strongSwan on FreeBSD » History » Version 11

Tobias Brunner, 24.02.2013 17:15

h1. strongSwan on FreeBSD

Since [[4.3.4|strongSwan 4.3.4]] the IKE daemon charon runs on "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]], but it has since been tested by several users (even with an adapted version of our "test framework":http://www.strongswan.org/uml-testing.html).

Please note that releases before [[5.0.0]] don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don't have to apply any patches yourself if you need that feature.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec specific kernel state (the @net.inet.ipsec@ sysctl tree, e.g. @net.inet.ipsec.def_policy@). If no @net.inet.ipsec@ entries show up, the running kernel was built without @options IPSEC@.

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, add the following option to your kernel config (FreeBSD 8 to 10; on FreeBSD 11 and later NAT-T is always compiled in together with IPsec and this option no longer exists):

<pre>
options   IPSEC_NAT_T
</pre>

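The kernel procedure above as a single shell script, added here as an example (it is not part of this wiki page or of the strongSwan project): it writes a kernel configuration that includes GENERIC and adds the IPsec options, builds and installs that kernel the way the Handbook describes, and checks sysctl output for the @net.inet.ipsec@ tree. The source path, architecture and config name (@IPSECKERN@) are assumptions, as is the sample sysctl output, which is constructed rather than captured from a real host.

```sh
#!/bin/sh
# Added example, not from the strongSwan wiki: put the kernel options above
# into a custom kernel config on top of GENERIC, build/install it, and check
# the running kernel for IPsec support.
# Assumed (hypothetical): sources in /usr/src, architecture amd64, config
# name IPSECKERN. Override via the environment if yours differ.
SRC=${SRC:-/usr/src}
ARCH=${ARCH:-amd64}
KERNCONF=${KERNCONF:-IPSECKERN}

# Print a kernel configuration that includes GENERIC and adds IPsec.
# $1 = "yes" also adds IPSEC_NAT_T (NAT Traversal on FreeBSD 8 to 10).
make_ipsec_kernconf() {
    printf 'include GENERIC\n'
    printf 'ident   %s\n\n' "$KERNCONF"
    printf 'options   IPSEC\n'
    printf 'device    crypto\n'
    if [ "$1" = "yes" ]; then
        printf 'options   IPSEC_NAT_T\n'
    fi
}

# Write the config, then build and install the kernel as the Handbook
# describes (slow; not something a test harness should run).
build_ipsec_kernel() {
    make_ipsec_kernconf "$1" > "$SRC/sys/$ARCH/conf/$KERNCONF" || return 1
    ( cd "$SRC" && make buildkernel KERNCONF="$KERNCONF" \
                && make installkernel KERNCONF="$KERNCONF" )
}

# Decide from sysctl(8) output on stdin whether the kernel has IPsec:
# a kernel built with "options IPSEC" exposes the net.inet.ipsec.* tree.
# Returns 0 (yes) or 1 (no), so it can be used directly in an if or ||.
kernel_has_ipsec() {
    grep -q '^net\.inet\.ipsec\.'
}

# Constructed sample of "sysctl -a" output (not captured from a real host):
# one kernel with IPsec, one without.
SYSCTL_WITH_IPSEC='net.inet.ip.forwarding: 0
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.key.debug: 0'
SYSCTL_WITHOUT_IPSEC='net.inet.ip.forwarding: 0
net.inet.tcp.blackhole: 0'

# Same check against the live system; reboot into the new kernel first.
check_running_kernel() {
    /sbin/sysctl -a 2>/dev/null | kernel_has_ipsec
}

# Usage: build_ipsec_kernel yes ; reboot ; check_running_kernel && echo IPsec OK
```

The check is deliberately a separate function reading stdin, so it can be run against saved sysctl output from another machine (or the constructed sample) as well as against the live kernel.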
h2. Install FreeBSD Port / Package

The easiest way to install strongSwan on FreeBSD is to use the "security/strongswan":http://www.freshports.org/security/strongswan port

<pre>
cd /usr/ports/security/strongswan/ && make install clean
</pre>

or to install the binary package

<pre>
pkg_add -r strongswan
</pre>

On FreeBSD 10 and later, where pkg(8) has replaced the legacy pkg_* tools, use @pkg install strongswan@ instead.

h2. Manual Installation

h3. Install Packages

Our test-system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)

Notes:
* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore (check the history of this wiki page for details).

h3. Building strongSwan

Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required). For details refer to [[InstallationDocumentation]].

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-tools --disable-scripts --with-group=wheel
</pre>

Notes:
* @--enable-kernel-pfkey@ and @--enable-kernel-pfroute@ select the PF_KEY and PF_ROUTE kernel interfaces; @--disable-kernel-netlink@ drops the Linux-only Netlink interface, which is built by default.
* @--with-group=wheel@ is required because FreeBSD has no group named @root@ (the default); the group charon drops its privileges to has to exist.
* For strongSwan before [[5.0.0]] you also need to add @--disable-pluto@.

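The manual build as a script, added here as an example that is not part of this wiki page or of the strongSwan project: it derives the configure arguments from the release version (adding @--disable-pluto@ only before 5.0.0), and verifies the tarball's detached PGP signature before anything is unpacked or built. The download URL layout and the presence of the strongSwan release key in the local gpg keyring are assumptions.

```sh
#!/bin/sh
# Added example, not from the strongSwan wiki or the project: build strongSwan
# from a release tarball on FreeBSD with the configure flags given above.
# Assumed (hypothetical): tarballs and their detached .sig files live under
# https://download.strongswan.org/, and the strongSwan release key is already
# in the local gpg keyring; the version is supplied by the caller.

# Return 0 if dotted version $1 sorts before $2 (numeric, per component),
# so that 4.10.0 is correctly treated as newer than 4.6.0.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print the ./configure arguments for strongSwan version $1: the FreeBSD
# kernel interfaces (PF_KEY, PF_ROUTE) instead of Linux Netlink, the wheel
# group, and --disable-pluto for anything before 5.0.0 (pluto was never
# ported to FreeBSD).
configure_args() {
    args="--enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink"
    args="$args --disable-tools --disable-scripts --with-group=wheel"
    if version_lt "$1" 5.0.0; then
        args="$args --disable-pluto"
    fi
    printf '%s\n' "$args"
}

# Fetch, verify, unpack, configure, build and install (not run by the test).
build_strongswan() {
    ver=$1
    tarball="strongswan-$ver.tar.bz2"
    url="https://download.strongswan.org/$tarball"    # assumed layout
    fetch "$url" "$url.sig" || return 1
    # Refuse to build anything whose signature does not check out.
    gpg --verify "$tarball.sig" "$tarball" || return 1
    tar xjf "$tarball" || return 1
    ( cd "strongswan-$ver" \
        && ./configure $(configure_args "$ver") \
        && make && make install )
}

# Usage: build_strongswan 5.0.4
```

@configure_args@ is kept separate from the build so the flag set can be inspected (or reused in a port's Makefile) without touching the network.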
h2. Limitations

* Due to the lack of policy based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.

h2. Known Problems

* Before [[4.6.0|strongSwan 4.6.0]] [[IpsecStarter|starter]] did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:

<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre>

Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.