (even with an adapted version of our test framework).

Please note that releases before 5.0.0 don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.

Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support. So you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don't
have to apply any patches yourself, if you need that feature.

Build the Kernel

Basic documentation on how to build a custom kernel can be found in the FreeBSD Handbook.

To enable IPsec you'll need to add the following options to your kernel configuration file:

options   IPSEC
device    crypto

You can verify that your kernel has IPsec support using the following command, which should print a list of ipsec specific kernel state.

/sbin/sysctl -a | grep ipsec

If you need NAT Traversal, add the following option to your kernel config:

options   IPSEC_NAT_T

Install FreeBSD Port / Package

The easiest way to install strongSwan on FreeBSD is to use the security/strongswan port

cd /usr/ports/security/strongswan/ && make install clean

or to install the binary package

pkg_add -r strongswan

Manual Installation

Install Packages

Our test-system was installed using the Developer and Kern-Developer distributions in sysinstall. So there are maybe additional packages required on your system.

The packages required to build strongSwan are as follows:

  • libgmp (optional, depending on configuration)
  • openssl (optional, depending on configuration)
Notes:
  • The printf-Bug in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the vstr string library is not required anymore (check the history of this wiki page for details).

Building strongSwan

Get the latest tarball and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required).
For details refer to InstallationDocumentation.

./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-tools --disable-scripts --with-group=wheel
Notes:
  • For strongSwan before 5.0.0 you also need to add --disable-pluto.

Limitations

  • Due to the lack of policy based routes, virtual IPs can not be used (client-side).
  • The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.

Known Problems

  • Before strongSwan 4.6.0 starter did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:
    Starting strongSwan 4.x.x IPsec [starter]...
    no netkey IPsec stack detected
    no KLIPS IPsec stack detected
    no known IPsec stack detected, ignoring!
    
    Fortunately, this detection is not really needed on FreeBSD so simply ignore this message.